After a customer reached out for assistance in November, Microsoft’s Detection and Response Team (DART) uncovered a campaign built on persistent Microsoft Teams voice phishing, also known as vishing, where a threat actor impersonated IT support and targeted multiple employees, News.Az reports, citing foreign media.
***
“Following two failed attempts, the threat actor ultimately convinced a third user to grant remote access through Quick Assist, enabling the initial compromise of a corporate device,” DART explained in a blog post.
Once remote interactive access was established, the threat actor shifted from social engineering to hands-on keyboard compromise, steering the user toward a malicious website under their control.
Evidence gathered from browser history and Quick Assist artifacts showed the user was prompted to enter corporate credentials into a spoofed web form. This then initiated the download of multiple malicious payloads.
Importantly, one of the earliest artifacts – a disguised Microsoft Installer package – used trusted Windows mechanisms to sideload a malicious dynamic link library and establish outbound command-and-control, allowing the threat actor to execute code under the guise of legitimate software, DART said.
This foothold was then expanded by subsequent payloads, which introduced encrypted loaders, remote command execution through standard administrative tooling, and proxy-based connectivity to obscure the malicious activity.
“Over time, additional components enabled credential harvesting and session hijacking, giving the threat actor sustained, interactive control within the environment and the ability to operate using techniques designed to blend in with normal enterprise activity rather than trigger overt alarms,” DART explained.
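The chain described above (a Quick Assist session, then an installer package that sideloads a DLL and calls out to command-and-control) is the kind of sequence a detection team would want to correlate rather than alert on piece by piece. The following is an added example, not code from the DART post or from News.Az: a small Python correlator that scans Sysmon-style events (1 = process create, 7 = image loaded, 3 = network connection) and flags a host where a Quick Assist launch is followed within a time window by an msiexec install, a DLL loaded from a user-writable path, and an outbound connection from that same user-writable binary. The hostnames, paths, timestamps and IP addresses are constructed for the example; only the process file names are matched, so the exact install location of Quick Assist does not matter.

```python
# Added example (not from the DART post or News.Az): correlate constructed
# Sysmon-style events into the chain described in the article.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int   # Sysmon: 1 = process create, 7 = image loaded, 3 = network connection
    image: str      # process image path
    detail: str     # command line (1), loaded DLL path (7), destination (3)


# Constructed sample telemetry; hostnames, paths, times and IPs are made up.
SAMPLE_EVENTS = [
    # Host WS-0417: the full chain from the article
    Event(datetime(2025, 11, 4, 9, 12, 0), "WS-0417", 1, r"C:\Apps\QuickAssist.exe", "QuickAssist.exe"),
    Event(datetime(2025, 11, 4, 9, 18, 30), "WS-0417", 1, r"C:\Windows\System32\msiexec.exe",
          r"msiexec.exe /i C:\Users\alice\Downloads\update.msi /qn"),
    Event(datetime(2025, 11, 4, 9, 18, 41), "WS-0417", 7, r"C:\Users\alice\AppData\Local\Temp\vendor.exe",
          r"C:\Users\alice\AppData\Local\Temp\helper.dll"),
    Event(datetime(2025, 11, 4, 9, 18, 55), "WS-0417", 3, r"C:\Users\alice\AppData\Local\Temp\vendor.exe",
          "203.0.113.10:443"),
    # Host WS-0512: a Quick Assist session with no installer activity (benign)
    Event(datetime(2025, 11, 4, 10, 0, 0), "WS-0512", 1, r"C:\Apps\QuickAssist.exe", "QuickAssist.exe"),
    # Host WS-0600: a managed MSI deployment, DLL from Program Files, no Quick Assist (benign)
    Event(datetime(2025, 11, 4, 11, 5, 0), "WS-0600", 1, r"C:\Windows\System32\msiexec.exe",
          r"msiexec.exe /i \\deploy\pkgs\office.msi /qn"),
    Event(datetime(2025, 11, 4, 11, 5, 20), "WS-0600", 7, r"C:\Program Files\Office\app.exe",
          r"C:\Program Files\Office\app.dll"),
]

# Directory fragments that ordinary users can write to; a DLL loaded from here
# by a freshly installed binary is the sideloading pattern the article describes.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(fragment in p for fragment in USER_WRITABLE)


def _image_is(event: Event, name: str) -> bool:
    return event.image.lower().endswith(name.lower())


def find_remote_assist_chains(events, window=timedelta(minutes=30)):
    """Return one finding per host where a Quick Assist launch is followed, within
    `window`, by: an msiexec install -> a DLL load from a user-writable path ->
    an outbound connection from a user-writable binary, in that order."""
    findings = []
    by_host = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host.setdefault(e.host, []).append(e)

    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if not (start.event_id == 1 and _image_is(start, "QuickAssist.exe")):
                continue
            stage, chain = 0, [start]
            for f in evs[i + 1:]:
                if f.ts - start.ts > window:
                    break
                if stage == 0 and f.event_id == 1 and _image_is(f, "msiexec.exe"):
                    stage, chain = 1, chain + [f]
                elif stage == 1 and f.event_id == 7 and is_user_writable(f.detail):
                    stage, chain = 2, chain + [f]
                elif stage == 2 and f.event_id == 3 and is_user_writable(f.image):
                    chain.append(f)
                    findings.append({"host": host, "start": start.ts, "chain": chain})
                    break
    return findings


if __name__ == "__main__":
    for finding in find_remote_assist_chains(SAMPLE_EVENTS):
        print(f"{finding['host']}: remote-assist -> installer -> sideload -> C2 chain starting {finding['start']}")
        for step in finding["chain"]:
            print(f"  {step.ts.time()} id={step.event_id} {step.image} | {step.detail}")
```

Run on the constructed sample, only WS-0417 is reported; the lone Quick Assist session and the managed MSI deployment are left alone because neither completes the sequence. The ordered-stage check is what keeps the rule useful: each event in the chain is common on its own, and the signal is in their order and proximity on one host. In production the window, the user-writable fragments and the installer name would be tuned to the environment, and the finding would carry enough context (command line, DLL path, destination) for a responder to pivot on without re-querying.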
In summary, the compromise was quite sophisticated, and the threat actor managed to combine a lot of vectors: trust, collaboration platforms, and built-in tooling.
DART reacted quickly, though. After confirming that the compromise originated from a successful Microsoft Teams vishing attack, the team was able to limit the scope of the malicious activity.
The attack still served as a timely reminder that human nature – and the nature of work within large companies specifically – usually works against us in these types of cyberattacks.
“Employees are conditioned to be responsive, helpful, and collaborative, especially when requests appear to come from internal IT or support teams,” said DART.
“Threat actors exploit that instinct, using voice phishing and collaboration tools to create a sense of urgency and legitimacy that can override caution in the moment.”
Last October, Cybernews already reported on another Microsoft alert about threat actors taking advantage of Teams to gather information, trick users into sharing sensitive data, impersonate trusted sources, deliver malware through messages and calls, and even steal credentials, exfiltrate data, and maintain persistence.
Overall, Teams is a useful medium for tech support scams, which remain popular for malware delivery, and hackers are always coming up with new techniques.
17 Mar