Security researchers have uncovered an active phishing campaign that uses Microsoft Teams-themed lures to distribute a legitimate remote access tool preconfigured for attacker access. By impersonating a trusted workplace collaboration service, the threat actors raise the odds that recipients will click the link and run the installer.
The lures are notifications about meeting transcripts, recordings, and shared documents. They lead to professionally built phishing pages that closely mimic Microsoft Teams and related productivity service interfaces; because such notifications are routine for most office workers, the lure is hard to distinguish from the real thing.
Attack Chain Relies on Trusted Infrastructure
The threat actors behind the campaign are using a combination of compromised business websites and cloud-hosted infrastructure to host phishing content and malware delivery mechanisms. Researchers observed malicious pages hosted on legitimate domains belonging to organizations such as hotels, law firms, schools, healthcare providers, and other small businesses across multiple countries.
Once a victim downloads and runs the installer, it deploys a legitimate remote access tool preconfigured with attacker-controlled settings, so the tool connects to infrastructure the attackers operate rather than to the victim's own administrators. Because the binary is commercial software rather than custom malware, it is less likely to be flagged by signature-based controls, and the resulting remote session looks like ordinary IT administration.
To improve operational resilience, the attackers frequently rotate domains, infrastructure, and lure themes, allowing them to target different departments and organizations while minimizing the impact of takedowns.
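The lure works because the anchor text says "transcript" or "recording" while the link itself goes to a compromised hotel or law-firm website. The following PowerShell function is an added example, not code from the original report or its authors: it triages links from a Teams-themed notification by comparing what the text claims with where the link actually goes. The trusted-host list (teams.microsoft.com and teams.live.com) and the sample links are assumptions constructed for the example; extend the list with your tenant's SharePoint and Stream hosts before using it.

```powershell
# Added example (not from the original report): triage links from a Teams-themed
# notification by comparing what the anchor text claims with where the link goes.
# Assumption: legitimate Teams deep links resolve to teams.microsoft.com or
# teams.live.com; extend the list for tenant-specific SharePoint or Stream hosts.
$TrustedTeamsHosts = @('teams.microsoft.com', 'teams.live.com')

function Test-TeamsLureLink {
    param(
        [Parameter(Mandatory)] [string]$DisplayText,
        [Parameter(Mandatory)] [string]$Href
    )

    $uri = $null
    if (-not [Uri]::TryCreate($Href, [UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ DisplayText = $DisplayText; Host = ''; Verdict = 'Suspicious'; Reason = 'URL does not parse' }
    }

    # $host is a reserved automatic variable in PowerShell, hence $linkHost.
    $linkHost    = $uri.Host.ToLowerInvariant()
    $isTrusted   = [bool]($TrustedTeamsHosts | Where-Object { $linkHost -eq $_ -or $linkHost.EndsWith(".$_") })
    $claimsTeams = $DisplayText -match 'teams|microsoft|transcript|recording|meeting'
    # A transcript or recording is never served as an installer or archive,
    # so a direct download link is suspicious regardless of host.
    $isInstaller = $uri.AbsolutePath -match '\.(exe|msi|msix|zip|iso|js|hta)$'

    if ($uri.Scheme -notin @('http', 'https')) {
        $verdict = 'Suspicious'; $reason = "Non-web scheme '$($uri.Scheme)'"
    } elseif ($isInstaller) {
        $verdict = 'Suspicious'; $reason = 'Link points directly at an installer or archive'
    } elseif (-not $isTrusted -and $claimsTeams) {
        $verdict = 'Suspicious'; $reason = "Text implies Teams/Microsoft but host is $linkHost"
    } elseif ($isTrusted) {
        $verdict = 'Likely legitimate'; $reason = 'Host is a Microsoft Teams domain'
    } else {
        $verdict = 'Review'; $reason = "Unrecognised host $linkHost"
    }

    [pscustomobject]@{ DisplayText = $DisplayText; Host = $linkHost; Verdict = $verdict; Reason = $reason }
}

# Constructed sample links modelled on the lure themes described in the report
# (example.* domains stand in for the compromised business websites).
$SampleLinks = @(
    @{ DisplayText = 'View meeting transcript';  Href = 'https://teams.microsoft.com/l/meeting/transcript' }
    @{ DisplayText = 'Open Teams recording';     Href = 'https://www.example-hotel.com/wp-content/uploads/teams/recording.html' }
    @{ DisplayText = 'Download shared document'; Href = 'https://cdn.example.net/docs/TeamsSetup.exe' }
    @{ DisplayText = 'Click here';               Href = 'https://intranet.example.org/files/report.pdf' }
)

$SampleLinks |
    ForEach-Object { Test-TeamsLureLink -DisplayText $_.DisplayText -Href $_.Href } |
    Format-Table -AutoSize
```

Run against the constructed samples, the first link is rated likely legitimate, the second is flagged for the brand/host mismatch, the third for pointing straight at an executable, and the fourth is left for manual review. The check is deliberately conservative: a host that is merely unfamiliar is not condemned, but a Teams-branded link that leaves Microsoft infrastructure always is, which is exactly the pattern the compromised-website hosting in this campaign produces.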
Persistence and Evasion Capabilities
Analysis of the installer revealed several defense-evasion techniques intended to hinder detection and analysis: environment checks for virtual machines and sandboxes, anti-debugging mechanisms, delayed execution to outlast automated analysis windows, and obfuscated components that complicate forensic investigation.

Following installation, the malware establishes multiple persistence mechanisms to ensure long-term access to compromised systems. Researchers observed the creation of Windows services, registry modifications, and authentication-related components (the LSA authentication package and COM hijacking entries in the technique mapping below). These let the threat actors maintain access and potentially harvest credentials: an authentication package is loaded into the LSASS process and handles logon credentials directly.
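The three persistence classes described above each leave a well-known footprint that a responder can enumerate. The following PowerShell hunt script is an added example and not part of the original report: it checks the LSA authentication package list (T1547.002), per-user COM registrations that shadow machine-wide ones (T1546.015), and recent service installations from System event 7045 (T1543.003). It assumes an elevated PowerShell 5.1 or later session on the suspect host; the clean baseline of msv1_0 alone and the trusted-directory regex are assumptions to tune against your own gold image, and the script detects the technique classes, not this campaign specifically.

```powershell
# Added example (not from the original report): hunt for the persistence
# technique classes it lists. Run elevated on the suspect host; PowerShell 5.1+.
# Baselines and path patterns are assumptions to tune against your gold image.

# Image paths under these locations are treated as expected; everything else
# (ProgramData, AppData, Temp, user profiles) gets reported for review.
$TrustedPathPattern = '^"?(%SystemRoot%|%windir%|[A-Za-z]:\\(Windows|Program Files))'

# T1547.002 - LSA authentication packages. A clean install lists only msv1_0;
# any extra entry is a DLL loaded into lsass.exe at boot that sees logon credentials.
function Get-UnexpectedLsaPackage {
    param([string[]]$Baseline = @('msv1_0'))   # assumed clean baseline
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($pkg in @($lsa.'Authentication Packages')) {
        if ($pkg -and $pkg -notin $Baseline) {
            [pscustomobject]@{ Technique = 'T1547.002'; Location = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages'; Value = $pkg }
        }
    }
}

# T1546.015 - per-user COM hijacking. HKCU\Software\Classes\CLSID is consulted
# before HKLM for the same CLSID, so a per-user InprocServer32 pointing at a DLL
# outside Windows or Program Files is the classic hijack pattern. Bare file names
# (no path) are also reported because they resolve through the DLL search order.
function Get-UserComHijack {
    $root = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $root)) { return }
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $server = "$($key.PSPath)\InprocServer32"
        if (-not (Test-Path $server)) { continue }
        $dll = (Get-ItemProperty -Path $server).'(default)'
        if ($dll -and $dll -notmatch $TrustedPathPattern) {
            [pscustomobject]@{
                Technique   = 'T1546.015'
                Location    = "HKCU:\Software\Classes\CLSID\$($key.PSChildName)\InprocServer32"
                Value       = $dll
                ShadowsHKLM = Test-Path "HKLM:\SOFTWARE\Classes\CLSID\$($key.PSChildName)"
            }
        }
    }
}

# T1543.003 - new services. System event 7045 records every service installation
# with its image path; a RAT dropped by an installer usually lands outside the
# trusted directories. Legitimate software installs appear here too, so review.
function Get-RecentServiceInstall {
    param([int]$Days = 7)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ImagePath'] -notmatch $TrustedPathPattern) {
            [pscustomobject]@{
                Technique = 'T1543.003'
                Location  = "Service '$($data['ServiceName'])' installed $($evt.TimeCreated) (start type $($data['StartType']))"
                Value     = $data['ImagePath']
            }
        }
    }
}

@(Get-UnexpectedLsaPackage) + @(Get-UserComHijack) + @(Get-RecentServiceInstall) |
    Format-Table -Property Technique, Location, Value -Wrap
```

Every finding carries the ATT&CK ID so it can be matched against the mapping in the report. An LSA package hit is the highest priority: the DLL should be acquired and checked before the host is rebooted, since removing the registry entry alone does not unload it from the running LSASS.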
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1566.002 | Phishing: Spearphishing Link |
| Execution | T1204.002 | User Execution: Malicious File |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service |
| Persistence | T1547.002 | Boot or Logon Autostart Execution: Authentication Package |
| Persistence | T1546.015 | Event Triggered Execution: Component Object Model Hijacking |
| Credential Access | T1556 | Modify Authentication Process |
| Discovery | T1120 | Peripheral Device Discovery |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Defense Evasion | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion |
| Command and Control | T1219 | Remote Access Tools |
Key Security Concerns
- Abuse of trusted Microsoft Teams branding to increase phishing success.
- Use of legitimate remote access software for unauthorized system access.
- Hosting of phishing infrastructure on compromised business websites.
- Multiple persistence mechanisms designed to survive remediation efforts.
The campaign highlights a growing trend in cybercrime operations where attackers increasingly rely on trusted platforms, reputable domains, and legitimate software to evade traditional security controls. Organizations should treat unexpected file downloads, meeting notifications, and transcript-sharing requests with caution, even when they appear to originate from familiar services or trusted websites.