Microsoft Teams Social Engineering Abuses Quick Assist to Deploy A0Backdoor
A social-engineering campaign targeting employees at financial and healthcare organizations is abusing Microsoft Teams chats/calls to trick users into granting remote access via Windows Quick Assist, enabling deployment of a newly identified malware family dubbed A0Backdoor. The activity begins with email bombing (flooding inboxes with spam) followed by an attacker impersonating internal IT over Teams, offering help and then persuading the victim to start a Quick Assist session; the tradecraft overlaps with tactics previously attributed to Blitz Brigantine / Storm-1811, which Microsoft has linked to Black Basta-associated operations.
After access is obtained, the actor deploys digitally signed MSI installers that masquerade as Teams-related components or as CrossDeviceService (the component associated with Windows Phone Link); these are sometimes delivered via tokenized links from Microsoft personal cloud storage, which makes them appear trustworthy and hinders sample collection. BlueVoyant reported that the installers drop files into user AppData paths that mimic legitimate Microsoft locations and use DLL sideloading (e.g., a malicious hostfxr.dll) to execute an in-memory loader. That loader decrypts shellcode, performs sandbox checks, and ultimately extracts and runs A0Backdoor (the payload is AES-encrypted with a SHA-256-derived key); anti-analysis behavior includes excessive thread creation intended to disrupt debugging.

How this story unfolded
Four events, listed from the most recent confirmed update back to the earliest known activity.
Microsoft details lateral movement and Rclone data exfiltration in the intrusion playbook
Microsoft reported that after gaining remote access, the operators conduct reconnaissance, use trusted signed applications for DLL sideloading, move laterally over WinRM toward high-value systems such as domain controllers, and exfiltrate targeted data with Rclone to external cloud storage. The company framed the activity as a human-operated intrusion chain centered on cross-tenant helpdesk impersonation and abuse of legitimate administrative workflows.
BlueVoyant links the campaign to Black Basta-associated tradecraft evolution
BlueVoyant reported that the activity overlaps with Black Basta-associated tactics and assessed with moderate-to-high confidence that it represents an evolution of that tradecraft after the group's apparent dissolution following leaked internal chat logs. The report also noted new elements including signed MSIs, the A0Backdoor payload, and DNS MX-based command-and-control.
Attackers deploy signed MSI installers and sideload A0Backdoor after remote access
After obtaining remote access, the attackers deliver digitally signed MSI installers disguised as Microsoft Teams components or the legitimate CrossDeviceService tool, then abuse DLL sideloading with Microsoft-signed binaries and a malicious hostfxr.dll loader. The loader decrypts and launches a newly identified memory-resident payload called A0Backdoor.
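The sideloading step described in the summary above and in this event, as an added detection example (not code from the story, BlueVoyant or Microsoft): it scans constructed Sysmon Event ID 7 image-load records for a hostfxr.dll loaded from a user-writable AppData path without a valid Microsoft signature, which is what separates the malicious loader from a genuine per-user .NET install. Field names follow Sysmon; the paths and the ExampleApp/ExampleHost names are placeholders, not indicators from the campaign.

```python
"""Flag hostfxr.dll loads matching the A0Backdoor sideloading step.
Added example, not from the story, BlueVoyant or Microsoft. A genuine
hostfxr.dll (.NET host resolver) has a valid Microsoft signature; one under
AppData without it is a sideloading signal. Fields mirror Sysmon Event ID 7.
"""
import ntpath


def is_under_appdata(path: str) -> bool:
    """True for paths inside a user profile's AppData tree (user-writable)."""
    return "\\appdata\\" in path.lower()


def has_valid_microsoft_signature(rec: dict) -> bool:
    """Sysmon's Signed/Signature/SignatureStatus describe the loaded image."""
    return (rec.get("Signed") == "true"
            and rec.get("SignatureStatus") == "Valid"
            and rec.get("Signature", "").startswith("Microsoft"))


def is_suspicious_sideload(rec: dict) -> bool:
    """hostfxr.dll loaded from AppData without a valid Microsoft signature."""
    loaded = rec.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != "hostfxr.dll":
        return False
    return is_under_appdata(loaded) and not has_valid_microsoft_signature(rec)


def find_sideloads(records):
    """Return the image-load records worth alerting on."""
    return [r for r in records if is_suspicious_sideload(r)]


SAMPLE_EVENTS = [  # constructed sample telemetry, not from the campaign
    # Benign: the .NET host loading the real resolver from the install root.
    {"Image": r"C:\Program Files\dotnet\dotnet.exe",
     "ImageLoaded": r"C:\Program Files\dotnet\host\fxr\8.0.4\hostfxr.dll",
     "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid"},
    # Benign: a self-contained per-user .NET app shipping its own signed copy.
    {"Image": r"C:\Users\jdoe\AppData\Local\Programs\ExampleApp\ExampleApp.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Programs\ExampleApp\hostfxr.dll",
     "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid"},
    # Suspicious: unsigned hostfxr.dll in a Microsoft-looking AppData directory
    # (placeholder path, not an indicator from the campaign).
    {"Image": r"C:\Users\jdoe\AppData\Local\Microsoft\ExampleHost\ExampleHost.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Microsoft\ExampleHost\hostfxr.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]
```

Only the third record is returned by find_sideloads(SAMPLE_EVENTS); the signed per-user copy is deliberately left alone so the rule does not fire on legitimate self-contained .NET applications.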
Teams phishing campaign uses email bombing and fake IT chats to gain Quick Assist access
Since 2024, attackers have used a social-engineering playbook in which targets are flooded with spam emails and then contacted over Microsoft Teams by actors posing as internal IT staff, who persuade them to start a Windows Quick Assist remote session. The campaign has targeted employees in financial and healthcare organizations.
Sources
We Got Targeted: How Attackers Used Microsoft Teams to Own an Employee’s Machine, And How We Caught It | by SHENOBIE | Apr, 2026 | InfoSec Write-ups (infosecwriteups.com)
Hackers Impersonate IT Help Desk on Microsoft Teams to Gain Access, Steal Data (techrepublic.com)
Microsoft Teams, Quick Assist weaponized in helpdesk spoofing intrusions | brief | SC Media (scworld.com)
Attackers Abuse Microsoft Teams and Quick Assist in New Helpdesk Impersonation Attack Chain - Cyber Security News (cybersecuritynews.com)
Novel A0Backdoor spread in Teams phishing operation | brief | SC Media (scworld.com)
Hackers Pose as IT Staff in Microsoft Teams to Install Malware (techrepublic.com)
Hackers Attack Employees Over Microsoft Teams to Trick Them Into Granting Remote Access (cybersecuritynews.com)
Microsoft Teams phishing targets employees with backdoors (bleepingcomputer.com)


