Microsoft Teams Vishing Used to Gain Remote Access and Deploy Malware
Attackers used Microsoft Teams to impersonate IT or helpdesk staff and socially engineer employees into granting access or executing malicious actions, turning collaboration tooling and trusted support workflows into the initial access vector. One report describes a compromise at an Italy-based consumer services company where a Teams meeting invite and screen sharing session led the victim to run a staged PowerShell chain that deployed PhantomBackdoor, a multi-stage WebSocket-based backdoor associated with earlier spear-phishing activity. The observed sequence included post-call PowerShell execution, device reconnaissance, and establishment of WebSocket command-and-control.
A second report describes a similar vishing intrusion in which a threat actor posing as support staff called employees through Teams and, after multiple attempts, convinced one user to grant remote access through Quick Assist. The attacker then directed the victim to a spoofed credential-harvesting site, used a malicious MSI and sideloaded DLL to launch follow-on payloads, and established outbound C2. While the malware families and exact post-compromise chains differ, both accounts document the same operational pattern: Teams-based social engineering, abuse of legitimate remote assistance or user-guided execution, credential theft or payload staging, and transition to hands-on intrusion activity inside a corporate environment.
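As a hunting aid for the pattern summarized above (a remote-assistance session followed shortly by user-guided PowerShell or MSI execution), here is an added example that is not taken from the Cato CTRL or Microsoft reports. It correlates process-creation events per host; the event field names, host names, timestamps and the 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed process-creation events; field names are assumptions, not a specific EDR schema.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"host": "WS-014", "ts": "2026-01-15T10:02:11", "image": r"C:\Windows\System32\quickassist.exe"},
    {"host": "WS-014", "ts": "2026-01-15T10:09:40", "image": PS},
    {"host": "WS-014", "ts": "2026-01-15T10:15:03", "image": r"C:\Windows\System32\msiexec.exe"},
    {"host": "WS-027", "ts": "2026-01-15T09:00:00", "image": PS},  # no remote session on this host
    {"host": "WS-031", "ts": "2026-01-15T08:00:00", "image": r"C:\Windows\System32\quickassist.exe"},
    {"host": "WS-031", "ts": "2026-01-15T11:30:00", "image": r"C:\Windows\System32\msiexec.exe"},  # outside window
]

REMOTE_ASSIST = {"quickassist.exe"}                      # remote-assistance tool named in the reporting
FOLLOW_ON = {"powershell.exe", "pwsh.exe", "msiexec.exe"}  # execution paths named in the reporting
WINDOW = timedelta(minutes=30)                           # assumed hunting window; tune per environment


def image_name(path):
    """Return the lower-cased executable name from a Windows or POSIX-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate(events, window=WINDOW):
    """Flag follow-on processes started on a host within `window` of a Quick Assist launch there."""
    last_session = {}  # host -> time of the most recent remote-assistance launch
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        name = image_name(ev["image"])
        if name in REMOTE_ASSIST:
            last_session[ev["host"]] = ts
        elif name in FOLLOW_ON:
            started = last_session.get(ev["host"])
            if started is not None and ts - started <= window:
                alerts.append({
                    "host": ev["host"],
                    "process": name,
                    "delay_s": int((ts - started).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Quick Assist also has legitimate helpdesk use, so a hit is a lead to check against ticketing records and Teams call history rather than a verdict.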

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Cato CTRL publishes PhantomBackdoor Teams-vishing findings
Cato CTRL published research on a Teams-based vishing intrusion delivering PhantomBackdoor to an Italy-based organization. The report noted behavioral overlap with earlier SentinelOne reporting while emphasizing a different delivery method and broader concern around collaboration platforms as attack surfaces.
Microsoft publicly discloses November 2025 Teams vishing case
Microsoft publicly described the November 2025 intrusion as an example of identity-first attacks abusing trust, collaboration platforms, and legitimate Windows tools rather than software vulnerabilities. The disclosure highlighted the use of Teams and Quick Assist in the attack chain.
Microsoft DART contains and remediates the Quick Assist intrusion
Microsoft Detection and Response Team determined the compromise originated from the Teams vishing interaction, contained the incident, and found it to be short-lived and limited in scope. After remediation, Microsoft reported that no persistence mechanisms remained.
Italy-based company hit with Teams helpdesk vishing delivering PhantomBackdoor
An Italy-based consumer services company was compromised in a vishing-driven intrusion in which attackers used a Microsoft Teams helpdesk impersonation and screen-sharing interaction to get the victim to execute staged PowerShell payloads. The infection chain used fileless in-memory PowerShell, contacted maxsolutions243[.]com, and established WebSocket command-and-control for PhantomBackdoor.
Victim grants Quick Assist access, leading to corporate compromise
During the November 2025 campaign, a third employee was persuaded to grant remote access through Quick Assist and was then directed to a spoofed credential-harvesting site. The attacker used a disguised MSI package to sideload a malicious DLL, establish command-and-control, and deploy additional post-compromise capabilities.
Threat actor launches Teams vishing attempts against employees
In November 2025, a threat actor impersonating IT support over Microsoft Teams targeted employees in a corporate environment. Microsoft reported that two initial attempts against employees failed before the attacker reached a third user.
Italy-based engineering firm targeted with Teams vishing delivering PhantomBackdoor
Cato CTRL reported a social-engineering intrusion against an Italy-based engineering firm in which attackers used voice phishing and Microsoft Teams to deliver the PhantomBackdoor malware. The case highlighted Teams as a delivery vector in a vishing-led compromise.
Sources
Vishing and Microsoft Teams Used to Deliver PhantomBackdoor | Cato Networks (catonetworks.com)
Microsoft Teams Support Call Leads to Quick Assist Compromise in New Vishing Attack (cybersecuritynews.com)
Vishing and Microsoft Teams Used to Deliver PhantomBackdoor - Infosec.Pub (infosec.pub)


