Microsoft Teams Vishing Campaign Deploys Nimbus RAT via Quick Assist and Cloud Services
Attackers used email bombing and fake IT support messages over Microsoft Teams to trick employees into launching Windows Quick Assist, giving remote access that led to the deployment of Nimbus RAT. eSentire said the campaign targeted corporate organizations globally, with notable impact on the legal sector, and observed a full compromise path from Teams contact to RAT execution in under 20 minutes. In one documented intrusion, the victim received more than 280 legitimate subscription emails before being contacted by an actor-controlled Teams account, then was directed to download malware from a compromised Microsoft 365 tenant hosted on SharePoint.
Nimbus RAT is a Java-based backdoor bundled with OpenJDK to run on Windows systems and uses Google Drive and Google Sheets for command-and-control, helping malicious traffic blend into normal SaaS activity. Researchers said the malware supports command execution, file and registry manipulation, screenshot capture, in-memory payload execution, and credential theft, while a secondary tool, InboxSetupPro, uses OneDrive for exfiltration and steals communications data including Signal attachments and large offline email archives. eSentire reported 1,540 similar Teams-related events across 172 customer environments, with activity rising sharply from December 2025 through March 2026, prompting recommendations to restrict external Teams communications, disable Quick Assist where possible, monitor transfers to public cloud storage, and train users to spot email-flooding and fake helpdesk tactics.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Attackers compromise legal-sector victim with Teams vishing and Nimbus RAT
In April 2026, attackers targeted a legal-sector organization with email bombing, fake IT support contact over Microsoft Teams, and Quick Assist social engineering to deploy Nimbus RAT from a compromised Microsoft 365 tenant.
Researchers identify Teams-to-Quick Assist Nimbus RAT campaign
eSentire’s Threat Response Unit identified a coordinated cyber espionage campaign using email bombing, Microsoft Teams vishing, Quick Assist, and compromised Microsoft 365 infrastructure to deliver Nimbus RAT and the InboxSetupPro data theft tool.
Teams vishing activity observed across customer environments
eSentire telemetry recorded 1,540 similar Microsoft Teams-related events across 172 customer environments between December 2025 and March 2026, indicating a broader campaign abusing Teams and related cloud services.
JUMPSEC identifies Remcos RAT phishing campaign tied to BlackToad
JUMPSEC’s Detection and Response Team identified a phishing campaign using Thai-language payment-slip lures, WinRAR self-extracting archives, and temporary network disruption to deploy Remcos RAT. Investigators attributed the cluster to BlackToad and linked it behaviorally to the SilverTerrier ecosystem and the BoredFluff campaign.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Hackers Abusing Microsoft Teams and Google Drive to Deploy Remote Access Malware
cybersecuritynews.com
Open sourceMicrosoft Teams Vishing Attack Drops Nimbus RAT
securityonline.info
Open sourceRemcos RAT Phishing Campaign Uses Network Blackout
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Teams Vishing Used to Gain Remote Access and Deploy Malware
Attackers used **Microsoft Teams** to impersonate IT or helpdesk staff and socially engineer employees into granting access or executing malicious actions, turning collaboration tooling and trusted support workflows into the initial access vector. One report describes a compromise at an Italy-based consumer services company where a Teams meeting invite and screen sharing session led the victim to run a staged **PowerShell** chain that deployed **PhantomBackdoor**, a multi-stage **WebSocket-based** backdoor associated with earlier spear-phishing activity. The observed sequence included post-call PowerShell execution, device reconnaissance, and establishment of WebSocket command-and-control. A second report describes a similar **vishing** intrusion in which a threat actor posing as support staff called employees through Teams and, after multiple attempts, convinced one user to grant remote access through **Quick Assist**. The attacker then directed the victim to a spoofed credential-harvesting site, used a malicious **MSI** and sideloaded **DLL** to launch follow-on payloads, and established outbound C2. While the malware families and exact post-compromise chains differ, both accounts document the same operational pattern: **Teams-based social engineering**, abuse of legitimate remote assistance or user-guided execution, credential theft or payload staging, and transition to hands-on intrusion activity inside a corporate environment.
Mar 21, 2026
Microsoft Teams Social Engineering Abuses Quick Assist to Deploy A0Backdoor
A social-engineering campaign targeting employees at **financial and healthcare** organizations is abusing **Microsoft Teams** chats/calls to trick users into granting remote access via *Windows Quick Assist*, enabling deployment of a newly identified malware family dubbed **A0Backdoor**. The activity begins with **email bombing** (flooding inboxes with spam) followed by an attacker impersonating internal IT over Teams, offering help and then persuading the victim to start a Quick Assist session; the tradecraft overlaps with tactics previously attributed to **Blitz Brigantine / Storm-1811**, which Microsoft has linked to **Black Basta**-associated operations. Post-access, the actor deploys **digitally signed MSI installers** masquerading as Teams-related components and *CrossDeviceService* (associated with Windows *Phone Link*), sometimes delivered via **tokenized links** from Microsoft personal cloud storage to appear trustworthy and hinder collection. BlueVoyant reported the installers drop files into user `AppData` paths that mimic legitimate Microsoft locations and use **DLL sideloading** (e.g., a malicious `hostfxr.dll`) to execute an in-memory loader that decrypts shellcode, performs sandbox checks, and ultimately extracts and runs **A0Backdoor** (using **AES**-encrypted payloads and a **SHA-256**-derived key), with anti-analysis behavior including excessive thread creation intended to disrupt debugging.
Apr 30, 2026
Ransomware Campaigns Use Email Bombing and Microsoft Teams Vishing for Initial Access
Sophos MDR reported two ransomware campaigns that combined **email bombing** with **voice phishing over Microsoft Teams** to gain initial access to targeted organizations. In the observed intrusions, attackers overwhelmed users with large volumes of emails and then contacted them through Teams while impersonating IT or help desk staff, using the confusion to persuade victims to grant remote access or follow attacker-directed steps. The activity highlights how adversaries are blending social engineering with trusted enterprise collaboration tools to bypass technical defenses. The campaigns were tied to ransomware operations and show a repeatable intrusion pattern in which attackers exploit user fatigue, trust in internal support workflows, and the widespread use of Microsoft 365 services. The reported tradecraft underscores the need for organizations to harden Teams and remote-support processes, verify help desk interactions through separate channels, and train staff to treat unsolicited support calls during email floods as suspicious, especially when they involve requests for remote access, credential entry, or security tool changes.
May 29, 2026