Microsoft Teams Vishing Used to Gain Remote Access and Deploy Malware
Attackers used Microsoft Teams to impersonate IT or helpdesk staff and socially engineer employees into granting access or executing malicious actions, turning collaboration tooling and trusted support workflows into the initial access vector. One report describes a compromise at an Italy-based consumer services company where a Teams meeting invite and screen sharing session led the victim to run a staged PowerShell chain that deployed PhantomBackdoor, a multi-stage WebSocket-based backdoor associated with earlier spear-phishing activity. The observed sequence included post-call PowerShell execution, device reconnaissance, and establishment of WebSocket command-and-control.
A second report describes a similar vishing intrusion in which a threat actor posing as support staff called employees through Teams and, after multiple attempts, convinced one user to grant remote access through Quick Assist. The attacker then directed the victim to a spoofed credential-harvesting site, used a malicious MSI and sideloaded DLL to launch follow-on payloads, and established outbound C2. While the malware families and exact post-compromise chains differ, both accounts document the same operational pattern: Teams-based social engineering, abuse of legitimate remote assistance or user-guided execution, credential theft or payload staging, and transition to hands-on intrusion activity inside a corporate environment.
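The common pattern in both reports (a Quick Assist or screen-sharing session followed by user-guided PowerShell or MSI execution) is something a defender can correlate in process telemetry. The Python below is an added example, not code from Cato CTRL, Microsoft or any other report cited here; it runs over constructed Sysmon-style process-creation events, and the `quickassist.exe` image name, the 60-minute window and the command-line indicators are assumptions.

```python
# Added example: correlate a Quick Assist session with suspicious follow-on process
# starts on the same host. Event shape mimics Sysmon Event ID 1; all data is constructed.
from datetime import datetime, timedelta

QUICK_ASSIST = {"quickassist.exe"}     # assumed Quick Assist image name
WINDOW = timedelta(minutes=60)         # how long a session counts as "live" (assumption)
PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
            "bypass", "iex", "invoke-expression", "downloadstring")

def _name(e):
    return e["image"].lower().rsplit("\\", 1)[-1]   # lower-case image basename

def is_suspicious(e):
    """Return a reason if the process looks like user-guided payload staging."""
    name, cmd = _name(e), e["cmd"].lower()
    if name in ("powershell.exe", "pwsh.exe") and any(f in cmd for f in PS_FLAGS):
        return "powershell with hidden/encoded/bypass flags"
    if name == "msiexec.exe" and "\\users\\" in cmd:
        return "msiexec installing a package from a user-writable path"
    return None

def correlate(events, window=WINDOW):
    """Alert on suspicious processes within `window` of a Quick Assist start on the same host."""
    sessions, alerts = {}, []           # host -> time Quick Assist last started
    for e in sorted(events, key=lambda x: x["ts"]):
        when = datetime.fromisoformat(e["ts"])
        if _name(e) in QUICK_ASSIST:
            sessions[e["host"]] = when
            continue
        started, reason = sessions.get(e["host"]), is_suspicious(e)
        if started and reason and when - started <= window:
            alerts.append({"host": e["host"], "user": e["user"], "image": _name(e),
                           "quick_assist_at": started.isoformat(), "reason": reason})
    return alerts

def ev(ts, host, user, image, cmd):
    return {"ts": ts, "host": host, "user": user, "image": image, "cmd": cmd}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [  # constructed: one Quick Assist-led staging chain plus two events the rule must ignore
    ev("2025-11-01T10:02:11", "WS-17", "acme\\jdoe", r"C:\Windows\System32\quickassist.exe", "quickassist.exe"),
    ev("2025-11-01T10:09:40", "WS-17", "acme\\jdoe", PS, "powershell.exe -nop -w hidden -ep bypass -enc <constructed>"),
    ev("2025-11-01T10:15:03", "WS-17", "acme\\jdoe", r"C:\Windows\System32\msiexec.exe",
       r"msiexec.exe /i C:\Users\jdoe\Downloads\TeamsUpdate.msi /qn"),
    ev("2025-11-01T10:20:00", "WS-22", "acme\\asmith", r"C:\Windows\System32\msiexec.exe",
       r"msiexec.exe /i C:\Users\asmith\Downloads\vendor.msi /qn"),        # no Quick Assist on WS-22
    ev("2025-11-01T14:30:00", "WS-17", "acme\\jdoe", PS, "powershell.exe -w hidden -c Get-Date"),  # outside window
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE): print(alert)
```

Only the two WS-17 events inside the window alert; the same command lines without a preceding Quick Assist start, or hours later, do not, which keeps the rule tied to the assisted-session pattern rather than to PowerShell use in general.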
Timeline
Mar 18, 2026
Cato CTRL publishes PhantomBackdoor Teams-vishing findings
Cato CTRL published research on a Teams-based vishing intrusion delivering PhantomBackdoor to an Italy-based organization. The report noted behavioral overlap with earlier SentinelOne reporting while emphasizing a different delivery method and broader concern around collaboration platforms as attack surfaces.
Mar 18, 2026
Microsoft publicly discloses November 2025 Teams vishing case
Microsoft publicly described the November 2025 intrusion as an example of identity-first attacks abusing trust, collaboration platforms, and legitimate Windows tools rather than software vulnerabilities. The disclosure highlighted the use of Teams and Quick Assist in the attack chain.
Mar 18, 2026
Microsoft DART contains and remediates the Quick Assist intrusion
Microsoft's Detection and Response Team (DART) determined that the compromise originated from the Teams vishing interaction, contained the incident, and found it to be short-lived and limited in scope. After remediation, Microsoft reported that no persistence mechanisms remained.
Mar 18, 2026
Italy-based company hit with Teams helpdesk vishing delivering PhantomBackdoor
An Italy-based consumer services company was compromised in a vishing-driven intrusion in which attackers used a Microsoft Teams helpdesk impersonation and screen-sharing interaction to get the victim to execute staged PowerShell payloads. The infection chain used fileless in-memory PowerShell, contacted maxsolutions243[.]com, and established WebSocket command-and-control for PhantomBackdoor.
Nov 1, 2025
Victim grants Quick Assist access, leading to corporate compromise
During the November 2025 campaign, a third employee was persuaded to grant remote access through Quick Assist and was then directed to a spoofed credential-harvesting site. The attacker used a disguised MSI package to sideload a malicious DLL, establish command-and-control, and deploy additional post-compromise capabilities.
Nov 1, 2025
Threat actor launches Teams vishing attempts against employees
In November 2025, a threat actor impersonating IT support over Microsoft Teams targeted employees in a corporate environment. Microsoft reported that two initial attempts against employees failed before the attacker reached a third user.
May 8, 2023
Italy-based engineering firm targeted with Teams vishing delivering PhantomBackdoor
Cato CTRL reported a social-engineering intrusion against an Italy-based engineering firm in which attackers used voice phishing and Microsoft Teams to deliver the PhantomBackdoor malware. The case highlighted Teams as a delivery vector in a vishing-led compromise.
Related Stories

Microsoft Teams Social Engineering Abuses Quick Assist to Deploy A0Backdoor
A social-engineering campaign targeting employees at **financial and healthcare** organizations is abusing **Microsoft Teams** chats/calls to trick users into granting remote access via *Windows Quick Assist*, enabling deployment of a newly identified malware family dubbed **A0Backdoor**. The activity begins with **email bombing** (flooding inboxes with spam) followed by an attacker impersonating internal IT over Teams, offering help and then persuading the victim to start a Quick Assist session; the tradecraft overlaps with tactics previously attributed to **Blitz Brigantine / Storm-1811**, which Microsoft has linked to **Black Basta**-associated operations. Post-access, the actor deploys **digitally signed MSI installers** masquerading as Teams-related components and *CrossDeviceService* (associated with Windows *Phone Link*), sometimes delivered via **tokenized links** from Microsoft personal cloud storage to appear trustworthy and hinder collection. BlueVoyant reported the installers drop files into user `AppData` paths that mimic legitimate Microsoft locations and use **DLL sideloading** (e.g., a malicious `hostfxr.dll`) to execute an in-memory loader that decrypts shellcode, performs sandbox checks, and ultimately extracts and runs **A0Backdoor** (using **AES**-encrypted payloads and a **SHA-256**-derived key), with anti-analysis behavior including excessive thread creation intended to disrupt debugging.
3 days ago
A0Backdoor Campaign Abuses Microsoft Teams and Quick Assist for Initial Access
**BlueVoyant researchers identified a social-engineering campaign** in which operators linked to **Blitz Brigantine / Storm-1811 / STAC5777**, a cluster associated with the **Black Basta** ecosystem, impersonate IT support over **Microsoft Teams** after overwhelming targets with spam email. Victims are persuaded to launch **Quick Assist**, giving the attackers remote access that is then used to deploy **A0Backdoor** through digitally signed MSI packages masquerading as legitimate Microsoft software such as *Microsoft Teams* and *CrossDeviceService*. The activity has targeted organizations in sectors including **finance** and **healthcare**, and the use of multiple code-signing certificates suggests the operators prepared the toolchain well before the observed intrusions. Once installed, **A0Backdoor** fingerprints the host and communicates with operators using **DNS tunneling** over public resolvers, helping the malware blend into normal traffic while maintaining persistence and command-and-control.
1 month ago
Phishing Campaigns Delivering Malware via Disguised, Signed Installers and Malicious Attachments
Security researchers reported active phishing activity targeting enterprise users by impersonating routine workplace workflows (e.g., meeting invites, invoices, and document notifications) to trick recipients into running malware. One campaign used executables masquerading as *Microsoft Teams*, *Zoom*, and *Adobe Acrobat Reader* installers (e.g., `msteams.exe`, `zoomworkspace.clientsetup.exe`, `adobereader.exe`, `invite.exe`) that appeared trustworthy because they were **digitally signed** with an Extended Validation (EV) certificate issued to **TrustConnect Software PTY LTD**. Microsoft Defender telemetry attributed the activity to an unknown threat actor and assessed the approach as a deliberate, multi-wave effort designed to bypass user suspicion and basic security controls. After execution, the signed malware deployed **remote monitoring and management (RMM)** tooling—reported examples include **ScreenConnect**, **Tactical RMM**, and **Mesh Agent**—to establish persistent remote access and enable follow-on actions across affected environments. Separately, reporting also highlighted phishing lures distributing **malicious ISO attachments** embedded in job application/resumé-themed emails, reinforcing that attackers continue to rely on socially engineered business processes (recruiting and HR workflows in particular) to deliver initial payloads and gain a foothold.
1 month ago