Security Advisory:

A new wave of social engineering attacks is exploiting Microsoft Teams, one of the most trusted enterprise collaboration platforms as a malware delivery channel.

Threat actors are impersonating IT support staff to trick employees into installing remote access tools and running malicious PowerShell scripts, enabling full compromise of victim environments. 

This campaign represents an evolution beyond traditional phishing, weaponizing corporate communication channels that employees inherently trust. Once access is established, attackers deploy multifunctional malware loaders such as DarkGate and Matanbuchus, with capabilities for credential theft, persistence, lateral movement and ransomware deployment. 

Technical Summary 

Security researchers have observed financially motivated threat groups abusing Microsoft Teams chats and calls to impersonate IT administrators. Attackers create malicious or compromised Teams accounts often using convincing display names like “IT SUPPORT ” or “Help Desk Specialist” as looking like legitimate and verified account to initiate direct conversations with employees. The social engineering process typically follows this chain 

Attack Process                                                                             Source: permiso.io 

It included the malware features 

• Credential theft via GUI-based Windows prompts. 

• Persistence using Scheduled Tasks (e.g. Google LLC Updater) or Registry Run keys. 

• Encrypted C2 communications with hardcoded AES keys & IVs. 

• Process protection via RtlSetProcessIsCritical, making malware harder to remove. 

• Harvesting system info for reconnaissance and follow-on payloads. 

The campaigns have been linked to threat actor groups such as Water Gamayun (aka EncryptHub), known for blending social engineering, custom malware and ransomware operations. 

Element	Detail
Initial Access	Direct messages/calls via Microsoft Teams impersonating IT staff
Social Engineering	Fake IT accounts with display names like “IT SUPPORT ✅” and onmicrosoft.com domains
Malicious Tools	QuickAssist, AnyDesk, PowerShell-based loaders (DarkGate, Matanbuchus)
Persistence	Scheduled Tasks (Google LLC Updater), Registry autoruns
Payload Features	Credential theft, system profiling, encrypted C2, remote execution
Target	Enterprise employees, IT professionals, developers
Objective	Credential theft, long-term access, ransomware deployment

IOCs 

Organizations are urged to block the following indicators immediately: 

Indicator	Type
https://audiorealteak[.]com/payload/build.ps1	URL
https://cjhsbam[.]com/payload/runner.ps1	URL
104.21.40[.]219	IPv4
193.5.65[.]199	IPv4
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6	UA
&9*zS7LY%ZN1thfI	Initialization Vector
123456789012345678901234r0hollah	Encryption Key
62088a7b-ae9f-2333-77a-6e9c921cb48e	Mutex
Help Desk Specialist	User Display Name
IT SUPPORT	User Display Name
Marco DaSilva IT Support	User Display Name
IT SUPPORT	User Display Name
Help Desk	User Display Name
@cybersecurityadm.onmicrosoft.com	User Principal Name
@updateteamis.onmicrosoft.com	User Principal Name
@supportbotit.onmicrosoft.com	User Principal Name
@replysupport.onmicrosoft.com	User Principal Name
@administratoritdep.onmicrosoft.com	User Principal Name
@luxadmln.onmicrosoft.com	User Principal Name
@firewalloverview.onmicrosoft.com	User Principal Name

Remediation: 

1. Strengthen Microsoft Teams Security 

• Restrict external tenants and enforce strict access control on Teams. 

• Implement anomaly detection for suspicious Teams account activity. 

• Block installation of unauthorized remote access tools (QuickAssist, AnyDesk). 

2. Enhance Endpoint & Network Defenses 

• Monitor PowerShell execution with EDR/XDR solutions. 

• Detect persistence artifacts (scheduled tasks, autorun keys, rundll32 activity). 

• Block known IoCs at DNS/firewall levels. 

 3. Employee Awareness & MFA Security 

• Train employees to verify IT support requests through independent channels. 

• Warn staff against installing software via unsolicited Teams messages. 

• Enforce multi-factor authentication (MFA) for all accounts. 

Conclusion: 
By shifting malware delivery into Microsoft Teams, attackers are exploiting a platform that enterprises inherently trust. The blending of social engineering with technical abuse of PowerShell and remote access tools makes this campaign particularly dangerous, enabling attackers to infiltrate organizations without relying on traditional email phishing. 

Organizations must treat collaboration platforms as high-value attack surfaces not just communication tools. Strengthening monitoring, restricting external interactions and training employees to validate IT requests are critical to defending against this evolving threat.  

References: 

• https://permiso.io/blog/sliding-into-your-dms-abusing-microsoft-teams-for-malware-delivery?hs_preview=VYVYybGX-195188659586 

• https://cybersecuritynews.com/microsoft-teams-for-remote-access/