
Microsoft Teams Targeted by Fake IT Support Scams

Summary

– Security researchers have uncovered new phishing campaigns using Microsoft Teams to deliver malware by impersonating IT support staff.
– Attackers trick employees into installing remote access tools like QuickAssist or AnyDesk, granting them full control over corporate systems.
– These attacks have been linked to financially motivated threat actors known as EncryptHub, who previously targeted IT professionals and developers.
– Microsoft Teams has become an attractive target due to its deep integration in enterprise communication, allowing attackers to bypass traditional email defenses.
– Security teams are advised to monitor for unusual Teams activity, particularly external communications that may hide social engineering attempts.

A concerning new trend in cybercrime has emerged, with security experts identifying a surge in phishing attacks exploiting Microsoft Teams to distribute malware. These sophisticated campaigns, recently documented by cybersecurity analysts, involve fraudulent IT support accounts designed to deceive employees into installing unauthorized remote access tools. Once installed, these programs grant attackers complete control over corporate networks, posing a severe threat to organizational security.

Attackers are increasingly shifting their focus from traditional email-based phishing to collaboration platforms like Microsoft Teams, which has become integral to daily business operations since its introduction. The platform’s widespread adoption makes it a high-value target for social engineering. Malicious actors create accounts impersonating IT personnel using names such as “IT SUPPORT” or “Help Desk,” sometimes even adding checkmark emojis to mimic verified status. Employees, accustomed to trusting internal communications on Teams, often fall for these deceptive tactics without suspicion.

The attack sequence typically begins with an unsolicited message from what appears to be a legitimate support representative. The target is persuaded to download remote access applications like QuickAssist or AnyDesk under the guise of resolving a technical issue. Once launched, these tools provide threat actors with unfettered access to the system, enabling them to deploy information-stealing malware, capture login credentials, and establish long-term persistence within the network.

Earlier this year, similar methods were associated with BlackBasta ransomware operations. More recent incidents, however, have been connected to additional malware families including DarkGate and the Matanbuchus loader. In one documented case, a malicious PowerShell script demonstrated advanced capabilities for maintaining access, harvesting sensitive data, and communicating covertly with command-and-control servers.

Researchers attribute these campaigns to a financially motivated threat group identified as EncryptHub, also known by aliases including LARVA-208 and Water Gamayun. This actor has a history of blending social engineering with zero-day vulnerabilities and custom malware, often focusing on IT professionals, software developers, and individuals in the Web3 space. A consistent pattern in their operations, the reuse of static cryptographic constants, provides defenders with a valuable fingerprint for tracking their tools across multiple incidents.

By operating within Microsoft Teams, attackers effectively bypass conventional email security filters and embed their malicious activities into trusted organizational communication channels. Security teams are advised to remain vigilant for unusual Teams behavior, particularly external messages that may serve as a gateway for social engineering. Proactive monitoring and user education are critical in defending against these increasingly prevalent and dangerous threats.
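The monitoring advice above (external Teams messages from accounts posing as the help desk, followed by a remote access tool appearing on the recipient's machine) can be turned into a simple correlation rule. The following is an added example, not code from the article or from any vendor: it scores a Teams chat event as suspicious when the sender is outside the organisation's tenant and the display name mimics IT support (the "IT SUPPORT" / "Help Desk" names and check-mark emoji described earlier), then pairs it with a later QuickAssist or AnyDesk launch for the same user within a time window. The record layouts, field names, tenant name and every sample event are constructed for this example; a real deployment would map them onto the fields of the Microsoft 365 audit log and the EDR's process-creation events.

```python
"""Added example (not from the article): flag external Teams messages whose
sender name imitates IT support, and correlate them with a later remote
access tool launch for the same user. All record shapes, names and sample
data are constructed for illustration."""
import re
from datetime import datetime, timedelta

# Display-name patterns seen in the impersonation accounts described in the
# article, plus check-mark characters used to fake a "verified" badge.
IMPERSONATION_RE = re.compile(r"\b(it\s*support|help\s*desk|service\s*desk)\b", re.IGNORECASE)
FAKE_VERIFIED_RE = re.compile("[\u2713\u2714\u2705\u2611]")  # ✓ ✔ ✅ ☑

# Remote access tools named in the article (lower-cased image names).
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}

HOME_TENANT = "contoso.example"      # constructed: the organisation's own tenant
CORRELATION_WINDOW = timedelta(hours=2)


def suspicious_sender(event):
    """True when the message comes from another tenant and the sender's
    display name looks like a help-desk impersonation."""
    if event["sender_tenant"].lower() == HOME_TENANT:
        return False                 # internal help desk: not in scope here
    name = event["sender_display_name"]
    return bool(IMPERSONATION_RE.search(name) or FAKE_VERIFIED_RE.search(name))


def correlate(teams_events, process_events):
    """Return (message, process) pairs where a flagged external message to a
    user is followed, within CORRELATION_WINDOW, by a remote access tool
    launched under that user's account."""
    hits = []
    for msg in (e for e in teams_events if suspicious_sender(e)):
        for proc in process_events:
            if proc["user"].lower() != msg["recipient"].lower():
                continue
            if proc["image"].lower() not in REMOTE_TOOLS:
                continue
            delta = proc["time"] - msg["time"]
            if timedelta(0) <= delta <= CORRELATION_WINDOW:
                hits.append((msg, proc))
    return hits


# Constructed sample data: one impersonation chat, one legitimate internal
# help-desk chat, one ordinary external chat, and three process launches.
T0 = datetime(2025, 1, 15, 9, 0)
SAMPLE_TEAMS_EVENTS = [
    {"time": T0, "sender_display_name": "IT SUPPORT \u2705",
     "sender_tenant": "attacker-tenant.example", "recipient": "jdoe",
     "body": "We need to fix your Outlook, please accept the Quick Assist request."},
    {"time": T0 + timedelta(minutes=5), "sender_display_name": "Help Desk",
     "sender_tenant": HOME_TENANT, "recipient": "asmith",
     "body": "Ticket 4411 resolved."},
    {"time": T0 + timedelta(minutes=10), "sender_display_name": "Alice Vendor",
     "sender_tenant": "partner.example", "recipient": "bjones",
     "body": "Invoice attached."},
]
SAMPLE_PROCESS_EVENTS = [
    {"time": T0 + timedelta(minutes=40), "user": "jdoe", "host": "WS-0142", "image": "QuickAssist.exe"},
    {"time": T0 + timedelta(minutes=20), "user": "asmith", "host": "WS-0077", "image": "AnyDesk.exe"},
    {"time": T0 + timedelta(hours=5), "user": "bjones", "host": "WS-0099", "image": "notepad.exe"},
]


def detect(teams_events=SAMPLE_TEAMS_EVENTS, process_events=SAMPLE_PROCESS_EVENTS):
    """Run the correlation over the sample (or supplied) events."""
    return correlate(teams_events, process_events)


if __name__ == "__main__":
    for msg, proc in detect():
        print(f"ALERT: {msg['recipient']} messaged by external "
              f"'{msg['sender_display_name']}' at {msg['time']:%H:%M}; "
              f"{proc['image']} started on {proc['host']} at {proc['time']:%H:%M}")
```

On the sample data only the first chat produces an alert: the internal "Help Desk" message is excluded by the tenant check even though an AnyDesk launch follows it, and the external vendor message has no impersonating name. The tenant check, not the display name alone, is what keeps the rule from paging on the real help desk; organisations that allow external Teams federation should also consider restricting it to known partner domains, which shrinks the set of senders this rule has to examine.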

(Source: InfoSecurity)
