Fake IT Support Attacks Hit Microsoft Teams

A new wave of phishing attacks abusing Microsoft Teams to deliver malware has been uncovered by security researchers.

The campaigns, observed by Permiso, use fake IT support accounts to trick employees into installing remote access software, giving attackers direct control over corporate systems.

Microsoft Teams Emerges as a High-Value Target

Phishing by email remains the most common method for gaining access, but attackers are increasingly turning to platforms used for daily collaboration. Since its 2017 release, Microsoft Teams has become deeply embedded in enterprise communication, making it an attractive target.

Permiso said recent campaigns show attackers creating Teams accounts that impersonate support staff with names like “IT SUPPORT,” “Help Desk” or department-based aliases. Some accounts even feature checkmark emojis to appear verified.

Despite their simplicity, these impersonation tactics are often successful, as employees frequently assume that communication on Teams is legitimate.


How the Attacks Unfold

The attackers’ objective in these attacks is to establish control of a victim’s machine. After initiating contact, they push employees to download remote access tools such as Quick Assist or AnyDesk.

Once installed, these programs allow the threat actor to take full control of the system, deploy malware for stealing credentials and establish persistence to maintain long-term access.

Earlier versions of this technique, seen in May 2024, were tied to Black Basta ransomware operations. However, newer incidents have been linked to different strains, including DarkGate and the Matanbuchus loader.

In one case, a PowerShell script downloaded from a malicious domain demonstrated capabilities for persistence, credential theft and encrypted communication with attacker-controlled servers.

The Group Behind the Campaigns

Permiso investigators have attributed the activity to a financially motivated actor known as EncryptHub (also known as LARVA-208 or Water Gamayun).

This group has previously combined social engineering with zero-day exploits and custom malware. Their past operations targeted English-speaking IT staff, developers and Web3 professionals.

“The reuse of static cryptographic constants across campaigns is a notable operational weakness, one that enables defenders to pivot in malware repositories and track this group’s tooling over time,” Permiso explained.

By leveraging Microsoft Teams, attackers are bypassing traditional email defenses and embedding their operations within trusted corporate workflows.

Security teams are urged to monitor for unusual Teams activity, especially external communications that could conceal social engineering attempts.
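As an added example (not code from Permiso or from the original article), the script below shows the kind of triage a security team could run over exported Teams chat events to surface the pattern described above: an external sender using a help-desk-style display name or a verification-style emoji, and steering the recipient toward a remote access tool. The events, field names and scoring weights are all assumptions made for this example; a real deployment would map them onto whatever schema the organisation's audit log export actually provides.

```python
import re
from dataclasses import dataclass, field

# Constructed, simplified chat events for this example. The field names are an
# assumption for illustration, not the schema of any real Teams audit export.
SAMPLE_EVENTS = [
    {
        "sender": "it.support@contoso-helpdesk.onmicrosoft.com",
        "display_name": "IT SUPPORT ✅",
        "recipient": "alice@example.com",
        "body": "We detected a problem on your laptop. Please open Quick Assist so I can fix it.",
    },
    {
        "sender": "bob@example.com",
        "display_name": "Bob Jones",
        "recipient": "alice@example.com",
        "body": "Lunch at 12?",
    },
    {
        "sender": "helpdesk@example.com",
        "display_name": "Help Desk",
        "recipient": "alice@example.com",
        "body": "Ticket 4411 has been closed.",
    },
    {
        "sender": "j.doe@partner.example.net",
        "display_name": "Finance Dept",
        "recipient": "alice@example.com",
        "body": "Install AnyDesk from this link so I can fix your VPN.",
    },
]

# Assumed: the organisation's own tenant domains; anything else is treated as external.
INTERNAL_DOMAINS = {"example.com"}

# Indicators drawn from the campaign description: support-style aliases,
# checkmark emojis posing as a verified badge, and remote access tool names.
SUPPORT_NAME_RE = re.compile(r"\b(it\s*support|help\s*desk|service\s*desk|support|admin)\b", re.I)
VERIFIED_MARKS = ("✅", "✔", "☑")
RAT_RE = re.compile(r"\b(quick\s*assist|anydesk|teamviewer|screenconnect)\b", re.I)

# Example weights (an assumption): an alert needs an external sender plus at
# least one further indicator, so an internal help desk is never flagged.
WEIGHTS = {"external": 1, "support_name": 2, "verified_mark": 1, "rat_mention": 2}
ALERT_THRESHOLD = 3


@dataclass
class Finding:
    sender: str
    recipient: str
    score: int
    reasons: list = field(default_factory=list)


def score_event(event, internal_domains=INTERNAL_DOMAINS):
    """Return (score, reasons) for one chat event."""
    reasons = []
    domain = event["sender"].rsplit("@", 1)[-1].lower()
    if domain not in internal_domains:
        reasons.append(f"external sender domain {domain}")
    if SUPPORT_NAME_RE.search(event["display_name"]):
        reasons.append("support-style display name")
    if any(mark in event["display_name"] for mark in VERIFIED_MARKS):
        reasons.append("verification-style emoji in display name")
    if RAT_RE.search(event["body"]):
        reasons.append("message steers recipient to a remote access tool")

    keys = ["external", "support_name", "verified_mark", "rat_mention"]
    score = sum(WEIGHTS[k] for k, r in zip(keys, _present(reasons)) if r)
    return score, reasons


def _present(reasons):
    """Map the fixed indicator order onto whether each reason fired."""
    return (
        any(r.startswith("external") for r in reasons),
        any(r.startswith("support-style") for r in reasons),
        any(r.startswith("verification-style") for r in reasons),
        any(r.startswith("message steers") for r in reasons),
    )


def triage(events, internal_domains=INTERNAL_DOMAINS, threshold=ALERT_THRESHOLD):
    """Return findings for events that are external and reach the alert threshold."""
    findings = []
    for event in events:
        score, reasons = score_event(event, internal_domains)
        external = any(r.startswith("external") for r in reasons)
        if external and score >= threshold:
            findings.append(Finding(event["sender"], event["recipient"], score, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[score {f.score}] {f.sender} -> {f.recipient}: {'; '.join(f.reasons)}")
```

The internal "Help Desk" account is deliberately not flagged: the article's point is that the risk sits in external communications that borrow the look of internal support, so the external check gates everything else.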

Image credit: DANIEL CONSTANTE / Shutterstock.com