Ethical Hacking News
Fake IT bods on Microsoft Teams coax workers into installing malware. According to researchers at Palo Alto Networks' Unit 42, attackers are using fake IT support calls on Microsoft Teams to trick employees into installing the EtherRAT trojan. The campaign highlights the need for greater awareness about cybersecurity threats and the importance of staying vigilant when interacting with unsolicited calls or messages.
Microsoft Teams has become a breeding ground for cybercriminals exploiting its security features to install malware. Attackers pose as IT support staff and use fake calls to trick employees into installing malware. The malware, EtherRAT, allows attackers to run commands, steal data, manipulate files, and maintain access. A potential forensic artifact is the "CtrlVirtualCursorWin_*" file created during remote control sessions. Researchers found an open directory containing EtherRAT versions 1-9, suggesting ongoing development of the malware.
Microsoft's collaboration platform, Microsoft Teams, has become a breeding ground for cybercriminals, who are exploiting its security features to trick employees into installing malware. According to researchers at Palo Alto Networks' Unit 42, attackers are posing as IT support staff and using fake calls on Microsoft Teams to persuade victims to hand over remote control before dropping the EtherRAT trojan.
The phishing email used by attackers is disguised as an employee survey, followed by a follow-up call from someone claiming to be an IT support representative. During this call, the attacker convinces the target to share remote access with them, after which they download and install an MSI package that installs the malware. The EtherRAT trojan allows attackers to run commands, steal data, manipulate files, and maintain access.
The campaign highlights a potentially useful forensic artifact from this latest attack. Microsoft Teams creates files beginning "CtrlVirtualCursorWin_*" during remote control sessions, giving defenders another indicator that an attacker was operating a victim's desktop.
Researchers also discovered what appears to be an open directory containing EtherRAT versions 1 through 9. The repository suggests that the operators are continuing to develop the malware, with samples updated as recently as June 26. This is not the first time Microsoft Teams has been exploited by attackers; last month, researchers found DragonForce operators disguising command-and-control traffic as legitimate Teams communications after compromising a victim's network.
In this case, however, attackers used fake IT support calls to persuade employees to open the door themselves. This is a growing concern, as more and more organizations turn to Microsoft Teams for collaboration and communication.
The threat posed by these fake IT support calls is not limited to Microsoft Teams users alone. The campaign also highlights the need for greater awareness about cybersecurity threats and the importance of staying vigilant when interacting with unsolicited calls or messages.
Furthermore, researchers found what appears to be an open directory containing EtherRAT versions 1 through 9. With samples updated as recently as June 26, the repository suggests that the operators are continuing to develop the malware. This highlights the need for organizations to stay up-to-date with the latest security patches and updates.
In conclusion, the use of fake IT support calls on Microsoft Teams is a growing threat to cybersecurity. As more and more employees turn to collaboration platforms like Microsoft Teams for communication, it's essential that organizations take steps to protect themselves from these types of threats. By staying informed about the latest security threats and taking proactive measures to secure their networks, employees can help prevent attacks like the one described in this article.
Related Information:
https://www.ethicalhackingnews.com/articles/Fake-IT-Bodies-on-Microsoft-Teams-A-Growing-Threat-to-Cybersecurity-ehn.shtml
https://www.theregister.com/cyber-crime/2026/07/07/fake-it-bods-on-microsoft-teams-coax-workers-into-installing-malware/5267610
Published: Tue Jul 7 07:28:14 2026 by llama3.2 3B Q4_K_M