A new phishing campaign targeting Microsoft Teams has been uncovered, where attackers impersonate IT support staff to deploy remote access tools and compromise corporate systems.
Microsoft Teams as a Growing Target
While email phishing remains the most common entry point for cyberattacks, threat actors are increasingly exploiting collaboration platforms that employees trust. Since its launch in 2017, Microsoft Teams has become a core tool for enterprise communication, making it an attractive vector for social engineering.
According to security researchers at Permiso, attackers are creating fake Teams accounts with names such as “IT SUPPORT”, “Help Desk”, or department-style aliases. Some even use checkmark emojis to appear verified, making the deception more convincing.
Because employees often assume that internal Teams messages are legitimate, these simple impersonation tactics have proven surprisingly effective.
Attack Methodology
The goal of these operations is to gain full control over a victim’s device. Once contact is established, the fake IT staff urge employees to install remote access software like QuickAssist or AnyDesk.
Once installed, attackers can take over the system, steal credentials, deploy additional malware, and maintain persistence for long-term access.
Earlier versions of this attack pattern, observed in mid-2024, were associated with BlackBasta ransomware. More recent incidents, however, have been tied to malware families such as DarkGate and the Matanbuchus loader.
In one notable case, a malicious PowerShell script was retrieved from a rogue domain. The script demonstrated capabilities for persistence, credential harvesting, and encrypted communication with attacker-controlled servers.
Attribution: EncryptHub
The campaigns have been linked to a financially motivated group known as EncryptHub (also tracked as LARVA-208 or Water Gamayun).
This actor has a history of combining social engineering with zero-day exploits and custom malware. Their past activity has targeted English-speaking IT administrators, developers, and professionals in the Web3 space.
Permiso researchers noted an operational weakness in these campaigns: the reuse of static cryptographic constants across malware samples. This flaw allows defenders to pivot across repositories and track the group’s evolving toolset.
Defenses and Recommendations
By abusing Microsoft Teams as a delivery channel, attackers bypass traditional email security controls and embed malicious activity within trusted collaboration workflows.
Security teams are urged to:
- Monitor Teams activity for suspicious or external communications.
- Educate employees to verify unusual IT support requests.
- Restrict or monitor the use of remote access tools within corporate environments.
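One way to operationalise the first and third recommendations, as an added example that is not part of the original article: flag Teams chat messages from senders outside the tenant whose display name mimics IT support (the "IT SUPPORT", "Help Desk" and checkmark-emoji patterns described above), then raise the severity when the recipient launches Quick Assist or AnyDesk within 30 minutes. The event records, field names and tenant domain are constructed for this example and are not real Microsoft 365 audit-log or EDR schemas.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified event records (assumption: not a real M365/EDR schema).
# Each has "kind" = "teams_msg" or "process", an ISO-8601 "ts", and the fields used below.
TENANT_DOMAINS = {"example.com"}          # the organisation's own verified domains
IMPERSONATION = re.compile(
    r"it\s*support|help\s*desk|service\s*desk|[\u2705\u2714\u2611]", re.I)
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}
WINDOW = timedelta(minutes=30)            # message-to-tool-launch correlation window

def is_external(sender: str) -> bool:
    """True when the sender's domain is not one of the tenant's own domains."""
    return sender.rsplit("@", 1)[-1].lower() not in TENANT_DOMAINS

def flag_teams_messages(events):
    """Teams messages from external senders whose display name mimics IT support."""
    return [e for e in events
            if e["kind"] == "teams_msg" and is_external(e["sender"])
            and IMPERSONATION.search(e["sender_display"])]

def correlate(events):
    """Pair each flagged message with a remote-access tool launch by the same
    recipient inside WINDOW. Returns (severity, message, process_or_None)."""
    procs = [e for e in events
             if e["kind"] == "process" and e["image"].lower() in REMOTE_TOOLS]
    findings = []
    for m in flag_teams_messages(events):
        t0 = datetime.fromisoformat(m["ts"])
        hit = next((p for p in procs if p["user"] == m["recipient"]
                    and t0 <= datetime.fromisoformat(p["ts"]) <= t0 + WINDOW), None)
        findings.append(("high" if hit else "medium", m, hit))
    return findings

# Constructed sample events: one impersonation followed by a Quick Assist launch,
# one impersonation with no follow-up, plus benign internal/external traffic.
SAMPLE = [
    {"kind": "teams_msg", "ts": "2025-01-10T09:00:00", "sender": "helpdesk@svc-desk.example",
     "sender_display": "IT SUPPORT \u2705", "recipient": "alice@example.com"},
    {"kind": "teams_msg", "ts": "2025-01-10T09:05:00", "sender": "bob@example.com",
     "sender_display": "Bob", "recipient": "alice@example.com"},
    {"kind": "process", "ts": "2025-01-10T09:12:00", "user": "alice@example.com",
     "image": "QuickAssist.exe"},
    {"kind": "teams_msg", "ts": "2025-01-10T10:00:00", "sender": "support@desk-team.example",
     "sender_display": "Help Desk", "recipient": "dave@example.com"},
    {"kind": "teams_msg", "ts": "2025-01-10T11:00:00", "sender": "dana@partner.example",
     "sender_display": "Dana (Partner)", "recipient": "dave@example.com"},
]

if __name__ == "__main__":
    for sev, msg, proc in correlate(SAMPLE):
        print(sev, msg["recipient"], msg["sender_display"], proc["image"] if proc else "-")
```

The display-name patterns are a starting point for hunting, not an allowlist: tune them to the aliases seen in your own tenant and pair the rule with a policy that restricts which remote-access tools may run at all.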
As collaboration platforms continue to grow, attackers will increasingly exploit them—making security awareness and proactive monitoring essential defenses.
Source: https://www.infosecurity-magazine.com/news/fake-support-attacks-hit-microsoft