Nora
Blake

Microsoft Teams EtherRAT Phishing Uses Fake IT Support Calls to Deliver Malware

Nora Blake

Jul 8, 2026

6 min read

Microsoft Teams EtherRAT Phishing Uses Fake IT Support Calls to Deliver Malware

TL; DR

  • Attackers are impersonating IT support through Microsoft Teams voice calls to socially engineer employees.
  • Victims are persuaded to install legitimate remote access tools such as AnyDesk and HopToDesk.
  • A malicious MSI installer deploys EtherRAT, a Node.js-based remote access trojan.
  • The campaign relies on social engineering rather than exploiting a Microsoft Teams vulnerability.
  • Organizations should verify IT support requests, govern remote access tools, and maintain endpoint visibility to detect suspicious activity.

Microsoft Teams is becoming a new channel for social engineering

Attackers continue to adapt their tactics as organizations rely more heavily on collaboration platforms. A recently disclosed Microsoft Teams EtherRAT Phishing campaign demonstrates how Microsoft Teams can be abused as a trusted communication channel to impersonate corporate IT support and persuade employees to install remote access software before deploying EtherRAT malware.

Rather than exploiting a flaw in Microsoft Teams, the attackers reportedly rely on phishing, voice-based social engineering, and legitimate administration tools to gain hands-on access to enterprise endpoints. The campaign illustrates how trusted business workflows can become an effective initial access vector when combined with convincing impersonation.

For security teams, the incident reinforces an important lesson: protecting collaboration platforms requires more than email filtering. Organizations also need clear support verification procedures, application controls, endpoint visibility, and identity-based access policies.

Explore Hexnode XDR

How the Microsoft Teams EtherRAT attack works

Public reporting indicates that the campaign follows a carefully orchestrated sequence designed to build trust before malware is delivered.

1. A phishing email initiates the attack

The campaign begins with a phishing email using an Employee Survey lure that contains a malicious PDF attachment.

2. The victim receives a fake IT support call

After the document is opened, the employee reportedly receives a Microsoft Teams voice call from an external Microsoft 365 tenant. The caller impersonates a System Administrator or internal IT support representative.

3. Remote control is established

During the call, the attacker persuades the employee to:

  • Share their screen through Microsoft Teams
  • Grant remote control
  • Install legitimate remote administration software such as:
  • AnyDesk
  • HopToDesk

Because these applications are commonly used for legitimate remote support, employees may perceive the request as routine.

4. EtherRAT is deployed

Once remote access has been established, the attacker downloads and executes a malicious MSI installer hosted on camorreado[.]click.

The installer:

  • Downloads a legitimate Node.js runtime
  • Decrypts embedded payloads
  • Executes EtherRAT on the compromised endpoint

At the time of writing, the threat actor has not been publicly identified, and no victim organizations have been publicly disclosed.

What is EtherRAT?

EtherRAT is a Node.js-based remote access trojan (RAT) designed to provide persistent remote control of compromised systems.

According to public reporting, its capabilities include:

  • Remote command execution
  • File management
  • Persistence
  • Data theft functionality
  • Retrieval of active command-and-control (C2) infrastructure through Ethereum smart contracts

Using Ethereum smart contracts to locate command-and-control infrastructure may make the malware more resilient by allowing operators to update infrastructure without relying solely on hardcoded domains.

Although EtherRAT includes data theft capabilities, there has been no public confirmation that credentials were stolen or that data was exfiltrated in this campaign.

Why attackers are abusing Microsoft Teams

The campaign highlights a broader shift in attacker behavior. Rather than targeting software vulnerabilities, attackers increasingly exploit trusted communication channels and familiar business processes.

Several factors make Microsoft Teams an attractive platform for social engineering:

  • Employees often expect legitimate IT support interactions through collaboration tools.
  • Voice conversations can appear more credible than phishing emails alone.
  • Live interaction enables attackers to answer questions and build trust in real time.
  • Legitimate remote administration software helps disguise malicious activity as routine technical support.

The campaign does not indicate a vulnerability in Microsoft Teams itself. Instead, it demonstrates how attackers can abuse legitimate platform features and user trust to gain access to enterprise endpoints.

Enterprise security lessons from this campaign

Organizations should view this incident as an opportunity to strengthen both technical controls and employee awareness.

Verify unsolicited IT support requests

Employees should be encouraged to independently verify unexpected support calls before granting screen sharing, remote control, or software installation permissions.

Control remote administration software

Remote access applications should be limited to approved tools and authorized workflows. Managing approved applications and identifying unauthorized remote administration tools can reduce opportunities for attackers to abuse legitimate software.

Monitor endpoint activity after remote sessions

Unexpected software installation, unusual process execution, or persistence mechanisms following a remote support session should be investigated promptly.

Review Microsoft Teams external communication policies

Organizations should review external Teams communication settings and ensure employees understand how to identify external callers impersonating internal support personnel.

How Hexnode can help reduce the risk

While no platform can eliminate social engineering, layered endpoint and identity controls can help reduce the impact of attacks like this one.

Strengthen endpoint governance with Hexnode UEM

Hexnode UEM can help organizations:

  • Manage approved applications across enterprise devices
  • Apply blocklist and allowlist policies where supported
  • Identify unauthorized applications on Windows devices through Application Compliance
  • Maintain visibility into applications installed on managed endpoints
  • Enforce device compliance policies

These capabilities can help organizations govern approved applications and identify unauthorized remote administration tools on managed endpoints.

Making XDR Accessible for Every Team
Featured resource

Making XDR Accessible for Every Team

Discover how accessible XDR helps IT teams reduce alert fatigue and accelerate threat detection and response.

Download the whitepaper

Investigate suspicious endpoint activity with Hexnode XDR

Following a suspected compromise, Hexnode XDR can help security teams:

  • Detect suspicious endpoint activity
  • Review historical endpoint events
  • Respond through actions such as device isolation, process termination, or file quarantine

These capabilities support endpoint-focused investigation and response after suspicious activity has been identified.

Reinforce access policies with Hexnode IdP

Hexnode IdP can complement endpoint security by supporting:

  • Multi-factor authentication (MFA)
  • Role-based access control (RBAC)
  • Microsoft Entra ID integration
  • Device compliance validation
  • Basic conditional access based on device compliance

Requiring compliant managed devices before users access business applications can provide an additional layer of protection following suspected social engineering incidents.

FAQs

No. Based on publicly available reporting, the campaign abuses Microsoft Teams as a trusted communication channel through social engineering. There is no indication that attackers exploited a vulnerability in Microsoft Teams itself.

Public reports describe data theft capabilities but do not confirm that attackers stole credentials during this campaign.

Conclusion

The Microsoft Teams EtherRAT phishing campaign demonstrates how attackers increasingly rely on trusted collaboration platforms and human interaction rather than software vulnerabilities to compromise enterprise environments.

By combining phishing emails, fake IT support calls, legitimate remote administration tools, and remote access malware, the campaign blurs the line between routine technical support and malicious activity.

Reducing the risk requires a layered approach that combines user awareness, application management, endpoint investigation, and identity-based access controls. As collaboration platforms continue to play a central role in enterprise operations, organizations should ensure that their security strategy extends beyond email to every trusted communication channel employees use.

Share

Nora Blake

I write at the intersection of technology, process, and people, focusing on explaining complex products with clarity. I break down tools, systems, and workflows without any noise, jargon, or the hype.