Microsoft Teams is becoming a new channel for social engineering
Attackers continue to adapt their tactics as organizations rely more heavily on collaboration platforms. A recently disclosed Microsoft Teams EtherRAT Phishing campaign demonstrates how Microsoft Teams can be abused as a trusted communication channel to impersonate corporate IT support and persuade employees to install remote access software before deploying EtherRAT malware.
Rather than exploiting a flaw in Microsoft Teams, the attackers reportedly rely on phishing, voice-based social engineering, and legitimate administration tools to gain hands-on access to enterprise endpoints. The campaign illustrates how trusted business workflows can become an effective initial access vector when combined with convincing impersonation.
For security teams, the incident reinforces an important lesson: protecting collaboration platforms requires more than email filtering. Organizations also need clear support verification procedures, application controls, endpoint visibility, and identity-based access policies.
Public reporting indicates that the campaign follows a carefully orchestrated sequence designed to build trust before malware is delivered.
1. A phishing email initiates the attack
The campaign begins with a phishing email using an Employee Survey lure that contains a malicious PDF attachment.
2. The victim receives a fake IT support call
After the document is opened, the employee reportedly receives a Microsoft Teams voice call from an external Microsoft 365 tenant. The caller impersonates a System Administrator or internal IT support representative.
3. Remote control is established
During the call, the attacker persuades the employee to:
Share their screen through Microsoft Teams
Grant remote control
Install legitimate remote administration software such as:
AnyDesk
HopToDesk
Because these applications are commonly used for legitimate remote support, employees may perceive the request as routine.
4. EtherRAT is deployed
Once remote access has been established, the attacker downloads and executes a malicious MSI installer hosted on camorreado[.]click.
The installer:
Downloads a legitimate Node.js runtime
Decrypts embedded payloads
Executes EtherRAT on the compromised endpoint
At the time of writing, the threat actor has not been publicly identified, and no victim organizations have been publicly disclosed.
The Ultimate Guide to XDR (Extended Detection and Response)
Learn how XDR unifies threat detection, investigation, and response to strengthen enterprise security.
What is EtherRAT?
EtherRAT is a Node.js-based remote access trojan (RAT) designed to provide persistent remote control of compromised systems.
According to public reporting, its capabilities include:
Using Ethereum smart contracts to locate command-and-control infrastructure may make the malware more resilient by allowing operators to update infrastructure without relying solely on hardcoded domains.
Although EtherRAT includes data theft capabilities, there has been no public confirmation that credentials were stolen or that data was exfiltrated in this campaign.
Why attackers are abusing Microsoft Teams
The campaign highlights a broader shift in attacker behavior. Rather than targeting software vulnerabilities, attackers increasingly exploit trusted communication channels and familiar business processes.
Several factors make Microsoft Teams an attractive platform for social engineering:
Employees often expect legitimate IT support interactions through collaboration tools.
Voice conversations can appear more credible than phishing emails alone.
Live interaction enables attackers to answer questions and build trust in real time.
The campaign does not indicate a vulnerability in Microsoft Teams itself. Instead, it demonstrates how attackers can abuse legitimate platform features and user trust to gain access to enterprise endpoints.
Enterprise security lessons from this campaign
Organizations should view this incident as an opportunity to strengthen both technical controls and employee awareness.
Verify unsolicited IT support requests
Employees should be encouraged to independently verify unexpected support calls before granting screen sharing, remote control, or software installation permissions.
Control remote administration software
Remote access applications should be limited to approved tools and authorized workflows. Managing approved applications and identifying unauthorized remote administration tools can reduce opportunities for attackers to abuse legitimate software.
Monitor endpoint activity after remote sessions
Unexpected software installation, unusual process execution, or persistence mechanisms following a remote support session should be investigated promptly.
Review Microsoft Teams external communication policies
Organizations should review external Teams communication settings and ensure employees understand how to identify external callers impersonating internal support personnel.
How Hexnode can help reduce the risk
While no platform can eliminate social engineering, layered endpoint and identity controls can help reduce the impact of attacks like this one.
Investigate suspicious endpoint activity with Hexnode XDR
Following a suspected compromise, Hexnode XDR can help security teams:
Detect suspicious endpoint activity
Review historical endpoint events
Respond through actions such as device isolation, process termination, or file quarantine
These capabilities support endpoint-focused investigation and response after suspicious activity has been identified.
Reinforce access policies with Hexnode IdP
Hexnode IdP can complement endpoint security by supporting:
Multi-factor authentication (MFA)
Role-based access control (RBAC)
Microsoft Entra ID integration
Device compliance validation
Basic conditional access based on device compliance
Requiring compliant managed devices before users access business applications can provide an additional layer of protection following suspected social engineering incidents.
FAQs
Is Microsoft Teams vulnerable in this campaign?
No. Based on publicly available reporting, the campaign abuses Microsoft Teams as a trusted communication channel through social engineering. There is no indication that attackers exploited a vulnerability in Microsoft Teams itself.
Does EtherRAT steal credentials?
Public reports describe data theft capabilities but do not confirm that attackers stole credentials during this campaign.
Conclusion
The Microsoft Teams EtherRAT phishing campaign demonstrates how attackers increasingly rely on trusted collaboration platforms and human interaction rather than software vulnerabilities to compromise enterprise environments.
Reducing the risk requires a layered approach that combines user awareness, application management, endpoint investigation, and identity-based access controls. As collaboration platforms continue to play a central role in enterprise operations, organizations should ensure that their security strategy extends beyond email to every trusted communication channel employees use.
Strengthen Your Endpoint Security Strategy
See how Hexnode helps organizations manage endpoints, investigate suspicious activity, and enforce device compliance.
I write at the intersection of technology, process, and people, focusing on explaining complex products with clarity. I break down tools, systems, and workflows without any noise, jargon, or the hype.