{"id":2534,"date":"2025-08-29T00:53:33","date_gmt":"2025-08-29T00:53:33","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/08\/29\/fake-it-support-attacks-hit-microsoft-teams\/"},"modified":"2025-08-29T00:53:33","modified_gmt":"2025-08-29T00:53:33","slug":"fake-it-support-attacks-hit-microsoft-teams","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/08\/29\/fake-it-support-attacks-hit-microsoft-teams\/","title":{"rendered":"Fake IT Support Attacks Hit Microsoft Teams"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-654c6429-bcbf-4983-95ea-5722c289f409\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A new wave of phishing attacks abusing Microsoft Teams to deliver malware has been uncovered by security researchers.<\/p>\n<p>The campaigns, observed by Permiso, use fake IT support accounts to trick employees into installing remote access software, giving attackers direct control over corporate systems.<\/p>\n<h2>Microsoft Teams Emerges as a High-Value Target<\/h2>\n<p>Phishing by email remains the most common method for gaining access, but attackers are increasingly turning to platforms used for daily collaboration. Since its 2017 release, Microsoft Teams has become deeply embedded in enterprise communication, making it an attractive target.<\/p>\n<p>Permiso said recent campaigns show attackers creating Teams accounts that impersonate support staff with names like \u201cIT SUPPORT,\u201d\u00a0\u201cHelp Desk\u201d\u00a0or department-based aliases. 
Some accounts even feature checkmark emojis to appear verified.<\/p>\n<p>Despite their simplicity, these impersonation tactics are often successful, as employees frequently assume that communication on Teams is legitimate.<\/p>\n<h2>How the Attacks Unfold<\/h2>\n<p>The attackers\u2019 objective is to establish control of a victim\u2019s machine. After initiating contact, they push employees to download remote access tools such as QuickAssist or AnyDesk.<\/p>\n<p>Once installed, these programs allow the threat actor to take full control of the system, deploy malware for stealing credentials and establish persistence to maintain long-term access.<\/p>\n<p>Earlier versions of this technique, seen in May 2024, were tied to BlackBasta ransomware operations. However, newer incidents have been linked to different strains, including DarkGate and the Matanbuchus loader.<\/p>\n<p>In one case, a PowerShell script downloaded from a malicious domain demonstrated capabilities for persistence, credential theft and encrypted communication with attacker-controlled servers.<\/p>\n<h2>The Group Behind the Campaigns<\/h2>\n<p>Permiso investigators have attributed the activity to a financially motivated actor known as EncryptHub (also known as LARVA-208 or Water Gamayun).<\/p>\n<p>This group has previously combined social engineering with zero-day exploits and custom malware. 
Their past operations targeted English-speaking IT staff, developers and Web3 professionals.<\/p>\n<p>\u201cThe reuse of static cryptographic constants across campaigns is a notable operational weakness, one that enables defenders to pivot in malware repositories and track this group\u2019s tooling over time,\u201d Permiso explained.<\/p>\n<p>By leveraging Microsoft Teams, attackers are bypassing traditional email defenses and embedding their operations within trusted corporate workflows.<\/p>\n<p>Security teams are urged to monitor for unusual Teams activity, especially external communications that could conceal social engineering attempts.<\/p>\n<\/div>\n<div id=\"layout-8aac99ae-8d27-466f-8a1e-e54fd52c66b4\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"1\">\n<p>Image credit: DANIEL CONSTANTE \/ Shutterstock.com<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A new wave of phishing attacks abusing Microsoft Teams to deliver malware has been uncovered by security researchers. The campaigns, observed by Permiso, use fake IT support accounts to trick employees into installing remote access software, giving attackers direct control over corporate systems. 
Microsoft Teams Emerges as a High-Value Target Phishing by email remains the<\/p>\n","protected":false},"author":2,"featured_media":2535,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2534","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2534-34e8f3d7-19f1-4f3e-8658-5faea42242f3.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2534-34e8f3d7-19f1-4f3e-8658-5faea42242f3-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2534-34e8f3d7-19f1-4f3e-8658-5faea42242f3.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2534-34e8f3d7-19f1-4f3e-8658-5faea42242f3.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2534-34e8f3d7-19f1-4f3e-8658-5faea42242f3.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2534-34e8f3d7-19f1-4f3e-8658-5faea42242f3.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2534-34e8f3d7-19f1-4f3e-8658-5faea42242f3.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2534-34e8f3d7-19f1-4f3e-8658-5faea42242f3.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2534-34e8f3d7-19f1-4f3e-8658-5faea42242f3.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2534-34e8f3d7-19f1-4f3e-8658-5faea42242f3.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2534-34e8f3d7-19f1-4f3e-8658-5faea42242f3-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a
 href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2534","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2534"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2534\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2535"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2534"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2534"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2534"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}