A voice phishing (vishing) campaign conducted over Microsoft Teams has been discovered targeting organizations and deploying malware through legitimate remote access tools. Security researchers at Ontinue's Cyber Defence Centre uncovered the multi-stage attack, which combines social engineering with technical exploitation.
The attackers initiate contact through Microsoft Teams voice calls, establishing trust before exploiting remote support tools like QuickAssist and TeamViewer. Once engaged, they deploy a malicious DLL file that hijacks trusted processes, creating a backdoor for remote command execution.
"The attackers transform routine remote support into a covert entry point," explains Jason Soroko, senior fellow at Sectigo. The malware establishes persistence by creating startup files and leveraging the Windows Background Intelligent Transfer Service (BITS).
Security experts have noted similarities to previous campaigns by the threat group Storm-1811, known for combining vishing with remote access tool abuse, though definitive attribution remains pending.
The attack highlights growing concerns about AI-enabled social engineering. "Threat actors are getting more creative with AI-powered voice cloning to trick users," notes J Stephen Kowski, field CTO at SlashNext.
Nicole Carignan from Darktrace emphasizes that traditional security measures fall short: "Organizations cannot rely on employees to be the last line of defense against these sophisticated attacks."
Security recommendations include:
- Implementing AI-based monitoring tools
- Watching messaging platforms for suspicious activity
- Restricting remote access tool usage
- Deploying automated threat response systems
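As an added illustration of monitoring for this chain (not code from Ontinue or any vendor quoted here), the sketch below correlates endpoint events and raises an alert when a QuickAssist or TeamViewer session is followed shortly by the persistence signs described above: a file in a Startup folder, a DLL written under a user profile, or a new BITS job. The event schema, the 30-minute window, the two-indicator threshold and the sample telemetry are all assumptions made for the example.

```python
from datetime import datetime, timedelta

REMOTE_TOOLS = {"quickassist.exe", "teamviewer.exe"}  # tools named in the article
WINDOW = timedelta(minutes=30)                        # assumed correlation window
STARTUP = "\\start menu\\programs\\startup\\"         # per-user and all-users Startup

def classify(event):
    """Map a follow-on event to an indicator label, or None if it is not one."""
    detail = event["detail"].lower()
    if event["kind"] == "bits_job":
        return "bits_job"
    if event["kind"] == "file_create" and STARTUP in detail:
        return "startup_file"
    if event["kind"] == "file_create" and detail.endswith(".dll") and "\\users\\" in detail:
        return "dll_in_user_path"
    return None

def correlate(events, min_signals=2):
    """Alert when >= min_signals distinct indicators follow a remote support session."""
    sessions, hits = {}, {}  # host -> (tool, start); (host, tool, start) -> labels
    for ev in sorted(events, key=lambda e: e["ts"]):
        image = ev["detail"].lower().rsplit("\\", 1)[-1]
        if ev["kind"] == "process_start" and image in REMOTE_TOOLS:
            sessions[ev["host"]] = (image, ev["ts"])
            continue
        label, session = classify(ev), sessions.get(ev["host"])
        if label and session and ev["ts"] - session[1] <= WINDOW:
            hits.setdefault((ev["host"], *session), set()).add(label)
    return [{"host": h, "tool": tool, "session_start": start, "indicators": sorted(labels)}
            for (h, tool, start), labels in hits.items() if len(labels) >= min_signals]

def at(hour, minute):
    return datetime(2025, 1, 15, hour, minute)  # constructed date

# Constructed telemetry; the schema (ts, host, kind, detail) is hypothetical.
SAMPLE_EVENTS = [
    {"ts": at(9, 2), "host": "WS-014", "kind": "process_start", "detail": r"C:\Windows\System32\QuickAssist.exe"},
    {"ts": at(9, 9), "host": "WS-014", "kind": "file_create", "detail": r"C:\Users\alice\AppData\Local\Temp\example.dll"},
    {"ts": at(9, 11), "host": "WS-014", "kind": "file_create", "detail": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example.lnk"},
    {"ts": at(9, 12), "host": "WS-014", "kind": "bits_job", "detail": "job created"},
    {"ts": at(10, 0), "host": "WS-020", "kind": "process_start", "detail": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"ts": at(13, 30), "host": "WS-020", "kind": "bits_job", "detail": "job created"},
    {"ts": at(11, 0), "host": "WS-031", "kind": "bits_job", "detail": "job created"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only WS-014 is flagged in the sample: the BITS job on WS-020 falls outside the window, and WS-031 has no preceding remote support session.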
The discovery underscores the need for organizations to adapt their security approach as attackers combine social engineering with technical exploits in novel ways.