Security Firm Reveals Voice Phishing Attack Targeting Microsoft Teams
Security researchers at Ontinue's Cyber Defense Center have uncovered a complex, multi-stage cyberattack that leveraged social engineering, remote access tools and signed binaries to infiltrate and persist within a target network.
The campaign, which the company revealed in a report Tuesday, began with a vishing (voice phishing) attempt, where the threat actor exploited Microsoft Teams' external messaging capabilities to deliver a malicious PowerShell payload. After social engineering the target into running the script, the actor used Microsoft Quick Assist to gain remote access to a targeted machine.
Once inside the network, the attacker deployed a signed TeamViewer binary alongside a malicious DLL named "TV.dll," which was sideloaded to execute second-stage malware. The use of signed binaries allowed the threat actor to evade many endpoint detection and response (EDR) solutions that trust such files by default.
The second stage involved a JavaScript-based backdoor (index.js) executed via a renamed Node.js binary (hcmd.exe). This backdoor enabled command-and-control capabilities, using Socket.IO to allow remote attackers to issue system-level commands.
The attacker set up persistence by creating a startup shortcut that launched the malicious TeamViewer file every time the system rebooted. They also used Windows’ Background Intelligent Transfer Service (BITS) to quietly move data and stage malware for up to 90 days.
To stay hidden, the attacker used evasion techniques such as process hollowing, API hooking, and checks for virtual machines or debugging tools. Functions like IsDebuggerPresent and IsProcessorFeaturePresent were used to detect whether the malware was running in a sandbox or under analysis.
The attacker also ran system scans using Windows Management Instrumentation (WMI) to collect details about the machine and security software. For lateral movement, they used psexec.exe, and they stole saved login credentials from web browsers.
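The masquerading and persistence steps described above (a Node.js runtime renamed to hcmd.exe, TV.dll sideloaded into a signed TeamViewer binary, and a Startup-folder shortcut) are the kind of host telemetry a defender would write detections for. The following is an added example, not code from Ontinue's report: it applies three such checks to constructed Sysmon-style event dicts. Field names follow Sysmon event IDs 1, 7 and 11; the paths and the user name are invented.

```python
from pathlib import PureWindowsPath

# Directories where a legitimately installed TeamViewer would load its DLLs from.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
STARTUP_MARK = "\\microsoft\\windows\\start menu\\programs\\startup\\"

def _base(path):
    return PureWindowsPath(path).name.lower()

def classify(ev):
    """Return a finding for one Sysmon-style event dict, or None if benign."""
    eid = ev.get("EventID")
    if eid == 1:  # process create: PE header says node.exe but file runs under another name
        orig = ev.get("OriginalFileName", "").lower()
        if orig == "node.exe" and _base(ev["Image"]) != orig:
            return f"renamed Node.js runtime: {ev['Image']} (OriginalFileName={orig})"
    elif eid == 7:  # image load: signed TeamViewer pulling TV.dll from a user-writable path
        loaded = ev["ImageLoaded"]
        if (_base(ev["Image"]) == "teamviewer.exe" and _base(loaded) == "tv.dll"
                and not loaded.lower().startswith(TRUSTED_DIRS)):
            return f"possible DLL sideload: {loaded} into {ev['Image']}"
    elif eid == 11:  # file create: shortcut dropped into a Startup folder
        target = ev.get("TargetFilename", "")
        if target.lower().endswith(".lnk") and STARTUP_MARK in target.lower():
            return f"Startup-folder persistence: {target}"
    return None

def scan(events):
    """Apply classify() to every event and return the non-empty findings."""
    return [hit for hit in map(classify, events) if hit]

# Constructed sample events; field names follow Sysmon IDs 1, 7 and 11, but the
# values are invented for this example, not telemetry from the incident.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\hcmd.exe",
     "OriginalFileName": "node.exe", "CommandLine": "hcmd.exe index.js"},
    {"EventID": 1, "Image": r"C:\Program Files\nodejs\node.exe",
     "OriginalFileName": "node.exe", "CommandLine": "node app.js"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\TeamViewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\TV.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\TeamViewer.lnk"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The legitimate node.exe in the sample is deliberately left unflagged: the signal is the mismatch between the on-disk name and the PE's OriginalFileName, not the presence of Node.js itself.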
While it's unclear who the group responsible is, Ontinue notes that the tactics used closely resemble those of Storm-1811, a threat actor previously documented by Microsoft. Known for abusing Quick Assist and Microsoft Teams in social engineering campaigns, Storm-1811 has been linked to ransomware operations and other post-exploitation toolkits.
The vishing component also shows how attackers are increasingly using generative AI tools in their campaigns, in this case AI-generated voices, and how such emerging tools add complexity to attacks. Commenting on the new report by Ontinue, Nicole Carignan, senior vice president at security firm Darktrace, said that enterprise IT must take full responsibility for keeping its data and users safe.
"As the sophistication of phishing and vishing attacks continues to grow, organizations cannot rely on employees to be the last line of defense against these attacks," said Carignan. "Instead, organizations must use machine learning-powered tools that can understand how their employees interact with their inboxes and build a profile of what activity is normal for users, including their relationships, tone and sentiment, content, when and how they follow or share links, etc. Only then can they accurately recognize suspicious activity that may indicate a phishing or vishing attack, or business email compromise (BEC)."