Phishing attacks are getting increasingly sophisticated, from the use of smartphone farms to launch attacks, to hard-to-detect AI-driven threats, to the use of legitimate Microsoft 365 emails to bypass security controls. But the phishing attack is only the first stage of the process, as this multi-level hack attack targeting Microsoft Teams users demonstrates only too well.


Microsoft Teams Message Delivers Malicious Payload

Signed, side loaded and compromised. That’s how security researchers at the Ontinue Cyber Defence Centre have described a sophisticated multi-stage attack that starts with a Microsoft Teams message delivering a malicious PowerShell payload and, by way of remote access tooling and living-off-the-land binaries, gains initial access and persistence through a JavaScript-based backdoor on victim devices.

“This attack chain highlights how a relatively simple vishing-based social engineering tactic can escalate into a full-scale compromise when paired with trusted tooling, signed binaries, and stealthy second-stage payloads,” the researchers warned.

Although the Ontinue researchers were unable to attribute the attacks with a high level of confidence, they did find a number of striking similarities with a threat actor identified by Microsoft as Storm-1811.

The full technical details can be found in the report, but the researchers found that the attack started with the threat actors creating an external chat and sending a message by way of Microsoft Teams. “The actor transmitted a PowerShell command directly via the Teams message,” Ontinue said, “and also utilised the QuickAssist remote tool to gain access to the target device remotely.”

The root cause of the incident was a video messaging attack, something I have already reported is surging, up 1633% in the first quarter of 2025 alone. “This attack chain highlights how a relatively simple vishing-based social engineering tactic can escalate into a full-scale compromise when paired with trusted tooling, signed binaries, and stealthy second-stage payloads,” Ontinue concluded.

I have reached out to Microsoft for a statement.


Mitigating The Microsoft Teams Attack

J Stephen Kowski, field chief technology officer at SlashNext Email Security+, said that real-time scanning across all communication channels, not just email, is essential since these attacks often start with social engineering before deploying malicious tools, such as sideloaded DLLs. “Advanced protection that combines computer vision, natural language processing, and behavioral analysis can identify these sophisticated attacks even when they use legitimate-looking tools or QR codes,” Kowski concluded.

“The attacker sideloaded a malicious DLL that dynamically commandeered a trusted process, transforming routine remote support into a covert entry point,” Jason Soroko, a senior fellow at Sectigo, said. Calling every move made by the threat actor “lean,” Soroko advised that security teams should be on the lookout for “Microsoft Teams messages containing PowerShell commands, unexpected use of QuickAssist, and signed binaries running from nonstandard locations.”
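The three hunting signals Soroko lists can be turned into a simple triage pass over chat text and process-creation telemetry. The script below is an added illustration, not code from Ontinue, Sectigo or the article; the process names, the "standard" install directories and the sample messages and events are constructed assumptions, and any real deployment would need baselining against the organisation's own software inventory.

```python
import re

# Assumption: directories from which signed Microsoft/Windows binaries are normally expected to run.
# Per-user installs (e.g. classic Teams under AppData) will also trip the check, so baseline first.
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed executable name of the Quick Assist remote support tool.
REMOTE_SUPPORT_TOOLS = {"quickassist.exe"}
# Tokens that make a chat message read like a pasted PowerShell one-liner.
POWERSHELL_HINTS = re.compile(
    r"(powershell(\.exe)?\b|\bpwsh\b|invoke-expression|\biex\b|-enc(odedcommand)?\b|"
    r"invoke-webrequest|downloadstring)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_standard_location(path: str) -> bool:
    """True if the image path sits under one of the expected install directories."""
    return path.lower().startswith(STANDARD_DIRS)


def message_looks_like_powershell(text: str) -> bool:
    """Signal 1: a Teams message that carries PowerShell syntax."""
    return POWERSHELL_HINTS.search(text) is not None


def triage_process(event: dict) -> list[str]:
    """Signals 2 and 3: Quick Assist launches and signed binaries outside standard paths."""
    image = basename(event["image"])
    signals = []
    if image in REMOTE_SUPPORT_TOOLS:
        signals.append("quickassist-launched")
    if event.get("signed") and not in_standard_location(event["image"]):
        signals.append("signed-binary-nonstandard-path")
    return signals


# Constructed sample telemetry, not real data.
SAMPLE_MESSAGES = [
    "Hi, IT here. Please run: powershell -nop -w hidden -enc <base64 placeholder>",
    "Can you join the 3pm sync? Agenda attached.",
]
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\QuickAssist.exe", "parent": r"C:\Windows\explorer.exe", "signed": True},
    {"image": r"C:\Users\alice\AppData\Local\Temp\support\updater.exe", "parent": r"C:\Windows\explorer.exe", "signed": True},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\explorer.exe", "signed": True},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(message_looks_like_powershell(msg), msg[:40])
    for ev in SAMPLE_EVENTS:
        print(triage_process(ev), ev["image"])
```

A hit on any single signal is a triage prompt rather than a verdict; the article's point is that the three together (PowerShell in chat, a Quick Assist session, then a signed binary from an odd path) describe the chain.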
