A sophisticated phishing campaign is actively targeting employees at financial and healthcare organizations by exploiting the trusted communication channel of Microsoft Teams. According to cybersecurity researchers at BlueVoyant, threat actors initiate contact via Teams, impersonating internal IT support staff. The attack chain begins with a preparatory phase where the target's email inbox is flooded with spam. The attacker then reaches out on Teams, offering assistance with the "unwanted messages" to build rapport and gain the victim's trust. Once trust is established, the attacker instructs the employee to initiate a remote support session using the built-in Windows Quick Assist tool, which provides the threat actor with remote access to the victim's machine.
The core of the attack involves the deployment of a new malware family dubbed "A0Backdoor." After gaining remote control via Quick Assist, the attacker deploys a malicious toolset. This toolset includes digitally signed MSI installer packages, which are hosted on a personal Microsoft cloud storage account to appear legitimate. These MSI files are cleverly disguised as Microsoft Teams components and the legitimate CrossDeviceService, a Windows tool used by the Phone Link app. This masquerading technique is designed to evade initial detection by both users and security software.
The malware employs advanced execution techniques to avoid analysis and maintain persistence. Using a DLL sideloading method, the attacker leverages legitimate, signed Microsoft binaries to load a malicious library named `hostfxr.dll`. This library contains compressed or encrypted payload data. Once loaded into the memory of the legitimate process, the library decrypts this data into executable shellcode and transfers execution to it, effectively bypassing traditional file-based detection mechanisms. Furthermore, BlueVoyant researchers note that the malicious library utilizes the `CreateThread` function excessively. This technique not only facilitates its malicious operations but also serves as an anti-analysis measure, as the excessive thread creation can crash debugging tools and complicate reverse-engineering efforts.
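A defender can turn the sideloading detail above into a detection over image-load telemetry. The following is an added example, not code from BlueVoyant or the article: it scans constructed Sysmon Event ID 7 (ImageLoad) style records and flags any `hostfxr.dll` that is not validly Microsoft-signed, recording its load path as corroborating evidence. The default .NET install path and the signature heuristic are assumptions.

```python
from pathlib import PureWindowsPath

# Constructed sample events shaped like Sysmon Event ID 7 (ImageLoad) fields,
# flattened to key=value pairs. Illustrative only, not captured campaign data.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\dotnet\dotnet.exe|ImageLoaded=C:\Program Files\dotnet\host\fxr\8.0.0\hostfxr.dll|Signed=true|Signature=Microsoft Corporation|SignatureStatus=Valid",
    r"Image=C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe|ImageLoaded=C:\Users\alice\AppData\Local\Microsoft\Teams\current\hostfxr.dll|Signed=false|Signature=|SignatureStatus=Unavailable",
    r"Image=C:\Program Files\CrossDevice\CrossDeviceService.exe|ImageLoaded=C:\Program Files\CrossDevice\hostfxr.dll|Signed=true|Signature=Contoso Ltd|SignatureStatus=Valid",
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\ntdll.dll|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
]

# Shared location of the genuine .NET host resolver (assumed default install path).
DOTNET_FXR_DIR = PureWindowsPath(r"C:\Program Files\dotnet\host\fxr")


def parse_event(line):
    """Split a flattened key=value|key=value record into a dict."""
    return dict(pair.split("=", 1) for pair in line.split("|"))


def hostfxr_findings(event):
    """Return reasons a hostfxr.dll load looks like sideloading; [] if benign or not hostfxr."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() != "hostfxr.dll":
        return []
    # Heuristic (assumption): the genuine library carries a valid Microsoft signature.
    ms_signed = (event.get("Signed") == "true"
                 and event.get("SignatureStatus") == "Valid"
                 and event.get("Signature", "").startswith("Microsoft"))
    if ms_signed:
        return []  # genuine copy, even when a self-contained .NET app ships its own
    reasons = ["hostfxr.dll not validly signed by Microsoft"]
    # Path is only corroborating: self-contained apps legitimately carry their own copy.
    if DOTNET_FXR_DIR not in loaded.parents:
        reasons.append("loaded from outside the shared .NET host directory")
    return reasons


def scan(lines):
    """Return [(loading process image, reasons)] for each suspicious hostfxr.dll load."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = hostfxr_findings(event)
        if reasons:
            alerts.append((event["Image"], reasons))
    return alerts


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {'; '.join(reasons)}")
```

In the sample set the `Teams.exe` and `CrossDeviceService.exe` loads are flagged, matching the two lures the article describes, while the shared dotnet copy and an unrelated `ntdll.dll` load pass.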
This campaign highlights a dangerous convergence of social engineering and technical evasion. By abusing trusted platforms like Microsoft Teams and built-in OS tools like Quick Assist, attackers bypass common security warnings and user skepticism. The use of signed MSI installers from a reputable cloud storage service adds another layer of deception. Organizations, especially in critical sectors like finance and healthcare, must reinforce security awareness training, emphasizing that IT support will never ask for remote access via unsolicited Teams messages. Technical controls, such as restricting Quick Assist use to approved personnel and implementing robust application allow-listing, are critical to mitigating this threat.