Fake IT support calls

Fake IT support calls on Microsoft Teams push EtherRAT malware

Threat actors are abusing Microsoft Teams voice calls by impersonating corporate IT support staff to trick employees into installing the EtherRAT malware, giving attackers initial access to corporate networks.

The campaign, reported by Palo Alto Networks’ Unit 42, combines phishing emails, Microsoft Teams voice calls, legitimate remote management tools, and a Node.js-based malware loader to compromise victims’ computers.

According to a report by Unit 42 posted on GitHub, the attack begins with a phishing email containing an “Employee Survey” lure and a malicious PDF attachment.

Shortly after opening the document, the victim receives a Microsoft Teams voice call from an external account impersonating a “System Administrator.”

The researchers observed the Teams session displaying the “External unfamiliar” label, indicating the caller belonged to a different Microsoft 365 tenant than the recipient. Audit logs showed the attacker initiated the external chat using the account [email protected][.]com while posing as IT support.

 

Talk to us on live chat or call +44 207 1004509