Sliding Into Your DMs: Abusing Microsoft Teams for Malware Delivery
Summary:
Threat actors are increasingly abusing Microsoft Teams as a social engineering vector, taking advantage of its widespread use and the trust users place in the platform. Instead of relying solely on phishing emails, adversaries have created or compromised Teams accounts impersonating IT support staff to deliver malicious payloads. Victims are contacted through direct chats or calls, often by accounts with names like “IT Support” or “Help Desk,” and persuaded to install remote access tools such as QuickAssist or AnyDesk. This initial access enables attackers to deploy malware, steal credentials, and establish persistence.
Recent investigations revealed the use of a PowerShell-based payload capable of credential theft, persistence, and remote code execution. The malware included evasion and protection mechanisms such as mutex enforcement to prevent multiple infections, process criticality to trigger system crashes if terminated, and scheduled tasks or registry entries for persistence. It also harvested detailed system information and used credential prompts disguised as benign system requests. Communication with attacker infrastructure was encrypted with hardcoded AES keys, linking the activity to the financially motivated groups EncryptHub and LARVA-208.
Security Officer Comments:
These groups have previously combined zero-day exploits like CVE-2025-26633 with custom malware families such as SilentPrism and DarkWisp, and they have been tied to ransomware campaigns, demonstrating diverse monetization strategies. The overlap of reused cryptographic constants across campaigns provides defenders with an opportunity to track their tooling and infrastructure. The activity highlights how attackers are weaponizing trusted enterprise platforms like Microsoft Teams to expand social engineering operations, evade detection, and deliver advanced multi-stage payloads.
Suggested Corrections:
Permiso researchers have published IOCs that can be used for detection:
https://permiso.io/blog/sliding-into-your-dms-abusing-microsoft-teams-for-malware-delivery
Organizations should enforce multi-factor authentication across all Microsoft 365 and Teams accounts, combined with strong Conditional Access policies that block logins from untrusted devices, unusual geographies, or non-compliant endpoints, making it far more difficult for attackers to abuse stolen credentials or device code authentication flows.
Security teams should restrict or tightly control external tenant communications in Microsoft Teams, allowing messages and calls only from trusted domains and partners, which significantly reduces the risk of employees being approached by malicious accounts impersonating IT staff.
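One way to apply that restriction is through the Teams tenant federation settings. This is an added example, not code from the Permiso write-up; it assumes the MicrosoftTeams PowerShell module, a Teams administrator session, and the placeholder partner domains partner-a.example and partner-b.example, which stand in for whatever domains the organization actually trusts.

```powershell
# Added example (not from the Permiso research): replace "allow all external domains"
# with an explicit allow list and block unmanaged personal Teams accounts, which
# anyone can create with an arbitrary display name such as "IT Support".
# Placeholder domains: partner-a.example and partner-b.example are not real partners.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Record the current federation settings before changing anything.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                        AllowPublicUsers, AllowedDomains, BlockedDomains | Format-List

# 1. Keep federation on, but only with the listed domains.
$trustedDomains = @("partner-a.example", "partner-b.example")
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                    -AllowedDomainsAsAList $trustedDomains

# 2. Block personal (consumer) Teams accounts, inbound and outbound.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 3. Block Skype consumer users as well.
Set-CsTenantFederationConfiguration -AllowPublicUsers $false

# Verify the change: warn if any unmanaged external channel is still open,
# then show the resulting allow list.
$after = Get-CsTenantFederationConfiguration
if ($after.AllowTeamsConsumer -or $after.AllowTeamsConsumerInbound -or $after.AllowPublicUsers) {
    Write-Warning "Consumer or public external access is still enabled."
}
$after.AllowedDomains
```

Settings propagate across the tenant over time rather than instantly, so re-run the verification step later and compare against the recorded baseline.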
Enterprises should limit, monitor, or disable the use of remote access tools such as QuickAssist and AnyDesk unless they are strictly required, ensuring that only authorized IT personnel can deploy or operate such utilities, and enforcing application allow-listing where possible to prevent unauthorized installations.
Companies should expand user awareness and phishing resilience training to cover collaboration platforms like Microsoft Teams, teaching employees to verify unexpected IT support requests, watch for unusual display names, and avoid installing software from unverified links shared in chat messages.
Link(s):
https://permiso.io/blog/sliding-into-your-dms-abusing-microsoft-teams-for-malware-delivery