Threat actors are abusing Microsoft Teams voice calls and phishing emails to impersonate IT support staff and trick employees into installing EtherRAT malware. The campaign uses legitimate remote tools, a Node.js-based loader, and Ethereum smart contracts for command-and-control, while also highlighting Microsoft’s added protections against these Teams abuse tactics. #MicrosoftTeams #EtherRAT #Unit42 #A0Backdoor #React2Shell
Keypoints
- Attackers begin with an “Employee Survey” phishing email and a malicious PDF.
- Victims receive a Microsoft Teams call from an external account posing as a system administrator.
- Attackers persuade users to enable remote control and install HopToDesk or AnyDesk.
- A malicious MSI file downloads Node.js and launches EtherRAT on the victim machine.
- Microsoft is adding warnings and lobby controls to block suspicious external Teams activity.