Microsoft Teams-Themed Remote Access Phishing Campaign

MITRE Techniques

• [T1566.002 ] Phishing: Spear phishing Link – Victims receive Teams-themed phishing messages with a link to a fake download page (‘Victims receive phishing emails or messages impersonating Microsoft Teams notifications.’).
• [T1204.002 ] User Execution: Malicious File – The victim is persuaded to download and run a file presented as a transcript viewer or meeting utility (‘The page prompts the user to download a file…’).
• [T1219 ] Remote Access Tool – The payload is a legitimate remote access tool configured for unauthorized access (‘signed installer for a legitimate remote access tool’).
• [T1543.003 ] Create or Modify System Process: Windows Service – The installer creates an auto-start Windows service for persistence (‘A system service is created with auto-start configuration’).
• [T1547.002 ] Boot or Logon Autostart Execution: Authentication Package – The tool registers in the Windows authentication subsystem to persist and intercept credentials (‘it registers as an LSA authentication package’).
• [T1546.015 ] Event Triggered Execution: Component Object Model Hijacking – COM-based persistence is achieved through CLSID registration (‘A CLSID is registered for InprocServer32’).
• [T1556 ] Modify Authentication Process – Credential provider and LSA integration are used to capture logon credentials and alter authentication flow (‘enables the capture of user credentials entered at the logon screen’).
• [T1120 ] Peripheral Device Discovery – The installer checks for USB bus activity as part of sandbox evasion (‘USB bus enumeration checks’).
• [T1497.001 ] Virtualization/Sandbox Evasion: System Checks – The malware detects debuggers and performs environment checks to avoid analysis (‘Debugger detection routines’).
• [T1497.003 ] Virtualization/Sandbox Evasion: Time Based Evasion – Long sleep delays are used to bypass time-limited analysis (‘Long sleep delays to bypass time-limited analysis’).