A sophisticated multi-stage attack leverages Microsoft Teams to infiltrate enterprise networks.
Published: Apr 02, 2025
Key Takeaways:
A newly documented attack chain uses Microsoft Teams and legitimate remote-access tools to infiltrate enterprise networks. Discovered by Ontinue researchers, this multi-stage intrusion combines social engineering with trusted, signed software and stealthy second-stage payloads to slip past security controls, which makes it a serious threat to any organization that relies on these tools.
According to a new report from the Ontinue Cyber Defence Centre, the attack begins with a Microsoft Teams message that delivers a malicious PowerShell payload. The attacker then obtains hands-on access through Microsoft Quick Assist, Windows' built-in remote-help tool, and uses that session to drop a legitimately signed TeamViewer binary together with a malicious DLL named "TV.dll." The signed executable loads the attacker's DLL from the directory it was dropped in (DLL sideloading), so the malicious code runs inside a process whose signature checks out, which helps it evade endpoint detection and response (EDR) products that give signed binaries a pass.
In the second stage, the attacker deploys tooling to deepen the compromise: a backdoor script called "index.js" is executed by a Node.js runtime renamed "hcmd.exe," so that it does not show up as node.exe in process listings. The backdoor connects back over Socket.IO, a WebSocket-based messaging library, giving the attacker a command-and-control channel with little to distinguish it from ordinary web traffic and letting them issue system-level commands.
For persistence, the attacker created a shortcut in the Startup folder so the TeamViewer executable (and with it TV.dll) relaunches at each logon. They also abused Windows' Background Intelligent Transfer Service (BITS) to move data and stage malware; BITS jobs survive reboots and can linger for up to 90 days, which makes the service a convenient long-lived staging mechanism. To evade detection, the malware used API hooking and process hollowing, and it checked for virtual machines (VMs) and debugging tools before running: it calls IsDebuggerPresent, IsProcessorFeaturePresent and related functions to determine whether it is executing in a sandbox or under analysis.
The attacker used Windows Management Instrumentation (WMI) to profile the machine and enumerate its security software. To move laterally across the network, they used psexec.exe, and they harvested saved credentials from the web browser.
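The stages above leave distinct traces in endpoint telemetry. The following is an added example of hunting logic for them, not Ontinue's tooling or anything from the report: each rule keys on one observable from the chain (a signed TeamViewer.exe loading TV.dll from a user-writable path, a process whose PE OriginalFileName is node.exe but whose on-disk name is not, a .lnk dropped into a Startup folder, a PSEXESVC service install, and a BITS job to a host outside an allow-list). The events are constructed Sysmon-style dictionaries; field names, the Event ID assumed for BITS job start (59 in Microsoft-Windows-Bits-Client/Operational), the allow-list, and all paths, user names and addresses are assumptions for illustration, not indicators from the report.

```python
"""Hunting rules for the Teams -> Quick Assist -> TeamViewer sideload chain.

Example code written for this article, not Ontinue's tooling. Events are
constructed, Sysmon-style dicts (Event IDs 1/7/11), plus a System-log 7045
service install and a BITS-Client/Operational job-start event (assumed ID 59;
check your own collector's mapping).
"""
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
ALLOWED_BITS_HOSTS = {"update.microsoft.com"}  # assumption: replace with your allow-list

# Constructed sample telemetry (all paths, names and the IP are illustrative, not IOCs).
SAMPLE_EVENTS = [
    {"id": 7, "image": r"C:\Users\alice\AppData\Local\Temp\tv\TeamViewer.exe",   # stage 1: sideload
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\tv\TV.dll", "signed": "false"},
    {"id": 7, "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",              # benign install
     "image_loaded": r"C:\Program Files\TeamViewer\TV.dll", "signed": "true"},
    {"id": 1, "image": r"C:\Users\alice\AppData\Roaming\hcmd\hcmd.exe",            # stage 2: renamed node
     "original_file_name": "node.exe",
     "command_line": r'hcmd.exe "C:\Users\alice\AppData\Roaming\hcmd\index.js"'},
    {"id": 1, "image": r"C:\Program Files\nodejs\node.exe",                        # benign node
     "original_file_name": "node.exe", "command_line": "node.exe app.js"},
    {"id": 11, "image": r"C:\Windows\System32\cmd.exe",                            # persistence
     "target_filename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TeamViewer.lnk"},
    {"id": 7045, "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},  # lateral movement
    {"id": 59, "url": "http://203.0.113.10/stage.bin", "job": "update"},           # BITS staging
    {"id": 59, "url": "https://update.microsoft.com/x.cab", "job": "WU"},          # benign BITS
]


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def rule_sideload(e):
    """TeamViewer.exe loading TV.dll from outside the install dirs, or an unsigned TV.dll.
    The host binary's own signature is valid, so the path is the tell, not the signature."""
    if e.get("id") != 7:
        return None
    host = PureWindowsPath(e.get("image", "")).name.lower()
    dll_path = e.get("image_loaded", "")
    if host == "teamviewer.exe" and PureWindowsPath(dll_path).name.lower() == "tv.dll":
        if not in_trusted_dir(dll_path) or e.get("signed", "false") != "true":
            return "teamviewer_tv_dll_sideload"
    return None


def rule_renamed_node(e):
    """PE metadata says node.exe but the file on disk is called something else."""
    if e.get("id") != 1:
        return None
    if e.get("original_file_name", "").lower() == "node.exe" \
            and PureWindowsPath(e.get("image", "")).name.lower() != "node.exe":
        return "renamed_node_js_runtime"
    return None


def rule_startup_shortcut(e):
    """A .lnk written into any user's or the common Startup folder."""
    if e.get("id") != 11:
        return None
    target = e.get("target_filename", "").lower()
    if STARTUP_MARKER in target and target.endswith(".lnk"):
        return "startup_folder_shortcut"
    return None


def rule_psexec_service(e):
    """System log 7045: the PsExec service being installed on a host."""
    if e.get("id") != 7045:
        return None
    if e.get("service_name", "").upper() == "PSEXESVC" or "psexesvc" in e.get("image_path", "").lower():
        return "psexec_service_install"
    return None


def rule_bits_external(e):
    """BITS job started against a host that is not on the allow-list."""
    if e.get("id") != 59:
        return None
    if urlsplit(e.get("url", "")).hostname not in ALLOWED_BITS_HOSTS:
        return "bits_job_to_unapproved_host"
    return None


RULES = (rule_sideload, rule_renamed_node, rule_startup_shortcut, rule_psexec_service, rule_bits_external)


def hunt(events):
    """Run every rule over every event; return (rule_tag, indicator) pairs in event order."""
    hits = []
    for e in events:
        for rule in RULES:
            tag = rule(e)
            if tag:
                indicator = (e.get("target_filename") or e.get("image_loaded") or e.get("image")
                             or e.get("image_path") or e.get("url"))
                hits.append((tag, indicator))
    return hits


if __name__ == "__main__":
    for tag, indicator in hunt(SAMPLE_EVENTS):
        print(f"{tag:30} {indicator}")
```

The sideload rule deliberately ignores the signature on TeamViewer.exe itself: it is genuine, which is the whole point of the technique, so a rule that whitelists signed processes would miss the chain. What gives it away is a signed host binary running from a user-writable directory and loading a DLL from that same directory.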
Ontinue researchers could not attribute these attacks to a specific group. However, they noted overlaps with Storm-1811, a threat actor previously identified by Microsoft that is known for abusing Microsoft Teams and Quick Assist in social engineering attacks.
“This attack chain highlights how a relatively simple vishing-based social engineering tactic can escalate into a full-scale compromise when paired with trusted tooling, signed binaries, and stealthy second-stage payloads,” Ontinue researchers explained.
Administrators should treat both their users and their data as in scope for this threat. Recommended controls include behavioral analytics (machine learning-based tools that model user activity and flag deviations), regular security awareness training so employees can recognize and report vishing attempts, and a review of whether external Teams messaging and Quick Assist need to be enabled at all, since both are the entry points of this chain.