Hackers Abuse Microsoft Teams to Gain Remote Access on Windows.
Overview
Cybercriminals are impersonating IT support on Microsoft Teams, using fake accounts to trick employees into installing remote access tools such as QuickAssist and AnyDesk. Once access is granted, attackers use PowerShell to deploy malware that steals credentials and maintains persistence; the families observed, DarkGate and Matanbuchus, give the attacker a foothold for further exploitation. Employees should verify IT requests through trusted channels and avoid installing unsolicited software. Multi-factor authentication and employee awareness are crucial defenses against these attacks.
Impacted Users
- Employees using Microsoft Teams for internal communications and collaboration.
- Users with administrative privileges on Windows systems who are tricked into granting remote access.
- Organizations using QuickAssist or AnyDesk for remote support but lacking proper monitoring and verification processes.
- Windows users who are vulnerable to PowerShell-based malware execution.
Potential Impact
- Credential Theft: Attackers can capture sensitive login details via fake credential prompts.
- Malware Deployment: PowerShell scripts allow attackers to deploy multifunctional malware such as DarkGate and Matanbuchus.
- System Compromise: Once remote access is granted, attackers can perform actions like lateral movement, data exfiltration, and ransomware deployment.
- Reputation & Financial Loss: Business downtime, loss of customer trust, and the potential for regulatory fines due to breach incidents.
- Security Evasion: The use of legitimate platforms (Teams, QuickAssist) complicates detection by traditional security tools.
Affected Products
- Windows Systems with PowerShell enabled.
- Microsoft Teams
- QuickAssist and AnyDesk (used for gaining remote access under the guise of IT support).
Indicators of Compromise (IOCs)
- Suspicious Display Names: “Help Desk Specialist ”, “IT SUPPORT ”, or similar names in Teams chats.
- Unusual User Principal Names: Domains such as @cybersecurityadm.onmicrosoft[.]com, @updateteamis.onmicrosoft[.]com.
- Malicious URLs:
  - https://audiorealteak[.]com/payload/build.ps1
  - https://cjhsbam[.]com/payload/runner.ps1
- IP Addresses:
  - 104.21.40[.]219
  - 193.5.65[.]199
- Suspicious User-Agent Strings: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6
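The indicators above can be applied directly to Teams audit and web-proxy telemetry. The following Python script is an added example, not code from the advisory or its sources: it refangs the defanged IoCs listed above, parses a constructed key=value log format (the field names `type`, `sender_upn`, `sender_display`, `external`, `url`, `dst_ip` and `ua` are assumptions, not any vendor's schema), and reports which lines hit a display name, tenant domain, URL, IP or User-Agent indicator. It also flags external Teams senders whose display name claims to be IT support, which is the "Monitor Teams Traffic" check from the recommendations below.

```python
"""Match the advisory's IoCs against constructed Teams-audit and proxy log lines (added example)."""
import re
from urllib.parse import urlparse

# IoCs as they appear on the page (defanged); refanged below before matching.
SUSPICIOUS_DISPLAY_NAMES = {"help desk specialist", "it support"}
SUSPICIOUS_UPN_DOMAINS = {"cybersecurityadm.onmicrosoft[.]com", "updateteamis.onmicrosoft[.]com"}
MALICIOUS_URLS = {
    "https://audiorealteak[.]com/payload/build.ps1",
    "https://cjhsbam[.]com/payload/runner.ps1",
}
MALICIOUS_IPS = {"104.21.40[.]219", "193.5.65[.]199"}
SUSPICIOUS_USER_AGENTS = {
    "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 "
    "(KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6",
}


def refang(value: str) -> str:
    """Turn the page's defanged form ('[.]') back into a matchable value."""
    return value.replace("[.]", ".")


UPN_DOMAINS = {refang(d) for d in SUSPICIOUS_UPN_DOMAINS}
URLS = {refang(u) for u in MALICIOUS_URLS}
HOSTS = {urlparse(u).hostname for u in URLS}
IPS = {refang(i) for i in MALICIOUS_IPS}

# key=value pairs; values may be double-quoted to allow spaces (assumed log format).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def normalize_name(name: str) -> str:
    """Attackers pad display names with trailing spaces and vary case; collapse both."""
    return " ".join(name.split()).lower()


def match_iocs(event: dict) -> list:
    """Return the IoC hits for one parsed event (empty list means no match)."""
    hits = []
    if event.get("type") == "teams_chat":
        name = normalize_name(event.get("sender_display", ""))
        name_suspicious = name in SUSPICIOUS_DISPLAY_NAMES or "help desk" in name or "it support" in name
        if name_suspicious:
            hits.append(f"display_name:{name!r}")
        upn = event.get("sender_upn", "")
        domain = upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""
        if domain in UPN_DOMAINS:
            hits.append(f"upn_domain:{domain}")
        # Unknown external tenant posing as IT support: not a listed IoC, but worth investigating.
        elif name_suspicious and event.get("external") == "true":
            hits.append("external_sender_claiming_it_support")
    elif event.get("type") == "proxy":
        url = event.get("url", "")
        if url in URLS:
            hits.append(f"url:{url}")
        elif urlparse(url).hostname in HOSTS:
            hits.append(f"host:{urlparse(url).hostname}")
        if event.get("dst_ip") in IPS:
            hits.append(f"ip:{event['dst_ip']}")
        if event.get("ua") in SUSPICIOUS_USER_AGENTS:
            hits.append("user_agent")
    return hits


def scan(lines) -> list:
    """Return (line_number, hits) for every line matching at least one indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = match_iocs(parse_line(line))
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample telemetry; hosts, IPs and accounts of the victim side are placeholders.
SAMPLE_LOG = [
    'ts=2025-08-07T09:12:01Z type=teams_chat external=true sender_upn=admin@cybersecurityadm.onmicrosoft.com sender_display="Help Desk Specialist " recipient=j.doe@corp.example',
    'ts=2025-08-07T09:13:44Z type=teams_chat external=false sender_upn=a.smith@corp.example sender_display="Alice Smith" recipient=j.doe@corp.example',
    'ts=2025-08-07T09:20:10Z type=proxy src=10.0.5.23 dst_ip=104.21.40.219 url=https://audiorealteak.com/payload/build.ps1 ua="Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6"',
    'ts=2025-08-07T09:21:00Z type=proxy src=10.0.5.23 dst_ip=203.0.113.10 url=https://www.example.com/ ua="Mozilla/5.0"',
    'ts=2025-08-07T09:25:30Z type=teams_chat external=true sender_upn=someone@partner.example sender_display="IT SUPPORT" recipient=j.doe@corp.example',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Display names are normalized before comparison because the padded variants on the page ("Help Desk Specialist ") would otherwise slip past an exact string match; URL matching falls back to the host so a renamed payload path on a listed domain is still surfaced.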
Recommended Actions
- Monitor Teams Traffic: Investigate external Teams communication attempts and suspicious user names (e.g., IT support impersonation).
- Enforce Endpoint Security: Ensure endpoint detection and response (EDR) solutions are active and properly configured to detect PowerShell execution and credential theft attempts.
- Restrict Remote Access Tools: Disable or tightly control remote access tools like QuickAssist and AnyDesk unless absolutely necessary.
- Verify IT Support Requests: Train employees to authenticate IT support requests via alternative communication channels (e.g., internal phone lines, email).
- Apply Security Best Practices: Use least privilege access for remote support tools and limit the number of users with administrative access to critical systems.
- Enable MFA: Adopt stronger authentication measures like hardware-backed MFA for accessing corporate resources.
- Educate Employees: Train staff on social engineering techniques and the importance of verifying any unexpected IT support requests.
- Network Segmentation: Ensure that users’ access to sensitive data and systems is segmented, limiting lateral movement in the event of a breach.
References
https://cybersrcc.com/2025/08/07/hackers-leverage-microsoft-teams-to-spread-matanbuchus-3-0-malware…
https://rewterz.com/threat-advisory/hackers-exploiting-microsoft-teams-and-quick-assist-for-remote-…
https://cybersecuritynews.com/microsoft-teams-for-remote-access/