Sophisticated Vishing Attack Exploits Microsoft Teams and QuickAssist to Deliver Fileless Malware

A new cyberattack targeting Microsoft Teams users exploits trust and social engineering to deploy fileless malware. Threat actors are combining a multi-stage vishing (voice phishing) campaign with legitimate collaboration and remote-support tools to bypass modern security defenses, leaving organizations exposed to stealthy intrusions.

The attack begins innocuously with a Teams call from someone impersonating a senior member of the IT staff, using a spoofed display name to gain credibility. Through persuasive social engineering, the victim is instructed to open QuickAssist, a legitimate Microsoft remote support tool, which hands the caller remote control of the system. Within approximately ten minutes, the user is directed to a fake verification page hosted at ciscocyber[.]com/verify.php, which delivers a malicious file disguised as an update utility, “updater.exe.”

This executable is not a conventional malware dropper. Researchers from Trustwave SpiderLabs and LevelBlue found it to be a .NET Core 8.0 wrapper containing a hidden module, “loader.dll.” The loader contacts the external domain jysync[.]info to fetch both the encryption keys and an encrypted payload, decrypts the payload using a combination of AES-CBC and XOR, and executes the resulting code directly in memory via .NET reflection. Neither the keys nor the decrypted payload are written to disk, so from the moment updater.exe runs the infection chain is fileless and evades file-based endpoint detection.

Technical analysis revealed debug strings pointing to Microsoft build paths, suggesting the attackers repurposed legitimate .NET components to mask their activity. Two SHA-256 hashes are associated with the campaign and can be used to identify compromised systems: 2d751f48376c777dd76090130740cfd04693b3da12d03e94e3e6514e864410fc and 7d29bf061719dc442dc00f670768d7a52a70c029678bd67a07b17317ffbd8c69. Both domains used in the attack currently return 404 errors, but they could be reactivated at any time, so the risk is ongoing.

This campaign highlights a growing trend in which attackers blend social engineering with technical sophistication, using trusted platforms and legitimate utilities to infiltrate networks. Security experts recommend disabling QuickAssist where feasible, enforcing strict out-of-band verification for IT support requests (calling back on a known number rather than trusting a Teams display name), and monitoring outbound traffic for connections to the domains listed above.

What Undercode Say:

This attack exemplifies the convergence of psychological manipulation and technical sophistication in modern cybercrime. By operating through Microsoft Teams, the attackers exploit the trust employees place in internal IT communications and sidestep the e-mail-focused phishing controls most organizations rely on. The fileless stage is a significant evolution in tradecraft: memory-resident code leaves minimal forensic evidence on disk and evades antivirus products that only scan files.

The campaign’s technical construction is notable. A .NET Core 8.0 wrapper with an embedded loader module lets the attackers reuse legitimate software components, so the binary looks more like an ordinary application than a dropper. The encryption scheme, AES-CBC combined with XOR, keeps the payload unreadable until it is decrypted at runtime, and because the keys are fetched from jysync[.]info rather than embedded, a copy of updater.exe on its own is not enough to recover the payload; analysts need the key material from a network capture or a live run. Executing the decrypted assembly via .NET reflection then sidesteps file-based detection entirely.

From an enterprise perspective, the attack underscores how exposed remote collaboration and remote support tools have become now that they are central to daily operations. IT teams must recognize that legitimate software can be weaponized against users and that endpoint protection alone is insufficient. Effective mitigation combines user education, proactive monitoring, and strict operational protocols for remote support tools.

The attackers’ infrastructure is another concern. The domains involved currently return errors, but they can be reactivated or replaced with new infrastructure quickly, so detection that depends only on these two domains will age fast. This reflects a broader shift toward persistent, adaptable campaigns that exploit both human psychology and technical complexity.

Organizations should adopt a multi-layered defense: disable unnecessary tools, validate every IT request, and deploy behavioral monitoring capable of catching memory-only malware. Clear reporting protocols for suspicious communications reduce the chance that a social engineering attempt succeeds unnoticed.

The campaign is a wake-up call for security teams to reconsider their endpoint detection approach. Signature-based detection is increasingly ineffective against memory-resident malware. Behavioral analytics, network traffic inspection, and anomaly detection are what identify such threats before a system is fully compromised.
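A behavioral rule of the kind this paragraph calls for, as an added example rather than code from the report or from the researchers, does not need this campaign’s hashes or domains at all. It looks for the sequence the report describes, generalized: a remote-support tool starting on a host, followed within a short window by a new executable launched from a user-writable directory that then makes its own outbound connection. The Sysmon-style event shape, the field names, the QuickAssist install path and every event below are constructed for the example.

```python
"""Behavioural chain detection: remote-support session, then a staged binary phones home.

Added example, not code from the report, Trustwave SpiderLabs or LevelBlue.
Event shape (host, ts, event, pid, image, parent/dest) and all events are
constructed; they mimic process-creation and network-connection telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

WINDOW = timedelta(minutes=20)  # the report puts the download ~10 minutes after the call
REMOTE_SUPPORT_TOOLS = {"quickassist.exe"}
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\")


def parse_ts(value: str) -> datetime:
    """ISO-8601 with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def basename(image: str) -> str:
    """Windows basename, lower-cased, regardless of the platform the rule runs on."""
    return ntpath.basename(image).lower()


def is_user_writable(image: str) -> bool:
    """Heuristic: a binary a victim was talked into running lands under the profile or temp."""
    low = image.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def correlate(events):
    """One alert per (host, remote-support start, staged binary, first outbound connect)."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        starts = [e for e in evs
                  if e["event"] == "ProcessCreate"
                  and basename(e["image"]) in REMOTE_SUPPORT_TOOLS]
        for start in starts:
            t0 = parse_ts(start["ts"])
            deadline = t0 + WINDOW
            for staged in evs:
                ts = parse_ts(staged["ts"])
                if not (t0 < ts <= deadline):
                    continue
                if staged["event"] != "ProcessCreate" or not is_user_writable(staged["image"]):
                    continue
                # Tie the network event to the staged process by PID: a browser
                # fetching the page is normal, the downloaded binary calling out is not.
                connects = [c for c in evs
                            if c["event"] == "NetworkConnect"
                            and c["pid"] == staged["pid"]
                            and ts <= parse_ts(c["ts"]) <= deadline]
                if connects:
                    alerts.append({
                        "host": host,
                        "remote_support_at": start["ts"],
                        "staged_image": staged["image"],
                        "staged_pid": staged["pid"],
                        "dest": connects[0]["dest"],
                        "minutes_after_support_start": (ts - t0).total_seconds() / 60,
                    })
    return alerts


# Constructed events (not real telemetry). Timestamps are UTC.
SAMPLE_EVENTS = [
    # WS01: the chain the report describes
    {"host": "WS01", "ts": "2025-06-01T09:58:00Z", "event": "ProcessCreate", "pid": 3100,
     "image": "C:\\Program Files\\WindowsApps\\QuickAssist\\QuickAssist.exe", "parent": "explorer.exe"},
    {"host": "WS01", "ts": "2025-06-01T10:07:40Z", "event": "NetworkConnect", "pid": 2204,
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest": "ciscocyber.com"},
    {"host": "WS01", "ts": "2025-06-01T10:08:10Z", "event": "ProcessCreate", "pid": 4412,
     "image": "C:\\Users\\alice\\Downloads\\updater.exe", "parent": "explorer.exe"},
    {"host": "WS01", "ts": "2025-06-01T10:08:25Z", "event": "NetworkConnect", "pid": 4412,
     "image": "C:\\Users\\alice\\Downloads\\updater.exe", "dest": "jysync.info"},
    # WS02: a legitimate help-desk session, nothing staged afterwards
    {"host": "WS02", "ts": "2025-06-01T11:00:00Z", "event": "ProcessCreate", "pid": 3300,
     "image": "C:\\Program Files\\WindowsApps\\QuickAssist\\QuickAssist.exe", "parent": "explorer.exe"},
    {"host": "WS02", "ts": "2025-06-01T11:03:00Z", "event": "NetworkConnect", "pid": 2300,
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest": "intranet.example.local"},
    # WS03: a Downloads binary that calls out, but no remote-support precursor
    {"host": "WS03", "ts": "2025-06-01T12:00:00Z", "event": "ProcessCreate", "pid": 5000,
     "image": "C:\\Users\\bob\\Downloads\\setup.exe", "parent": "explorer.exe"},
    {"host": "WS03", "ts": "2025-06-01T12:00:05Z", "event": "NetworkConnect", "pid": 5000,
     "image": "C:\\Users\\bob\\Downloads\\setup.exe", "dest": "updates.example.net"},
    # WS04: the same chain, but hours apart, so outside the window
    {"host": "WS04", "ts": "2025-06-01T08:00:00Z", "event": "ProcessCreate", "pid": 3400,
     "image": "C:\\Program Files\\WindowsApps\\QuickAssist\\QuickAssist.exe", "parent": "explorer.exe"},
    {"host": "WS04", "ts": "2025-06-01T10:30:00Z", "event": "ProcessCreate", "pid": 6100,
     "image": "C:\\Users\\carol\\AppData\\Local\\Temp\\tool.exe", "parent": "explorer.exe"},
    {"host": "WS04", "ts": "2025-06-01T10:30:05Z", "event": "NetworkConnect", "pid": 6100,
     "image": "C:\\Users\\carol\\AppData\\Local\\Temp\\tool.exe", "dest": "example.org"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("remote-support chain alert:", alert)
```

The rule fires only on WS01: WS02 is a normal support session, WS03 lacks the remote-support precursor, and WS04 falls outside the window. It will still produce noise in environments where users routinely run installers from Downloads right after a help-desk call, so tune the window and the path markers, or treat the output as a hunting lead rather than a blocking alert. The point is that none of the matching depends on ciscocyber[.]com, jysync[.]info or the two hashes, so the rule keeps working when the attackers rotate infrastructure.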

The incident also illustrates the value of threat intelligence sharing. Disseminating the SHA-256 hashes and malicious domains lets organizations detect and contain infections quickly. Collaboration between industry and security researchers, as demonstrated by Trustwave SpiderLabs and LevelBlue, remains vital for preempting similar attacks.

Finally, the case shows how vishing is evolving. The blend of real-time voice communication, social engineering, and sophisticated malware delivery is a new frontier in enterprise threats. Organizations must adapt not only technically but culturally, so that employees understand that even a trusted internal channel can be abused.

Fact Checker Results:

✅ The campaign uses Microsoft Teams and QuickAssist for initial access.
✅ The payload is fileless: it is decrypted and executed in memory via .NET reflection.
❌ The malicious domains are not currently live: both return 404, but the infrastructure may be reactivated.

Prediction:

📊 We can expect more memory-resident, fileless attacks targeting collaboration platforms. Enterprises that rely heavily on remote communication tools will face growing pressure to improve behavioral monitoring and endpoint verification. As attackers refine their social engineering, human-focused defenses will become as crucial as technical safeguards, and threat intelligence sharing and rapid incident response will decide how much damage future vishing campaigns do.


References:

Reported By: cyberpress.org
