Microsoft Teams Voice Calls Become a Dangerous Cyber Weapon as Attackers Deploy EtherRAT Through Fake IT Support + Video

Listen to this Post

Featured ImageIntroduction: A Trusted Workplace Tool Is Being Turned Into an Entry Point for Cybercriminals

For years, organizations have encouraged employees to trust collaboration platforms such as Microsoft Teams for communication with colleagues, managers, and IT departments. Unfortunately, cybercriminals have learned that the easiest way into a corporate network is often through trust rather than technical vulnerabilities.

Security researchers have now uncovered a sophisticated social engineering campaign where attackers impersonate corporate IT support staff through Microsoft Teams voice calls. Instead of exploiting software flaws, the attackers manipulate employees into voluntarily giving them remote access to their computers. Once that access is granted, a powerful malware family known as EtherRAT is quietly installed, giving criminals complete control over compromised systems.

The campaign demonstrates how modern cyberattacks increasingly rely on psychological manipulation combined with legitimate enterprise tools, making detection significantly more difficult for traditional security solutions.

Campaign Overview: Fake IT Support Calls Deliver EtherRAT Malware

Researchers from Palo Alto

The attack begins with a carefully crafted phishing email disguised as an “Employee Survey.” Attached to the email is a malicious PDF document designed to appear harmless enough that employees will open it without hesitation.

Shortly after interacting with the document, the victim receives a Microsoft Teams voice call from someone claiming to be a company System Administrator or IT support technician.

Although Microsoft Teams displays an “External unfamiliar” warning indicating that the caller belongs to another Microsoft 365 tenant, many users ignore or misunderstand the warning, especially when the caller speaks confidently and appears knowledgeable about corporate processes.

The attackers reportedly initiated conversations using the account:

[email protected][.]com

By pretending to resolve an urgent technical issue, the fake IT representative convinces employees to begin a remote support session.

Attack Chain: From Teams Call to Full Network Compromise

Once the employee trusts the caller, the attack quickly escalates.

The attacker asks the victim to share their screen through Microsoft Teams and eventually requests permission to remotely control the device.

After obtaining remote access, the attackers install legitimate remote management software including:

HopToDesk

AnyDesk

Because these are genuine remote administration tools frequently used by businesses, they rarely trigger antivirus software or security alerts.

With persistent remote access established, the attackers download a malicious installer named v7.msi from the domain:

camorreado[.]click

Rather than directly installing malware, this MSI functions as a sophisticated loader.

It downloads a legitimate Node.js runtime, decrypts hidden malicious components, and silently launches EtherRAT without raising immediate suspicion.

Understanding EtherRAT: A Modern Cross-Platform Remote Access Trojan

EtherRAT is a powerful Remote Access Trojan (RAT) written entirely in Node.js, making it capable of operating across multiple operating systems.

Once installed, the malware grants attackers nearly unrestricted control over the infected computer.

Its capabilities include:

Executing remote commands

Browsing and modifying files

Stealing sensitive corporate information

Maintaining long-term persistence

Downloading additional malware

Expanding access across enterprise networks

One of

Instead of relying on traditional hardcoded servers that defenders can easily block, the malware retrieves updated server information from blockchain-based smart contracts, significantly complicating takedown efforts.

Researchers also note that EtherRAT was previously associated with state-sponsored attacks exploiting the React2Shell vulnerability before becoming available to a broader range of threat actors.

Evidence Suggests the Malware Is Still Rapidly Evolving

During their investigation, Unit 42 researchers discovered an exposed directory on one of the malware distribution servers.

The directory contained multiple versions of the installer ranging from v1 through v9, suggesting active development and continuous improvements by the attackers.

This indicates the campaign is not a one-time operation but rather an evolving malware ecosystem where new features, bypass techniques, and infection methods are continuously introduced.

Such ongoing development often signals that the operators are investing substantial resources into maintaining long-term access to enterprise environments.

Microsoft Teams Is Becoming a Preferred Platform for Cybercriminals

This incident is not isolated.

Over the past year, Microsoft Teams has increasingly become one of the preferred communication platforms abused by cybercriminals.

Earlier campaigns followed nearly identical tactics.

Attackers first overwhelmed victims with phishing emails before initiating Microsoft Teams conversations while impersonating internal helpdesk personnel.

Victims were persuaded to launch Quick Assist sessions, ultimately leading to deployment of another sophisticated malware family known as A0Backdoor.

Microsoft later warned organizations that external Teams accounts were increasingly being used to impersonate IT departments, allowing attackers to conduct reconnaissance, move laterally throughout corporate networks, steal sensitive information, and deploy additional malware.

The trend highlights a significant evolution in enterprise attacks where communication platforms themselves become the initial attack vector instead of email attachments or browser exploits.

Microsoft Responds with New Security Enhancements

Recognizing the growing abuse of Microsoft Teams, Microsoft has introduced multiple defensive improvements.

External callers and external chat participants are now clearly labeled to help employees recognize potential impersonation attempts.

Additional warning messages have been integrated into Teams whenever communications originate from outside an organization’s trusted environment.

More recently, Microsoft introduced a new administrative policy that automatically places suspected third-party bots into a meeting lobby until organizers explicitly approve their entry.

These enhancements add valuable security layers, but Microsoft continues to emphasize that employee awareness remains the strongest defense against social engineering attacks.

Technology alone cannot stop an employee from voluntarily granting remote access to an attacker they mistakenly trust.

Deep Analysis

Command 1: Social Engineering Has Become More Effective Than Software Exploits

Attackers no longer need zero-day vulnerabilities when human trust delivers the same outcome. This campaign proves that convincing employees is often easier than bypassing security software.

Command 2: Legitimate Software Is Increasingly Being Weaponized

HopToDesk, AnyDesk, Microsoft Teams, and Node.js are legitimate enterprise tools. Attackers exploit their trusted reputation to blend malicious activity with normal business operations.

Command 3: Blockchain Is Emerging as Malware Infrastructure

EtherRAT’s use of Ethereum smart contracts represents a growing trend where decentralized technologies are leveraged to improve malware resilience against infrastructure takedowns.

Command 4: Identity Verification Is Becoming a Critical Security Control

Employees frequently assume that anyone contacting them through internal collaboration tools is trustworthy. Organizations must establish strict verification procedures before granting remote access.

Command 5: Security Awareness Training Must Evolve

Traditional phishing simulations are no longer enough. Companies should now train employees to recognize fraudulent voice calls, Teams impersonation, fake IT support requests, and remote-access scams.

Command 6: Detection Must Extend Beyond Malware Signatures

Since attackers rely heavily on legitimate applications, organizations need behavioral analytics capable of identifying suspicious combinations of Teams sessions, remote-control software, and unusual administrative activity.

Command 7: Continuous Monitoring Is Essential

The discovery of multiple malware versions indicates ongoing development. Defensive teams should continuously update detection rules instead of assuming today’s indicators will remain valid tomorrow.

Command 8: Zero Trust Principles Continue to Prove Their Value

Every remote session, identity, device, and privilege request should be verified regardless of where it originates. Blind trust in collaboration platforms is becoming an increasingly dangerous assumption.

What Undercode Say:

This campaign perfectly illustrates the next generation of enterprise cyberattacks. Rather than exploiting technical weaknesses, attackers exploit workplace culture. Employees are trained to cooperate with IT support, respond quickly to urgent requests, and trust familiar collaboration platforms. Cybercriminals understand this psychology exceptionally well.

The use of Microsoft Teams demonstrates that collaboration software has become as attractive to attackers as email once was. As organizations continue embracing hybrid work, attackers naturally follow users into these environments.

Even more concerning is the combination of trusted technologies throughout the attack chain. Microsoft Teams, AnyDesk, HopToDesk, Node.js, MSI installers, and Ethereum smart contracts are all legitimate technologies individually. Together, however, they create an attack sequence that easily bypasses many traditional security controls.

EtherRAT itself represents an evolution in malware architecture. Leveraging Node.js provides excellent portability across operating systems, while blockchain-based command-and-control discovery makes infrastructure disruption far more challenging. This indicates that malware developers are adopting modern software engineering practices to increase resilience and operational flexibility.

The discovery of multiple installer versions strongly suggests continuous testing and iterative development. Threat actors appear to be refining their techniques based on operational feedback, much like legitimate software companies improve products through version releases.

Organizations should also recognize that warning labels alone are insufficient. Even though Microsoft Teams identified the caller as an external account, social engineering still succeeded because users naturally prioritize the human interaction over interface warnings. Security awareness programs must therefore evolve beyond recognizing suspicious emails to include voice phishing, collaboration-platform impersonation, and remote-access manipulation.

From a defensive standpoint, security operations centers should closely monitor unusual combinations of Teams activity followed by installations of remote administration tools, MSI executions, Node.js deployments, and outbound encrypted connections. Individually these activities appear legitimate, but together they form a recognizable attack pattern.

Finally, this campaign reinforces a broader cybersecurity reality: attackers increasingly target people before targeting technology. Human trust remains one of the most valuable assets within any organization, making education, verification procedures, behavioral monitoring, and Zero Trust security models more important than ever.

✅ Confirmed: Palo Alto

✅ Confirmed: EtherRAT is a Node.js-based remote access trojan capable of executing commands, stealing data, maintaining persistence, and using Ethereum smart contracts to retrieve command-and-control information.

✅ Confirmed: Microsoft has introduced additional Teams protections, including clearer warnings for external users and policies designed to reduce abuse involving third-party participants, reflecting the increasing misuse of collaboration platforms by cybercriminals.

Prediction

(+1) Organizations will significantly strengthen verification procedures for remote IT support sessions, requiring identity validation before employees grant screen sharing or remote control access.

(-1) Threat actors will increasingly shift from email-only phishing toward voice phishing and collaboration-platform impersonation because these techniques consistently bypass traditional security awareness training and endpoint defenses.

(+1) Security vendors will expand behavioral detection capabilities that correlate Microsoft Teams activity, remote administration software execution, and abnormal system behavior to identify attacks before malware achieves persistence.

▶️ Related Video (74% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.facebook.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube