Fraud · HIGH

Voice Phishing Attack - Microsoft Teams Support Call Compromise

Microsoft Security Blog

Basically, a hacker tricked an employee into giving access through a fake support call.

Quick Summary

A Microsoft Teams support call led to a serious voice phishing attack. Multiple employees were targeted, resulting in compromised corporate devices. Learn how to strengthen your defenses against such threats.

What Happened

In a recent investigation by Microsoft’s Detection and Response Team (DART), a voice phishing attack using Microsoft Teams was uncovered. The incident began when a customer sought IT support in November 2025. A threat actor impersonated IT support, targeting multiple employees. After two failed attempts, they successfully convinced a third user to grant remote access via Quick Assist, leading to the compromise of a corporate device.

Once the attacker gained remote access, they shifted tactics. They guided the user to a malicious website where the user entered corporate credentials into a spoofed web form. This action initiated the download of malicious payloads. Among the first artifacts was a disguised Microsoft Installer (MSI) package that exploited trusted Windows mechanisms to sideload a malicious dynamic link library (DLL), establishing outbound command-and-control connections. This allowed the attacker to execute code under the guise of legitimate software.

Who's Being Targeted

The attack specifically targeted employees who were likely to respond to IT support requests. The nature of the attack relied on social engineering, exploiting the human instinct to be helpful and responsive. By impersonating trusted IT personnel, the attacker created a sense of urgency, which can easily override caution. This highlights a growing trend where threat actors leverage collaboration platforms like Microsoft Teams to gain initial access, rather than relying solely on software vulnerabilities.

Signs of Infection

Indicators of this type of attack include unusual remote access requests and prompts for corporate credentials via unexpected channels. In this case, evidence from browser history and Quick Assist artifacts revealed that the user had been directed to enter sensitive information into a fake web form. The presence of disguised MSI packages and subsequent malicious payloads indicated that the threat actor had established a foothold in the environment, enabling further exploitation.

How to Protect Yourself

To mitigate risks associated with such attacks, organizations must take proactive measures. DART recommends tightening external collaboration settings in Microsoft Teams. This includes restricting inbound communications from unmanaged accounts and implementing an allowlist model for trusted external domains. Additionally, reviewing the use of remote access tools like Quick Assist is crucial. Organizations should disable or remove unnecessary tools to limit potential attack vectors. These strategies can significantly reduce the chances of falling victim to identity-driven compromises, while still allowing employees to collaborate effectively.
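The Teams and Quick Assist recommendations above can be applied from PowerShell. This is an added example, not taken from the Microsoft article. It assumes the MicrosoftTeams module with a Teams administrator session and the Store-packaged Quick Assist app; the domains in `$TrustedDomains` are constructed placeholders.

```powershell
# Added example: restrict Teams external access to an allowlist and block
# inbound contact from unmanaged Teams accounts, then remove Quick Assist.
# Placeholder allowlist (constructed values): replace with real partner domains.
$TrustedDomains = @('partner.example', 'supplier.example')
$show = 'AllowFederatedUsers', 'AllowedDomains', 'AllowTeamsConsumer', 'AllowTeamsConsumerInbound'

Connect-MicrosoftTeams | Out-Null

# 1. Audit the current federation posture before changing anything.
$before = Get-CsTenantFederationConfiguration
$before | Format-List $show
if ($before.AllowTeamsConsumerInbound) {
    Write-Warning 'Unmanaged Teams accounts can currently start chats and calls with your users.'
}

# 2. Build the allowlist as the List[string] that -AllowedDomainsAsAList expects.
$allow = New-Object 'System.Collections.Generic.List[string]'
$TrustedDomains | ForEach-Object { $allow.Add($_) }

# 3. Keep federation on for allowlisted domains only, and switch off both
#    directions of communication with unmanaged (consumer) Teams accounts.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $allow `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# 4. Confirm the change was applied.
Get-CsTenantFederationConfiguration | Format-List $show

# --- Run separately, elevated, on endpoints that do not need Quick Assist ---
$pkg = 'MicrosoftCorporationII.QuickAssist'

# Remove the app for existing user profiles.
Get-AppxPackage -AllUsers -Name $pkg | Remove-AppxPackage -AllUsers

# Remove the provisioned copy so new profiles do not get it back.
Get-AppxProvisionedPackage -Online |
    Where-Object DisplayName -eq $pkg |
    Remove-AppxProvisionedPackage -Online
```

Federation changes can take time to propagate across the tenant, so re-run the audit step later to confirm the effective state.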

By understanding the tactics used in this attack, organizations can better prepare themselves against future threats, ensuring that trust within their environments does not become a vulnerability.

🔒 Pro insight: This incident underscores the need for enhanced training on social engineering tactics, particularly within collaboration tools like Microsoft Teams.

Original article from Microsoft Security Blog · Microsoft Incident Response
