Threat actors are once again exploiting the trust people place in everyday workplace tools.
A newly discovered phishing campaign is using fake Microsoft Teams notifications to trick employees into downloading a remote access tool that gives attackers full control over their systems.
The operation is carefully designed to look legitimate at every step, making it especially dangerous for organizations that rely on Teams for daily communication.
The campaign begins with a simple but convincing message. Victims receive phishing emails or messages that appear to come from Microsoft Teams, alerting them that a meeting transcript or recording is ready to download.
The urgency and familiarity built into these messages are enough to push many users into clicking without a second thought. Once they do, they land on a fake page styled to look exactly like the real Microsoft Teams interface.
Analysts at Cyfirma identified this campaign and published a detailed report shared with Cyber Security News (CSN), revealing how the threat actors built a sophisticated, far-reaching operation.
What makes this campaign stand out is not just the convincing lures but the infrastructure behind it, a combination of compromised legitimate websites and attacker-controlled cloud hosting that keeps activity under the radar.
The compromised websites belong to real businesses such as cafes, law firms, medical practices, and schools, spread across countries including the US, UK, Brazil, India, and Russia.
Using trusted domains helps the attackers bypass email filters and browser warnings that would otherwise flag suspicious links.
They also use dedicated hosting through Cloudflare Workers and Pages, along with cheap domain extensions like .icu, .sbs, and .online for quick, low-cost deployment.
Infrastructure age analysis shows this is not a short-lived effort. Roughly 56 percent of the identified infrastructure falls within the three-to-six-month range, suggesting a major expansion phase began around March 2026.
The campaign remains actively maintained, with fresh deployments confirmed at the time of analysis.
Microsoft Teams Impersonation Campaign
Once a victim clicks the download link on the fake Teams page, they receive a signed Windows installer file. Because it is signed by a legitimate software vendor, security tools are far less likely to flag it.
The file installs a real remote monitoring and management tool, but pre-configured to connect back to attacker-controlled relay servers rather than legitimate ones.
The installer runs silently, dropping files into the user’s temp directory and invoking custom DLLs through standard Windows utilities.
It also includes tricks to avoid security researchers, such as USB device checks, debugger detection, and extended sleep delays designed to outlast automated analysis environments.
By the time anything unusual is flagged, the attacker may already have a working connection into the victim’s system.
Multi-Layered Persistence and Credential Theft
What happens after installation is where the real damage unfolds. The attackers establish multiple persistence mechanisms to ensure they keep access even if the user restarts or tries to remove the tool.
A Windows service is created with auto-start configuration, and a registry entry ensures the service survives even when the system boots into Safe Mode with Networking.
Beyond holding access, the attackers register a credential provider DLL within the Windows authentication system, allowing them to capture passwords entered at the login screen.
They also register as an LSA authentication package, granting deep access to the security subsystem for credential harvesting. These are not the moves of an opportunistic attacker but of a well-resourced group with clear long-term objectives.
Organizations should focus on behavior-based detection rather than signature checks alone. Phishing awareness training, especially around collaboration platform lures, is a strong first line of defense.
Enforcing multi-factor authentication, restricting software installation to administrators, and deploying endpoint detection tools are all important steps.
Security teams should monitor for new Windows services, changes to LSA authentication packages, and unusual outbound connections from newly installed software. Any system suspected of compromise should undergo a full forensic review and a complete credential reset before returning to service.
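As an added example, not taken from the Cyfirma report or this article: a PowerShell audit that enumerates the three locations the campaign abuses (LSA authentication packages, registered credential providers, and services permitted to start in Safe Mode with Networking) and flags entries that fall outside a baseline. The allow list of expected LSA packages and the rule that legitimate components live under the Windows directory are assumptions; tune both against a known-good image of the same OS build.

```powershell
# Added audit script (not from the Cyfirma report). Run from an elevated
# PowerShell on the host under review. Assumptions: 'msv1_0' is the only
# expected LSA authentication package, and components loaded from outside
# the Windows directory are unexpected. Adjust both against a clean baseline.

$ExpectedLsaPackages = @('msv1_0')
$WindowsDir = [regex]::Escape($env:SystemRoot)

function Get-LsaAuthPackageFindings {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($pkg in @($lsa.'Authentication Packages')) {   # REG_MULTI_SZ -> string[]
        [pscustomobject]@{ Area = 'LSA Authentication Package'; Name = $pkg; Path = $null
                           Flag = ($ExpectedLsaPackages -notcontains $pkg) }
    }
}

function Get-CredentialProviderFindings {
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    foreach ($k in Get-ChildItem -Path $root) {
        # Each subkey is a CLSID; its InprocServer32 entry names the DLL LogonUI will load
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$($k.PSChildName)\InprocServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty -Path $srv).'(default)' } else { '<missing>' }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        [pscustomobject]@{ Area = 'Credential Provider'; Name = $k.PSChildName; Path = $dll
                           Flag = ($dll -notmatch "$WindowsDir\\") }
    }
}

function Get-SafeBootNetworkFindings {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
    foreach ($k in Get-ChildItem -Path $root) {
        # Only 'Service' entries matter here; 'Driver' entries are device-class groups
        if ((Get-ItemProperty -Path $k.PSPath).'(default)' -ne 'Service') { continue }
        $svc = Get-CimInstance Win32_Service -Filter "Name='$($k.PSChildName)'"
        if (-not $svc) { continue }   # stale entry for a service that no longer exists
        [pscustomobject]@{ Area = 'SafeBoot Network Service'; Name = $svc.Name; Path = $svc.PathName
                           Flag = ($svc.StartMode -eq 'Auto' -and $svc.PathName -notmatch "$WindowsDir\\") }
    }
}

# Flagged rows first: an auto-start service outside the Windows directory that is also
# allowed in Safe Mode with Networking, or a non-default LSA package, is worth a forensic look
$findings = @(Get-LsaAuthPackageFindings) + @(Get-CredentialProviderFindings) + @(Get-SafeBootNetworkFindings)
$findings | Sort-Object Flag -Descending | Format-Table Area, Name, Path, Flag -AutoSize
```

Legitimate third-party credential providers (smart-card, VPN or password-manager components) will also be flagged by the directory rule, so compare the output against the same script's result on a clean build rather than treating every flag as a compromise.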