Hackers Hijack Microsoft Teams to Deploy Hidden Malware

Key Takeaways

• Attackers hijack real Microsoft Teams accounts to impersonate IT support staff
• The ModeloRAT malware evades detection by major endpoint security products
• Victims are tricked into running PowerShell commands disguised as diagnostic tools

Security researchers have uncovered an attack that turns Microsoft Teams into a weapon against corporate networks. Hackers are hijacking legitimate Teams accounts, posing as IT helpdesk staff, and convincing employees to install malware that slips past major antivirus products.

The scheme, documented by GBHackers, uses a combination of social engineering and technical sophistication. Some attackers create fresh Teams accounts to impersonate existing IT employees. Others use accounts compromised in previous attacks to target new victims, creating a self-perpetuating infection cycle.

How the Attack Works

The attack begins with a Teams message from someone claiming to be IT support. The impersonation is convincing because it comes from what appears to be a legitimate corporate account.

Once contact is established, the attacker directs the victim to a custom chat client. This adds a layer of perceived legitimacy. The victim believes they're using a proper support channel.

The trap springs when the attacker asks the victim to run a PowerShell command, framing it as a "diagnostic tool." The command secretly unpacks a WinPython environment that deploys ModeloRAT malware. The infection happens without obvious signs.

Why ModeloRAT Is Hard to Stop

ModeloRAT has two main functions. One component searches for and harvests data. The other establishes a connection to attacker-controlled infrastructure, enabling remote access to the compromised machine.

The malware uses multiple persistence mechanisms. GBHackers notes that it combines run-key persistence with scheduled tasks using randomly generated names. If IT teams remove only one mechanism, the malware survives through the other.

Most concerning: GBHackers reports the malware "was able to execute without detections from several major endpoint detection and response (EDR) products." Related samples showed zero antivirus hits on VirusTotal at the time of analysis.

Part of a Growing Trend

This attack fits a pattern of increasingly sophisticated social engineering campaigns. Recent examples include password-stealing Trojans delivered through fake job interviews and deepfake CEOs directing employees to install malicious "troubleshooting" software.

AI tools are making these scams more convincing. Deepfake video and voice technology lets attackers impersonate executives. Generative AI helps craft more persuasive phishing messages without the grammar errors that once served as warning signs.

What Organizations Should Do

The core defense remains identity verification. Employees should confirm IT requests through a second channel, like calling the helpdesk directly or walking over to their desk. Any request to run PowerShell commands or download files deserves extra scrutiny.

• Verify IT requests through known phone numbers or in-person contact
• Never run PowerShell commands at the request of someone you haven't independently verified
• Report suspicious Teams messages to your security team immediately
• Consider restricting external Teams communication if your organization doesn't need it

Organizations should also review their Microsoft Teams configuration. External access settings determine who can message employees from outside the organization. Tightening these controls reduces the attack surface.

Frequently Asked Questions

How do hackers get access to legitimate Microsoft Teams accounts?

Attackers typically compromise accounts through phishing, credential stuffing, or by exploiting weak passwords. Once they have one account, they use it to target others within the same organization or partner companies.

Can antivirus software detect ModeloRAT?

At the time of analysis, ModeloRAT evaded detection by several major endpoint detection products and showed zero hits on VirusTotal. This may change as security vendors update their signatures.

How can I tell if a Teams message is from real IT support?

Verify the request through a second channel. Call your IT helpdesk using a known phone number, or ask in person. Legitimate IT staff will understand and appreciate the caution.

What should I do if I already ran a suspicious PowerShell command?

Disconnect from the network immediately and report the incident to your security team. Don't try to clean up the infection yourself, as ModeloRAT uses multiple persistence mechanisms that require professional remediation.

Source: PCGamer latest