Hackers Hijack Microsoft Teams to Deploy Hidden Malware

Key Takeaways

- Attackers hijack real Microsoft Teams accounts to impersonate IT support staff
- The ModeloRAT malware evades detection by major endpoint security products
- Victims are tricked into running PowerShell commands disguised as diagnostic tools

Security researchers have uncovered an attack that turns Microsoft Teams into a weapon against corporate networks. Hackers are hijacking legitimate Teams accounts, posing as IT helpdesk staff, and convincing employees to install malware that slips past major antivirus products.
The scheme, documented by GBHackers, uses a combination of social engineering and technical sophistication. Some attackers create fresh Teams accounts to impersonate existing IT employees. Others use accounts compromised in previous attacks to target new victims, creating a self-perpetuating infection cycle.
How the Attack Works
The attack begins with a Teams message from someone claiming to be IT support. The impersonation is convincing because it comes from what appears to be a legitimate corporate account.
Once contact is established, the attacker directs the victim to a custom chat client. This adds a layer of perceived legitimacy. The victim believes they're using a proper support channel.
The trap springs when the attacker asks the victim to run a PowerShell command, framing it as a "diagnostic tool." The command secretly unpacks a WinPython environment that deploys ModeloRAT malware. The infection happens without obvious signs.
Why ModeloRAT Is Hard to Stop
ModeloRAT has two main functions. One component searches for and harvests data. The other establishes a connection to attacker-controlled infrastructure, enabling remote access to the compromised machine.
The malware uses multiple persistence mechanisms. GBHackers notes that it combines run-key persistence with scheduled tasks using randomly generated names. If IT teams remove only one mechanism, the malware survives through the other.
Most concerning: GBHackers reports the malware "was able to execute without detections from several major endpoint detection and response (EDR) products." Related samples showed zero antivirus hits on VirusTotal at the time of analysis.
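The two persistence mechanisms described above (Run keys plus scheduled tasks with random-looking names) are both things a defender can enumerate locally. The following is an added example, not code from the article or from GBHackers' report: a PowerShell sweep that lists Run-key entries and scheduled-task actions and flags the ones that launch a script host, live in user-writable directories, or carry a machine-generated-looking name. The "random name" heuristic, the path list, and the flagged interpreters are this example's own assumptions, so expect some false positives and compare against a known-good baseline.

```powershell
# Added example, not from the article: hunt for Run-key and scheduled-task
# persistence on a Windows host. Requires the built-in ScheduledTasks module.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: script hosts and user-writable drop locations are worth a look.
$scriptHostPattern = '(?i)powershell|pwsh|python|wscript|cscript|mshta|-enc'
$userWritablePath  = '(?i)\\(AppData|Temp|ProgramData|Public)\\'

function Test-RandomLookingName {
    param([string]$Name)
    # Heuristic (assumption): an 8+ character name mixing letters and digits
    # with no spaces or dashes, or a name with no vowels at all, looks generated.
    $core = $Name -replace '[^A-Za-z0-9]', ''
    if ($core.Length -lt 8) { return $false }
    $mixed   = ($core -match '\d') -and ($core -match '[A-Za-z]') -and ($Name -notmatch '[\s\-]')
    $noVowel = $core -notmatch '[aeiouAEIOU]'
    return ($mixed -or $noVowel)
}

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/etc.; skip those metadata fields.
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            [pscustomobject]@{
                Source  = $key
                Name    = $p.Name
                Command = $cmd
                Flagged = ($cmd -match $scriptHostPattern) -or
                          ($cmd -match $userWritablePath) -or
                          (Test-RandomLookingName $p.Name)
            }
        }
    }
}

function Get-ScheduledTaskEntries {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute/Arguments; other action types yield empty strings.
            $cmd = ("{0} {1}" -f [string]$action.Execute, [string]$action.Arguments).Trim()
            [pscustomobject]@{
                Source  = "Task:$($task.TaskPath)"
                Name    = $task.TaskName
                Command = $cmd
                Flagged = ($cmd -match $scriptHostPattern) -or
                          ($cmd -match $userWritablePath) -or
                          (Test-RandomLookingName $task.TaskName)
            }
        }
    }
}

# Show only flagged items; review each one against a baseline before acting,
# and remember that removing one mechanism leaves the other in place.
@(Get-RunKeyEntries) + @(Get-ScheduledTaskEntries) |
    Where-Object Flagged |
    Format-Table Source, Name, Command -AutoSize
```

Run it in an elevated PowerShell session so the HKLM hives and all task folders are readable. The point is not the heuristic itself but the pairing: a finding in either list should prompt a check of the other, because the report describes both mechanisms being planted together.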
Part of a Growing Trend
This attack fits a pattern of increasingly sophisticated social engineering campaigns. Recent examples include password-stealing Trojans delivered through fake job interviews and deepfake CEOs directing employees to install malicious "troubleshooting" software.
AI tools are making these scams more convincing. Deepfake video and voice technology lets attackers impersonate executives. Generative AI helps craft more persuasive phishing messages without the grammar errors that once served as warning signs.
What Organizations Should Do
The core defense remains identity verification. Employees should confirm IT requests through a second channel, like calling the helpdesk directly or walking over to their desk. Any request to run PowerShell commands or download files deserves extra scrutiny.
- Verify IT requests through known phone numbers or in-person contact
- Never run PowerShell commands at the request of someone you haven't independently verified
- Report suspicious Teams messages to your security team immediately
- Consider restricting external Teams communication if your organization doesn't need it
Organizations should also review their Microsoft Teams configuration. External access settings determine who can message employees from outside the organization. Tightening these controls reduces the attack surface.
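The external access review described above can be done from the MicrosoftTeams PowerShell module. The following is an added example, not code from the article: it reads the tenant's federation settings, then shows the two hardening options in turn, switching external chat off entirely, or keeping it on but limited to an allow list. The cmdlets are the module's real ones; the partner domain is a placeholder, and which option fits depends on whether the organization actually needs to chat with outside tenants.

```powershell
# Added example, not from the article: review and tighten Teams external access.
# Requires the MicrosoftTeams module and a Teams administrator account.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Review the current settings. AllowFederatedUsers governs chat with other
#    Microsoft 365 tenants; the Teams consumer / public switches govern personal accounts.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer,
                  AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains

# 2a. Option A: the organization does not need external Teams chat at all.
#     Turn off tenant federation and personal-account access in one step.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $false `
    -AllowPublicUsers $false `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# 2b. Option B: some partner tenants are needed. Keep federation on but replace
#     the default open federation with an explicit allow list.
#     'partner.example.com' is a placeholder for a real partner domain.
$allowed = New-Object System.Collections.Generic.List[string]
$allowed.Add('partner.example.com')
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $allowed `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# 3. Confirm the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains
```

Option A is the stronger control. Option B still closes the path the article describes for accounts created on arbitrary tenants, while leaving the cross-tenant path open to the listed partners only; an account compromised inside an allowed partner can still reach your users, so the second-channel verification above stays necessary.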
Frequently Asked Questions
How do hackers get access to legitimate Microsoft Teams accounts?
Attackers typically compromise accounts through phishing, credential stuffing, or by exploiting weak passwords. Once they have one account, they use it to target others within the same organization or partner companies.
Can antivirus software detect ModeloRAT?
At the time of analysis, ModeloRAT evaded detection by several major endpoint detection products and showed zero hits on VirusTotal. This may change as security vendors update their signatures.
How can I tell if a Teams message is from real IT support?
Verify the request through a second channel. Call your IT helpdesk using a known phone number, or ask in person. Legitimate IT staff will understand and appreciate the caution.
What should I do if I already ran a suspicious PowerShell command?
Disconnect from the network immediately and report the incident to your security team. Don't try to clean up the infection yourself, as ModeloRAT uses multiple persistence mechanisms that require professional remediation.
Source: PCGamer latest
Huma Shazia
Senior AI & Tech Writer