Hackers Hijack Microsoft Teams to Deploy Hidden Malware

Key Takeaways

- Attackers hijack real Microsoft Teams accounts to impersonate IT support staff
- The ModeloRAT malware evades detection by major endpoint security products
- Victims are tricked into running PowerShell commands disguised as diagnostic tools

Security researchers have uncovered an attack that turns Microsoft Teams into a weapon against corporate networks. Hackers are hijacking legitimate Teams accounts, posing as IT helpdesk staff, and convincing employees to install malware that slips past major antivirus products.
The scheme, documented by GBHackers, uses a combination of social engineering and technical sophistication. Some attackers create fresh Teams accounts to impersonate existing IT employees. Others use accounts compromised in previous attacks to target new victims, creating a self-perpetuating infection cycle.
How the Attack Works
The attack begins with a Teams message from someone claiming to be IT support. The impersonation is convincing because it comes from what appears to be a legitimate corporate account.
Once contact is established, the attacker directs the victim to a custom chat client. This adds a layer of perceived legitimacy. The victim believes they're using a proper support channel.
The trap springs when the attacker asks the victim to run a PowerShell command, framing it as a "diagnostic tool." The command secretly unpacks a WinPython environment that deploys ModeloRAT malware. The infection happens without obvious signs.
Why ModeloRAT Is Hard to Stop
ModeloRAT has two main functions. One component searches for and harvests data. The other establishes a connection to attacker-controlled infrastructure, enabling remote access to the compromised machine.
The malware uses multiple persistence mechanisms. GBHackers notes that it combines run-key persistence with scheduled tasks using randomly generated names. If IT teams remove only one mechanism, the malware survives through the other.
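Because the article stresses that removing only one of the two persistence mechanisms is not enough, a responder wants both lists side by side. The script below is an added example, not code from the article or from GBHackers, and the randomness and launcher heuristics in it are assumptions for illustration rather than published ModeloRAT indicators. It enumerates the Run and RunOnce keys of both hives and every scheduled task, joins each task with its launch command, and flags entries whose name looks randomly generated (high character entropy) or whose command starts an interpreter from a user-writable path.

```powershell
# Added example (not from the article or GBHackers): defender-side triage of the two
# persistence mechanisms the write-up names, Run keys and scheduled tasks.
# Run in an elevated PowerShell session on the suspect host. The entropy threshold
# and path patterns are assumed heuristics, not published indicators.

function Get-NameEntropy {
    param([string]$Name)
    # Shannon entropy (bits per character) of a name; random-looking names score high.
    if ([string]::IsNullOrEmpty($Name)) { return 0 }
    $chars = $Name.ToLower().ToCharArray()
    $total = $chars.Count
    $entropy = 0.0
    foreach ($group in ($chars | Group-Object)) {
        $p = $group.Count / $total
        $entropy -= $p * [Math]::Log($p, 2)
    }
    return [Math]::Round($entropy, 2)
}

function Test-SuspiciousCommand {
    param([string]$Command)
    # Assumed heuristic: an interpreter (PowerShell or the Python from a WinPython
    # bundle) launched from a user-writable location rather than Program Files.
    if ([string]::IsNullOrEmpty($Command)) { return $false }
    $userWritable = $Command -match '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\'
    $interpreter  = $Command -match 'powershell|pwsh|python'
    return ($userWritable -and $interpreter)
}

$entropyThreshold = 3.5   # assumed cut-off; tune against your own baseline

# 1. Run keys in both hives (HKCU only covers the currently logged-on user).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runFindings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata properties
        $entropy = Get-NameEntropy $p.Name
        [pscustomobject]@{
            Source     = $key
            Name       = $p.Name
            Command    = $p.Value
            Entropy    = $entropy
            Suspicious = (Test-SuspiciousCommand $p.Value) -or ($entropy -ge $entropyThreshold)
        }
    }
}

# 2. Scheduled tasks, joined with their first action so the launch command is visible.
#    Randomly named tasks are only flagged in the root folder, where third-party tasks live.
$taskFindings = foreach ($task in Get-ScheduledTask) {
    $action = $task.Actions | Select-Object -First 1
    $cmd = if ($action) { "$($action.Execute) $($action.Arguments)" } else { '' }
    $entropy = Get-NameEntropy $task.TaskName
    [pscustomobject]@{
        Source     = $task.TaskPath
        Name       = $task.TaskName
        Command    = $cmd
        Entropy    = $entropy
        Suspicious = (Test-SuspiciousCommand $cmd) -or
                     (($entropy -ge $entropyThreshold) -and ($task.TaskPath -eq '\'))
    }
}

# 3. Report both mechanisms together so neither is cleaned up in isolation.
@($runFindings) + @($taskFindings) |
    Where-Object Suspicious |
    Sort-Object Source, Name |
    Format-Table Source, Name, Entropy, Command -AutoSize
```

The output is a triage list, not a verdict: legitimate vendor entries with long names can cross the entropy threshold, so each flagged row should be checked against the binary it launches before anything is removed, and the two lists should be reviewed as a pair.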
Most concerning: GBHackers reports the malware "was able to execute without detections from several major endpoint detection and response (EDR) products." Related samples showed zero antivirus hits on VirusTotal at the time of analysis.
Part of a Growing Trend
This attack fits a pattern of increasingly sophisticated social engineering campaigns. Recent examples include password-stealing Trojans delivered through fake job interviews and deepfake CEOs directing employees to install malicious "troubleshooting" software.
AI tools are making these scams more convincing. Deepfake video and voice technology lets attackers impersonate executives. Generative AI helps craft more persuasive phishing messages without the grammar errors that once served as warning signs.
What Organizations Should Do
The core defense remains identity verification. Employees should confirm IT requests through a second channel, such as calling the helpdesk on a known number or walking over to the IT team's desk. Any request to run PowerShell commands or download files deserves extra scrutiny.
- Verify IT requests through known phone numbers or in-person contact
- Never run PowerShell commands at the request of someone you haven't independently verified
- Report suspicious Teams messages to your security team immediately
- Consider restricting external Teams communication if your organization doesn't need it
Organizations should also review their Microsoft Teams configuration. External access settings determine who can message employees from outside the organization. Tightening these controls reduces the attack surface.
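The review the paragraph recommends can be done from the MicrosoftTeams PowerShell module. The script below is an added example, not from the article: it records the tenant's current external access (federation) settings, then either disables federation when there is no business need or replaces "allow all domains" with an explicit allow list of partner domains, and closes the consumer and public-account paths. The partner domain is a constructed placeholder, and the cmdlet names are the ones documented for the MicrosoftTeams module; check them against the module version in use, since the module is revised regularly.

```powershell
# Added example (not from the article): review and tighten Teams external access.
# Requires the MicrosoftTeams module and a Teams administrator role.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Record the current state before changing anything (keep this for the change record).
$before = Get-CsTenantFederationConfiguration
$before |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowPublicUsers, AllowedDomains, BlockedDomains |
    Format-List

# 2. Decide what the organization actually needs. Constructed placeholder list;
#    leave it empty if no partner organizations need to message staff via Teams.
$partnerDomains = @('partner-example.com')

if ($partnerDomains.Count -eq 0) {
    # No business need: turn federation off entirely so outside tenants cannot message staff.
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
} else {
    # Known partners: keep federation on but replace "any domain" with an explicit allow list.
    $patterns  = $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList
}

# 3. Close the personal/consumer-account paths; a corporate helpdesk never needs them.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowPublicUsers $false

# 4. Verify the result against the recorded "before" state.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowPublicUsers, AllowedDomains |
    Format-List
```

Tenant-level changes can take some time to propagate to clients, and the allow list is a deliberate trade-off: a partner domain on the list can still be abused if an account in that tenant is compromised, so the list should be as short as the business allows and reviewed when partnerships end.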
Frequently Asked Questions
How do hackers get access to legitimate Microsoft Teams accounts?
Attackers typically compromise accounts through phishing, credential stuffing, or by exploiting weak passwords. Once they have one account, they use it to target others within the same organization or partner companies.
Can antivirus software detect ModeloRAT?
At the time of analysis, ModeloRAT evaded detection by several major endpoint detection products and showed zero hits on VirusTotal. This may change as security vendors update their signatures.
How can I tell if a Teams message is from real IT support?
Verify the request through a second channel. Call your IT helpdesk using a known phone number, or ask in person. Legitimate IT staff will understand and appreciate the caution.
What should I do if I already ran a suspicious PowerShell command?
Disconnect from the network immediately and report the incident to your security team. Don't try to clean up the infection yourself, as ModeloRAT uses multiple persistence mechanisms that require professional remediation.
Source: PCGamer latest
Huma Shazia
Senior AI & Tech Writer