Threats Vulnerabilities

Microsoft Teams Vishing Attack Delivers EtherRAT

Written by Gunupuru Siva Prasad | Jul 16, 2026 11:02:19 AM

Quick Answer: What’s Happening?

Attackers are abusing Microsoft Teams voice calls to impersonate IT support, persuade employees to grant remote access, and deploy EtherRAT malware through legitimate remote administration tools and a Node.js-based loader.

Organizations with external Teams communication enabled should review tenant access settings, monitor suspicious remote access activity, and train users to verify unsolicited IT support requests.

What Is the Microsoft Teams EtherRAT Attack?

The Microsoft Teams EtherRAT attack is an active social engineering campaign in which threat actors impersonate corporate IT support personnel through Microsoft Teams voice calls to gain access to corporate environments and deploy EtherRAT malware.

The attack combines phishing emails, vishing (voice phishing), legitimate remote administration tools, and a Node.js-based malware loader to establish persistent remote access on victim systems.

Organizations using Microsoft 365 and allowing external Teams communications are particularly at risk. This campaign highlights the growing trend of attackers abusing trusted collaboration platforms to bypass traditional security controls and gain initial access to enterprise networks.

Who Is Most at Risk from Teams-Based EtherRAT Attacks?

  • Security Operations Center (SOC) teams
  • IT Administrators and Helpdesk Teams
  • CISOs and Security Leadership
  • Microsoft 365 Administrators
  • Incident Response Teams
  • Organizations using Microsoft Teams with external communications enabled
  • Financial Services Organizations
  • Healthcare Providers
  • Enterprise and Managed Service Providers (MSPs)

How Does the Microsoft Teams EtherRAT Attack Work?

Attack Overview: From Phishing Email to Remote Access

Threat actors uses Microsoft Teams to mimic internal IT support staff and convince employees to grant remote access to their systems. The campaign uses a combination of phishing emails, Teams voice calls, and remote management software to deliver EtherRAT malware.

Step 1: Phishing Email Triggers the Attack

  • Victims receive a phishing email containing a malicious PDF attachment that looks like an Employee Survey.
  • Once employees click or open the attachment, victims receive an unsolicited Microsoft Teams voice call.

Step 2: Fake IT Support Call Through Microsoft Teams

  • Attackers impersonate a “System Administrator” or internal IT support representative.
  • Calls originate from external Microsoft 365 tenants and often display the “External unfamiliar” label.
  • Researchers observed the account:

helpdesk@Progressive936.onmicrosoft[.]com

  • Victims are asked to share their screens and give remote control access through Microsoft Teams.

Step 3: Remote Access Tools Are Installed

Attackers instruct users to install legitimate remote management software, including:

  1. AnyDesk
  2. HopToDesk

The use of legitimate tools helps attackers skip detection and look like normal administrative activity.

Step 4: EtherRAT Malware Is Deployed

After obtaining remote access, attackers:

  • Download and execute a malicious MSI installer (v7.msi)
  • Retrieve a legitimate Node.js runtime
  • Decrypt embedded malicious payloads
  • Deploy and launch EtherRAT on the compromised system
  • Researchers found multiple installer variants (v1.msi through v9.msi), indicating active development and ongoing operational activity.

What Tactics Are Attackers Using?

  • Microsoft Teams-based vishing
  • IT Helpdesk impersonation
  • Abuse of legitimate remote administration tools
  • MSI-based malware installation
  • js malware execution
  • Ethereum-based command-and-control discovery
  • Persistent remote access establishment

Why Does This Attack Matter?

Full System Compromise

EtherRAT gives cyber attackers control over compromised systems, including command execution, file manipulation, and persistent remote access. A successful compromise can allow adversaries to get and maintain long-term access to enterprise environments.

Data Theft and Exposure

Attackers can access sensitive business data, internal documents, credentials, and other confidential information stored on compromised endpoints. This may result in regulatory, legal, and compliance concerns. Organizations can improve visibility into suspicious remote access activity and endpoint threats through comprehensive Managed Cybersecurity Services.

Lateral Movement

Once access is established, attackers may pivot into additional systems within the environment, increasing the scope and severity of the compromise. Similar Teams-based intrusion campaigns have previously involved reconnaissance and movement across enterprise networks.

Operational Disruption

Remote access obtained through social engineering could enable attackers to deploy additional malware, disable security tools, or facilitate ransomware-related activities, resulting in business disruption and recovery costs.

Increased Detection Challenges

The use of legitimate tools such as Microsoft Teams, AnyDesk, HopToDesk, and Node.js reduces the effectiveness of traditional signature-based detection methods and may allow malicious activity to appear as normal administrative behavior.

How Should Organizations Respond?

Immediate (0–30 Days)

  1. Review Microsoft Teams external access settings and restrict unnecessary external communications.
  2. Investigate external Teams calls that claim to originate from IT support personnel.
  3. Search for unauthorized installations of AnyDesk, HopToDesk, and Node.js runtimes.
  4. Block known malicious infrastructure and related indicators where applicable.
  5. Educate users to verify unsolicited IT support requests through approved internal processes.
  6. Monitor endpoints for suspicious MSI installations and remote access tool activity.

Short-Term (1–3 Months)

  1. Implement controls governing remote administration tools.
  2. Enable enhanced Microsoft Teams monitoring and auditing.
  3. Review Microsoft Defender for Endpoint detections related to MSI execution and remote access software.
  4. Establish documented procedures for validating IT support interactions.
  5. Conduct targeted phishing and vishing awareness exercises.

Mid / Long-Term (3–12 Months)

  1. Implement application allow listing to restrict unauthorized remote administration tools.
  2. Strengthen endpoint detection and response (EDR) monitoring for abuse of trusted applications.
  3. Develop automated detections for Teams-based social engineering indicators.
  4. Expand user security awareness training to include collaboration-platform threats.
  5. Mature threat hunting capabilities around Microsoft 365, Teams, and identity-based attack vectors.

What Should Security Teams Watch Next?

  1. Increased abuse of Microsoft Teams and other collaboration platforms for initial access.
  2. Evolution of EtherRAT delivery mechanisms and infrastructure.
  3. Additional attacker-controlled Microsoft 365 tenants used for mimicking internal IT staff.
  4. Expansion of vishing-based intrusion campaigns targeting enterprise environments.
  5. Changes in Ethereum-based command-and-control techniques used by malware operators.