Attackers Impersonate IT Support on Microsoft Teams to Deploy EtherRAT
Threat actors are actively abusing Microsoft Teams voice calls to impersonate corporate IT support staff and install EtherRAT — a remote access trojan that hands attackers persistent control over compromised endpoints and a foothold inside the target network. BleepingComputer broke the details.
What Happened
The attack chain is simple and effective. Employees receive unsolicited voice calls through Microsoft Teams from accounts posing as internal IT helpdesk. The callers use social engineering scripts — claiming to investigate a security incident, resolve a performance problem, or push a critical update — and walk the target through installing EtherRAT under the guise of a legitimate support tool. Once it runs, attackers have remote access to the machine on demand.
Teams is an unusually dangerous delivery channel for this. Employees are trained to treat internal-looking communications as trustworthy, and a voice call carries more authority than email or chat alone. Unlike phishing links, there is no URL to hover over, no attachment to scrutinize. The ask feels procedurally normal until it is too late.
Why It Matters
Two risks compound here.
External guest access is enabled by default in most Teams tenants. Unless your organization has explicitly locked down who can initiate calls or chats, anyone with a Microsoft account can contact your employees directly. Attackers use this to reach targets while appearing to originate from a plausible IT persona.
EtherRAT is not a one-time harvest. It provides persistent, on-demand remote access. Attackers can return after the initial compromise to move laterally, exfiltrate data, or pre-position ransomware. Getting in through a trusted employee who voluntarily installed the tool is one of the cleanest paths to full domain compromise because it sidesteps most perimeter controls entirely.
Non-technical staff — finance, HR, marketing — are the highest-risk targets. They are least likely to challenge an authority figure from IT.
What To Do
Do these today:
- Restrict external Teams access. In the Teams Admin Center under External Access, disable or tightly scope inbound calls and chats from external Microsoft accounts. If cross-org communication is required, allowlist specific trusted domains rather than permitting all.
- Send an immediate employee notice. One paragraph is enough: IT will never cold-call over Teams and ask you to install software. Any such request should be refused and reported to security. Plain language, no jargon.
- Hunt for EtherRAT on endpoints. Search EDR or AV logs for unexpected remote-access tool installations, new scheduled tasks or services, and anomalous outbound connections — especially over the past 30 days. If EDR coverage is incomplete, start there.
- Audit your Teams external and guest user roster. Remove any unknown external accounts that hold active permissions in the tenant.
Longer term: add Teams-based vishing to your security awareness curriculum. This vector is a direct evolution of BazarCall and callback phishing campaigns from 2022–2024 — the delivery channel shifted to wherever employees now spend their working hours. It will be reused.
Synthesized by Claude · sanity-checked before publish.