Threat Intelligence Report: Sophisticated Microsoft Teams Impersonation Campaign Deploying Signed RATs

A highly organized phishing campaign is currently targeting users by impersonating Microsoft Teams. Rather than relying on traditional malware, this operation leverages social engineering to trick victims into downloading legitimately signed Remote Access Tools (RATs). Once executed, these tools are preconfigured with attacker-controlled relay parameters, granting unauthorized remote access to the victim’s environment.

The attack lifecycle begins with high-pressure social engineering lures. Threat actors distribute Teams-themed notifications—often disguised as urgent meeting transcripts, missed session recordings, or prompts to “download transcript”—which redirect victims to meticulously crafted landing pages. These pages mimic the look and feel of Microsoft’s collaboration suite to lower user suspicion.

While the downloads are presented as helpful utilities like transcript viewers or document converters, the underlying MSI installers silently deploy a remote administration product. According to research by CYFIRMA, the campaign is a masterclass in blending reputation abuse with resilient hosting to maximize delivery success while evading standard security perimeters.

Technical Execution and Evasion Tactics

The execution phase is designed for maximum stealth. The delivered MSI file is run through msiexec, which extracts its payload to temporary directories, invokes custom-action DLLs via rundll32 and registers a new system service configured for auto-start. To bypass automated analysis, the installer employs several anti-analysis routines, including:

  • USB Enumeration: Enumerating attached USB devices to detect whether the installer is running in a virtualized sandbox environment.
  • Debugger Detection: Routines that check whether a debugger is attached to the process.
  • Temporal Evasion: Long sleep delays that outlast the timeout windows of automated sandboxes.
  • Code Obfuscation: Obfuscated custom-action modules that hide the malicious logic from static scanners.

Delivery – malicious download (Source: CYFIRMA).
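As an added hunting example (not CYFIRMA's code or part of the report), the PowerShell below correlates "service installed" events (System log, Event ID 7045) with Windows Installer transaction starts (Application log, MsiInstaller Event ID 1040) to surface services registered while an MSI was installing, which is the msiexec-to-service chain described above. It runs on constructed sample records; the service name, user and paths in them are invented, and the five-minute window is an assumed tuning value.

```powershell
# Added hunting example (not CYFIRMA's code): flags services registered while a Windows
# Installer transaction was in progress, the msiexec -> service chain described above.
# Sources: System log Event ID 7045 (service installed) and Application log MsiInstaller
# Event ID 1040 (transaction started). Runs on constructed records; live feed at the end.
$WindowMinutes = 5   # assumed: how long after the MSI start a new service is still "part of" it

function New-Record($Time, $Id, $Text) {   # common shape for sample and live events
    [pscustomobject]@{ TimeCreated = [datetime]$Time; Id = $Id; Text = $Text }
}

# Constructed sample records, not real telemetry; message text follows the Windows layout.
$sample = @(
    New-Record '2024-01-15 09:00:02' 1040 'Beginning a Windows Installer transaction: C:\Users\jdoe\Downloads\Teams_Transcript_Viewer.msi. Client Process Id: 4120.'
    New-Record '2024-01-15 09:00:41' 7045 "A service was installed in the system.`r`n`r`nService Name:  ExampleRemoteSvc`r`nService File Name:  C:\Users\jdoe\AppData\Local\Temp\rh\agent.exe`r`nService Type:  user mode service`r`nService Start Type:  auto start`r`nService Account:  LocalSystem"
    New-Record '2024-01-15 13:22:10' 7045 "A service was installed in the system.`r`n`r`nService Name:  Dhcp`r`nService File Name:  %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted`r`nService Type:  user mode service`r`nService Start Type:  auto start`r`nService Account:  NT Authority\LocalService"
)

function Find-MsiInstalledServices([object[]]$Events, [int]$Window = $WindowMinutes) {
    $msi = @($Events | Where-Object Id -eq 1040)
    foreach ($svc in $Events | Where-Object Id -eq 7045) {
        # Nearest installer transaction that started at most $Window minutes before the service appeared.
        $hit = $msi | Where-Object { $d = ($svc.TimeCreated - $_.TimeCreated).TotalMinutes; $d -ge 0 -and $d -le $Window } |
               Sort-Object TimeCreated -Descending | Select-Object -First 1
        if (-not $hit) { continue }
        $name = if ($svc.Text -match 'Service Name:\s*(.+?)\s*Service File Name:') { $Matches[1] }
        $path = if ($svc.Text -match 'Service File Name:\s*(.+?)\s*Service Type:') { $Matches[1] }
        $pkg  = if ($hit.Text -match 'transaction:\s*(.+?\.msi)') { $Matches[1] }
        [pscustomobject]@{
            Time           = $svc.TimeCreated
            ServiceName    = $name
            ImagePath      = $path
            MsiPackage     = $pkg
            # User-writable temp paths and rundll32 launchers match the drop-and-run pattern above.
            SuspiciousPath = [bool]($path -match '\\Temp\\|\\AppData\\|rundll32')
        }
    }
}

Find-MsiInstalledServices $sample | Format-List

# Live equivalent (elevated): project real events into the same shape and pass them in.
# $live = @(Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MsiInstaller'; Id=1040}) +
#         @(Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}) |
#         ForEach-Object { New-Record $_.TimeCreated $_.Id $_.Message }
# Find-MsiInstalledServices $live | Where-Object SuspiciousPath
```

On the sample data only the first service (installed 39 seconds into the transaction, from a Temp path) is reported; the later Dhcp install has no MSI transaction within the window and is skipped.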

Persistence and Post-Exploitation

Once the initial foothold is established, the malware implements a multi-layered persistence strategy to ensure long-term access and resilience against remediation. These mechanisms include:

  • Windows Service Auto-start: Ensuring the payload executes upon system boot.
  • Safe Mode Persistence: Utilizing SafeBoot registry entries to maintain access even in restricted modes.
  • Credential Interception: Registering credential provider DLLs and integrating with LSA authentication packages to harvest user credentials deep within the OS.
  • COM Hijacking: Utilizing InprocServer32 registration to enable process injection or trigger execution via Component Object Model (COM) hijacking.
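As an added, defender-side example (not CYFIRMA's code or part of the report), the read-only PowerShell audit below walks the four persistence locations just listed: auto-start services and their SafeBoot entries, LSA authentication packages, credential providers and per-user COM InprocServer32 registrations. It reports every binary that is not validly Microsoft-signed; that baseline is an assumption, so legitimate third-party software will also appear and needs triage. The registry paths are the standard Windows locations for these mechanisms.

```powershell
# Added audit example (not CYFIRMA's code): read-only, run from an elevated PowerShell 5.1+ prompt.
function Test-MicrosoftSigned([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
}
# Raw ImagePath / InprocServer32 value -> file path (strip quotes, arguments, %SystemRoot%-style variables).
function Resolve-BinaryPath([string]$Raw) {
    if (-not $Raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim()) -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^"([^"]+)"') { return $Matches[1] }
    if ($p -match '^(.+?\.(exe|dll|sys))(\s|$)') { return $Matches[1] }
    return $p
}
# Emits a finding only when the binary is missing, unresolvable or not validly Microsoft-signed.
function New-Finding($Location, $Name, $Path) {
    if (-not (Test-MicrosoftSigned $Path)) {
        [pscustomobject]@{ Location = $Location; Name = $Name; Path = $Path }
    }
}
function Get-PersistenceFindings {
    # 1. Auto-start services (T1543.003). A SafeBoot\<mode>\<ServiceName> key means the
    #    service is also loaded in Safe Mode, the SafeBoot persistence described above.
    foreach ($svc in Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto') {
        $modes = foreach ($m in 'Minimal', 'Network') {
            if (Test-Path -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$m\$($svc.Name)") { $m } }
        $loc = if ($modes) { "Service (SafeBoot: $($modes -join ','))" } else { 'Service' }
        New-Finding $loc $svc.Name (Resolve-BinaryPath $svc.PathName)
    }
    # 2. LSA authentication packages: DLL names lsass loads from System32 (T1547.002).
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($pkg in @($lsa.'Authentication Packages') | Where-Object { $_ }) {
        New-Finding 'LSA AuthPkg' $pkg "$env:SystemRoot\System32\$pkg.dll"
    }
    # 3. Credential providers: each subkey is a CLSID whose DLL is its InprocServer32 default value.
    $cp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    foreach ($k in Get-ChildItem $cp) {
        $dll = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$($k.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        New-Finding 'CredProvider' $k.PSChildName (Resolve-BinaryPath $dll)
    }
    # 4. Per-user COM servers: HKCU CLSIDs shadow HKLM ones, the classic InprocServer32 hijack (T1546.015).
    foreach ($k in Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue) {
        $dll = (Get-ItemProperty "$($k.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($dll) { New-Finding 'HKCU COM' $k.PSChildName (Resolve-BinaryPath $dll) }
    }
}
Get-PersistenceFindings | Sort-Object Location, Name | Format-Table -AutoSize
```

A credential provider or authentication package whose DLL cannot be resolved at all is still reported, since a dangling registration is itself worth a look.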

Infrastructure and Global Reach

Analysis of the attacker’s infrastructure reveals a sophisticated, dual-layered strategy. The actors utilize a combination of compromised “reputation” sites and scalable cloud services:

  • Reputation Abuse: The campaign exploits compromised small-business websites (including medical practices, law firms, schools, and hotels) across the US, UK, Brazil, Mexico, Turkey, Malaysia, Tanzania, Russia, India, and Syria. These sites provide a veneer of legitimacy that helps bypass web filters.
  • Scalable Delivery: Attackers leverage Cloudflare Workers and Pages alongside low-cost TLDs (such as .icu, .sbs, and .online) to deploy and rotate landing pages rapidly.

Telemetry indicates a highly active operation. Domain distribution shows a preference for .com (approximately 64%) to project authenticity, while the use of serverless and static hosting via established CDNs allows malicious traffic to blend seamlessly with benign web activity.

Domain TLD distribution (Source: CYFIRMA).

This campaign represents a significant shift in tradecraft, moving away from “noisy” malware toward the abuse of trusted services and legitimate, signed software to bypass signature-based and reputation-based defenses.

MITRE ATT&CK Mapping

| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1566.002 | Phishing: Spearphishing Link |
| Execution | T1204.002 | User Execution: Malicious File |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service |
| Persistence | T1547.002 | Boot or Logon Autostart Execution: Authentication Package |
| Persistence | T1546.015 | Event Triggered Execution: Component Object Model Hijacking |
| Credential Access | T1556 | Modify Authentication Process |
| Discovery | T1120 | Peripheral Device Discovery |
| Stealth | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Stealth | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion |
| Command and Control | T1219 | Remote Access Tool |

Defender Note: Organizations should exercise extreme caution when encountering signed installers or links from reputable domains if they are delivered through unexpected or out-of-band channels.
