Security researchers at Palo Alto Networks' Unit 42 have identified an active social engineering campaign that leverages Microsoft Teams for initial access. Threat actors are combining phishing emails with live voice calls (vishing) over Teams to manipulate employees into installing malware. The attackers impersonate IT support staff, guiding victims to install a trojanized remote management tool. This tool contains a loader that deploys EtherRAT, a remote access trojan, onto the victim's machine. This hybrid approach is highly effective as it exploits user trust in both corporate IT and familiar communication platforms like Teams, posing a significant threat to any organization utilizing Microsoft 365.
The attack unfolds in a two-step process designed to build credibility and pressure the victim:
T1566.004 - Phishing: Spearphishing Voice.T1204.002 - Malicious File).No specific Indicators of Compromise (IOCs) such as file hashes or C2 domains were provided in the source articles.
Security teams should hunt for the following patterns to detect this campaign:
Microsoft Teams Call Recordsnode.exenode.exe by non-developer users or from unusual file paths (e.g., C:\Users\<user>\Downloads\).powershell.exe -ExecutionPolicy Bypass -File ...Connections to unknown file-sharing sitesTraining users to recognize and verify unsolicited calls, even on trusted platforms like Teams, is the primary defense against this social engineering tactic.
Harden the Microsoft Teams tenant configuration to clearly flag or block calls from external, unverified tenants.
To directly counter the Microsoft Teams vishing vector, administrators must perform Application Configuration Hardening on their M365 tenant. The most effective step is to configure the Teams admin center to provide clear visual warnings for external communications. Enable the setting that displays a prominent 'External' banner on all chats, calls, and meeting invites from users outside the organization. This gives employees a critical, immediate visual cue that they are not communicating with a trusted internal colleague. For organizations that do not need to communicate with external Teams users, consider blocking such communication entirely. This hardening step disrupts the attacker's ability to seamlessly impersonate internal IT support and leverages the platform's own security features to aid user vigilance.
Detecting the EtherRAT payload requires robust Process Analysis via an EDR solution. The attack chain involves a user downloading and running a file, which then spawns a Node.js process (node.exe) to act as a loader. This is highly anomalous behavior for a typical corporate user. EDR rules should be created to alert on node.exe being executed from a user's profile directory (e.g., Downloads, AppData). Furthermore, the EDR should monitor the child processes and network connections of this node.exe instance. If it is seen making outbound connections to download further payloads or establishing a persistent C2 channel, it is a strong indicator of compromise. This behavioral detection is crucial as the initial file hash of the trojanized installer may change frequently.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.