Live Social Engineering Campaign Uses Microsoft Teams Voice Calls to Deploy EtherRAT Malware

Attackers Use Fake Microsoft Teams IT Support Calls to Push EtherRAT Malware

HIGH
July 8, 2026
5m read
PhishingMalwareSecurity Operations

Related Entities

Products & Tech

Microsoft Teams Node.jsMicrosoft 365

Other

EtherRAT

Full Report

Executive Summary

Security researchers at Palo Alto Networks' Unit 42 have identified an active social engineering campaign that leverages Microsoft Teams for initial access. Threat actors are combining phishing emails with live voice calls (vishing) over Teams to manipulate employees into installing malware. The attackers impersonate IT support staff, guiding victims to install a trojanized remote management tool. This tool contains a loader that deploys EtherRAT, a remote access trojan, onto the victim's machine. This hybrid approach is highly effective as it exploits user trust in both corporate IT and familiar communication platforms like Teams, posing a significant threat to any organization utilizing Microsoft 365.


Threat Overview

  • Attack Vector: Social Engineering, Phishing, and Voice Phishing (Vishing) via Microsoft Teams.
  • Threat Actor: Unspecified.
  • Malware: EtherRAT (a remote access trojan).
  • Delivery Mechanism: A Node.js-based loader bundled with a seemingly legitimate remote management tool.
  • Target: Corporate users in organizations that use Microsoft 365 and allow external communications in Teams.

Technical Analysis

The attack unfolds in a two-step process designed to build credibility and pressure the victim:

  1. Initial Contact (Phishing): The victim receives a phishing email containing a lure, such as a PDF file disguised as an employee survey. This initial email serves to prime the target.
  2. Follow-up Call (Vishing): Shortly after, the attacker initiates a voice call to the victim using Microsoft Teams. The call originates from an external Teams tenant, but the attacker's profile is spoofed to look like an internal IT support administrator. This is a key step in T1566.004 - Phishing: Spearphishing Voice.
  3. Social Engineering and Payload Delivery: During the live call, the attacker uses social engineering techniques to convince the user they need to install a special remote management tool to complete the 'survey' or resolve a non-existent IT issue. The attacker guides the user to download and run the tool.
  4. Execution and Infection: The downloaded executable is a trojan. When run, it installs the legitimate remote management tool to maintain the guise, but it also executes a malicious Node.js loader in the background. This loader then fetches and installs the EtherRAT malware, establishing persistence and giving the attacker remote control over the compromised system (T1204.002 - Malicious File).

Impact Assessment

  • Initial Access: A successful attack provides the threat actor with a foothold inside the corporate network.
  • Data Theft: EtherRAT can be used to exfiltrate sensitive files, capture keystrokes, and steal credentials from the compromised machine.
  • Lateral Movement: The compromised endpoint can be used as a staging ground to move laterally through the network, escalating the breach to other systems and servers.
  • Ransomware Deployment: Initial access brokers often sell their access to ransomware groups, meaning a successful EtherRAT infection could be the precursor to a full-blown ransomware attack.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) such as file hashes or C2 domains were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams should hunt for the following patterns to detect this campaign:

Type
log_source
Value
Microsoft Teams Call Records
Description
Audit logs for a pattern of inbound calls from external tenants immediately followed by suspicious activity on the recipient's machine.
Type
process_name
Value
node.exe
Description
Monitor for the execution of node.exe by non-developer users or from unusual file paths (e.g., C:\Users\<user>\Downloads\).
Type
command_line_pattern
Value
powershell.exe -ExecutionPolicy Bypass -File ...
Description
The Node.js loader may use PowerShell to download or execute the next stage payload. Look for suspicious PowerShell commands.
Type
network_traffic_pattern
Value
Connections to unknown file-sharing sites
Description
Monitor for connections to less-common or suspicious file-hosting services where the malicious tool might be staged for download.

Detection & Response

  1. EDR Monitoring: Deploy an EDR solution to detect the malicious activity chain. An EDR should be able to flag a downloaded file spawning a Node.js process, which in turn makes a suspicious outbound network connection. This is a key application of D3FEND Process Analysis (D3-PA).
  2. Teams Tenant Hardening: Review and harden your Microsoft Teams configuration. Configure the Teams admin center to visually flag all communications (chats and calls) from external tenants with a prominent banner. Consider blocking calls from external tenants entirely if not required for business operations.
  3. Log Ingestion and Correlation: Ingest Microsoft 365 audit logs, including Teams call records, into your SIEM. Correlate this data with EDR alerts to quickly identify if a user who just received an external Teams call is now exhibiting suspicious endpoint behavior.

Mitigation

  1. User Training (D3-UT: User Training): This attack is heavily reliant on social engineering. Conduct regular security awareness training that specifically addresses vishing and impersonation attacks over modern collaboration platforms like Teams. Teach employees to be suspicious of unsolicited IT support calls and to verify requests through a separate, known communication channel (e.g., by calling the official help desk number). Reference MITRE M1017 - User Training.
  2. Application Control: Use application control technologies, such as Windows Defender Application Control or AppLocker, to restrict the execution of unauthorized software. This can prevent the trojanized remote management tool from running in the first place. Reference MITRE M1038 - Execution Prevention.
  3. Harden Teams Configuration: As mentioned in detection, configure your Teams tenant to make external communications highly visible and distinct from internal ones. This provides a crucial visual cue to the user that they are interacting with someone outside the organization's trust boundary. Reference MITRE M1054 - Software Configuration.

Timeline of Events

1
July 8, 2026
This article was published

MITRE ATT&CK Mitigations

Training users to recognize and verify unsolicited calls, even on trusted platforms like Teams, is the primary defense against this social engineering tactic.

Harden the Microsoft Teams tenant configuration to clearly flag or block calls from external, unverified tenants.

Mapped D3FEND Techniques:

Use application control to prevent users from running unauthorized executables downloaded from the internet.

Mapped D3FEND Techniques:

D3FEND Defensive Countermeasures

To directly counter the Microsoft Teams vishing vector, administrators must perform Application Configuration Hardening on their M365 tenant. The most effective step is to configure the Teams admin center to provide clear visual warnings for external communications. Enable the setting that displays a prominent 'External' banner on all chats, calls, and meeting invites from users outside the organization. This gives employees a critical, immediate visual cue that they are not communicating with a trusted internal colleague. For organizations that do not need to communicate with external Teams users, consider blocking such communication entirely. This hardening step disrupts the attacker's ability to seamlessly impersonate internal IT support and leverages the platform's own security features to aid user vigilance.

Detecting the EtherRAT payload requires robust Process Analysis via an EDR solution. The attack chain involves a user downloading and running a file, which then spawns a Node.js process (node.exe) to act as a loader. This is highly anomalous behavior for a typical corporate user. EDR rules should be created to alert on node.exe being executed from a user's profile directory (e.g., Downloads, AppData). Furthermore, the EDR should monitor the child processes and network connections of this node.exe instance. If it is seen making outbound connections to download further payloads or establishing a persistent C2 channel, it is a strong indicator of compromise. This behavioral detection is crucial as the initial file hash of the trojanized installer may change frequently.

Sources & References

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

Social EngineeringVishingMicrosoft TeamsEtherRATMalwarePhishingUnit 42

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.