Fake Zoom and Teams Meeting Invites Deliver Malware Signed with Stolen EV Certificate

Executive Summary

Security researchers from Microsoft's Defender team have identified an ongoing phishing campaign, active since February 2026, that leverages fake Zoom and Microsoft Teams meeting invitations to compromise corporate networks. The attack is notable for its use of a stolen Extended Validation (EV) digital certificate, which is used to sign the malicious payloads. This tactic significantly increases the malware's ability to evade security software and trick users. Victims are lured into downloading what appears to be a legitimate meeting client update, which is in fact an installer for remote monitoring and management (RMM) tools like ScreenConnect and MeshAgent. The campaign's goal is to establish a persistent foothold for subsequent activities, including data theft and ransomware deployment, demonstrating a dangerous evolution in phishing TTPs.

Threat Overview

The campaign targets corporate office workers, who are accustomed to receiving meeting invitations daily. The attack flow is as follows:

1. Lure: The victim receives a phishing email with a fake Zoom or Teams meeting invitation. The email contains a blurred PDF attachment to create curiosity.
2. Redirect: Clicking a link within the PDF redirects the user to a malicious website designed to look like an official software download page (e.g., Zoom, Teams, Adobe).
3. Social Engineering: The site informs the user their meeting client is outdated and prompts them to download and run an "update."
4. Execution: The downloaded file (e.g., msteams.exe, adobereader.exe) is the malware installer. Because it is signed with a valid EV certificate from 'TrustConnect Software PTY LTD,' it may not be flagged by endpoint security and the user's operating system will show a trusted publisher prompt.
5. Payload: The installer executes encoded PowerShell commands to download and install legitimate RMM tools, which then connect back to the attacker's C2 server.

Technical Analysis

This campaign combines several effective techniques to achieve its goals:

• Phishing (T1566.001 - Spearphishing Attachment): The initial vector is a classic phishing email with a malicious attachment.
• Defense Evasion (T1553.002 - Code Signing): This is the key technique. By signing their malware with a stolen EV certificate, the attackers bypass security controls that rely on code signing as a measure of trust. The EV certificate adds an extra layer of perceived legitimacy.
• Execution (T1059.001 - PowerShell): The initial installer uses PowerShell, often with encoded commands, to download and run the next stage of the attack. This is a common Living-off-the-Land (LotL) technique.
• Ingress Tool Transfer (T1105 - Ingress Tool Transfer): The PowerShell script downloads the RMM tools from an attacker-controlled server.
• Command and Control (T1219 - Remote Access Software): The attackers use legitimate RMM software (ScreenConnect, MeshAgent) for their C2 channel. This allows them to blend in with normal administrative traffic and makes detection more difficult.

Impact Assessment

The immediate impact is the establishment of a persistent backdoor into the corporate network. With RMM access, attackers can:

• Deploy Ransomware: The foothold is often used as a staging ground for a full-blown ransomware attack.
• Steal Data: Attackers can exfiltrate sensitive files, credentials, and other business data.
• Move Laterally: The compromised machine can be used as a pivot point to move deeper into the network and compromise more critical systems like domain controllers and databases.

This incident also has a broader impact on trust in the digital certificate ecosystem. It proves that even an EV certificate, which requires a more stringent validation process, is not an infallible indicator of safety. Organizations must move beyond simple signature checking and adopt more behavior-based detection methods.

Cyber Observables for Detection

Detection & Response

• Application Control: Use application allowlisting to prevent the execution of unauthorized RMM tools. If RMM tools are used legitimately, ensure that only your organization's specific instance is allowed to run. This is an application of D3FEND's Executable Allowlisting.
• PowerShell Logging: Enable PowerShell Script Block Logging and Module Logging (Event IDs 4103 and 4104). This will record the full content of PowerShell scripts, even if they are encoded or run in memory, allowing for forensic analysis.
• EDR Monitoring: Configure your EDR to alert on the installation and execution of any RMM software. Create detection rules for parent-child process relationships, such as msiexec.exe or powershell.exe spawning an RMM agent.
• Certificate Revocation Checking: Ensure that endpoints are configured to check for certificate revocation. While not foolproof, it can sometimes prevent the execution of malware signed with a known-stolen certificate.

Mitigation

1. User Training: Train users to be suspicious of any unsolicited software update prompts, especially those that originate from an email attachment. They should only install updates from official company channels or verified vendor websites.
2. Email Security: Use an email security gateway that can scan attachments and follow links to detect malicious content before it reaches the user's inbox.
3. Block Unauthorized RMMs: Proactively block network traffic to the domains of common RMM tools that are not used by your organization. For those that are used, restrict access to your specific tenant.
4. Principle of Least Privilege: Users should not have local administrator rights on their workstations. This can prevent many malware installers from successfully executing and gaining persistence.
5. Adopt Zero Trust: This campaign is a perfect example of why a Zero Trust approach is necessary. Do not trust a file simply because it has a valid digital signature. Every process should be verified and its behavior monitored for malicious activity.