Microsoft Teams-Themed Remote Access Phishing Campaign

Published On : 2026-06-19

EXECUTIVE SUMMARY

This investigation identified an active phishing campaign leveraging Microsoft Teams-themed lures to distribute a legitimate remote access tool configured for unauthorized access. Victims are directed to convincing landing pages that impersonate collaboration and productivity services, where they are prompted to download software presented as a meeting transcript viewer, recording utility, or document-related application. The campaign combines social engineering, trusted software abuse, and resilient infrastructure to maximize victim engagement while minimizing detection.

Infrastructure analysis revealed a dual-hosting strategy consisting of compromised legitimate websites and attacker-controlled cloud-hosted infrastructure. The use of compromised business websites provides reputational legitimacy, while dedicated infrastructure enables rapid deployment and campaign scalability. The operation demonstrates active maintenance, with the majority of identified infrastructure observed within the last three to six months, indicating continued development and operational investment.

Post-execution activity establishes a persistent foothold through multiple mechanisms, including service installation, Safe Mode persistence, credential provider registration, LSA authentication package integration, and COM object registration. These capabilities provide long-term access, credential interception opportunities, and resilience against remediation efforts. Overall, the campaign reflects a mature and adaptive threat operation that relies on trusted infrastructure and legitimate software to evade traditional security controls while maintaining a global targeting capability.

CAMPAIGN METHODOLOGY

INITIAL ACCESS — PHISHING LURE

Victims receive phishing emails or messages impersonating Microsoft Teams notifications. The lure typically claims that a meeting transcript or recording is available for download. The messaging leverages urgency and familiarity to drive user interaction.

Common lure themes observed:

  • “Download Transcript | Microsoft Teams”
  • Meeting recording availability notifications
  • Missed Teams meeting summaries

DELIVERY — MALICIOUS DOWNLOAD

The phishing link directs victims to a fraudulent landing page styled to resemble a legitimate Microsoft Teams interface. The page prompts the user to download a file, which is presented as a transcript viewer, meeting plugin, or document converter. The downloaded file is a signed installer for a legitimate remote access tool.

DUAL INFRASTRUCTURE STRATEGY — COMPROMISED + DEDICATED

Analysis reveals two distinct infrastructure categories:

COMPROMISED LEGITIMATE WEBSITES

  • Small businesses: cafes, pubs, hotels, sports shops, law firms, medical practices, schools, tour companies, motor dealerships, property management firms, accounting consultancies
  • Geographic distribution: Global (US, UK, Brazil, Mexico, Turkey, Malaysia, Tanzania, Russia, India, Syria)
  • Compromise vector: Likely vulnerable WordPress/CMS plugins, weak credentials, or outdated software
  • Value to attacker: Existing domain reputation bypasses email filters and browser warnings

DEDICATED/ATTACKER-REGISTERED INFRASTRUCTURE

  • Cloudflare Workers (.workers.dev): serverless infrastructure with high availability and low detection
  • Cloudflare Pages (.pages.dev): static hosting with CDN distribution and free tier abuse
  • Cheap TLDs (.icu, .sbs, and .online) enable cost-effective bulk registration for short-lived campaigns.
  • Patterned subdomains: Random strings with hyphen separation (e.g., “lucky-math-31fcekjwjsxnmxnm”, “curly-frost-b7f2”)
  • Value to attacker: Full control, rapid deployment, no need to maintain compromise of legitimate sites
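The hosting patterns listed above (the .workers.dev and .pages.dev suffixes, the low-cost TLDs, and the "word-word-randomstring" subdomain labels) are mechanical enough to sort observed lure URLs into the report's two infrastructure categories automatically. The following Python triage helper is an added example, not code from the report; the sample URLs are constructed placeholders, and the WordPress-path heuristic for flagging candidate compromised sites is an assumption drawn from the report's "likely vulnerable WordPress/CMS plugins" remark rather than something the report itself measures.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hosting patterns taken from the infrastructure description in the report.
DEDICATED_SUFFIXES = (".workers.dev", ".pages.dev")
LOW_COST_TLDS = {"icu", "sbs", "online"}
# "word-word-randomstring" subdomain labels such as lucky-math-31fcekjwjsxnmxnm
PATTERNED_LABEL = re.compile(r"^[a-z]+-[a-z]+-[a-z0-9]{4,}$")
# Assumed heuristic (not from the report): a WordPress path on an otherwise
# ordinary business domain is consistent with the compromised-CMS category.
CMS_PATH_HINT = re.compile(r"/wp-(content|includes|admin)/", re.I)

# Constructed sample lure URLs; none of these are indicators from the campaign.
SAMPLE_URLS = [
    "https://lucky-math-31fcekjwjsxnmxnm.workers.dev/transcript",
    "https://curly-frost-b7f2.pages.dev/meeting/recording",
    "https://teams-notice.example.icu/download",
    "https://www.example-cafe.co.uk/wp-content/uploads/2026/transcript.html",
    "https://www.example-lawfirm.com/documents/view",
]


def classify_url(url: str) -> dict:
    """Return the infrastructure category for one lure URL plus the reasons."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []

    if host.endswith(DEDICATED_SUFFIXES):
        reasons.append("serverless/static hosting suffix")
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in LOW_COST_TLDS:
        reasons.append(f"low-cost bulk-registration TLD .{tld}")
    if PATTERNED_LABEL.match(host.split(".", 1)[0]):
        reasons.append("patterned hyphenated subdomain label")
    if CMS_PATH_HINT.search(parts.path):
        reasons.append("CMS upload path (assumed hint of a compromised site)")

    # Any attacker-registration signal wins; a CMS path alone only marks the
    # host as a candidate compromised site that needs manual confirmation.
    if any(not r.startswith("CMS") for r in reasons):
        category = "dedicated"
    elif reasons:
        category = "compromised_candidate"
    else:
        category = "unclassified"
    return {"host": host, "category": category, "reasons": reasons}


def summarize(urls) -> dict:
    """Count URLs per category, i.e. the report's dual-hosting split."""
    return dict(Counter(classify_url(u)["category"] for u in urls))


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        v = classify_url(u)
        print(f"{v['category']:22} {v['host']:45} {'; '.join(v['reasons'])}")
    print(summarize(SAMPLE_URLS))
```

"Unclassified" is deliberately not treated as benign: a plain .com business domain with no pattern match is exactly what the compromised-site half of the campaign looks like, so those entries go to an analyst rather than being dropped.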

PATH-BASED LURE CATEGORIZATION — MULTI-THEME CAMPAIGN

This multi-theme approach allows the threat actor to:

  • A/B test lure effectiveness across different victim personas
  • Rotate themes when one becomes widely known or blocked
  • Target different departments (HR = invites, Finance = proposals, Operations = documents, IT = Teams-specific)

CAMPAIGN LONGEVITY WITH ACTIVE MAINTENANCE

Age distribution analysis reveals sustained, active operation:

  • <30 days: 18 entries (9%); active, ongoing deployment
  • 1–3 months: 24 entries (12%); recent, still viable
  • 3–6 months: 114 entries (56%); peak activity period
  • >6 months: 46 entries (23%); established, mostly inactive

The presence of recent scans confirms that the campaign is currently active. The 56% concentration in the 3–6-month range suggests a significant expansion phase beginning approximately 3 months prior to this analysis (March 2026).

Notably, older pages (5-7 months) show slightly larger average sizes (23-28 KB vs 20-22 KB for recent pages), suggesting the actor has streamlined their template over time, possibly removing unnecessary assets to reduce detection surface and improve load times.

EXECUTION — SILENT INSTALLATION

Upon execution, the installer performs a standard Windows Installer (MSI) deployment via msiexec.exe. The installation is pre-configured with attacker-controlled relay server parameters embedded in the command line and configuration overlay.

Key installation artifacts:

  • MSI extracted to the user’s temp directory
  • Custom action DLLs invoked via rundll32.exe
  • Service installation with auto-start configuration
  • Registry modifications for persistence and credential interception

The installer exhibits anti-analysis behaviors:

  • USB bus enumeration checks (sandbox evasion)
  • Debugger detection routines
  • Long sleep delays to bypass time-limited analysis
  • Code obfuscation in custom action modules

PERSISTENCE — MULTI-LAYERED FOOTHOLD

The threat actor establishes multiple redundant persistence mechanisms:

  • Windows Service: A system service is created with auto-start configuration, ensuring execution at every boot.
  • Safe Mode Survival: A SafeBoot registry entry is created, allowing the service to persist even when the system is booted in Safe Mode with Networking.
  • Credential Provider Registration: A custom credential provider DLL is registered in the Windows authentication subsystem. This enables the capture of user credentials entered at the logon screen.
  • LSA Authentication Package: The tool registers as an LSA authentication package, providing deep integration with the Windows security subsystem and enabling credential harvesting and pass-through authentication.
  • COM Object Registration: A CLSID is registered for InprocServer32, enabling COM-based activation and potential injection into other processes.
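Each of these mechanisms leaves a distinct registry or service-control footprint, which is what makes them detectable from endpoint telemetry. The script below is an added example, not tooling from the report: it runs a small set of key-pattern rules over constructed Sysmon-style registry events (Event ID 12/13) and a System 7045 service-install record, tags each hit with the technique ID from the report's MITRE mapping, and escalates a SafeBoot entry when it names a service installed in the same batch. The GUID, service name, DLL paths and the "trusted directory" allow-list for InprocServer32 are placeholders and assumptions, not campaign indicators.

```python
import re

# Constructed sample telemetry shaped like the artifacts described above.
# The GUID, service name and paths are placeholders, not campaign indicators.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "WS01", "ServiceName": "RemoteSupportSvc",
     "ImagePath": "C:\\Program Files\\ExampleRAT\\svc.exe", "StartType": "auto start"},
    {"event_id": 13, "host": "WS01", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\RemoteSupportSvc\\(Default)",
     "Details": "Service"},
    {"event_id": 13, "host": "WS01", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages",
     "Details": "msv1_0 examplerat_auth"},
    {"event_id": 12, "host": "WS01", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers\\{00000000-0000-0000-0000-0000000000C0}",
     "Details": ""},
    {"event_id": 13, "host": "WS01", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\{00000000-0000-0000-0000-0000000000C0}\\InprocServer32\\(Default)",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"},
    # Benign noise: an in-box COM server registration and a per-user Run entry.
    {"event_id": 13, "host": "WS01", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\{11111111-1111-1111-1111-111111111111}\\InprocServer32\\(Default)",
     "Details": "C:\\Windows\\System32\\example.dll"},
    {"event_id": 13, "host": "WS01", "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
]

GUID = r"\{[0-9A-Fa-f-]{36}\}"
# (rule id, key pattern, technique label; IDs come from the report's MITRE table,
#  the report gives no ID for Safe Mode survival so it is labelled by name)
REGISTRY_RULES = [
    ("safeboot_service", re.compile(r"\\SafeBoot\\(?:Minimal|Network)\\([^\\]+)"), "Safe Mode survival"),
    ("lsa_auth_package", re.compile(r"\\Control\\Lsa\\Authentication Packages$"), "T1547.002"),
    ("credential_provider", re.compile(r"\\Authentication\\Credential Providers\\" + GUID), "T1556"),
    ("com_inprocserver32", re.compile(r"\\CLSID\\" + GUID + r"\\InprocServer32"), "T1546.015"),
]
# Assumed allow-list: InprocServer32 values pointing into these directories are
# routine; a server DLL under Temp or AppData is the case worth reviewing.
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def triage(events):
    """Flag persistence-related registry and service events; return findings."""
    findings, services = [], set()
    for ev in events:
        if ev.get("event_id") == 7045:
            services.add(ev["ServiceName"].lower())
            if "auto" in ev.get("StartType", "").lower():
                findings.append({"rule": "service_autostart", "technique": "T1543.003",
                                 "host": ev["host"], "severity": "medium",
                                 "detail": f"{ev['ServiceName']} -> {ev['ImagePath']}"})
            continue
        target, details = ev.get("TargetObject", ""), ev.get("Details", "")
        for rule_id, pattern, technique in REGISTRY_RULES:
            m = pattern.search(target)
            if not m:
                continue
            if rule_id == "com_inprocserver32" and details.lower().startswith(TRUSTED_DLL_DIRS):
                break  # in-box COM server, not the case this rule is after
            finding = {"rule": rule_id, "technique": technique, "host": ev["host"],
                       "severity": "medium", "writer": ev.get("Image", ""),
                       "detail": f"{target} = {details}".strip(" =")}
            if rule_id == "safeboot_service":
                finding["service"] = m.group(1)
            findings.append(finding)
            break
    # Escalate: a SafeBoot entry naming a service installed in the same batch
    # is the layered foothold described above, not a stray registry write.
    for f in findings:
        if f["rule"] == "safeboot_service" and f.get("service", "").lower() in services:
            f["severity"] = "high"
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['rule']:20} {f['technique']:20} {f['detail']}")
```

The same key patterns map directly onto Sysmon registry-event filters or an EDR query; the value of running them together, rather than as isolated alerts, is the cross-check between the 7045 record and the SafeBoot entry, which is what separates this campaign's footprint from a single odd registry write.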

GEOGRAPHIC DISTRIBUTION — GLOBAL FOOTPRINT, LOCAL TARGETING

Domain TLD distribution reveals a global operation with concentration in traditional TLDs.

The heavy reliance on .com (64%) suggests the campaign prioritizes perceived legitimacy over geographic specificity. However, the presence of country-code TLDs indicates either:

  • Compromise of local businesses in those regions
  • Targeting of victims in those geographic areas with locally relevant lures
  • Use of local hosting for performance/latency optimization

EXTERNAL THREAT LANDSCAPE MANAGEMENT

This campaign reflects a broader evolution in cybercriminal tradecraft, where threat actors increasingly combine trusted cloud-hosted services, compromised legitimate websites, and commercially available remote access software to reduce detection rates and extend operational longevity. The abuse of serverless and static web hosting platforms demonstrates a growing trend toward leveraging reputable infrastructure that benefits from established domain reputation, encrypted communications, and globally distributed content delivery networks. Simultaneously, the use of compromised small-business websites enables malicious content to blend with legitimate web traffic, reducing the effectiveness of traditional reputation-based security controls. These techniques align with wider industry observations of threat actors increasingly relying on trusted infrastructure rather than dedicated malicious hosting environments.

Over the next six to twelve months, the campaign is likely to continue diversifying its social engineering themes beyond Microsoft Teams notifications. As awareness and detection coverage increase around meeting transcript and recording lures, operators may expand into adjacent collaboration and productivity platforms, including cloud-based document sharing, file storage, conferencing, and workflow management services. The observed multi-theme delivery strategy suggests an emphasis on testing victim engagement across different business functions, indicating future campaigns may employ increasingly tailored lures, localized language variations, and role-specific messaging to improve infection success rates. The continued reliance on legitimate signed software and remote administration capabilities further indicates a preference for stealth, operational efficiency, and reduced malware development overhead.

From a strategic perspective, the campaign’s sustained activity over several months suggests a mature and actively maintained operation rather than a short-lived phishing effort. The observed infrastructure age distribution indicates ongoing infrastructure rotation, adaptation to defensive controls, and continuous campaign refinement. Future iterations may incorporate more sophisticated evasion mechanisms, including dynamic payload delivery, victim profiling, geolocation-based filtering, and conditional execution designed to evade automated analysis systems. As threat actors increasingly adopt trusted services and legitimate software ecosystems, organizations should prioritize behavioral detection capabilities, phishing-resistant authentication mechanisms, application control policies, and monitoring of remote access tool deployments rather than relying solely on domain reputation or static indicators of compromise.

MITRE FRAMEWORK

Tactic               Technique ID   Technique Name
Initial Access       T1566.002      Phishing: Spearphishing Link
Execution            T1204.002      User Execution: Malicious File
Persistence          T1543.003      Create or Modify System Process: Windows Service
Persistence          T1547.002      Boot or Logon Autostart Execution: Authentication Package
Persistence          T1546.015      Event Triggered Execution: Component Object Model Hijacking
Credential Access    T1556          Modify Authentication Process
Discovery            T1120          Peripheral Device Discovery
Stealth              T1497.001      Virtualization/Sandbox Evasion: System Checks
Stealth              T1497.003      Virtualization/Sandbox Evasion: Time Based Evasion
Command and Control  T1219          Remote Access Tool

SIGMA RULES

title: Unsigned DLL Loaded by Windows Utility
description: |
    Detects windows utilities loading an unsigned or untrusted DLL.
tags:
    - attack.stealth
    - attack.t1218.011
    - attack.t1218.010
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith:
            # Note: Add additional utilities that allow the loading of DLLs
            - '\InstallUtil.exe'
            - '\RegAsm.exe'
            - '\RegSvcs.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
    filter_main_signed:
        Signed: 'true'
    filter_main_sig_status:
        SignatureStatus:
            - 'errorChaining'
            - 'errorCode_endpoint'
            - 'errorExpired'
            - 'trusted'
            - 'Valid'
    filter_main_signed_null:
        Signed: null
    filter_main_signed_empty:
        Signed:
            - ''
            - '-'
    filter_main_sig_status_null:
        SignatureStatus: null
    filter_main_sig_status_empty:
        SignatureStatus:
            - ''
            - '-'
    filter_main_windows_installer:
        Image:
            - 'C:\Windows\SysWOW64\rundll32.exe'
            - 'C:\Windows\System32\rundll32.exe'
        ImageLoaded|startswith: 'C:\Windows\Installer\'
        ImageLoaded|endswith:
            - '.tmp-\Microsoft.Deployment.WindowsInstaller.dll'
            - '.tmp-\Avira.OE.Setup.CustomActions.dll'
    filter_main_assembly:
        Image|startswith:
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\Microsoft.NET\Framework64'
        Image|endswith: '\RegAsm.exe'
        ImageLoaded|endswith: '.dll'
        ImageLoaded|startswith: 'C:\Windows\assembly\NativeImages'
    filter_optional_klite_codec:
        Image:
            - 'C:\Windows\SysWOW64\regsvr32.exe'
            - 'C:\Windows\System32\regsvr32.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\K-Lite Codec Pack\'
            - 'C:\Program Files\K-Lite Codec Pack\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
Source: Open source

CONCLUSION

The analyzed campaign represents a sophisticated phishing operation that combines effective social engineering with the abuse of legitimate software and trusted infrastructure. By leveraging familiar collaboration-platform themes and distributing signed remote access software, the threat actor reduces suspicion during both the delivery and execution phases. The campaign’s infrastructure strategy balances operational flexibility with reputation-based evasion techniques, enabling sustained activity across multiple regions and target sectors.

The presence of layered persistence mechanisms and credential interception capabilities indicates objectives extending beyond initial access, potentially supporting long-term unauthorized access, credential harvesting, and follow-on intrusion activity. Infrastructure age analysis further suggests an established operation that continues to evolve through infrastructure rotation, template refinement, and ongoing campaign maintenance.

Given the continued effectiveness of collaboration-platform phishing lures and the increasing use of legitimate software for malicious purposes, organizations should expect similar campaigns to persist and expand. Defensive efforts should prioritize user awareness, phishing-resistant authentication, behavioral monitoring, application control, and detection of unauthorized remote access tool deployments. A defense strategy focused solely on malicious file signatures or domain reputation is unlikely to provide sufficient protection against campaigns employing trusted software and reputable hosting environments.

RECOMMENDATIONS AND MITIGATIONS

To reduce the risk posed by this campaign, organizations should implement a layered defense strategy that addresses phishing, unauthorized software installation, credential theft, and persistence mechanisms. Given the campaign’s reliance on legitimate software and trusted infrastructure, security controls should focus on behavioral indicators and user activity rather than solely on traditional signature-based detection.

Email and User Awareness Controls

  • Conduct regular phishing awareness training focused on collaboration-platform-themed lures, including meeting transcripts, recordings, and document-sharing notifications.
  • Encourage users to verify unexpected download requests through official collaboration platforms rather than email links.
  • Implement advanced email security controls to detect and block malicious URLs, suspicious attachments, and domain impersonation attempts.
  • Flag or quarantine emails containing external file-sharing links or executable downloads originating from untrusted sources.

Identity and Access Security

  • Enforce multi-factor authentication (MFA) across all enterprise applications, prioritizing email, remote access, and collaboration platforms.
  • Deploy phishing-resistant authentication methods where feasible.
  • Monitor for unusual authentication activity, including anomalous logon locations, failed authentication attempts, and unexpected account usage patterns.
  • Implement conditional access policies to restrict access from untrusted devices and locations.

Endpoint Protection and Application Control

  • Restrict software installation privileges to authorized administrators whenever possible.
  • Implement application allowlisting to limit execution of unauthorized installers and binaries.
  • Deploy endpoint detection and response (EDR) solutions capable of identifying persistence mechanisms, credential access activity, and unauthorized remote access software installations.
  • Generate alerts for newly installed services, credential providers, authentication packages, and COM object registrations.

Detection and Monitoring

  • Monitor for the creation or modification of Windows services configured for automatic startup.
  • Alert on SafeBoot registry modifications, LSA authentication package registration, and credential provider installation events.
  • Investigate unusual outbound connections from newly installed applications, particularly connections to external relay or remote access infrastructure.
  • Review endpoint telemetry for evidence of anti-analysis behaviors, extended sleep delays, or sandbox-evasion techniques.
  • Correlate phishing detections with endpoint installation events to identify potential successful compromises.
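The last item in this list, correlating a phishing detection with what happened on the endpoint afterwards, is the check that turns "a user clicked a lure" into "this host is probably compromised". The following Python is an added example, not tooling from the report: it pairs each URL-click record with msiexec executions and service installs on the same host inside a time window, and labels the result by how far the chain got (delivery only, execution, or persistence). The event records, hosts, users, the lure hostname and the 30-minute default window are constructed placeholders and assumptions.

```python
from datetime import datetime, timedelta

# Constructed telemetry: URL-click records (email gateway or web proxy) and
# endpoint events (process start, service install) from three workstations.
# Hosts, users and the lure hostname are placeholders, not campaign indicators.
SAMPLE_EVENTS = [
    {"ts": "2026-06-10T09:02:11Z", "type": "url_click", "host": "WS01", "user": "alice",
     "url": "https://lure-placeholder.example/transcript"},
    {"ts": "2026-06-10T09:05:40Z", "type": "process", "host": "WS01", "user": "alice",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\alice\\AppData\\Local\\Temp\\TranscriptViewer.msi /qn"},
    {"ts": "2026-06-10T09:06:02Z", "type": "service_install", "host": "WS01", "user": "SYSTEM",
     "service": "RemoteSupportSvc"},
    # Clicked the lure, but nothing followed on the endpoint.
    {"ts": "2026-06-10T10:15:00Z", "type": "url_click", "host": "WS02", "user": "bob",
     "url": "https://lure-placeholder.example/transcript"},
    # Routine MSI install with no preceding click; must not be paired with anything.
    {"ts": "2026-06-10T14:00:00Z", "type": "process", "host": "WS03", "user": "carol",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\carol\\Downloads\\vendor_update.msi"},
]


def _ts(ev) -> datetime:
    return datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))


def is_installer(ev) -> bool:
    """Endpoint events that look like an MSI deployment or a new service."""
    if ev["type"] == "service_install":
        return True
    return ev["type"] == "process" and ev.get("image", "").lower().endswith("\\msiexec.exe")


def correlate(events, window_minutes: int = 30):
    """Pair each lure click with installer activity on the same host within
    the window. Returns one incident per click with a stage label."""
    events = sorted(events, key=_ts)
    window = timedelta(minutes=window_minutes)
    incidents = []
    for click in (e for e in events if e["type"] == "url_click"):
        t0 = _ts(click)
        follow_on = [e for e in events
                     if e["host"] == click["host"] and is_installer(e)
                     and t0 <= _ts(e) <= t0 + window]
        if any(e["type"] == "service_install" for e in follow_on):
            stage = "persistence"      # a service appeared: foothold likely established
        elif follow_on:
            stage = "execution"        # installer ran, no service seen yet
        else:
            stage = "delivery_only"    # click only: awareness follow-up, not containment
        incidents.append({"host": click["host"], "user": click["user"], "url": click["url"],
                          "stage": stage, "follow_on": follow_on})
    return incidents


def likely_compromised(events, window_minutes: int = 30):
    """Hosts where a lure click was followed by installer activity."""
    return sorted({i["host"] for i in correlate(events, window_minutes)
                   if i["stage"] != "delivery_only"})


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(f"{inc['host']} {inc['user']:6} {inc['stage']:14} {len(inc['follow_on'])} follow-on event(s)")
    print("isolate:", likely_compromised(SAMPLE_EVENTS))
```

The stage label is what drives the response: "delivery_only" feeds the awareness and email-filtering controls above, while "execution" and "persistence" hosts are candidates for the endpoint isolation and persistence review described under incident response preparedness. The window is a tunable assumption; the report notes long sleep delays in the installer, so a window that is too tight will miss the service-install step.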

Network and Infrastructure Security

  • Implement web filtering controls to block access to newly registered domains, suspicious hosting infrastructure, and known malicious URLs.
  • Use DNS and proxy monitoring to identify connections to previously unseen domains and external remote access services.
  • Segment critical systems from general user workstations to limit lateral movement opportunities.
  • Maintain comprehensive logging of DNS, web proxy, authentication, and endpoint events to support rapid investigation and response.

Incident Response Preparedness

  • Establish procedures for identifying and removing unauthorized remote access software from enterprise endpoints.
  • Conduct regular reviews of installed services, startup entries, credential providers, and authentication packages.
  • Ensure endpoint isolation capabilities are available for rapid containment of suspected compromises.
  • Periodically test incident response workflows through phishing and remote-access-tool intrusion scenarios to validate detection and remediation effectiveness.

Organizations should assume that successful execution of the installer may result in persistent unauthorized access and potential credential compromise. As such, any affected systems should undergo comprehensive forensic review, credential resets for associated accounts, and validation that all persistence mechanisms have been fully removed.