Hackers Abuse Microsoft Teams, Quick Assist, and Google Drive to Deploy Nimbus RAT in 20 Minutes
Hackers are abusing trusted enterprise platforms such as Microsoft Teams, Microsoft SharePoint, Windows Quick Assist, Pastebin, Google Drive, and Google Sheets to compromise systems and deploy a Java-based remote access trojan called Nimbus RAT.
In a legal-sector incident observed in April 2026, eSentire’s Threat Response Unit said attackers moved from Microsoft Teams contact to Nimbus RAT execution in under 20 minutes. The intrusion began with email bombing, moved into voice phishing, then used Windows Quick Assist for hands-on remote access.
The campaign stands out because nearly every stage used a service that many companies already trust. Microsoft Teams handled the social engineering, SharePoint hosted the payload, Pastebin staged instructions, Quick Assist gave the attacker remote control, and Google services handled malware command-and-control traffic.
How the Teams vishing attack unfolded
The attack started with a mailbox flooding phase. eSentire reported that 282 subscription and notification emails arrived in the victim’s inbox over 90 minutes. The flood created confusion and made the victim more likely to accept help from someone claiming to be IT support.
About 45 minutes before the voice phishing interaction, the victim’s inbox had already received enough noise to make normal email use difficult. The attacker then contacted the victim through Microsoft Teams while posing as an internal helpdesk employee.
Microsoft has warned that attackers abuse Teams chat, calls, meetings, and screen-sharing features at multiple points in the attack chain. This campaign follows that pattern by turning a familiar collaboration tool into the entry point for a malware deployment.
| Attack stage | Platform or tool used | Purpose |
|---|---|---|
| Email bombing | Email subscriptions and notifications | Creates urgency and makes the fake helpdesk contact more believable |
| Vishing contact | Microsoft Teams | Lets the attacker impersonate internal support |
| Remote access | Windows Quick Assist | Gives the attacker hands-on control of the victim’s system |
| Instruction staging | Pastebin | Provides step-by-step commands and links during the session |
| Payload hosting | Microsoft SharePoint | Hosts the archive carrying Nimbus RAT |
| Command-and-control | Google Drive and Google Sheets | Lets malware fetch commands and upload stolen data through trusted APIs |
Quick Assist gave attackers remote control
The attacker convinced the user to launch Windows Quick Assist, a legitimate Microsoft remote support tool. The victim then followed instructions delivered through a Pastebin page.
That step was critical. Once the remote support session started, the attacker could run commands, check the environment, and download the malware archive from a compromised Microsoft 365 tenant. The payload came from SharePoint, which made the download look more legitimate than a file hosted on a suspicious domain.
This method reduces the value of simple blocklists. The attacker does not need to send an obvious malware attachment, and the victim sees familiar Microsoft services throughout the process.
Nimbus RAT uses Google services for command-and-control
Nimbus RAT is a Java-based remote access trojan bundled with an OpenJDK runtime, allowing it to run even when Java is not already installed on the target system. That packaging increases the attacker’s chance of successful execution on Windows endpoints.
The malware uses Google Drive and Google Sheets for command delivery and data exfiltration. The Google Drive API allows applications to read, write, and manage files in Drive, while the Google Sheets API lets applications read and write spreadsheet data. Nimbus RAT abuses those legitimate channels to blend in with normal enterprise traffic.
Because many organizations rely on Google services, defenders cannot usually block all Google API traffic. That makes endpoint and process-level detection more important than domain-based filtering alone.
What Nimbus RAT can do on a compromised system
Nimbus RAT gives attackers a broad set of remote access features. It can execute commands, browse and modify the file system, interact with the Windows registry, capture screenshots, and load additional payloads into memory.
It also includes two credential-harvesting methods. One displays a fake Windows Security prompt through a Java Swing interface. The other calls the real CredUIPromptForCredentialsW Windows API through Java Native Access, making the prompt look more convincing.

Both methods try to collect more than one password attempt. The malware can show an error after the first entry and ask the victim to try again, increasing the chance that attackers receive a valid credential.
| Nimbus RAT capability | Security impact |
|---|---|
| Command execution | Lets attackers run operating system commands |
| File system access | Allows data theft, file staging, and payload deployment |
| Registry manipulation | Can support persistence or system modification |
| Screenshot capture | Exposes sensitive documents, apps, and internal workflows |
| Credential prompts | Tricks users into entering Windows passwords |
| In-memory payload loading | Can reduce file-based detection opportunities |
Teams abuse has become a broader problem
eSentire’s telemetry shows that this was not an isolated incident. Researchers observed 1,540 suspicious external Microsoft Teams messages across 172 customer environments over 12 months, with a sharp rise between December 2025 and March 2026.
Nearly 65 percent of those suspicious messages came from throwaway Microsoft 365 tenants using onmicrosoft.com domains. Many impersonated helpdesk, service desk, or IT support teams, which makes the approach harder for employees to challenge in real time.
eSentire also said attackers reused infrastructure patterns, including newly registered .top domains and hosting-provider source IP ranges. Those patterns can help defenders separate malicious Teams messages from legitimate external collaboration.
Similar campaigns show the same tradecraft
The Nimbus RAT case fits a wider trend of attackers using Teams for helpdesk impersonation and fast endpoint compromise. Rapid7 investigated a separate April 2026 intrusion that began with a fake IT Support Teams message and quickly escalated into malware deployment, credential theft, privilege escalation, lateral movement, and data exfiltration.
That campaign involved ModeloRAT rather than Nimbus RAT, but the early stages looked familiar. The attacker used Teams trust, support-themed messaging, and remote-control behavior to move from conversation to compromise.

The pattern matters more than the malware name. Teams vishing, email bombing, remote support abuse, and trusted cloud hosting now form a repeatable intrusion chain that can support different payloads.
Detection signals defenders should prioritize
Security teams should watch for mailbox flooding first. A sudden spike in inbound subscription emails can appear before the attacker contacts the victim through Teams. Alerting on that pattern gives defenders a chance to intervene before the user starts a remote session.
Endpoint telemetry also matters. Java execution from unusual folders, javaw.exe launching from a newly extracted archive, and outbound Google API traffic from a Java process should trigger review. The same applies when a Quick Assist session precedes command-line activity, file downloads, or credential prompts.
Organizations should also inspect Teams external message policies. Microsoft’s Teams threat guidance notes that collaboration features can be abused by both cybercriminal and state-linked actors, so companies need controls for external access, chat, calls, meetings, and screen sharing.
- Alert on sudden inbound email spikes tied to subscription bombing.
- Restrict external Teams messages from unknown or trial tenants.
- Disable or limit Quick Assist where the business does not need it.
- Monitor for java.exe or javaw.exe launching from user-writable folders.
- Correlate Quick Assist sessions with command-line activity and file downloads.
- Review Google API traffic by process, not only by destination domain.
- Train users to report unexpected IT support contact through Teams or calls.
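The endpoint signals above (Java launched from a user-writable folder, a command shell spawned under a Quick Assist session, and Google API traffic judged by the originating process rather than the domain alone) can be expressed as three correlation rules over process and network telemetry. The following is an added example written for this article, not code from eSentire or any product; the events, paths and process IDs are constructed, and the Quick Assist executable name and Google API hostnames are assumptions.

```python
import re
# Constructed endpoint telemetry (not data from the eSentire report): process
# starts and network connections as dicts; paths, PIDs and times are made up.
EVENTS = [
    {"ts": "09:00:00", "kind": "process", "pid": 300, "ppid": 100,
     "image": r"C:\Program Files\Java\jre-17\bin\java.exe"},
    {"ts": "09:00:05", "kind": "netconn", "pid": 300, "dst": "www.googleapis.com"},
    {"ts": "10:02:00", "kind": "process", "pid": 400, "ppid": 100,
     "image": r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe"},
    {"ts": "10:05:30", "kind": "process", "pid": 410, "ppid": 400,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "10:09:10", "kind": "process", "pid": 420, "ppid": 410,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\pkg\jre\bin\javaw.exe"},
    {"ts": "10:09:40", "kind": "netconn", "pid": 420, "dst": "www.googleapis.com"},
]
JAVA = {"java.exe", "javaw.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
GOOGLE_API = re.compile(r"(^|\.)(googleapis\.com|docs\.google\.com|drive\.google\.com)$", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyze(events):
    """Return (rule, pid, severity) tuples for the three endpoint signals."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}

    def under_quick_assist(pid):
        seen = set()
        while pid in procs and pid not in seen:          # walk the parent chain
            seen.add(pid)
            if basename(procs[pid]["image"]) == "quickassist.exe":  # assumed image name
                return True
            pid = procs[pid]["ppid"]
        return False

    alerts = []
    for e in events:
        if e["kind"] == "process":
            name = basename(e["image"])
            if name in JAVA and USER_WRITABLE.match(e["image"]):
                alerts.append(("java_from_user_writable_path", e["pid"], "high"))
            if name in SHELLS and under_quick_assist(e["ppid"]):
                alerts.append(("shell_under_quick_assist", e["pid"], "high"))
        else:  # netconn: rate the destination by the process, not the domain alone
            p = procs.get(e["pid"])
            if p and basename(p["image"]) in JAVA and GOOGLE_API.search(e["dst"]):
                odd = USER_WRITABLE.match(p["image"]) or under_quick_assist(p["ppid"])
                alerts.append(("google_api_from_java", e["pid"], "high" if odd else "review"))
    return alerts
```

Run against the constructed events, the properly installed Java process only earns a "review" entry, while the javaw.exe extracted under the user's Temp folder beneath a Quick Assist session produces high-severity alerts on both its launch and its Google API connection.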
How organizations can reduce risk
Companies should start by reducing who can contact employees through Microsoft Teams. Blocking or restricting external messages from unknown tenants can remove one of the attacker’s easiest routes into the conversation.
Administrators should also evaluate whether users need Quick Assist remote support at all. If the tool is necessary, access should be limited to approved helpdesk workflows, and sessions should be logged and reviewed.
For Google Workspace traffic, defenders should avoid treating all Google API calls as harmless. The Google Drive API documentation and Google Sheets API documentation show how normal application traffic can read and write cloud data. Malware that uses the same channels requires process-aware monitoring.
Trusted services are now part of the attack chain
The Nimbus RAT intrusion shows why defenders need more context across email, identity, endpoint, SaaS, and collaboration tools. The attacker did not rely on one suspicious domain or one malicious attachment. Instead, the operation moved through trusted services that users and companies depend on every day.
That makes behavior more important than brand names. A SharePoint file download, a Teams call, a Pastebin page, a Quick Assist session, and Google Drive traffic may each look normal in isolation. Together, they can form a complete compromise path.
Rapid7’s ModeloRAT research and the Nimbus RAT case both point to the same defensive lesson: organizations must treat collaboration abuse as an initial-access risk, not only as a user-awareness problem.
FAQ
Nimbus RAT is a Java-based remote access trojan observed in a Microsoft Teams vishing campaign. It can execute commands, access files, modify registry data, capture screenshots, steal credentials, and load additional payloads.
Attackers used email bombing, fake IT support contact through Microsoft Teams, Windows Quick Assist for remote control, Pastebin for instructions, SharePoint for payload hosting, and Google Drive and Google Sheets for command-and-control.
Nimbus RAT uses Google Drive and Google Sheets as command-and-control channels. This lets its traffic blend with legitimate Google API activity, which many organizations cannot block broadly.
Teams vishing is effective because attackers impersonate trusted internal support staff inside a familiar collaboration platform. When paired with email bombing, victims may believe they are receiving legitimate help.
Companies should restrict external Teams messages, limit Quick Assist use, alert on email bombing, monitor Java execution from unusual folders, correlate remote sessions with command-line activity, and inspect Google API traffic by process.