Hackers Use Microsoft Teams Calls to Install RMM Tools and Deploy EtherRAT
Threat actors are abusing Microsoft Teams voice calls to impersonate corporate IT support and trick employees into installing remote access tools that lead to EtherRAT malware deployment.
The campaign starts with a phishing email carrying an “Employee Survey” lure and a malicious PDF attachment. Soon after the victim opens the file, the attacker calls through Microsoft Teams while posing as a “System Administrator.”
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
According to BleepingComputer, the attack combines phishing, Teams voice calls, legitimate remote monitoring and management tools, and a Node.js-based malware loader. The result is a high-touch social engineering chain that looks like IT support but gives attackers hands-on access to the victim’s machine.
How the Microsoft Teams attack works
The initial email sets up the interaction by making the victim believe an internal HR or IT process is underway. The Teams call then creates urgency and gives the attacker a chance to talk the employee through the next steps.
During the call, the attacker asks the victim to grant control through Microsoft Teams screen sharing. Once the victim complies, the caller guides them into installing legitimate remote access tools such as HopToDesk and AnyDesk.
The abuse of trusted support tools makes this attack harder to detect. Red Canary notes that RMM tools are legitimate utilities used by IT teams, but attackers often abuse them because they provide reliable remote control and can blend into normal administrative traffic.
| Attack stage | What happens | Why it matters |
|---|---|---|
| Phishing email | The victim receives an “Employee Survey” lure with a malicious PDF | It prepares the victim for later contact |
| Teams call | An external caller impersonates a system administrator | The attack feels like a live IT support session |
| Screen sharing | The victim grants remote control through Teams | The attacker gains interactive access |
| RMM installation | The victim installs HopToDesk or AnyDesk | The attacker keeps access beyond the Teams call |
| Malware deployment | The attacker runs a malicious MSI installer | EtherRAT is loaded on the endpoint |
EtherRAT arrives through a malicious MSI installer
After remote access is established, the attacker downloads and runs a malicious Windows Installer file named v7.msi from camorreado[.]click. The MSI functions as a loader that fetches a legitimate Node.js runtime, decrypts embedded payloads, and launches EtherRAT.
The BleepingComputer report says Unit 42 found multiple installer versions, from v1.msi through v9.msi, in an open directory on the attacker’s distribution server. That suggests the tooling was still under development when researchers analyzed the activity.
EtherRAT is a cross-platform remote access trojan written in Node.js. Once active, it can execute commands, manipulate files, steal data, and maintain persistence on compromised systems.
Why EtherRAT is harder to disrupt
EtherRAT stands out because it uses Ethereum smart contracts to retrieve its active command-and-control server. This method makes takedown and blocking efforts harder because defenders cannot rely only on one fixed server address inside the malware.
The attacker can update the infrastructure behind the scenes, while infected systems query the blockchain-based reference point for fresh connection details. That design gives the malware more resilience than a basic remote access trojan that uses a hardcoded domain.
The campaign also relies heavily on tools and workflows that employees already recognize. Red Canary’s RMM analysis warns that remote access tools can give adversaries a professional-grade administration platform, including command-line access, desktop control, and file access.
Teams warnings can help, but users may overlook them
The Teams session observed in the campaign displayed the “External unfamiliar” label, which means the caller came from outside the victim’s organization and was not explicitly trusted.
Microsoft Teams Trust Indicators explains that Teams uses labels and icons to show whether someone is external, trusted, unfamiliar, anonymous, or otherwise outside the organization. These indicators appear in places such as chats, calls, notifications, participant lists, search results, and profile cards.
The problem is that an attacker can still persuade a victim to ignore the warning. When the request appears to come from IT support, an employee may focus on solving the “issue” instead of questioning the caller’s identity.
- “External unfamiliar” should trigger extra verification before any action.
- IT support should not ask users to install remote access software through an unsolicited Teams call.
- Screen sharing should not become remote control unless the request has been verified.
- Employees should check the caller’s domain and confirm the ticket through an internal channel.
Microsoft has already warned about helpdesk impersonation
This EtherRAT campaign follows a wider pattern of attackers abusing cross-tenant Microsoft Teams communication to impersonate IT or helpdesk personnel.
The Microsoft Security Blog warned in April that threat actors were using external Teams collaboration to convince users to grant remote assistance access. Microsoft said attackers could then use legitimate tools and native administrative protocols to move laterally, expand access, and stage data for exfiltration.
Unit 42 research also shows why collaboration platforms have become attractive to attackers. The company said phishing alerts from collaboration tools represented 42% of all phishing alerts in Cortex during the first four months of 2026, up from 30% in the previous four months.
How organizations can reduce the risk
Organizations should treat unsolicited Teams support calls as a serious security risk, especially when the caller asks for screen control, remote access tools, or software installation.
Admins can reduce exposure by reviewing external access settings, limiting communication with unknown tenants, and training employees to verify helpdesk requests through a known internal channel. The Microsoft Teams documentation makes clear that trust labels exist to help users avoid oversharing with people outside the organization.
Security teams should also monitor for unexpected installation or execution of RMM tools. Alerts should become higher priority when an external Teams call, a malicious attachment, a new remote access tool, and MSI execution appear close together.
- Restrict external Teams communication to trusted domains where business needs allow it.
- Train employees to verify all unexpected IT support calls through the official helpdesk.
- Block or allowlist RMM tools such as AnyDesk and HopToDesk based on approved business use.
- Monitor for MSI files launched from user directories or temporary folders.
- Alert when Node.js appears on endpoints that do not normally use it.
- Investigate external Teams calls followed by remote access tool installation.
Indicators linked to the EtherRAT campaign
Defenders should handle indicators carefully because legitimate services can appear in the wider attack chain. The most actionable indicators are the external Teams account, the distribution domain, and the MSI installer names reported in the campaign.
The Microsoft Security Blog also recommends treating unexpected external IT helpdesk contact as suspicious and monitoring remote assistance workflows closely.
Meanwhile, Unit 42 recommends moving the burden away from users by tightening external communication settings and identity controls, since attackers count on visual familiarity and trust in collaboration tools.
| Type | Indicator | Description |
|---|---|---|
| Email or account | [email protected][.]com | External Teams account used to impersonate IT support |
| Domain | camorreado[.]click | Distribution server hosting the malicious MSI installer |
| File | v7.msi | Observed malicious installer used to load Node.js and EtherRAT |
| File group | v1.msi through v9.msi | Multiple installer versions found in an open directory |
| Tools | HopToDesk and AnyDesk | Legitimate remote access tools abused during the intrusion |
What employees should do if they receive a suspicious Teams call
Employees should not grant control, install software, or open attachments just because someone claims to be from IT. A real support process should have a ticket number, an internal contact path, and a way to confirm the person’s identity.
If a user already granted access, they should disconnect from the network, contact the security team through a trusted channel, and avoid deleting files or rebooting unless instructed. Fast reporting can help security teams preserve evidence and stop lateral movement.
The main lesson is simple: Microsoft Teams is a collaboration tool, but external communication still needs the same caution as email, phone calls, and web links. Attackers do not need to break the platform when they can convince users to trust the wrong person.
FAQ
It is a social engineering campaign where attackers impersonate IT support through Microsoft Teams calls, convince victims to install remote access tools, and then deploy the EtherRAT remote access trojan through a malicious MSI installer.
Attackers call the victim from an external Microsoft 365 tenant while pretending to be a system administrator. They use the call and screen sharing to persuade the victim to grant control and install remote access software.
Reported indicators include [email protected][.]com, camorreado[.]click, v7.msi, and related installer names from v1.msi through v9.msi. Organizations should also watch for unexpected HopToDesk or AnyDesk installations.
Organizations should restrict external Teams access where possible, train employees to verify support requests through a trusted internal channel, allowlist approved remote access tools, and monitor for external Teams contact followed by RMM installation or MSI execution.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages