Microsoft Teams Phishing Campaign Uses RMM Abuse for Unauthorized Access


A Microsoft Teams-themed phishing campaign is tricking employees into installing a legitimate remote access tool that attackers configure for unauthorized control.

The campaign, detailed in CYFIRMA research, uses fake Teams transcript and meeting-recording notifications to push victims toward fraudulent download pages.

The attack does not depend on a Teams vulnerability. It relies on social engineering, trusted-looking web infrastructure, signed software, and remote access tooling that can blend into normal IT activity.

How the Microsoft Teams phishing lure works

Victims receive emails or messages that appear to come from Microsoft Teams. The lure usually claims that a meeting transcript, missed meeting summary, or recording is ready to download.

After clicking, the user lands on a fake page styled like a Teams interface. The page prompts them to download software presented as a transcript viewer, meeting plugin, or document-related application.

Once executed, the installer deploys a legitimate remote access tool with attacker-controlled relay or connection settings. This gives the operators a path into the victim's system without using custom malware in the first stage.

| Attack stage | What happens | Why it works |
|---|---|---|
| Initial lure | Fake Teams transcript or recording notification | Employees expect Teams messages in daily work |
| Landing page | Fraudulent Teams-style download page | The branding lowers user suspicion |
| Payload | Signed remote access installer | Legitimate software can bypass simple file reputation checks |
| Persistence | Service, Safe Mode, credential provider, and LSA changes | The attacker keeps access after reboot or partial cleanup |

Compromised websites make the campaign harder to block

The attackers use a dual infrastructure strategy. Some links pass through compromised legitimate websites, while others use attacker-controlled cloud-hosted infrastructure.

CYFIRMA observed compromised sites belonging to small businesses, schools, law firms, medical practices, hotels, sports shops, and other organizations across multiple countries.

The attackers also used Cloudflare Workers, Cloudflare Pages, and low-cost top-level domains such as .icu, .sbs, and .online. This setup lets them rotate infrastructure quickly while benefiting from trusted hosting services.

  • Common lure themes include meeting transcripts, meeting recordings, and missed meeting summaries.
  • Compromised sites help malicious links inherit legitimate domain reputation.
  • Cloud-hosted pages help attackers deploy and replace phishing pages quickly.
  • Infrastructure age analysis showed most entries were three to six months old.

Signed remote access tools reduce suspicion

The downloaded file is a signed Windows installer for legitimate remote access software. That makes the attack harder to catch with security controls that focus mostly on unsigned binaries or known malware hashes.

Microsoft described a similar pattern in its signed RMM malware research, where workplace-themed phishing delivered remote monitoring and management tools through trusted-looking signed executables.

In the Teams-themed campaign, the installer runs through Windows Installer and drops files into the user's temporary directory. Custom action DLLs are then invoked through standard Windows utilities such as rundll32.exe.

The campaign adds several persistence layers

After installation, the remote access setup creates a Windows service configured to start automatically, so the tool returns after a reboot.

The attackers also add Safe Mode persistence, which allows the service to survive when Windows starts in Safe Mode with Networking. This matters because administrators sometimes use Safe Mode during cleanup.

The campaign also registers a credential provider DLL and an LSA authentication package. MITRE ATT&CK documents authentication package abuse as a persistence technique where DLLs load through the Local Security Authority during system startup.

| Persistence method | Purpose | What defenders should check |
|---|---|---|
| Windows service | Runs the tool after reboot | New auto-start services after a phishing click |
| SafeBoot registry entry | Keeps access during Safe Mode with Networking | Unexpected SafeBoot service entries |
| Credential provider DLL | Can intercept credentials at logon | New credential provider registrations |
| LSA authentication package | Loads into the Windows authentication subsystem | Changes to LSA Authentication Packages registry values |
| COM object registration | Supports activation through COM mechanisms | New CLSID and InprocServer32 entries |

Credential theft turns remote access into deeper compromise

The credential provider registration is especially serious because it can expose passwords entered at the Windows logon screen. The LSA authentication package change also gives the attacker deeper access to Windows authentication flows.

Elastic's LSA authentication package detection rule notes that adversaries can abuse this autostart mechanism by adding a binary reference to the registry, causing the binary to execute as SYSTEM when authentication packages load.

That means the campaign is not just about remote screen control. It creates conditions for credential interception, persistent access, and possible follow-on intrusion activity.

Teams abuse fits a wider intrusion trend

Microsoft Teams has become a valuable social engineering channel because employees already trust it for meetings, chats, files, and support requests.

Microsoft has also warned about cross-tenant helpdesk impersonation, where attackers contact users through Teams while pretending to be IT support and then persuade them to grant remote assistance access.

These campaigns vary in exact delivery method, but the pattern is consistent. Attackers use trusted collaboration workflows to make a dangerous action feel routine.

Anti-analysis features slow security review

CYFIRMA said the installer includes anti-analysis behavior. These checks can include USB bus enumeration, debugger detection, long sleep delays, and obfuscated custom action modules.

Such techniques can help the payload avoid automated sandboxes. If a sandbox does not look like a real user system or stops analysis too quickly, the installer may delay or alter suspicious behavior.

The same CYFIRMA report said the campaign remains actively maintained, with recent scans showing continued deployment and infrastructure rotation.

What security teams should monitor

Defenders should focus on behavior, not only signatures. A legitimate remote access installer can still become malicious when it connects to attacker-controlled infrastructure.

Teams and email detections should be correlated with endpoint events. A user clicking a Teams transcript lure followed by MSI execution, rundll32 activity, service creation, and outbound remote access traffic should trigger immediate review.
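The chain above can be expressed as an ordered per-host correlation. The following PowerShell is an added example (not from the article or CYFIRMA) that walks constructed events, with illustrative Type/Detail fields that would need mapping to a real SIEM or EDR schema, and scores each host by how far down the chain it got within a time window:

```powershell
# Added example, not from the article or CYFIRMA: correlates endpoint and mail
# telemetry per host into the ordered chain described above (lure click, MSI
# run from Temp, rundll32 custom action, auto-start service, outbound session).
# Assumption: the events below are constructed and the field names are
# illustrative; map Type/Detail to your own SIEM or EDR schema.

$events = @(
    [pscustomobject]@{ Time = [datetime]'2024-01-10 09:00:05'; Host = 'WS-17'; Type = 'UrlClick'; Detail = 'https://teams-transcript.example.invalid/view' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10 09:01:10'; Host = 'WS-17'; Type = 'Process';  Detail = 'msiexec.exe /i C:\Users\jdoe\AppData\Local\Temp\TranscriptViewer.msi' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10 09:01:40'; Host = 'WS-17'; Type = 'Process';  Detail = 'rundll32.exe C:\Users\jdoe\AppData\Local\Temp\MSI4F2A.tmp\action.dll,Install' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10 09:02:05'; Host = 'WS-17'; Type = 'Service';  Detail = 'Created RemoteSvc StartMode=Auto' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10 09:02:30'; Host = 'WS-17'; Type = 'Network';  Detail = 'RemoteSvc.exe -> relay.example.invalid:443' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10 09:05:00'; Host = 'WS-22'; Type = 'Process';  Detail = 'msiexec.exe /i C:\ProgramData\Deploy\CorpAgent.msi' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10 09:05:20'; Host = 'WS-22'; Type = 'Service';  Detail = 'Created CorpAgent StartMode=Auto' }
)

# Ordered stages; each must match after the previous one on the same host.
$chain = @(
    @{ Name = 'LureClick';     Type = 'UrlClick'; Pattern = 'transcript|recording|meeting' }
    @{ Name = 'MsiFromTemp';   Type = 'Process';  Pattern = '^msiexec\.exe .*\\Temp\\' }
    @{ Name = 'CustomAction';  Type = 'Process';  Pattern = '^rundll32\.exe .*\\Temp\\.*\.dll' }
    @{ Name = 'AutoService';   Type = 'Service';  Pattern = 'StartMode=Auto' }
    @{ Name = 'OutboundRelay'; Type = 'Network';  Pattern = '.' }
)

function Find-RmmChain([object[]]$Events, [int]$WindowMinutes = 30) {
    foreach ($group in ($Events | Group-Object Host)) {
        $stage = 0; $start = $null; $hits = @()
        foreach ($e in ($group.Group | Sort-Object Time)) {
            if ($stage -ge $chain.Count) { break }
            $step = $chain[$stage]
            if ($e.Type -ne $step.Type -or $e.Detail -notmatch $step.Pattern) { continue }
            if (-not $start) { $start = $e.Time }
            # Abandon the chain if the next stage falls outside the time window
            if (($e.Time - $start).TotalMinutes -gt $WindowMinutes) { break }
            $hits += $step.Name; $stage++
        }
        $severity = if ($stage -eq $chain.Count) { 'High' } elseif ($stage -ge 3) { 'Medium' } else { 'Low' }
        [pscustomobject]@{ Host = $group.Name; Matched = "$stage/$($chain.Count)"; Stages = ($hits -join ' > '); Severity = $severity }
    }
}

Find-RmmChain $events | Format-Table -AutoSize
```

With the constructed data, WS-17 completes all five stages and is rated High, while WS-22 (a managed-deployment install with no lure click and no Temp-path MSI) stays at Low.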

Microsoft's RMM backdoor guidance also recommends watching for trusted software used in unusual ways, especially when deployment follows phishing and installs tools such as remote management clients.

  1. Block or review newly registered domains and suspicious Cloudflare-hosted phishing pages.
  2. Restrict software installation rights to administrators or managed deployment systems.
  3. Alert on new auto-start Windows services created from user temp paths.
  4. Monitor for rundll32.exe loading installer-related custom action DLLs.
  5. Review SafeBoot registry modifications on user workstations.
  6. Hunt for new credential provider and LSA authentication package registrations.
  7. Investigate remote access tools that connect to unfamiliar relay servers.
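The persistence table and the monitoring list above translate into a host hunt. The following PowerShell is an added example (not the article's, CYFIRMA's or Microsoft's code) that checks the standard Windows locations for each artifact; it assumes an elevated session, and its exclusion patterns (system paths, the default msv1_0 package) are illustrative baselines to tune per environment:

```powershell
# Added example (not from CYFIRMA or the article): hunts a Windows host for the
# persistence artifacts described above. Run in an elevated PowerShell session.
# Assumption: paths and value names are standard Windows locations; the
# exclusion patterns are illustrative baselines and should be tuned locally.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Category, $Location, $Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Location = $Location; Detail = $Detail })
}

# 1. Auto-start services whose binary lives under a user profile or temp path
Get-CimInstance Win32_Service | Where-Object {
    $_.StartMode -eq 'Auto' -and $_.PathName -match '\\Users\\|\\Temp\\|\\AppData\\'
} | ForEach-Object { Add-Finding 'Service' $_.Name $_.PathName }

# 2. SafeBoot entries: services registered to survive Safe Mode (Minimal/Network)
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    Get-ChildItem $key -ErrorAction SilentlyContinue | ForEach-Object {
        $name = $_.PSChildName
        # Driver-group GUIDs will not resolve to a service; flag services outside C:\Windows
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if ($svc -and $svc.PathName -notmatch '^"?C:\\Windows\\') {
            Add-Finding 'SafeBoot' "$mode\$name" $svc.PathName
        }
    }
}

# 3. Credential providers: each CLSID resolves to an InprocServer32 DLL (COM registration)
$cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
Get-ChildItem $cpRoot | ForEach-Object {
    $clsid = $_.PSChildName
    $dll = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    if ($dll -and $dll -notmatch '^(%SystemRoot%|C:\\Windows)\\System32\\') {
        Add-Finding 'CredentialProvider' $clsid $dll
    }
}

# 4. LSA authentication packages: anything beyond the default msv1_0 deserves review
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($pkg in @($lsa.'Authentication Packages')) {
    if ($pkg -ne 'msv1_0') { Add-Finding 'LSA' 'Authentication Packages' $pkg }
}

$findings | Format-Table -AutoSize
```

Legitimate third-party credential providers (for example MFA clients installed under Program Files) will also surface here, so review findings against a known-good baseline rather than treating every row as malicious.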

How organizations can reduce risk

Phishing awareness remains important, but training alone is not enough. The lures mimic normal business workflows, so technical guardrails must reduce the chance that one click becomes persistent access.

Organizations should use phishing-resistant MFA, conditional access, application allowlisting, endpoint detection, and software installation controls. They should also require users to verify transcript or recording downloads inside the real Teams app rather than through email links.

The Microsoft Teams impersonation playbook highlights how attackers can use legitimate remote support and RMM tools after social engineering succeeds. This makes policy enforcement around remote assistance and external collaboration critical.

Incident response steps after suspected infection

Any machine that ran the installer should be treated as potentially compromised. Removing the visible remote access tool may not remove the service, Safe Mode entry, credential provider, LSA package, or COM registration.

Security teams should isolate the device, collect forensic evidence, remove unauthorized remote access software, and reset credentials for the affected user. Accounts with administrative privileges require extra review.

Elastic's investigation guidance recommends checking the registry change, identifying the referenced binary, reviewing the user account involved, and correlating the change with nearby suspicious activity. MITRE's T1547.002 entry reinforces why authentication package changes deserve urgent triage.

FAQ

What is the Microsoft Teams impersonation campaign?

It is a phishing campaign that uses fake Microsoft Teams transcript, recording, or meeting-summary notifications to trick employees into downloading a signed remote access installer configured for unauthorized access.

Does the campaign exploit a Microsoft Teams vulnerability?

No confirmed Teams vulnerability is involved in the reported campaign. Attackers abuse Microsoft Teams branding, trusted-looking pages, and user trust to persuade victims to install remote access software.

Why is RMM abuse dangerous?

RMM tools are legitimate remote monitoring and management tools used by IT teams. When attackers configure them for unauthorized access, they can control systems while blending into normal administrative activity.

What persistence methods does the campaign use?

CYFIRMA reported multiple persistence mechanisms, including auto-start Windows services, Safe Mode persistence, credential provider registration, LSA authentication package integration, and COM object registration.

How can organizations detect this attack?

Organizations should monitor fake Teams download lures, signed installers from user temp paths, new auto-start services, SafeBoot changes, credential provider registrations, LSA authentication package changes, and remote access tools connecting to unfamiliar relay servers.
