SOC Prime Bias: High

29 Jun 2026 06:08 UTC

Microsoft Teams-Themed Phishing Campaign Delivers Remote Access

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

An active phishing campaign uses Microsoft Teams-themed lures to distribute legitimate remote access tools for unauthorized access. Victims are directed to fraudulent landing pages impersonating productivity services to download malicious installers. The operation utilizes a dual infrastructure strategy involving both compromised legitimate websites and attacker-controlled cloud hosting.

Investigation

The investigation identified a multi-themed campaign leveraging social engineering to drive software downloads. Analysis revealed infrastructure consisting of compromised small-business websites and dedicated Cloudflare-hosted services. Post-execution activities include deep system integration via service installation, LSA authentication package registration, and COM object hijacking for persistent access.

Mitigation

Organizations should implement phishing-resistant MFA and application allowlisting to restrict unauthorized software installation. Security teams should monitor for unusual Windows service creations, LSA authentication package modifications, and SafeMode registry changes. User awareness training should specifically focus on verifying unexpected collaboration platform notifications.
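The three monitoring items above (unusual service creations, LSA authentication package modifications, SafeMode registry changes) can be triaged from host telemetry. The following is an added example, not SOC Prime rule code and not part of the original post: it runs simple checks over constructed events modelled on the Windows System log EventID 7045 (service installed) and Sysmon EventID 13 (registry value set). The baseline package set, the "unusual path" heuristic, the treatment of the SafeBoot keys as the "SafeMode registry", and the sample event values are all assumptions made for the example.

```python
import json
import re

# Constructed baseline of LSA authentication packages for a known-good host
# (assumption; a real baseline is captured from your gold image).
BASELINE_LSA_AUTH_PACKAGES = {"msv1_0"}

LSA_AUTH_PACKAGES_RE = re.compile(
    r"\\Control\\Lsa\\Authentication Packages$", re.IGNORECASE)
# SafeMode persistence lives under Control\SafeBoot\{Minimal,Network} (assumption
# that this is what the page means by "SafeMode registry changes").
SAFEBOOT_RE = re.compile(
    r"\\Control\\SafeBoot\\(Minimal|Network)\\[^\\]+", re.IGNORECASE)
# Heuristic (assumption): service binaries launched through msiexec/rundll32 or
# living in user-writable paths are unusual for a legitimate installer.
SUSPICIOUS_SERVICE_PATH_RE = re.compile(
    r"rundll32\.exe|msiexec\.exe|\\Users\\|\\AppData\\|\\ProgramData\\|\\Temp\\",
    re.IGNORECASE)


def split_multi_sz(details):
    """Split a REG_MULTI_SZ value into its entries. The constructed samples join
    entries with NUL or newline (assumption); real collectors render this differently."""
    return {p.strip() for p in re.split(r"[\x00\n\r;]+", details) if p.strip()}


def check_service_install(event):
    """System log EventID 7045: a new service was installed (T1543.003)."""
    image_path = event.get("ImagePath", "")
    if SUSPICIOUS_SERVICE_PATH_RE.search(image_path):
        return {"category": "service_install",
                "reason": "service installed from unusual binary or path",
                "service": event.get("ServiceName"), "image_path": image_path}
    return None


def check_registry_set(event):
    """Sysmon EventID 13: a registry value was set."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    if LSA_AUTH_PACKAGES_RE.search(target):
        # Only packages not in the baseline are interesting (T1547.002 / T1556).
        added = split_multi_sz(details) - BASELINE_LSA_AUTH_PACKAGES
        if added:
            return {"category": "lsa_auth_package",
                    "reason": "LSA authentication package added",
                    "added": sorted(added), "image": event.get("Image")}
    elif SAFEBOOT_RE.search(target):
        return {"category": "safeboot_change",
                "reason": "SafeBoot entry written (service survives Safe Mode)",
                "target": target, "image": event.get("Image")}
    return None


def triage(events):
    """Dispatch each event to the matching check and collect findings."""
    findings = []
    for event in events:
        if event.get("EventID") == 7045:
            finding = check_service_install(event)
        elif event.get("EventID") == 13:
            finding = check_registry_set(event)
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (names and paths invented for the example).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Windows Telemetry Sync",
     "ImagePath": r"rundll32.exe C:\Users\alice\AppData\Roaming\svchelper.dll,Start"},
    {"EventID": 7045, "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages",
     "Details": "msv1_0\x00svchelper"},
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Windows Telemetry Sync\(Default)",
     "Details": "Service"},
    {"EventID": 13, "Image": r"C:\Windows\System32\lsass.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages",
     "Details": "msv1_0"},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Run against the constructed sample, the script reports three findings (the rundll32-backed service, the added `svchelper` authentication package, and the SafeBoot entry) and stays silent on the Sysmon service and the baseline-only LSA write; the baseline set and path heuristic are the knobs to tune per environment.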

Response

Upon detection, organizations should isolate affected endpoints to prevent further lateral movement. Conduct a forensic review to identify and remove all persistence mechanisms, including custom credential providers and COM objects. A comprehensive credential reset for all impacted user accounts is highly recommended.

Attack Flow

    flowchart TD
        step_initial_access["Initial Access: T1566.002 – Phishing: Spearphishing Link via impersonated Microsoft Teams notifications"]
        step_drive_by["T1189 – Drive-by Compromise via fraudulent landing page prompting installer download"]
        step_user_execution["User Execution: T1204.002 – Malicious File; involves system checks (T1497.001) and delay execution (T1678)"]
        step_execution_injection["T1055 – Process Injection via COM object registration and use of Remote Access Tools (T1219)"]
        rules_for_execution_injection("<b>Rule Name</b>: Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)<br/><b>Rule ID</b>: eca0d706-cdb9-488b-b4e2-ef2a4692f58c")
        step_persistence["Persistence: T1543.003 (Windows Service), T1547.002 (Boot/Logon Autostart), and T1546.015 (COM Hijacking)"]
        step_credential_access["Credential Access: T1556 – Modifying the Authentication Process to intercept credentials at logon"]
        step_initial_access -->|leads_to| step_drive_by
        step_drive_by -->|leads_to| step_user_execution
        step_user_execution -->|leads_to| step_execution_injection
        step_execution_injection -->|leads_to| step_persistence
        step_persistence -->|leads_to| step_credential_access
        step_execution_injection -.->|detected_by| rules_for_execution_injection

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands: The adversary delivers a Microsoft Teams-themed phishing email containing a link to a malicious .msi package. When the user executes the package, msiexec.exe is invoked with parameters designed to install a hidden backdoor. To achieve persistence, the installer invokes rundll32.exe to load a custom DLL that registers a new system service. The command line specifically includes the string 'service' to mimic the behavior described in the threat intelligence report, thereby triggering the detection rule.

  • Regression Test Script:

    # Simulation script to trigger the detection rule
    # Goal: Execute msiexec or rundll32 with 'service' in the command line
    # Both scenarios use built-in Windows binaries with non-destructive arguments;
    # the only aim is to produce process-creation telemetry containing 'service'.
    
    Write-Host "[+] Starting Simulation: Triggering MSI/Rundll32 Service Detection" -ForegroundColor Cyan
    
    # Scenario 1: Trigger via msiexec.exe
    # The "package" is not a valid MSI, so msiexec exits with an error; /quiet suppresses UI.
    Write-Host "[+] Scenario 1: Executing msiexec with 'service' keyword..." -ForegroundColor Yellow
    Start-Process "msiexec.exe" -ArgumentList "/i C:\Windows\System32\msiexec.exe /service /quiet" -Wait
    
    # Scenario 2: Trigger via rundll32.exe
    # UpdatePerUserSystemParameters is a harmless user32 export; the trailing 'service' argument is ignored.
    Write-Host "[+] Scenario 2: Executing rundll32.exe with 'service' keyword..." -ForegroundColor Yellow
    Start-Process "rundll32.exe" -ArgumentList "C:\Windows\System32\user32.dll,UpdatePerUserSystemParameters service" -Wait
    
    Write-Host "[+] Simulation Complete." -ForegroundColor Green
  • Cleanup Commands:

    # No permanent changes were made by the simulation script as it used existing system binaries
    # and non-destructive arguments. No cleanup required.
    Write-Host "[+] Cleanup: No artifacts created." -ForegroundColor Cyan