Microsoft Teams-Themed Phishing Campaign Delivers Remote Access
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
An active phishing campaign uses Microsoft Teams-themed lures to distribute legitimate remote access tools for unauthorized access. Victims are directed to fraudulent landing pages impersonating productivity services to download malicious installers. The operation utilizes a dual infrastructure strategy involving both compromised legitimate websites and attacker-controlled cloud hosting.
Investigation
The investigation identified a multi-themed campaign leveraging social engineering to drive software downloads. Analysis revealed infrastructure consisting of compromised small-business websites and dedicated Cloudflare-hosted services. Post-execution activities include deep system integration via service installation, LSA authentication package registration, and COM object hijacking for persistent access.
Mitigation
Organizations should implement phishing-resistant MFA and application allowlisting to restrict unauthorized software installation. Security teams should monitor for unusual Windows service creations, LSA authentication package modifications, and SafeMode registry changes. User awareness training should specifically focus on verifying unexpected collaboration platform notifications.
Response
Upon detection, organizations should isolate affected endpoints to prevent further lateral movement. Conduct a forensic review to identify and remove all persistence mechanisms, including custom credential providers and COM objects. A comprehensive credential reset for all impacted user accounts is highly recommended.
Attack Flow

```mermaid
flowchart TD
    step_initial_access["Initial Access: T1566.002 – Phishing: Spearphishing Link via impersonated Microsoft Teams notifications"]
    step_drive_by["T1189 – Drive-by Compromise via fraudulent landing page prompting installer download"]
    step_user_execution["User Execution: T1204.002 – Malicious File; involves system checks (T1497.001) and delay execution (T1678)"]
    step_execution_injection["T1055 – Process Injection via COM object registration and use of Remote Access Tools (T1219)"]
    rules_for_execution_injection("<b>Rule Name</b>: Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)<br/><b>Rule ID</b>: eca0d706-cdb9-488b-b4e2-ef2a4692f58c")
    step_persistence["Persistence: T1543.003 (Windows Service), T1547.002 (Boot/Logon Autostart), and T1546.015 (COM Hijacking)"]
    step_credential_access["Credential Access: T1556 – Modifying the Authentication Process to intercept credentials at logon"]
    step_initial_access -->|leads_to| step_drive_by
    step_drive_by -->|leads_to| step_user_execution
    step_user_execution -->|leads_to| step_execution_injection
    step_execution_injection -->|leads_to| step_persistence
    step_persistence -->|leads_to| step_credential_access
    step_execution_injection -.->|detected_by| rules_for_execution_injection
```
Detections
- Possible Cloudflare Development Domain Abuse (via dns)
- Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
- Microsoft Teams-Themed Phishing Campaign Detection [Windows Process Creation]
- Detection of Microsoft Teams Phishing Campaign [Microsoft Windows Security Event Log]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
- Attack Narrative & Commands: The adversary delivers a Microsoft Teams-themed phishing email containing a link to a malicious .msi package. When the user executes the package, msiexec.exe is invoked with parameters designed to install a hidden backdoor. To achieve persistence, the installer invokes rundll32.exe to load a custom DLL that registers a new system service. The command line specifically includes the string "service" to mimic the behavior described in the threat intelligence report, thereby triggering the detection rule.
- Regression Test Script:
```powershell
# Simulation script to trigger the detection rule
# Goal: Execute msiexec or rundll32 with 'service' in the command line
Write-Host "[+] Starting Simulation: Triggering MSI/Rundll32 Service Detection" -ForegroundColor Cyan

# Scenario 1: Trigger via msiexec.exe
Write-Host "[+] Scenario 1: Executing msiexec with 'service' keyword..." -ForegroundColor Yellow
Start-Process "msiexec.exe" -ArgumentList "/i C:\Windows\System32\msiexec.exe /service /quiet" -Wait

# Scenario 2: Trigger via rundll32.exe
Write-Host "[+] Scenario 2: Executing rundll32.exe with 'service' keyword..." -ForegroundColor Yellow
Start-Process "rundll32.exe" -ArgumentList "C:\Windows\System32\user32.dll,UpdatePerUserSystemParameters service" -Wait

Write-Host "[+] Simulation Complete." -ForegroundColor Green
```
- Cleanup Commands:
```powershell
# No permanent changes were made by the simulation script as it used existing system binaries
# and non-destructive arguments. No cleanup required.
Write-Host "[+] Cleanup: No artifacts created." -ForegroundColor Cyan
```
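As an added example that is not part of this report or its detection rules, the following Python applies two defender-side checks to a small set of constructed Windows Security-log style events: the process-creation logic the simulation above is meant to trigger (msiexec.exe or rundll32.exe with "service" in the command line) and the LSA authentication-package and SafeMode registry monitoring recommended under Mitigation. The use of Event IDs 4688 and 4657, their field names, the registry key paths, the msv1_0 baseline and the sample events are this example's assumptions.

```python
"""Added example (not the report's own detection code): two defender-side
checks run over constructed Windows Security-log style events."""
import ntpath

# Check 1 mirrors the process-creation detection the simulation targets:
# msiexec.exe or rundll32.exe started with "service" in its command line.
SUSPECT_BINARIES = {"msiexec.exe", "rundll32.exe"}

# Check 2 covers the Mitigation section's registry monitoring. Key paths are
# the standard Windows locations and msv1_0 the default package; treating
# these as the watch list and baseline is this example's assumption.
LSA_KEY = r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
SAFEBOOT_KEY = r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
KNOWN_AUTH_PACKAGES = {"msv1_0"}


def suspicious_process(ev):
    """Event 4688 style fields: NewProcessName and CommandLine."""
    exe = ntpath.basename(ev.get("NewProcessName", "")).lower()
    return exe in SUSPECT_BINARIES and "service" in ev.get("CommandLine", "").lower()


def suspicious_registry(ev):
    """Event 4657 style fields: ObjectName (key), ObjectValueName, NewValue."""
    key, name = ev.get("ObjectName", "").lower(), ev.get("ObjectValueName", "").lower()
    if key == LSA_KEY.lower() and name == "authentication packages":
        # REG_MULTI_SZ is modelled as newline-separated entries; flag any unknown one
        entries = {p.strip().lower() for p in ev.get("NewValue", "").split("\n") if p.strip()}
        return bool(entries - KNOWN_AUTH_PACKAGES)
    return key.startswith(SAFEBOOT_KEY.lower() + "\\")  # any write under SafeBoot


def triage(events):
    """Return (kind, detail) for every event that trips one of the checks."""
    hits = []
    for ev in events:
        if ev["EventID"] == 4688 and suspicious_process(ev):
            hits.append(("process", ev["CommandLine"]))
        elif ev["EventID"] == 4657 and suspicious_registry(ev):
            hits.append(("registry", ev["ObjectName"] + "\\" + ev["ObjectValueName"]))
    return hits


# Constructed sample events: the two simulation command lines, a benign install,
# and three registry writes (one unknown auth package, one baseline rewrite, one SafeBoot entry).
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Windows\System32\msiexec.exe /service /quiet"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i setup.msi /quiet"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\user32.dll,UpdatePerUserSystemParameters service"},
    {"EventID": 4657, "ObjectName": LSA_KEY, "ObjectValueName": "Authentication Packages",
     "NewValue": "msv1_0\nunknownpkg"},  # "unknownpkg" is a constructed placeholder
    {"EventID": 4657, "ObjectName": LSA_KEY, "ObjectValueName": "Authentication Packages",
     "NewValue": "msv1_0"},
    {"EventID": 4657, "ObjectName": SAFEBOOT_KEY + r"\Minimal\SvcName", "ObjectValueName": "",
     "NewValue": "Service"},
]
```

Running `triage(SAMPLE_EVENTS)` flags the two simulation command lines, the unknown authentication package and the SafeBoot write, while the plain `/quiet` install and the baseline rewrite stay silent.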