Microsoft Teams Vishing Attack Leverages TeamViewer to Distribute Malware

Vishing Attack Leads to Environment Compromise at Ontinue’s Cyber Defense Centre

The Cyber Defense Centre (CDC) at Ontinue has recently examined an alarming security breach that underscores the potential dangers of vishing calls. This incident illustrates how a seemingly innocuous voice phishing attack can escalate into a comprehensive compromise of an organization’s environment. By leveraging social engineering techniques and utilizing legitimate tools such as Quick Assist and signed binaries, the attacker was able to infiltrate the system, sustain access, and evade detection.

The attack commenced with a Microsoft Teams message that appeared to originate from a legitimate external user. This communication was accompanied by a vishing call aimed at establishing rapport and persuading the victim to execute a specific PowerShell command. Following this prompt, the command initiated the download of a malicious payload, marking the beginning of a more extensive and malicious chain of events. The attacker subsequently exploited Quick Assist, a built-in Windows remote support application, to gain unauthorized remote access.

Upon breaching the system, the attacker deployed a signed binary, specifically TeamViewer.exe, into a clandestine folder. This executable was abused to load a malicious dynamic link library (DLL) named TV.dll, allowing the attack to blend in with normal system activity. This sideloading technique, while not new, continues to be effective, particularly when carried out through widely trusted, signed applications.

In a blog post shared ahead of its official release, Ontinue revealed that the attacker also created a shortcut file within the startup folder, ensuring that the malware would persistently execute each time the system rebooted. To further exacerbate the situation, the attacker utilized Background Intelligent Transfer Service (BITS) jobs to transfer files discreetly, maintaining access for an extended period of up to 90 days.

The second phase of the attack involved the execution of a JavaScript-based backdoor, identified as index.js, through Node.js. This provided the attacker with full command-and-control capabilities via a socket connection, along with the ability to execute commands and use hardcoded credentials for further exploitation.

While the CDC has not definitively attributed the attack to a specific group, the tactics employed closely resemble those commonly associated with the cyber threat actor known as Storm-1811, previously identified by Microsoft. Noteworthy similarities include the exploitation of Quick Assist for remote access, the sideloading of malicious DLLs through signed binaries, and the utilization of Microsoft Teams as an entry point, along with a reliance on living-off-the-land techniques using native Windows tools.

At the core of this incident lies the effectiveness of social engineering. The initial vishing call served as the critical gateway for the attacker. According to the findings in Ontinue’s recent Threat Intelligence Report, there has been a staggering 1,633% increase in vishing attacks as of the first quarter of 2025, validating the reality of the threat.

Cybersecurity experts highlight the implications of this incident as a call to action for businesses and organizations. Defenders should monitor for unusual PowerShell commands delivered in Teams messages, unexpected use of Quick Assist, and the execution of signed binaries such as TeamViewer.exe from atypical file paths. Additionally, indicators such as the unexpected loading of DLLs, like TV.dll, should raise immediate concerns.
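As an added illustration (not from Ontinue's write-up), the following Python sketch applies those indicators to constructed Sysmon-style events: a TeamViewer.exe launch outside its expected install directory, TV.dll being loaded by it, a shortcut dropped in a Startup folder, and Node.js running index.js. The expected TeamViewer directories, the event field names and all sample paths are assumptions made for this example.

```python
from pathlib import PureWindowsPath

# Directories where a legitimately installed TeamViewer.exe is expected (assumed for this example).
EXPECTED_TEAMVIEWER_DIRS = {
    r"c:\program files\teamviewer",
    r"c:\program files (x86)\teamviewer",
}
# Lower-cased path fragment that identifies a per-user Startup folder.
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"

def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()

def check_event(ev: dict) -> list[str]:
    """Return findings for one Sysmon-style event (EventID 1 process create, 7 image load, 11 file create)."""
    findings = []
    eid, image = ev.get("EventID"), ev.get("Image", "")
    if eid == 1:
        if _name(image) == "teamviewer.exe" and _parent(image) not in EXPECTED_TEAMVIEWER_DIRS:
            findings.append(f"TeamViewer.exe launched from atypical path: {image}")
        if _name(image) == "node.exe" and "index.js" in ev.get("CommandLine", "").lower():
            findings.append(f"Node.js executing index.js: {ev['CommandLine']}")
    elif eid == 7:
        loaded = ev.get("ImageLoaded", "")
        if _name(loaded) == "tv.dll" and _name(image) == "teamviewer.exe":
            findings.append(f"TV.dll sideloaded by TeamViewer.exe from {_parent(loaded)}")
    elif eid == 11:
        target = ev.get("TargetFilename", "")
        if STARTUP_FRAGMENT in target.lower() and target.lower().endswith(".lnk"):
            findings.append(f"shortcut dropped in Startup folder: {target}")
    return findings

def scan(events: list[dict]) -> list[str]:
    return [f for ev in events for f in check_event(ev)]

# Constructed sample telemetry (paths invented for illustration, not taken from the incident).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "CommandLine": "TeamViewer.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\Libraries\tv\TeamViewer.exe", "CommandLine": "TeamViewer.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\tv\TeamViewer.exe", "ImageLoaded": r"C:\Users\Public\Libraries\tv\TV.dll"},
    {"EventID": 11, "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tv.lnk"},
    {"EventID": 1, "Image": r"C:\Users\Public\Libraries\node\node.exe", "CommandLine": r"node.exe C:\Users\Public\Libraries\node\index.js"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("[!]", finding)
```

The legitimate install-path launch in the first sample produces no finding; the other four events each produce one.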

This case serves as a sobering reminder that attackers do not always require sophisticated exploits or advanced malware to execute their plans. When users extend their trust to unfamiliar voices and messages, coupled with the misuse of well-known tools, significant breaches can occur, making it critical for organizations to bolster their cybersecurity awareness and defenses.