Malicious Voice Calls on Microsoft Teams

Cybercriminals are actively exploiting Microsoft Teams' voice calling feature to deliver malware. Threat actors are impersonating corporate IT support personnel, initiating unsolicited voice calls to employees. During these calls, they employ social engineering tactics to convince unsuspecting victims that their systems require immediate attention or updates, a common tactic used to bypass security awareness training and exploit user trust.

The ultimate goal of these calls is to trick employees into downloading and executing malicious files, which are disguised as legitimate software updates or diagnostic tools. Once executed, these files install the EtherRAT malware, a potent remote access trojan capable of granting attackers extensive control over compromised systems. This attack vector is particularly concerning because it leverages a widely adopted communication platform, making it difficult for organizations to block without disrupting legitimate IT support operations.

EtherRAT itself is a sophisticated piece of malware. It is known for its ability to perform a wide range of malicious activities, including keylogging, screen capture, file exfiltration, and remote command execution. Its modular design allows attackers to adapt its capabilities to their specific objectives, making it a versatile tool for initial network compromise and subsequent lateral movement within an organization.

Screenshot of a simulated Microsoft Teams call interface with a suspicious IT support contact

The Mechanics of the Attack

The attack chain typically begins with the threat actor obtaining a list of employee phone numbers or directly using the Teams calling feature to reach out. They often spoof their caller ID to appear as a legitimate internal IT department number, further enhancing their credibility. During the call, the attacker, posing as a helpful IT technician, will claim to have detected suspicious activity on the user's machine or that a critical security update is pending installation.

To facilitate the malware deployment, the attacker will instruct the victim to visit a specific URL or open a file that has been shared via Teams chat or email, often under the guise of a remote assistance tool or a diagnostic package. These files are invariably malicious payloads containing EtherRAT. The social engineering is crucial here; the attacker builds a narrative of urgency and necessity, making the victim feel compelled to follow instructions without questioning them. The use of voice, rather than just text-based phishing, adds a layer of perceived legitimacy and immediacy that can be highly effective.

Once the user executes the downloaded file, EtherRAT silently installs itself. The malware then establishes a connection with the attacker's command-and-control (C2) server. From this point, the attackers have a persistent foothold within the corporate network. They can monitor user activity, steal sensitive data, deploy additional malware, or even pivot to other systems within the network. The initial access gained through this method is often the precursor to more significant breaches.

EtherRAT: A Versatile Threat

EtherRAT is not a new malware family, but its deployment via Microsoft Teams represents an evolution in its attack vectors. Previous campaigns have seen it distributed through phishing emails and malicious websites. Its capabilities are extensive:

  • Remote Access and Control: Allows attackers to control the infected machine as if they were physically present.
  • Information Stealing: Capable of capturing keystrokes (keylogging), taking screenshots, and accessing sensitive files.
  • Network Reconnaissance: Can map out the internal network, identifying other potential targets.
  • Payload Delivery: Serves as a dropper for other malicious software, expanding the attacker's toolkit.
  • Evasion Techniques: Often employs methods to avoid detection by antivirus software and security monitoring tools.

The effectiveness of EtherRAT lies in its flexibility and the depth of access it provides. For an attacker, gaining initial access to a corporate network through a compromised endpoint is invaluable. It bypasses many perimeter security controls and places the attacker directly inside the trusted network environment.

Mitigation and Defense Strategies

Organizations need to adapt their security strategies to counter this evolving threat. The primary defense lies in robust security awareness training that specifically addresses social engineering tactics used in voice calls and within collaboration platforms like Teams. Employees must be educated to scrutinize unsolicited IT support requests, especially those that demand immediate action or the download of files. A critical step is to verify the identity of the caller through a separate, known-good communication channel, such as calling the official IT helpdesk number from the company directory.

Technical controls also play a vital role. Implementing strict endpoint security solutions with advanced threat detection and anti-malware capabilities is essential. These solutions should be capable of identifying and blocking known EtherRAT variants and suspicious file executions. Furthermore, network monitoring tools can help detect unusual outbound connections to known malicious C2 servers. Organizations should also configure Microsoft Teams security settings to restrict external calling or implement policies that flag or block calls from unknown or suspicious sources.

The surprising detail here is the direct abuse of voice calls within a widely trusted enterprise communication tool. While phishing via email is well-documented, the shift to voice-based social engineering within platforms like Teams presents a new, insidious challenge for security teams. It exploits the inherent trust users place in internal communications and the perceived legitimacy of a direct phone call.

The Broader Implications

This attack highlights a growing trend where threat actors are leveraging mainstream communication and collaboration tools to conduct their malicious activities. Platforms like Microsoft Teams, Slack, and Zoom have become integral to modern business operations, and their widespread adoption makes them attractive targets. Attackers are adept at finding and exploiting the human element, and direct voice interaction offers a powerful means of manipulation.

For security professionals, this means re-evaluating existing security postures. Traditional defenses focused on email and web browsing may not be sufficient. Security awareness training needs to be continuous and cover a wider range of attack vectors, including voice-based social engineering and exploitation of collaboration tools. The ability to quickly identify and respond to compromised endpoints is also critical, as initial access through malware like EtherRAT can lead to significant data breaches if not contained promptly.

What nobody has addressed yet is the potential for these attacks to scale if attackers find ways to automate the initiation of these voice calls or to deploy more sophisticated AI-driven voice impersonation. The current manual approach is labor-intensive, but automation could turn this into a widespread, high-volume threat.