A new campaign has been identified that abuses Microsoft Teams to deliver malware in a tech support scam, where the user is tricked into believing they need assistance to resolve a technical issue that requires them to grant access via the built-in Microsoft remote monitoring and management tool, Windows Quick Assist.

Tech support scams are a very common form of cybercrime. According to the FBI’s Internet Crime Complaint Center (IC3), 36,002 complaints were received about tech support scams in 2024, making it the 6th most commonly reported cybercrime, and the third biggest cause of losses, with more than $1.46 billion lost to the scams in 2024 alone. It should be noted that many victims fail to report these scams to the FBI, so the number of victims and the losses are likely to be substantially higher.

While the companies impersonated are highly varied, these scams typically involve contact being made with the victim, with the scammer impersonating a member of the technical support team to resolve a fictitious technical issue. To make these scams more realistic, threat actors may add a targeted individual to numerous newsletters and spam sources, and then call to help them resolve the spam problem that the threat actor has created.

One of the latest scams saw contact made via Microsoft Teams with targets in the services sector, including finance, professional, and scientific services. One common denominator was that the targeted individuals all had female-sounding names, and most were executive-level employees. The scam was also conducted at specific times, between 2 p.m. and 3 p.m. local time, a window the threat actors evidently judged ideal, when attention is likely to be reduced and the scam most likely to succeed.

The Teams request was accompanied by a vishing call. Over the phone, the target was convinced to run a PowerShell command, delivered via a Microsoft Teams message, which downloaded the first-stage payload. The threat actor then used Quick Assist for remote access to ensure the PowerShell payload was deployed, all under the guise of resolving a fictitious technical issue.

The threat actor used Quick Assist to deliver a signed file named Team Viewer.exe to a hidden folder; as a signed executable, it was likely to go undetected, blending into normal system activity. The file was used to sideload a malicious DLL called TV.dll, which in turn delivered a second-stage JavaScript-based backdoor, providing persistent access to the user's device. Persistence was achieved by modifying Registry entries.

The campaign was identified by a ReliaQuest researcher and was attributed to a tracked threat actor that uses vishing attacks to infect users with malware, often leading to a ransomware attack. One method of blocking these attacks is to configure Microsoft Teams to block external communications to prevent the initial contact, and, if Windows Defender is used, to set it to the most restrictive setting to limit the use of PowerShell.
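As an added illustration of where a defender could catch this chain (example code, not from the article or from ReliaQuest), the following Python triage check runs over constructed, Sysmon-style image-load records and Run-key values: it flags a signed executable in a user-writable folder that loads an unsigned DLL from the same folder, and a Run-key entry whose target lives in such a folder. User-writable locations stand in for the hidden folder, since image-load telemetry does not record the hidden attribute; the paths, field names and the `.cache` folder are assumptions.

```python
import ntpath
from dataclasses import dataclass

# User-writable folders; signed tools normally install under Program Files or Windows.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")

@dataclass
class ImageLoad:           # constructed stand-in for a Sysmon Event ID 7 record
    process: str           # path of the loading executable
    dll: str               # path of the DLL it loaded
    process_signed: bool   # Authenticode signature valid on the EXE
    dll_signed: bool       # Authenticode signature valid on the DLL

@dataclass
class RunValue:            # constructed stand-in for one ...\CurrentVersion\Run value
    name: str
    command: str

def in_user_writable_dir(path: str) -> bool:
    return any(tag in path.lower() for tag in USER_WRITABLE)

def command_target(command: str) -> str:
    """Return the executable path from a Run-key command, honouring quotes."""
    c = command.strip()
    return c[1:].split('"', 1)[0] if c.startswith('"') else c.split(" ", 1)[0]

def sideload_candidates(events):
    """Signed EXE in a user-writable folder loading an unsigned DLL beside it."""
    hits = []
    for e in events:
        same_dir = ntpath.dirname(e.process).lower() == ntpath.dirname(e.dll).lower()
        if e.process_signed and not e.dll_signed and same_dir and in_user_writable_dir(e.process):
            hits.append((e.process, e.dll))
    return hits

def persistence_candidates(values):
    """Run-key values whose target executable lives in a user-writable folder."""
    return [(v.name, command_target(v.command)) for v in values
            if in_user_writable_dir(command_target(v.command))]

# Constructed sample telemetry modelled on the chain described above.
HIDDEN = r"C:\Users\alice\AppData\Local\.cache"   # assumed hidden, user-writable drop folder
SAMPLE_LOADS = [
    ImageLoad(HIDDEN + r"\Team Viewer.exe", HIDDEN + r"\TV.dll", True, False),
    ImageLoad(r"C:\Program Files\Vendor\Agent.exe", r"C:\Program Files\Vendor\core.dll", True, True),
]
SAMPLE_RUN = [
    RunValue("VendorAgent", r'"C:\Program Files\Vendor\Agent.exe" /tray'),
    RunValue("Team Viewer", f'"{HIDDEN}\\Team Viewer.exe"'),
]
```

Both checks produce triage candidates rather than verdicts: legitimate per-user installers also run from AppData, so a hit is a prompt to inspect the signer, the DLL and the Run-key history, not an automatic block.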

Ultimately, this scam succeeded because an end user was contacted, and social engineering techniques were used to trick them into taking the actions that the threat actor could not otherwise have performed externally. The recently published Verizon Data Breach Investigations Report revealed that 60% of data breaches involved the human element, with social engineering one of the most common ways that employees are tricked. It is not necessary for threat actors to spend countless hours trying to find zero-day vulnerabilities in software solutions when they can just contact employees and get them to provide the access they need.

As the IC3 data shows, these scams are lucrative for threat actors, and one of the reasons why they are so successful is that they tend to take place over the phone, bypassing the need to defeat anti-spam software and other technical security measures. Since legitimate remote access tools are used, the malicious activity is easy to hide within normal system activity.

Security awareness training can go a long way toward improving defenses against these types of scams. Executives were targeted in this campaign as they have higher-level privileges than other workers, but security awareness training is often less robust at the executive level. It is important to ensure that all members of the workforce, from the CEO down, are provided with security awareness training, and that the training courses are tailored to different roles and the specific threats that each is likely to encounter.

With the SafeTitan security awareness training platform, it is easy to create tailored training programs for different members of the workforce and the unique threats that they face, including specific programs for the CEO and executives, the HR department, and the IT team. With the SafeTitan platform, there are hundreds of training modules tailored to different aspects of cybersecurity and different threats, making it quick and easy to create and deliver highly effective training courses covering phishing and other email-based attacks, smishing, vishing, and other cyber threats.

Give the TitanHQ team a call today for more information on improving your cybersecurity defenses and security awareness training programs. All TitanHQ solutions are available on a free trial, with support provided to make sure you get the most out of your trial.