Hackers Leveraging Teams Messages

Security researchers have uncovered a new, sophisticated attack campaign in which cybercriminals exploit Microsoft Teams to deliver malware and maintain persistent access to corporate networks.

The attacks, which represent an evolution in social engineering tactics, specifically target Windows systems through a novel technique that security experts are calling a significant threat to enterprise security.

In March 2025, ReliaQuest discovered a complex attack chain involving Microsoft Teams phishing that deploys a previously unseen persistence method called TypeLib hijacking.


The attackers pose as IT support personnel and send phishing messages to employees through Teams, exploiting the platform’s trusted status within organizations.

“The attacks kicked off with the adversary sending phishing messages to our customers’ employees via Microsoft Teams,” ReliaQuest said to Cyber Security News. “The attacker used the fraudulent Microsoft 365 tenant with the display name ‘Technical Support’ to pose as a member of IT staff.”

After establishing contact, the attackers convince victims to launch Windows’ built-in “Quick Assist” tool, enabling remote access to the victim’s system.

This approach reflects a broader trend observed throughout 2024 and early 2025, where legitimate tools are leveraged in over 60% of hands-on-keyboard incidents.

Novel Persistence Technique

What makes these attacks particularly concerning is the implementation of TypeLib hijacking, a persistence technique first theorized by security researchers but now observed in real-world attacks. This method involves manipulating the Windows Registry to redirect legitimate COM objects to malicious scripts hosted on external URLs.

Novel Attack technique

“If explorer.exe calls the LoadTypeLib() function and we hijacked the necessary registry keys for the moniker, the moniker will be instantiated inside explorer.exe and its code will be executed,” explained researchers who initially discovered the technique.

This allows attackers to maintain persistent access that automatically reactivates after the system restarts.
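An added detection example, not code from the article or from ReliaQuest: a read-only PowerShell audit of TypeLib registrations in HKLM and the current user's HKCU that flags win32/win64 targets pointing at a moniker, URL or UNC path instead of a local file, and per-user entries that shadow a GUID already registered machine-wide. The `script:` prefix, the URL/UNC patterns and the shadowing heuristic are assumptions about how such hijacks present, not details taken from the article.

```powershell
# Added audit script (not from the article or ReliaQuest). Read-only; changes nothing.
# TypeLib registrations live under <hive>\Software\Classes\TypeLib\{GUID}\<ver>\<lcid>\win32|win64,
# and the (default) value of win32/win64 is the path COM loads. A hijack places a
# moniker string (assumed here to start with "script:") or a remote location in that
# value, typically under HKCU so it shadows the legitimate HKLM registration.
# Only the current user's HKCU hive is inspected; run it as the user under review.

$pattern = '^\s*"?(script:|https?://|\\\\)'   # assumed indicators: moniker, URL or UNC path

function Get-TypeLibTargets {
    param([string]$Hive)   # 'HKCU' or 'HKLM'
    $root = "${Hive}:\Software\Classes\TypeLib"
    if (-not (Test-Path $root)) { return }
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -in 'win32', 'win64' } |
        ForEach-Object {
            # The GUID is the first path component below the TypeLib root.
            $guid = ($_.Name -replace '.*\\TypeLib\\', '') -split '\\' | Select-Object -First 1
            [pscustomobject]@{
                Hive  = $Hive
                Guid  = $guid
                Key   = $_.Name
                Value = [string]$_.GetValue('')   # (default) value of win32/win64
            }
        }
}

$hklm = Get-TypeLibTargets -Hive 'HKLM'
$hkcu = Get-TypeLibTargets -Hive 'HKCU'
$machineGuids = $hklm.Guid | Sort-Object -Unique

$findings = @()
foreach ($entry in (@($hklm; $hkcu) | Where-Object { $_ })) {
    if ($entry.Value -match $pattern) {
        $findings += $entry | Add-Member -NotePropertyName Reason -NotePropertyValue 'Moniker/URL/UNC target' -PassThru
    } elseif ($entry.Hive -eq 'HKCU' -and $machineGuids -contains $entry.Guid) {
        # A per-user entry for a GUID already registered machine-wide wins on lookup
        # and is rare in normal use, so it deserves a manual look.
        $findings += $entry | Add-Member -NotePropertyName Reason -NotePropertyValue 'HKCU overrides HKLM TypeLib' -PassThru
    }
}

if ($findings) { $findings | Format-Table Reason, Hive, Guid, Value -AutoSize }
else { 'No suspicious TypeLib registrations found.' }
```

Treat a hit as a lead to verify against the binary and process that registered the type library, since some installers legitimately register per-user type libraries.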

Security experts have linked these techniques to Storm-1811, a threat group known to deploy Black Basta ransomware. However, ReliaQuest notes that the attacks show evidence of evolution or possible fragmentation among threat actors previously associated with Black Basta.

The campaigns demonstrate precise targeting, with attacks carefully timed between 2:00 p.m. and 3:00 p.m. local time when employees may be less vigilant. Attackers specifically target executive-level employees and have shown a pattern of focusing on employees with female-sounding names.

Microsoft has acknowledged a significant increase in Teams phishing attacks since April 2024, which have led to numerous endpoint-related security incidents. The default configuration of Microsoft Teams, which permits calls and chats from external domains, has become a key vulnerability exploited by threat actors.

Cybersecurity company Sophos has observed multiple threat actors adopting similar techniques, including groups potentially connected to FIN7.

To defend against these attacks, security experts recommend implementing strict controls on external communications in Microsoft Teams, enabling multi-factor authentication, and conducting regular user awareness training. Organizations should also harden Windows systems to prevent the execution of malicious code through TypeLib hijacking.

As remote work continues to be common practice, collaboration platforms like Microsoft Teams remain prime targets for attackers looking to bypass traditional email security measures and exploit employees’ trust in enterprise communication tools.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.