Nimbus RAT Attack Flow Diagram | Image: eSentire Threat Response Unit (TRU)
A dangerous cyber espionage campaign is currently targeting corporate organizations across the globe. Security researchers recently identified a highly coordinated Microsoft Teams vishing attack impacting the legal sector. The Threat Response Unit (TRU) at eSentire uncovered the illicit network activity during an incident response deployment. The operators combine email flooding with voice phishing to breach network perimeters: the multi-layered assault tricks corporate employees into downloading an advanced Java-based backdoor. Enterprise protection teams should therefore tighten monitoring of external communications immediately to disrupt this growing execution pipeline.
Deconstructing the Vishing Kill Chain
The initial compromise phase relies heavily on psychological pressure. First, the attackers single out a corporate employee and flood their inbox with junk subscription emails. This systematic overload leaves the victim frustrated and looking for immediate technical support.
According to the eSentire report, “The intrusion followed a well-established vishing kill chain: the targeted user’s mailbox was flooded with hundreds of subscription confirmation emails; an actor-controlled Microsoft Teams account posing as IT helpdesk reached out to the user offering assistance, and the user was walked through launching Quick Assist and downloading a payload from a compromised Microsoft 365 tenant.”
The entire execution pipeline then runs at speed. The threat actors rely on swift human manipulation rather than exploiting unpatched software vulnerabilities, and using legitimate enterprise support platforms helps them bypass conventional security filters. The analysis shows how quickly the perimeter fails: “From initial Teams contact to RAT execution, the attack took less than 20 minutes.” Traditional log review therefore often fails to flag the fast-moving interaction before full system compromise occurs.
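The stages quoted above (mail flood, external Teams contact, Quick Assist, payload) are individually noisy but distinctive when they line up on one user inside the twenty-minute window the report describes. The following is an added detection example written for this article, not eSentire's code or tooling. The event type names, the user field, the 100-mail flood threshold and the sample telemetry are all constructed assumptions standing in for what a real SIEM would emit.

```python
"""Correlate the stages of the vishing kill chain described above.

Constructed sample telemetry, not eSentire data. The event type names and the
user/stage fields are assumptions standing in for what a SIEM actually emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FLOOD_THRESHOLD = 100                  # mails per FLOOD_WINDOW that count as a bombing run (assumption)
FLOOD_WINDOW = timedelta(minutes=30)
CHAIN_WINDOW = timedelta(minutes=20)   # the report's "less than 20 minutes" from Teams contact to RAT
STAGES = ["teams_external_chat", "quickassist_started", "java_payload_started"]

def detect_mail_flood(events, threshold=FLOOD_THRESHOLD, window=FLOOD_WINDOW):
    """Return {user: flood_start} for users receiving >= threshold mails inside any window."""
    per_user = defaultdict(list)
    for ts, user, etype, _ in events:
        if etype == "mail_received":
            per_user[user].append(datetime.fromisoformat(ts))
    floods = {}
    for user, times in per_user.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):          # sliding window over sorted arrival times
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                floods[user] = times[lo]
                break
    return floods

def detect_kill_chain(events):
    """Flag users whose mail flood is followed by an external Teams chat and at least
    one later stage (Quick Assist or a Java payload) inside CHAIN_WINDOW of that chat."""
    alerts = []
    for user, flood_start in detect_mail_flood(events).items():
        first_seen = {}
        for ts, u, etype, _ in events:
            if u == user and etype in STAGES and etype not in first_seen:
                first_seen[etype] = datetime.fromisoformat(ts)
        contact = first_seen.get("teams_external_chat")
        if contact is None or contact < flood_start:
            continue
        stages = [s for s in STAGES
                  if s in first_seen and contact <= first_seen[s] <= contact + CHAIN_WINDOW]
        if len(stages) >= 2:
            alerts.append((user, stages))
    return alerts

def constructed_events():
    """Build sample telemetry: one bombed user who follows the whole chain, one who does not."""
    base = datetime(2026, 1, 15, 9, 0)
    ev = [((base + timedelta(seconds=4 * i)).isoformat(), "jdoe",
           "mail_received", "subscription confirmation") for i in range(150)]
    ev += [
        ((base + timedelta(minutes=20)).isoformat(), "jdoe", "teams_external_chat", "external tenant posing as IT helpdesk"),
        ((base + timedelta(minutes=27)).isoformat(), "jdoe", "quickassist_started", "QuickAssist.exe"),
        ((base + timedelta(minutes=35)).isoformat(), "jdoe", "java_payload_started", "javaw.exe -jar update.jar"),
        ((base + timedelta(minutes=5)).isoformat(), "asmith", "mail_received", "invoice"),
        ((base + timedelta(minutes=40)).isoformat(), "asmith", "teams_external_chat", "known partner tenant"),
    ]
    return ev

EVENTS = constructed_events()

if __name__ == "__main__":
    for user, stages in detect_kill_chain(EVENTS):
        print(f"ALERT {user}: mail flood followed by {' -> '.join(stages)}")
```

The flood detector alone would page on every newsletter-heavy mailbox, and an external Teams chat alone is normal business; requiring the flood to precede the contact and at least one further stage to follow it within the window is what keeps the rule quiet on the second user while still firing on the first.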
Technical Capabilities of Nimbus RAT
Once the user downloads the payload, a stealthy implant establishes a persistent footprint on the endpoint. Defenders track this specialized Java utility as Nimbus RAT. To hide its activity, the implant abuses trusted public web infrastructure for its communication loops; the writeup describes this mechanism plainly: “Nimbus RAT is a self-contained implant that uses Google Drive and Google Sheets for command-and-control (C2), helping its network traffic appear benign.”
Furthermore, the presence of this implant connects the campaign to mature cybercrime groups. Historical indicators show that sophisticated ransomware actors frequently deploy the same implant to stage later extortion operations, and threat analysts previously tied it to prominent underground syndicates.
The documentation states that “TRU tracks this malware as Nimbus RAT, which Rapid7 previously documented in connection with BlackSuit affiliate activity following Black Basta’s internal conflict in early 2025.” As a result, executing a successful Microsoft Teams vishing attack serves as a vital entryway for high-impact ransomware deployments.
Post-Compromise Tools and the Signal Attachment Hunt
In addition to the primary backdoor, the adversaries deploy secondary utilities to expand their collection. Threat hunters discovered a separate data theft tool residing within the compromised environment. This tool, known as InboxSetupPro, targets local storage directories recursively, but it operates independently of the main backdoor implant. The technical brief notes that the file “is distinct from Nimbus RAT and uses OneDrive rather than Google Drive for exfiltration.”
Forensic investigators also found that the attackers focus heavily on local messaging databases. The tool explicitly targets local communication data caches to exfiltrate private corporate chats; for example, it extracts records from the local Signal folder, including files stored under AppData/roaming/signal/attachments.noindex. The threat group also steals large offline email databases: investigators recovered a 1.13 GB compressed container matching the victim’s email profile.
Ultimately, “the config file, targeting pattern, and recovered archive confirm the threat actor’s post-compromise objectives extend well beyond initial access: communications data from both encrypted and traditional email channels were specifically targeted.”
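Both implants described in this and the previous section hide in traffic to cloud services the organization already uses, so host-level context (which process is talking, and what it read first) does more than destination blocking. The following is an added endpoint-detection example written for this article, not eSentire's or the tool authors' code. The Google and OneDrive host lists, the process name "InboxSetupPro.exe", the 100 MB upload threshold and the sample events are assumptions; only the Signal attachments path comes from the report.

```python
"""Endpoint detections for the post-compromise behaviour described above.

The events below are constructed sample telemetry (not eSentire data); the
host lists, process names and the 100 MB upload threshold are assumptions.
"""

# Assumed web/API hosts behind Google Drive and Google Sheets access.
GOOGLE_DRIVE_SHEETS_HOSTS = {
    "drive.google.com", "docs.google.com",
    "www.googleapis.com", "sheets.googleapis.com",
}
# Assumed hosts an uploader would reach to write into OneDrive.
ONEDRIVE_HOSTS = {"onedrive.live.com", "api.onedrive.com", "graph.microsoft.com"}
# Processes that legitimately move bulk data to OneDrive; anything else at volume is suspicious.
ONEDRIVE_SYNC_CLIENTS = {"onedrive.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
JAVA_PROCESSES = {"java.exe", "javaw.exe"}
BULK_UPLOAD_BYTES = 100 * 1024 * 1024                       # 100 MB, assumption
SIGNAL_STORE = "appdata/roaming/signal/attachments.noindex"  # path named in the report

def _norm_path(path):
    """Lower-case and use forward slashes so Windows paths compare reliably."""
    return path.replace("\\", "/").lower()

def java_cloud_c2(ev):
    """A Java runtime reaching Drive/Sheets endpoints: the Nimbus RAT C2 pattern."""
    return (ev["type"] == "network"
            and ev["process"].lower() in JAVA_PROCESSES
            and ev["dest"].lower() in GOOGLE_DRIVE_SHEETS_HOSTS)

def signal_store_access(ev):
    """Anything other than the Signal client reading the attachments store."""
    return (ev["type"] == "file_read"
            and SIGNAL_STORE in _norm_path(ev["path"])
            and ev["process"].lower() != "signal.exe")

def bulk_cloud_upload(ev):
    """Large outbound volume to OneDrive from a process that is not a sync client or browser."""
    return (ev["type"] == "network"
            and ev["dest"].lower() in ONEDRIVE_HOSTS
            and ev["process"].lower() not in ONEDRIVE_SYNC_CLIENTS
            and ev.get("bytes_out", 0) >= BULK_UPLOAD_BYTES)

RULES = {"java_cloud_c2": java_cloud_c2,
         "signal_store_access": signal_store_access,
         "bulk_cloud_upload": bulk_cloud_upload}

def run_rules(events):
    """Return one alert dict per (rule, event) match, in event order."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append({"rule": name, "host": ev["host"], "process": ev["process"]})
    return alerts

# Constructed sample events; the process name "InboxSetupPro.exe" is assumed from the tool's name.
EVENTS = [
    {"host": "WS-17", "type": "network", "process": "javaw.exe",
     "dest": "sheets.googleapis.com", "bytes_out": 4_096},
    {"host": "WS-17", "type": "network", "process": "chrome.exe",
     "dest": "docs.google.com", "bytes_out": 8_192},                        # benign browsing
    {"host": "WS-17", "type": "file_read", "process": "Signal.exe",
     "path": r"C:\Users\jdoe\AppData\Roaming\Signal\attachments.noindex\3f\3f9a"},  # benign
    {"host": "WS-17", "type": "file_read", "process": "InboxSetupPro.exe",
     "path": r"C:\Users\jdoe\AppData\Roaming\Signal\attachments.noindex\3f\3f9a"},
    {"host": "WS-17", "type": "network", "process": "OneDrive.exe",
     "dest": "graph.microsoft.com", "bytes_out": 250 * 1024 * 1024},         # benign sync
    {"host": "WS-17", "type": "network", "process": "InboxSetupPro.exe",
     "dest": "graph.microsoft.com", "bytes_out": 1_130_000_000},             # ~1.13 GB archive
]

if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(alert)
```

Each rule keys on the process rather than the destination alone: a browser reaching Google Docs and the OneDrive sync client pushing hundreds of megabytes are ordinary, while a Java runtime on Sheets APIs, a non-Signal binary in the attachments store, and a gigabyte-scale upload from an unknown executable are the three behaviours the report attributes to this intrusion.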
Analyzing the Scale of Global Telemetry Spikes
Meanwhile, telemetry shows that this attack vector is expanding rapidly across multiple sectors. Security operations centers are logging a significant surge in unauthorized chat invitations. To measure this growth, researchers analyzed over twelve months of external messaging metadata.
The study revealed a widespread distribution pattern. Specifically, analysts “identified 1,540 similar events targeting 172 distinct customer environments, with a sharp surge in activity between December 2025 and March 2026.” This baseline shows that the campaign is highly structured rather than random.
Strategic Mitigation Steps for Corporate Infrastructure
To conclude, enterprise network managers should implement strict access controls to neutralize this threat. Organizations should restrict external communication inside corporate messaging spaces, such as external access in Microsoft Teams. Additionally, disabling native remote control applications such as Quick Assist, where the business does not need them, prevents unauthorized helpdesk scenarios.
Security teams must also monitor unusual data transfers toward public cloud storage endpoints, since both Nimbus RAT and InboxSetupPro rely on them. Finally, continuous user education helps employees recognize automated email flooding and unsolicited “helpdesk” contact early. Together, these defenses can break a Nimbus RAT deployment chain before lateral movement occurs.