Microsoft Teams Quick Assist A0Backdoor phishing campaign
Campaign
Summary
The Microsoft Teams phishing campaign is tricking employees at financial and healthcare organizations into starting Quick Assist remote sessions, creating an immediate path to remote access and malware delivery. The operation uses spam flooding and IT impersonation to build trust, then deploys A0Backdoor through signed installers and DLL sideloading. It also hides command-and-control in DNS MX traffic, making the activity harder to detect.
Related Happenings
Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs
Threat Actor Meta
First: 20.05.2026 00:47
Last: 20.05.2026 00:47
Sources 1
About this happening:
Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...
KongTuke Microsoft Teams initial access campaign
Campaign
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
Snow malware suite deployment by UNC6692
Malware Activity
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources 1
About this happening:
UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...
UNC6692 email bombing and Microsoft Teams impersonation campaign
Campaign
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources 1
About this happening:
UNC6692 is running a **social-engineering campaign** that uses **email bombing** and **Microsoft Teams impersonation** to push targets toward remote access and initial compromise....
Microsoft Teams remote assistance abuse mitigation
Advisory/Mitigation
First: 20.04.2026 18:11
Last: 20.04.2026 18:11
Sources 1
About this happening:
**Microsoft** issued mitigation guidance to curb **Teams-adjacent remote assistance abuse**, warning that external contacts should be treated as untrusted and that **remote assist...
Timeline
09.03.2026 02:00 · 2 articles
Microsoft Teams Quick Assist phishing campaign disclosed
Initial Disclosure
BlueVoyant disclosed a phishing campaign targeting employees at financial and healthcare organizations by flooding inboxes with spam, then using Microsoft Teams impersonation and Quick Assist remote-session abuse to gain access and deploy A0Backdoor. The reported delivery chain uses digitally signed MSI installers, DLL sideloading through hostfxr.dll, in-memory decryption into shellcode, and DNS MX-based command-and-control hidden in high-entropy subdomains. BlueVoyant also said two targets are a financial institution in Canada and a global healthcare organization, and assessed the activity with moderate-to-high confidence as an evolution of BlackBasta tactics after the gang's internal chat logs were leaked.
Sources
- Microsoft Teams phishing targets employees with backdoors — www.bleepingcomputer.com — 10.03.2026 00:50