Microsoft Teams Quick Assist A0Backdoor phishing campaign
Campaign
Summary
Hide ▲
Show ▼
The Microsoft Teams phishing campaign is tricking employees at financial and healthcare organizations into starting Quick Assist remote sessions, creating an immediate path to remote access and malware delivery. The operation uses spam flooding and IT impersonation to build trust, then deploys A0Backdoor through signed installers and DLL sideloading. It also hides command-and-control in DNS MX traffic, making the activity harder to detect.
Related Happenings
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware Activity
H score29
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
**Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware ActivityAbout this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Major U.S. services company hit by ransomware attack linked to DragonForce
Incident
H score38
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Major U.S. services company hit by ransomware attack linked to DragonForce
IncidentAbout this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs
Threat Actor Meta
H score26
First: 20.05.2026 00:47
Last: 20.05.2026 00:47
Sources 1
About this happening:
Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...
Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs
Threat Actor MetaAbout this happening: Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...
KongTuke Microsoft Teams initial access campaign
Campaign
H score42
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
KongTuke Microsoft Teams initial access campaign
CampaignAbout this happening: The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
Snow malware suite deployment by UNC6692
Malware Activity
H score29
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources 1
About this happening:
UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...
Snow malware suite deployment by UNC6692
Malware ActivityAbout this happening: UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...
Timeline
-
09.03.2026 02:00 2 articles · 4mo ago
Microsoft Teams Quick Assist phishing campaign disclosed
Initial DisclosureBlueVoyant disclosed a phishing campaign targeting employees at financial and healthcare organizations by flooding inboxes with spam, then using Microsoft Teams impersonation and Quick Assist remote-session abuse to gain access and deploy A0Backdoor. The reported delivery chain uses digitally signed MSI installers, DLL sideloading through hostfxr.dll, in-memory decryption into shellcode, and DNS MX-based command-and-control hidden in high-entropy subdomains. BlueVoyant also said two targets are a financial institution in Canada and a global healthcare organization, and assessed the activity with moderate-to-high confidence as an evolution of BlackBasta tactics after the gang's internal chat logs were leaked.
Show sources
- Microsoft Teams phishing targets employees with backdoors — www.bleepingcomputer.com — 10.03.2026 00:50
- Microsoft Teams phishing targets employees with backdoors — www.bleepingcomputer.com — 10.03.2026 00:50