Find notable cyber news and cases, enriched with sources, timelines, and signals.

Microsoft Teams Quick Assist A0Backdoor phishing campaign

Campaign
First reported
Last updated
Happening score
H score 32
1 unique sources, 1 articles

Summary

Hide ▲

The Microsoft Teams phishing campaign is tricking employees at financial and healthcare organizations into starting Quick Assist remote sessions, creating an immediate path to remote access and malware delivery. The operation uses spam flooding and IT impersonation to build trust, then deploys A0Backdoor through signed installers and DLL sideloading. It also hides command-and-control in DNS MX traffic, making the activity harder to detect.

Related Happenings

Backdoor.Turn Microsoft Teams TURN relay malware activity

Malware Activity
H score29 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...

Major U.S. services company hit by ransomware attack linked to DragonForce

Incident
H score38 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...

Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs

Threat Actor Meta
H score26 First: 20.05.2026 00:47 Last: 20.05.2026 00:47 Sources 1

About this happening: Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...

KongTuke Microsoft Teams initial access campaign

Campaign
H score42 First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...

Snow malware suite deployment by UNC6692

Malware Activity
H score29 First: 25.04.2026 18:07 Last: 25.04.2026 18:07 Sources 1

About this happening: UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...

Timeline

  1. 09.03.2026 02:00 2 articles · 4mo ago

    Microsoft Teams Quick Assist phishing campaign disclosed

    Initial Disclosure

    BlueVoyant disclosed a phishing campaign targeting employees at financial and healthcare organizations by flooding inboxes with spam, then using Microsoft Teams impersonation and Quick Assist remote-session abuse to gain access and deploy A0Backdoor. The reported delivery chain uses digitally signed MSI installers, DLL sideloading through hostfxr.dll, in-memory decryption into shellcode, and DNS MX-based command-and-control hidden in high-entropy subdomains. BlueVoyant also said two targets are a financial institution in Canada and a global healthcare organization, and assessed the activity with moderate-to-high confidence as an evolution of BlackBasta tactics after the gang's internal chat logs were leaked.

    Show sources