How Hackers Are Exploiting Microsoft Teams — and What It Means for the Future of Social Engineering

  • Writer: TrustSphere - GTM
  • Sep 2
  • 3 min read

Collaboration platforms like Microsoft Teams, Zoom, and Slack have become indispensable in today’s workplace. But as organizations rely more on digital communication, attackers are adapting just as quickly — turning trusted platforms into attack vectors for social engineering campaigns.


Recent research from Morphisec has highlighted a concerning trend: attackers are now using Microsoft Teams calls to deliver the Matanbuchus malware loader, a stealthy malware-as-a-service tool that often precedes ransomware deployment.


This isn’t just a new tactic. It’s a clear signal of how cybercriminals are evolving: blending technical exploitation with human manipulation to bypass defenses.


The Microsoft Teams Attack: A Walkthrough


Here’s how one of the latest attacks unfolded:


  • Step 1: Impersonation. Attackers posed as IT helpdesk staff during a Teams call, creating an atmosphere of legitimacy.


  • Step 2: Remote support abuse. They had employees activate Microsoft’s Quick Assist remote support feature, walking them through the process step by step.


  • Step 3: Malicious file execution. Victims were convinced to run a script that installed the Matanbuchus Loader, disguised within a renamed Notepad++ updater and malicious DLL files.


  • Step 4: Persistence. Once installed, Matanbuchus quietly created scheduled tasks using advanced COM-based techniques, ensuring it could maintain access and dial home undetected.


The sophistication of this attack lies less in the malware itself, and more in the trust exploitation — employees thought they were cooperating with their own IT team.


Why This Tactic Works


Three factors make collaboration platforms like Teams ripe for exploitation:


  1. Trust by default. Employees are conditioned to trust internal collaboration tools more than email. A Teams call doesn’t trigger the same suspicion as a random email with an attachment.


  2. Blurring of IT boundaries. With hybrid work and outsourced IT, employees often don’t know who “official IT” is — making impersonation easier.


  3. Human urgency. Attackers apply subtle pressure, convincing employees they must act quickly to resolve a supposed technical issue.


This mix of familiar technology and manipulated psychology makes for a potent social engineering cocktail.


Beyond Teams: Expanding the Attack Surface


This case is part of a larger pattern. Social engineering tactics are being layered into new and unexpected channels:


  • Email remains central, but attackers are moving beyond simple phishing to exploit DMARC gaps, “mailto” phishing tricks, and cloud email weaknesses.


  • Messaging apps like WhatsApp, WeChat, and Telegram are frequently abused in the Asia-Pacific region, where consumer-business communication often flows through these channels.


  • Voice phishing (vishing) continues to thrive, with scammers impersonating service providers and convincing victims to pay with gift cards or fraudulent transfers.


The lesson: organizations cannot afford to treat any communication channel as inherently safe.


The Asia-Pacific Context


The APAC region presents unique challenges — and opportunities — when it comes to defending against these hybrid social engineering threats:


  • In Singapore, regulators like the Monetary Authority of Singapore (MAS) have repeatedly warned about the risks of social engineering in scam-based transfers, urging banks to implement stronger customer verification and warning prompts.


  • In Hong Kong, collaboration platforms are heavily used across financial services, and recent cases have shown attackers using them to target traders with malware disguised as compliance updates.


  • In Australia, the Australian Cyber Security Centre (ACSC) has reported significant growth in business email compromise (BEC) and messaging-based scams, often targeting SMEs that lack strong training and layered defenses.


  • In India and the Philippines, widespread reliance on consumer messaging apps for customer engagement makes social engineering attacks particularly effective at scale.

Across the region, the common denominator is human vulnerability — attackers don’t need to break into systems if they can simply trick someone into letting them in.


Defense: A Multi-Layered Approach


So, how can organizations defend against this evolving threat landscape?


  1. Technical safeguards.

    • Deploy advanced endpoint detection capable of identifying side-loading techniques (like those used by Matanbuchus).

    • Secure remote support tools (Quick Assist, AnyDesk, TeamViewer) with strict policies and monitoring.

    • Invest in cloud email security that supplements DMARC, SPF, and DKIM to catch sophisticated phishing.


  2. Process and governance.

    • Define clear procedures for IT support — employees should know exactly how legitimate IT staff will contact them.

    • Enforce “out-of-band” verification for sensitive requests, e.g., requiring employees to call a known IT hotline before executing scripts.


  3. Human layer.

    • Regular security awareness training remains the last and most critical line of defense.

    • Simulated phishing and social engineering exercises should expand beyond email to include calls, Teams/Zoom, and messaging apps.
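As an added example (not code from the article or from Morphisec’s research), the following PowerShell audit illustrates the monitoring side of the technical safeguards above: it inventories whether Quick Assist is present on a Windows endpoint and flags scheduled tasks whose actions run from user-writable directories, the footprint a renamed updater dropped into a profile folder would leave. The package-name wildcard and the directory list are assumptions, not indicators reported for this campaign.

```powershell
# Added example, not code from the article or from Morphisec: a read-only audit
# run on a Windows endpoint. Package-name wildcard and the directory heuristics
# are assumptions, not indicators reported for this campaign.

# 1. Inventory the remote support tool abused in Step 2. Quick Assist ships as
#    a Store app; knowing where it is present lets policy restrict or remove it.
$quickAssist = Get-AppxPackage -AllUsers -Name '*QuickAssist*' -ErrorAction SilentlyContinue
if ($quickAssist) {
    Write-Output "Quick Assist installed: $($quickAssist.PackageFullName -join ', ')"
} else {
    Write-Output 'Quick Assist not installed on this host.'
}

# 2. Scheduled-task persistence launched from user-writable directories.
#    A genuine Notepad++ updater lives under Program Files; a renamed copy
#    dropped during a fake helpdesk session does not.
$userWritable = @(
    "$env:SystemDrive\Users\",
    "$env:SystemRoot\Temp\",
    "$env:ProgramData\"
)
$hits = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only exec actions carry an Execute path; COM handler actions do not.
        if (-not $action.Execute) { continue }
        # Expand %LOCALAPPDATA%-style paths so the prefix comparison works.
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        $arguments = [Environment]::ExpandEnvironmentVariables([string]$action.Arguments)
        # Flag a binary run from these folders, or a DLL in them passed as an
        # argument (e.g. to rundll32), which is how a dropped DLL gets loaded.
        $match = $userWritable | Where-Object {
            $exe.StartsWith($_, 'OrdinalIgnoreCase') -or $arguments -like "*$_*"
        }
        if ($match) {
            [pscustomobject]@{
                Task      = "$($task.TaskPath)$($task.TaskName)"
                RunAs     = $task.Principal.UserId
                Author    = $task.Author
                Execute   = $exe
                Arguments = $arguments
            }
        }
    }
}
# Legitimate per-user updaters (browsers, chat clients) also live in
# %LOCALAPPDATA%, so treat hits as leads for an analyst, not verdicts.
$hits | Sort-Object Task | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so tasks registered under other users are enumerated; feed the output into the endpoint or SIEM workflow the organization already uses for triage.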


The Bigger Picture


What these attacks underscore is a simple truth: technology alone isn’t enough. Attackers increasingly blend malware with manipulation, and every communication platform is fair game.


Organizations that build resilience across people, process, and technology will be far better positioned to resist these new attack vectors.


The Teams attack is just the latest example of how the cyber threat landscape is shifting. The question for leaders across Asia-Pacific — and globally — is: are your defenses shifting too?

