Sophisticated Microsoft Teams Phishing Attack Unveils Innovative Malware Technique

Overview of the Latest Microsoft Teams Phishing Scare

A recent Microsoft Teams phishing campaign used techniques akin to those seen in Black Basta ransomware attacks and delivered a previously unknown PowerShell backdoor, according to ReliaQuest. The campaign, identified in March 2025, relied on a never-before-seen persistence method: hijacking a Windows Type Library (TypeLib) registration so that Component Object Model (COM) objects load and execute the attacker's malicious file.

Initial Breach Tactics

The campaign began with phishing messages sent over Microsoft Teams in which the attackers posed as "Technical Support." Using the built-in Windows Quick Assist remote-assistance tool, they then deployed their malware. Notably, the attackers targeted female executives, or people with female-sounding names, in key sectors such as finance and technology, and timed their phishing attempts for the early-afternoon slump.

Diving Deeper: The TypeLib Hijacking Technique

The attacker modified the Windows Registry entries for a TypeLib, the registration that tells COM where an object's type information lives. Whenever the associated COM object is loaded, the altered TypeLib entry causes the embedded malicious script to run instead of the legitimate type library. This campaign targeted components associated with Internet Explorer, which, despite its dwindling usage, are still loaded by Explorer.exe during system startup, so the script runs again on every boot.
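The registry shape described above can be audited from the defender's side. The following PowerShell is an added example, not code from the article or from ReliaQuest. It assumes two things: that per-user registrations under HKCU\Software\Classes\TypeLib take precedence over the machine-wide ones under HKLM for the same GUID (which is how the merged HKEY_CLASSES_ROOT view works), and that a legitimate registration points at a type-library file on disk rather than a URL or moniker-style string.

```powershell
# Added example (not from the article or ReliaQuest): audit TypeLib registrations for
# signs of hijacking. Assumptions: HKCU\Software\Classes\TypeLib overrides HKLM for the
# same GUID, and a legitimate registration points at a type library file on disk.

function Get-TypeLibRegistration {
    param([ValidateSet('HKCU','HKLM')][string]$Hive)
    $root = "${Hive}:\Software\Classes\TypeLib"
    if (-not (Test-Path -LiteralPath $root)) { return }
    foreach ($guidKey in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        foreach ($verKey in Get-ChildItem -LiteralPath $guidKey.PSPath -ErrorAction SilentlyContinue) {
            # Children of the version key are LCIDs (usually "0") plus FLAGS and HELPDIR;
            # only the LCID keys carry win32/win64 subkeys, so the others are skipped below
            foreach ($lcidKey in Get-ChildItem -LiteralPath $verKey.PSPath -ErrorAction SilentlyContinue) {
                foreach ($arch in 'win32','win64') {
                    $archKey = Join-Path -Path $lcidKey.PSPath -ChildPath $arch
                    if (-not (Test-Path -LiteralPath $archKey)) { continue }
                    $value = (Get-ItemProperty -LiteralPath $archKey -ErrorAction SilentlyContinue).'(default)'
                    [pscustomobject]@{
                        Hive    = $Hive
                        Guid    = $guidKey.PSChildName
                        Version = $verKey.PSChildName
                        Arch    = $arch
                        Path    = [string]$value
                        Key     = $archKey
                    }
                }
            }
        }
    }
}

function Test-SuspiciousTypeLibPath {
    param([string]$Path)
    # Empty registrations are common and benign; return no reason for them
    if ([string]::IsNullOrWhiteSpace($Path)) { return $null }
    # A genuine type library is a file path; URL or moniker-style values ("scheme:...") are not
    if ($Path -match '://' -or $Path -match '^[A-Za-z]{2,}:') { return 'non-file path (URL or moniker)' }
    try {
        $expanded = [Environment]::ExpandEnvironmentVariables($Path)
        $file = $expanded -replace '\\\d+$', ''     # "foo.dll\1" form carries a resource id suffix
        $ext = [IO.Path]::GetExtension($file).ToLowerInvariant()
    } catch { return 'unparseable path' }
    if ($ext -notin '.dll','.tlb','.olb','.ocx','.exe') { return "unexpected extension '$ext'" }
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { return 'target file missing' }
    $trustedRoots = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $inTrusted = $trustedRoots | Where-Object { $file.StartsWith($_, 'OrdinalIgnoreCase') }
    if (-not $inTrusted) { return 'target outside Windows/Program Files (user-writable location?)' }
    return $null
}

function Invoke-TypeLibAudit {
    $hklm = @(Get-TypeLibRegistration -Hive HKLM) | Where-Object { $_ }
    $hkcu = @(Get-TypeLibRegistration -Hive HKCU) | Where-Object { $_ }
    $machineGuids = @{}
    foreach ($e in $hklm) { $machineGuids[$e.Guid] = $true }
    foreach ($e in @($hklm) + @($hkcu)) {
        $reasons = @()
        $r = Test-SuspiciousTypeLibPath -Path $e.Path
        if ($r) { $reasons += $r }
        # Per-user registrations win over machine-wide ones, so a per-user copy of a
        # machine-registered GUID is the classic hijack shape regardless of where it points
        if ($e.Hive -eq 'HKCU' -and $machineGuids.ContainsKey($e.Guid)) {
            $reasons += 'per-user key shadows HKLM registration'
        }
        if ($reasons.Count -gt 0) {
            $e | Add-Member -NotePropertyName Reason -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

Invoke-TypeLibAudit | Format-Table Hive, Guid, Version, Arch, Path, Reason -AutoSize
```

Run it in an elevated session so both hives are readable. Every reported row needs a human decision: some legitimate installers do register type libraries under a user profile, so the "shadows HKLM" and "outside Windows/Program Files" reasons are triage prompts, while a URL or moniker-style value has no legitimate explanation and should be treated as an incident.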

Unpacking the Custom PowerShell Backdoor

The malicious script was hosted on Google Drive and concealed inside a text file padded with junk code to evade detection. It carried a PowerShell backdoor wrapped in JScript: the script launched PowerShell in a hidden window, established a command-and-control beacon, and looped indefinitely to fetch and execute commands from the attacker's infrastructure. Successful execution was then signalled with an HTTP request to a Telegram bot controlled by the attacker.
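The behaviour chain described here (a script host starting a hidden PowerShell process, that process beaconing out, and a call to the Telegram bot API) is something endpoint telemetry can be hunted for. The following PowerShell is an added example, not code from the article or from ReliaQuest. It runs over constructed process-creation and network-connection records in a Sysmon-like shape, and assumes that the JScript stage runs inside a Windows Script Host process (wscript.exe or cscript.exe) and that Telegram bots are reached through api.telegram.org; the IP address and file names in the sample data are made up.

```powershell
# Added example (not from the article or ReliaQuest): flag the chain "script host ->
# hidden PowerShell -> repeated outbound connections / Telegram bot API" over constructed
# Sysmon-like events. Assumptions: the JScript stage runs under wscript/cscript, and the
# Telegram bot API is reached via api.telegram.org. All sample records below are made up.

$events = @(
    [pscustomobject]@{ Time='2025-03-12T13:41:02'; Type='ProcessCreate'; ProcessId=4120; Image='C:\Windows\System32\wscript.exe'; ParentImage='C:\Windows\explorer.exe'; CommandLine='wscript.exe //E:JScript C:\Users\jdoe\AppData\Local\Temp\notes.txt' },
    [pscustomobject]@{ Time='2025-03-12T13:41:03'; Type='ProcessCreate'; ProcessId=4388; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage='C:\Windows\System32\wscript.exe'; CommandLine='powershell.exe -NoProfile -WindowStyle Hidden -Command -' },
    [pscustomobject]@{ Time='2025-03-12T13:41:05'; Type='NetworkConnect'; ProcessId=4388; DestinationHost='api.telegram.org'; DestinationPort=443 },
    [pscustomobject]@{ Time='2025-03-12T13:41:10'; Type='NetworkConnect'; ProcessId=4388; DestinationHost='203.0.113.10'; DestinationPort=8443 },
    [pscustomobject]@{ Time='2025-03-12T13:42:10'; Type='NetworkConnect'; ProcessId=4388; DestinationHost='203.0.113.10'; DestinationPort=8443 },
    [pscustomobject]@{ Time='2025-03-12T13:43:10'; Type='NetworkConnect'; ProcessId=4388; DestinationHost='203.0.113.10'; DestinationPort=8443 },
    # Benign contrast: an operator-run script from cmd.exe talking to an internal file server
    [pscustomobject]@{ Time='2025-03-12T13:50:00'; Type='ProcessCreate'; ProcessId=5012; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage='C:\Windows\System32\cmd.exe'; CommandLine='powershell.exe -File C:\Scripts\backup.ps1' },
    [pscustomobject]@{ Time='2025-03-12T13:50:02'; Type='NetworkConnect'; ProcessId=5012; DestinationHost='fileserver.corp.example'; DestinationPort=445 }
)

$scriptHosts = 'wscript.exe','cscript.exe'

function Find-HiddenPowerShellFromScriptHost {
    param([object[]]$Events)
    $Events | Where-Object {
        $_.Type -eq 'ProcessCreate' -and
        [IO.Path]::GetFileName($_.Image) -ieq 'powershell.exe' -and
        [IO.Path]::GetFileName($_.ParentImage) -in $scriptHosts -and
        $_.CommandLine -match '-w\S*\s+hidden'      # -w, -win, -WindowStyle ... Hidden
    }
}

function Find-TelegramConnections {
    param([object[]]$Events)
    $Events | Where-Object { $_.Type -eq 'NetworkConnect' -and $_.DestinationHost -like '*.telegram.org' }
}

function Invoke-BackdoorHunt {
    param([object[]]$Events)
    $hidden = @(Find-HiddenPowerShellFromScriptHost -Events $Events)
    $telegram = @(Find-TelegramConnections -Events $Events)
    foreach ($p in $hidden) {
        $conns = @($Events | Where-Object { $_.Type -eq 'NetworkConnect' -and $_.ProcessId -eq $p.ProcessId })
        $toTelegram = @($telegram | Where-Object { $_.ProcessId -eq $p.ProcessId })
        # A command-polling loop shows up as repeated connections to the same destination
        $beacon = @($conns | Group-Object DestinationHost | Where-Object { $_.Count -ge 3 })
        $severity = 'medium'
        if ($toTelegram.Count -gt 0 -or $beacon.Count -gt 0) { $severity = 'high' }
        [pscustomobject]@{
            ProcessId   = $p.ProcessId
            Parent      = [IO.Path]::GetFileName($p.ParentImage)
            CommandLine = $p.CommandLine
            TelegramHit = ($toTelegram.Count -gt 0)
            BeaconTo    = ($beacon | ForEach-Object { "$($_.Name):$($_.Count) connections" }) -join ', '
            Severity    = $severity
        }
    }
    # Telegram bot traffic from any other process is still worth a look on its own
    $telegram | Where-Object { $_.ProcessId -notin $hidden.ProcessId } | ForEach-Object {
        [pscustomobject]@{ ProcessId=$_.ProcessId; Parent=$null; CommandLine=$null; TelegramHit=$true; BeaconTo=''; Severity='medium' }
    }
}

Invoke-BackdoorHunt -Events $events | Format-List
```

On the constructed data the hunt reports process 4388 as high severity (script-host parent, hidden window, Telegram hit, three connections to the same host) and stays silent on the benign backup job. In production the same logic maps onto Sysmon event IDs 1 and 3 or their EDR equivalents; the repeated-connection threshold and the host pattern are the knobs to tune per environment.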

Strategies to Combat Similar Phishing and Malware Threats

  • Block external communications: block platforms such as Telegram and Google Drive at the network edge.
  • Restrict JScript: disabling or limiting JScript usage prevents scripts like this one from executing.
  • Harden application control: set Windows Defender Application Control (WDAC) to a highly restrictive level to limit the execution of PowerShell scripts that malware commonly relies on.
  • Consider disabling Windows Script Host (WSH) to stop execution of script-based payloads, testing the change first so that essential software and processes keep working.
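The last item is a registry change that is easy to check before and after rollout. The following PowerShell is an added example, not code from the article or from ReliaQuest. It assumes that wscript.exe and cscript.exe honour the documented "Enabled" value under the "Windows Script Host\Settings" key, in both the machine-wide (HKLM) and per-user (HKCU) locations.

```powershell
# Added example (not from the article or ReliaQuest): report Windows Script Host state and,
# only on explicit request, disable it via the documented "Enabled" registry value.
# Assumption: wscript/cscript honour Enabled=0 under Windows Script Host\Settings.

$wshKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',   # machine-wide
    'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'    # current user
)

function Get-WshState {
    foreach ($k in $wshKeys) {
        $enabled = $null
        if (Test-Path -LiteralPath $k) {
            $enabled = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).Enabled
        }
        # Missing value means WSH runs (the default); 0 means the script hosts refuse to run
        $state = 'not set (WSH enabled by default)'
        if ($null -ne $enabled) {
            if ([int]$enabled -eq 0) { $state = 'disabled' } else { $state = 'enabled' }
        }
        [pscustomobject]@{ Key = $k; Enabled = $enabled; State = $state }
    }
}

function Disable-Wsh {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$CurrentUserOnly)
    $targets = if ($CurrentUserOnly) { @($wshKeys[1]) } else { $wshKeys }
    foreach ($k in $targets) {
        if ($PSCmdlet.ShouldProcess($k, 'Set Enabled=0')) {
            if (-not (Test-Path -LiteralPath $k)) { New-Item -Path $k -Force | Out-Null }
            New-ItemProperty -LiteralPath $k -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
        }
    }
}

Get-WshState | Format-Table -AutoSize
# Dry run first; drop -WhatIf only after the change has been tested against required software
Disable-Wsh -WhatIf
```

Pilot the change on a test group with `Disable-Wsh -CurrentUserOnly` before setting the HKLM value, since logon scripts and installers that depend on WSH fail loudly once it is off. Note that this setting stops the wscript/cscript hosts only; it is a complement to the JScript and WDAC controls above, not a replacement for them.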

While attributing this campaign to a specific threat actor remains difficult, the techniques observed suggest either an evolution of Black Basta ransomware tradecraft or a new collaboration within the cybercrime ecosystem. Either way, it underscores the need for vigilant, layered defenses against a threat landscape that keeps evolving.


Last Updated: April 11, 2025