Back to Intelligence

Defending Against EtherRAT: Detecting Fake Microsoft Teams IT Support Calls

SA
Security Arsenal Team
July 7, 2026
5 min read

Introduction

Security Arsenal is tracking a sophisticated social engineering campaign where threat actors leverage Microsoft Teams voice calls to impersonate corporate IT support. In this attack, adversaries manipulate employees into installing the EtherRAT malicious software, a Remote Access Trojan (RAT) designed to establish persistent access within corporate environments.

Unlike traditional phishing that relies on email, this vector utilizes the inherent trust placed in internal communication platforms. By bypassing email gateways and appearing as a "colleague" or "support technician," attackers significantly increase the success rate of initial access. Defenders need to act immediately to enforce least privilege communication and detect the behavioral indicators of this RAT.

Technical Analysis

Affected Products & Platforms:

  • Platform: Microsoft Teams (Windows Client)
  • Malware: EtherRAT
  • Delivery Method: Vishing (Voice Phishing) via Teams calls + Social Engineering

Attack Chain Breakdown:

  1. Initial Contact: Threat actors initiate a Microsoft Teams voice call to a target employee, often displaying a spoofed name or using a compromised external tenant account.
  2. The Hook: The actor impersonates IT support, claiming urgent issues requiring the user to install a "fix" or "security update."
  3. Payload Delivery: The user is convinced to download a file (often masquerading as a legitimate utility) or run a PowerShell script provided by the attacker.
  4. Execution: EtherRAT is executed on the endpoint.
  5. C2 & Persistence: The malware establishes a reverse shell or C2 beacon, granting the attacker remote control over the device.

Exploitation Status:

  • Status: Confirmed Active Exploitation (In-the-wild)
  • CVE: N/A (Social Engineering vector)

Detection & Response

This campaign relies on user interaction, but the resulting malware execution and the anomalous behavior of the Teams client launching unauthorized processes are detectable.

Sigma Rules

YAML
---
title: Potential EtherRAT Delivery via Microsoft Teams
id: 8f4a9d1e-2b4c-4f8e-9a1b-3c5d6e7f8a9b
status: experimental
description: Detects potential malware delivery initiated via Microsoft Teams by identifying Teams spawning suspicious shells or script hosts.
references:
  - https://www.bleepingcomputer.com/news/security/fake-it-support-calls-on-microsoft-teams-push-etherrat-malware/
author: Security Arsenal
date: 2026/05/20
tags:
  - attack.initial_access
  - attack.t1190
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\msteams.exe'
      - '\Teams.exe'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\mshta.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate troubleshooting by IT staff using Teams to guide users
level: high
---
title: Suspicious Unsigned Executable in User Downloads
id: 7a3b4c5d-6e7f-8a9b-0c1d-2e3f4a5b6c7d
status: experimental
description: Detects execution of unsigned binaries from the user Downloads directory, a common tactic for RATs delivered via social engineering.
references:
  - https://attack.mitre.org/techniques/T1204/
author: Security Arsenal
date: 2026/05/20
tags:
  - attack.execution
  - attack.t1204.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains: '\Downloads\'
    Signed: 'false'
  filter_legit:
    Image|contains:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\edge.exe'
      - '\opera.exe'
  condition: selection and not 1 of filter_legit*
falsepositives:
  - Legitimate portable software executions by developers or engineers
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for the process creation anomaly described above, looking for Teams spawning unauthorized child processes.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "msteams.exe" or InitiatingProcessFileName =~ "Teams.exe"
| where FileName in~ ("powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, SHA256
| order by Timestamp desc

Velociraptor VQL

Hunt for unsigned executables running from user profile directories, a common landing spot for malware dropped during these sessions.

VQL — Velociraptor
-- Hunt for unsigned executables in user profiles
SELECT Pid, Name, Exe, CommandLine, Username, Siginfo.SignerName as Signer
FROM pslist()
WHERE Exe =~ 'C:\Users\.*\.exe'
  AND Siginfo.Status != 'TRUSTED'
  AND Name NOT IN ('explorer.exe', 'chrome.exe', 'msedge.exe', 'firefox.exe')

Remediation Script (PowerShell)

Use this script to audit the current endpoint for unsigned binaries in common user directories and review Teams external access settings. Note: Modifying Teams tenant policies requires the Teams PowerShell module and Admin rights; this script focuses on endpoint hardening and discovery.

PowerShell
# Audit for Unsigned Binaries in User Profile (Potential RATs)
Write-Host "[*] Scanning for unsigned executables in user profile..."

$Users = Get-ChildItem "C:\Users" -Directory
$SuspiciousFiles = @()

foreach ($User in $Users) {
    $Paths = @(
        "$($User.FullName)\Downloads",
        "$($User.FullName)\AppData\Local\Temp",
        "$($User.FullName)\Desktop",
        "$($User.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    )

    foreach ($Path in $Paths) {
        if (Test-Path $Path) {
            Get-ChildItem -Path $Path -Filter *.exe -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
                $sig = Get-AuthenticodeSignature $_.FullName
                if ($sig.Status -ne 'Valid') {
                    $SuspiciousFiles += [PSCustomObject]@{
                        User = $User.Name
                        Path = $_.FullName
                        Status = $sig.Status
                        Signer = $sig.SignerCertificate.Subject
                    }
                }
            }
        }
    }
}

if ($SuspiciousFiles) {
    Write-Host "[!] Found unsigned executables:" -ForegroundColor Red
    $SuspiciousFiles | Format-Table -AutoSize
} else {
    Write-Host "[+] No suspicious unsigned executables found in standard paths." -ForegroundColor Green
}

Remediation

Immediate Actions:

  1. Isolate Infected Hosts: If EtherRAT is detected, isolate the affected machine from the network immediately to prevent lateral movement.
  2. User Education: Circulate an urgent security advisory to all staff warning that "IT Support will never ask you to install software via a Teams chat or call."

Microsoft Teams Tenant Hardening:

  1. Restrict External Communication: Configure the Teams Admin Center to block anonymous users or restrict external communication to specific trusted domains only.
    • Path: Teams Admin Center > Users > External access.
  2. Block File Transfers from External Users: If business continuity permits, restrict file transfers from external/unmanaged tenants.

Endpoint Hardening:

  1. Application Allowlisting: Enforce AppLocker or Windows Defender Application Control (WDAC) policies to prevent the execution of unsigned binaries in user profile directories.
  2. Attack Surface Reduction (ASR) Rules: Enable ASR rules specifically:
    • "Block all Office applications from creating child processes"
    • "Block applications from creating child processes" (configure exclusions for legitimate tools)

Incident Response:

  • Treat this as a full breach. Assume credentials may have been harvested via keylogging features common in RATs. Reset credentials for the affected user and perform an audit of their recent access logs.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirmicrosoft-teamsetherratsocial-engineeringremote-access-trojanvishing

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.