Back to Intelligence

ModeloRAT Campaign Analysis: Microsoft Teams to Domain Compromise Detection Guide

SA
Security Arsenal Team
May 13, 2026
10 min read

Excerpt

Attackers are abusing Microsoft Teams for initial access, deploying ModeloRAT to compromise enterprise domains. Detect and respond to this emerging threat.

Introduction

Rapid7 recently investigated a sophisticated intrusion campaign that leverages Microsoft Teams as an initial access vector, demonstrating how trusted collaboration platforms can become attack surfaces when abused through social engineering. This campaign, dubbed ModeloRAT, involves attackers impersonating IT support personnel through Teams messages to trick employees into executing malicious payloads.

What makes this attack particularly concerning is how quickly it escalates from a simple Teams conversation to full domain compromise. Attackers leverage the inherent trust employees place in collaboration platforms and IT support communications to bypass traditional perimeter defenses. Once initial access is achieved, the ModeloRAT malware facilitates credential theft, privilege escalation, lateral movement, and data exfiltration.

Defenders need to act now to detect these activities and harden their Microsoft Teams environment against this abuse. As organizations increasingly rely on collaboration platforms, the security of these tools becomes paramount to preventing enterprise-wide compromise.

Technical Analysis

Affected Products & Platforms

  • Microsoft Teams (all versions)
  • Microsoft 365 / Azure AD environments
  • Windows enterprise environments (Active Directory)

Attack Chain Breakdown

  1. Initial Access: Attackers create or compromise Microsoft Teams accounts with user profiles resembling IT support personnel. They then initiate conversations with targeted employees, often using urgency or official-sounding language to convince users to click links or download files.

  2. Payload Delivery: Through the Teams chat, attackers deliver malicious files or links that deploy ModeloRAT, a remote access Trojan designed to provide attackers with control over the victim system.

  3. Establish Persistence: ModeloRAT establishes persistence through scheduled tasks, registry modifications, or other standard mechanisms, ensuring continued access even after system reboots.

  4. Privilege Escalation: Using living-off-the-land binaries (LOLBins) and exploiting local misconfigurations, the malware elevates privileges to gain administrative access on the compromised system.

  5. Credential Theft: The RAT extracts stored credentials from browsers, credential managers, and system memory, harvesting authentication tokens for further lateral movement.

  6. Lateral Movement: Using the obtained credentials, attackers move across the network, identifying and compromising additional systems of interest.

  7. Exfiltration: Finally, data of interest is identified, collected, and exfiltrated to attacker-controlled infrastructure.

Exploitation Status

This attack represents confirmed active exploitation in the wild. While not leveraging a specific CVE, it exploits trust relationships and social engineering vulnerabilities rather than technical software vulnerabilities. The technique has been documented in multiple enterprise intrusions, with the initial access vector being the novelty in this campaign.

Technical Indicators of ModeloRAT

  • Execution of unusual processes following Teams activity
  • Creation of scheduled tasks from unusual parent processes
  • Network connections to known C2 infrastructure
  • PowerShell or CMD execution with encoded commands
  • Registry modifications in persistence mechanisms
  • Unusual access to LSASS memory for credential dumping

Detection & Response

Sigma Rules

YAML
---
title: Potential ModeloRAT Initial Access via Microsoft Teams
id: 3d7c9b51-9b47-45a7-bb23-8d486f732c18
status: experimental
description: Detects potential initial access of ModeloRAT through suspicious Microsoft Teams activity followed by process execution
references:
  - https://www.rapid7.com/blog/post/tr-it-support-dissecting-modelorat-campaign-microsoft-teams-compromise
author: Security Arsenal
date: 2023/04/06
tags:
  - attack.initial_access
  - attack.t1566
  - attack.t1190
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentProcess|contains:
      - 'Teams.exe'
      - 'msteams.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\mshta.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: selection
falsepositives:
  - Legitimate Teams use of administrative tools (rare)
level: high
---
title: ModeloRAT Persistence via Scheduled Task
id: 8f1b9a42-2d68-4e87-a935-7d612e345a1c
status: experimental
description: Detects creation of scheduled tasks from unusual processes that may indicate ModeloRAT persistence
references:
  - https://attack.mitre.org/techniques/T1053/005/
author: Security Arsenal
date: 2023/04/06
tags:
  - attack.persistence
  - attack.t1053.005
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\schtasks.exe'
    CommandLine|contains:
      - '/create'
      - '/sc'
  filter_legit:
    ParentImage|endswith:
      - '\explorer.exe'
      - '\cmd.exe'
      - '\powershell.exe'
  condition: selection and not filter_legit
falsepositives:
  - System administration activities
level: medium
---
title: ModeloRAT Credential Dumping Behavior
id: 2c3e8f19-4a57-4d3b-9e78-1d2f3b4c5a6e
status: experimental
description: Detects potential credential dumping activity associated with ModeloRAT
references:
  - https://attack.mitre.org/techniques/T1003/
author: Security Arsenal
date: 2023/04/06
tags:
  - attack.credential_access
  - attack.t1003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\rundll32.exe'
      - '\taskmgr.exe'
      - '\procdump.exe'
      - '\powershell.exe'
    CommandLine|contains:
      - 'comsvcs.dll'
      - 'MiniDump'
      - 'lsass'
      - 'Get-Process lsass'
  condition: selection
falsepositives:
  - Legitimate system debugging activities (rare)
level: high

KQL Queries for Microsoft Sentinel/Defender

KQL — Microsoft Sentinel / Defender
// Detect suspicious process execution following Teams activity
let TimeWindow = 1h;
let SuspiciousProcesses = dynamic(['powershell.exe', 'cmd.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'regsvr32.exe']);
DeviceProcessEvents
| where Timestamp > ago(TimeWindow)
| where InitiatingProcessFileName in~ ('Teams.exe', 'msteams.exe') 
| where FileName in~ SuspiciousProcesses
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// Detect unusual scheduled task creation
let TimeWindow = 1h;
let ScheduledTaskCreation = DeviceProcessEvents
| where Timestamp > ago(TimeWindow)
| where FileName =~ 'schtasks.exe'
| where ProcessCommandLine contains '/create' and ProcessCommandLine contains '/sc'
| where InitiatingProcessFileName !in~ ('explorer.exe', 'cmd.exe', 'powershell.exe', 'services.exe', 'svchost.exe')
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId
| order by Timestamp desc
ScheduledTaskCreation

// Detect potential credential dumping
DeviceProcessEvents
| where Timestamp > ago(1d)
| where (FileName in~ ('rundll32.exe', 'taskmgr.exe', 'procdump.exe', 'powershell.exe') and 
        ProcessCommandLine has_any ('comsvcs.dll', 'MiniDump', 'lsass', 'Get-Process lsass'))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, SHA256
| order by Timestamp desc

// Detect network connections to suspicious domains following Teams usage
let TeamsProcesses = DeviceProcessEvents
| where FileName in~ ('Teams.exe', 'msteams.exe')
| distinct DeviceId, DeviceName;
DeviceNetworkEvents
| where Timestamp > ago(1h)
| where DeviceId in (TeamsProcesses)
| where RemoteUrl matches regex @'[a-z0-9\-\.]+\.(tk|ml|ga|cf|gq|top|xyz|pw|cc|club|online)' 
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for suspicious process execution patterns related to ModeloRAT
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime, Parent.Pid AS ParentPid, Parent.Name AS ParentName
FROM pslist()
WHERE Parent.Name =~ '(Teams|msteams)\.exe$'
   AND Name IN ('powershell.exe', 'cmd.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'regsvr32.exe')

-- Hunt for suspicious scheduled tasks that may indicate persistence
SELECT TaskName, Author, Enabled, State, LastRunTime, NextRunTime, Command, Arguments
FROM schedli.task()
WHERE Enabled = TRUE
   AND (Author != "Microsoft Corporation" AND Author != "Microsoft")
   AND (CommandLine =~ 'powershell' OR CommandLine =~ 'cmd' OR CommandLine =~ 'regsvr32')

-- Hunt for suspicious network connections from Teams process
SELECT Pid, Name, RemoteAddress, RemotePort, State, Family
FROM netstat()
WHERE Name =~ '(Teams|msteams)\.exe$'
   AND (RemoteAddress NOT IN ("0.0.0.0", "127.0.0.1", "::") AND RemotePort NOT IN (80, 443))

-- Hunt for suspicious file artifacts in common download locations
SELECT FullPath, Size, Mtime, Atime, Btime, Mode
FROM glob(globs='*/Downloads/*.exe', root='C:/Users/*')
WHERE Mtime > now() - 7d
   AND Size < 10MB

Remediation Script (PowerShell)

PowerShell
# ModeloRAT Detection and Remediation Script
# This script helps detect and remediate potential ModeloRAT infections

# Check for suspicious scheduled tasks that may be used for persistence
Write-Host "Checking for suspicious scheduled tasks..."
$suspiciousTasks = Get-ScheduledTask | Where-Object { 
    $_.Author -notmatch "Microsoft" -and 
    $_.State -eq "Ready" -and 
    $_.Actions.Execute -match "(powershell|cmd|regsvr32)" 
}

if ($suspiciousTasks) {
    Write-Host "Found suspicious scheduled tasks:"
    $suspiciousTasks | ForEach-Object { Write-Host "- $($_.TaskName): $($_.Actions.Execute)" }
    
    # Prompt user before removal
    $response = Read-Host "Do you want to remove these tasks? (y/n)"
    if ($response -eq 'y') {
        $suspiciousTasks | Unregister-ScheduledTask -Confirm:$false
        Write-Host "Tasks removed successfully."
    }
} else {
    Write-Host "No suspicious scheduled tasks found."
}

# Check for suspicious registry entries in common persistence locations
Write-Host "Checking registry persistence mechanisms..."
$suspiciousRegKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)

$foundSuspiciousReg = $false

foreach ($regKey in $suspiciousRegKeys) {
    $items = Get-Item $regKey -ErrorAction SilentlyContinue
    if ($items) {
        foreach ($item in $items.Property) {
            $value = Get-ItemProperty -Path $regKey -Name $item -ErrorAction SilentlyContinue
            if ($value.$item -match "(powershell|cmd|regsvr32)\." -and $value.$item -notmatch "Program Files" -and $value.$item -notmatch "Windows") {
                Write-Host "Suspicious registry entry found in $regKey:"
                Write-Host "- $item = $($value.$item)"
                $foundSuspiciousReg = $true
                
                # Prompt user before removal
                $response = Read-Host "Do you want to remove this registry entry? (y/n)"
                if ($response -eq 'y') {
                    Remove-ItemProperty -Path $regKey -Name $item -Force
                    Write-Host "Registry entry removed successfully."
                }
            }
        }
    }
}

if (-not $foundSuspiciousReg) {
    Write-Host "No suspicious registry entries found."
}

# Check for suspicious processes spawned from Teams
Write-Host "Checking for suspicious processes spawned from Teams..."
$teamsProcesses = Get-Process -Name "Teams", "msteams" -ErrorAction SilentlyContinue
$suspiciousChildProcesses = @()

foreach ($teams in $teamsProcesses) {
    Get-WmiObject Win32_Process | Where-Object { $_.ParentProcessId -eq $teams.Id } | ForEach-Object {
        if ($_.Name -match "^(powershell|cmd|wscript|cscript|regsvr32)\.exe$") {
            $suspiciousChildProcesses += $_
            Write-Host "Suspicious child process found: $($_.Name) with PID: $($_.ProcessId)"
            Write-Host "Command line: $($_.CommandLine)"
            
            # Prompt user before termination
            $response = Read-Host "Do you want to terminate this process? (y/n)"
            if ($response -eq 'y') {
                Stop-Process -Id $_.ProcessId -Force
                Write-Host "Process terminated successfully."
            }
        }
    }
}

if (-not $suspiciousChildProcesses) {
    Write-Host "No suspicious child processes found from Teams."
}

# Check for recent suspicious files in Downloads folders
Write-Host "Checking for suspicious files in user Downloads folders..."
$userProfiles = Get-ChildItem "C:\Users" -Directory
$recentSuspiciousFiles = @()

foreach ($profile in $userProfiles) {
    $downloadsPath = Join-Path $profile.FullName "Downloads"
    if (Test-Path $downloadsPath) {
        $recentFiles = Get-ChildItem $downloadsPath -File -Filter "*.exe" -ErrorAction SilentlyContinue | 
                        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) -and $_.Length -lt 10MB }
        
        foreach ($file in $recentFiles) {
            # Check file signature
            $signature = Get-AuthenticodeSignature $file.FullName
            if ($signature.Status -ne "Valid") {
                Write-Host "Suspicious unsigned or invalidly signed file found: $($file.FullName)"
                $recentSuspiciousFiles += $file
                
                # Prompt user before removal
                $response = Read-Host "Do you want to remove this file? (y/n)"
                if ($response -eq 'y') {
                    Remove-Item $file.FullName -Force
                    Write-Host "File removed successfully."
                }
            }
        }
    }
}

if (-not $recentSuspiciousFiles) {
    Write-Host "No suspicious recent files found in Downloads folders."
}

Write-Host "Remediation check completed."

Remediation

Immediate Actions

  1. Identify Compromised Accounts:

    • Review Microsoft Teams audit logs for messages from external or recently created accounts
    • Look for Teams conversations from users claiming to be "IT Support" that don't match your organization's naming convention
    • Check for anomalous Teams activity from accounts that haven't been active recently

  2. Contain Compromised Systems:

    • Isolate systems suspected of infection from the network
    • Revoke and reset credentials for potentially compromised accounts
    • Terminate suspicious processes identified during investigation

  3. Remove Malware Artifacts:

    • Delete malicious files identified during investigation
    • Remove suspicious scheduled tasks created by the malware
    • Clean registry entries used for persistence

  4. Harden Microsoft Teams Security:

    • Implement policies to restrict external Teams communications
    • Configure Teams to only allow communication from verified internal domains
    • Enable and configure Microsoft Defender for Office 365 to scan Teams attachments
    • Implement Multi-Factor Authentication (MFA) for all users
    • Educate employees about social engineering through collaboration platforms

Long-term Protections

  1. Implement Conditional Access Policies:

    • Require device compliance for Teams access
    • Enforce location-based restrictions for sensitive operations
    • Implement risky sign-in detection and response

  2. Enhance Monitoring:

    • Deploy advanced hunting rules for Teams activity
    • Implement monitoring for process execution following Teams usage
    • Set up alerts for suspicious credential access and dumping activities

  3. Security Awareness Training:

    • Conduct training focused on identifying social engineering in collaboration platforms
    • Establish clear verification processes for IT support requests
    • Create easy reporting channels for suspicious Teams messages

  4. Least Privilege Implementation:

    • Enforce principle of least privilege for all user accounts
    • Review and reduce unnecessary admin privileges
    • Just-in-time access for administrative tasks

Vendor Resources

CISA Recommendations

While this specific campaign doesn't have a CVE, the CISA recommendations for securing collaboration platforms and defending against social engineering apply:

  • Implement robust identity and access management
  • Monitor for unusual activity in collaboration platforms
  • Establish verification procedures for unsolicited technical support requests
  • Regularly review and audit access permissions

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionmodeloratmicrosoft-teamssocial-engineering

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action