
How Hackers Are Exploiting Microsoft Teams to Spread Malware

In July 2025, a sophisticated cyberattack campaign emerged that leverages Microsoft Teams to deploy Matanbuchus 3.0, a potent malware loader. This evolved version of Matanbuchus, available as a Malware-as-a-Service (MaaS) for as little as $2,500 on crime forums, boasts advanced stealth features such as improved communication protocols, in-memory execution, and enhanced obfuscation. According to Morphisec, attackers are using social engineering tactics, impersonating IT help desk personnel via Teams calls to trick employees into granting remote access through Quick Assist. This campaign highlights the growing danger of trusted platforms being weaponized, making it critical for organizations to stay vigilant.

Social Engineering: The Art of Deception

The attack begins with a cunning social engineering ploy where hackers pose as IT support, contacting employees through external Microsoft Teams calls. By convincing users to launch Quick Assist, attackers gain remote access to deploy a malicious PowerShell script that installs Matanbuchus 3.0. This malware loader can then deliver secondary payloads like Cobalt Strike, DanaBot, or QakBot, which are often precursors to ransomware attacks. The use of legitimate tools like Teams and Quick Assist allows attackers to bypass traditional security measures, exploiting the trust employees place in these platforms. This tactic underscores the need for robust employee training on recognizing phishing attempts.

Matanbuchus 3.0: A Malware Powerhouse

Matanbuchus 3.0 is a significant evolution from its predecessors, incorporating features such as CMD and PowerShell reverse shell support and the ability to execute DLL, EXE, and shellcode payloads. Its in-memory capabilities and advanced obfuscation make it particularly difficult for antivirus software to detect. Morphisec’s analysis revealed that the malware’s delivery methods have expanded beyond phishing emails and Google Drive links to include Microsoft Teams as a novel vector. Priced at $15,000 for advanced configurations, this MaaS offering enables even less-skilled cybercriminals to launch devastating attacks, amplifying its threat across industries.

Protecting Your Organization from Teams-Based Attacks

To counter this growing threat, organizations must adopt proactive cybersecurity measures. Restricting external Teams calls and limiting the use of remote access tools like Quick Assist to verified scenarios are critical steps. Implementing phishing-resistant MFA and monitoring network traffic for suspicious activity can further reduce risks. Regular audits of cloud configurations and employee training on social engineering tactics are essential to prevent unauthorized access. Microsoft’s recent collaboration security features for Teams, including real-time link and attachment scanning, offer additional protection but require proper configuration to be effective.
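The chain described above (external Teams call, Quick Assist session, PowerShell loader) leaves a process-tree trail that endpoint telemetry can alert on. The following is an added example, not code from the original article or from Morphisec's report: it walks constructed process-creation events and flags any shell whose ancestry includes the remote-assistance process. It assumes Quick Assist runs as QuickAssist.exe and the Teams client as ms-teams.exe; the events are constructed sample data, not real telemetry.

```python
"""Flag shells launched under a Quick Assist session (Teams -> Quick Assist -> PowerShell chain)."""
from dataclasses import dataclass
from typing import Dict, List

REMOTE_ASSIST = {"quickassist.exe"}                 # assumed image name of Quick Assist
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}  # loaders seen in this campaign use these
# Common spellings of PowerShell's -EncodedCommand switch; an encoded payload raises severity.
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def ancestors(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk parent links upward; stop at a missing parent or a pid cycle."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid.get(cur.ppid)
        if cur is not None:
            chain.append(cur)
    return chain


def find_remote_shells(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per shell process that descends from a remote-assistance process."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower() not in SHELLS:
            continue
        for anc in ancestors(e.pid, by_pid):
            if anc.image.lower() in REMOTE_ASSIST:
                encoded = any(t.lower() in ENCODED_FLAGS for t in e.cmdline.split())
                hits.append({"pid": e.pid, "image": e.image, "via": anc.image, "encoded": encoded})
                break
    return hits


SAMPLE = [  # constructed events; "QUJD" is just base64 of "ABC"
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "ms-teams.exe", "ms-teams.exe"),              # assumed Teams image name
    ProcEvent(300, 100, "QuickAssist.exe", "QuickAssist.exe"),
    ProcEvent(310, 300, "cmd.exe", "cmd.exe /c start powershell"),
    ProcEvent(320, 310, "powershell.exe", "powershell.exe -nop -w hidden -enc QUJD"),
    ProcEvent(400, 100, "powershell.exe", "powershell.exe Get-Date"),  # user-launched, not flagged
]

if __name__ == "__main__":
    for hit in find_remote_shells(SAMPLE):
        print(hit)
```

Running the block reports pids 310 and 320 (both reached through QuickAssist.exe, the latter with an encoded command) and ignores the explorer-launched PowerShell at pid 400.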

The Future of Cybersecurity in a Teams-Centric World

As remote work continues to rely heavily on platforms like Microsoft Teams, attackers will likely exploit these tools further, blending social engineering with legitimate software to bypass defenses. The Matanbuchus 3.0 campaign is a wake-up call for businesses to rethink their security strategies, emphasizing layered defenses and user awareness. By combining technical safeguards with ongoing education, organizations can mitigate the risks of such sophisticated attacks. Staying ahead in 2025 demands a proactive approach to securing internal communication platforms, ensuring they don’t become gateways for cybercrime.

SOURCE: https://thehackernews.com/2025/07/hackers-leverage-microsoft-teams-to.html