The attack begins with a cunning social engineering ploy in which hackers pose as IT support and contact employees through external Microsoft Teams calls. By convincing users to launch Quick Assist, attackers gain remote access to the workstation and use it to deploy a malicious PowerShell script that installs Matanbuchus 3.0. This malware loader can then deliver secondary payloads such as Cobalt Strike, DanaBot, or QakBot, which are often precursors to ransomware attacks. The use of legitimate tools like Teams and Quick Assist allows attackers to bypass traditional security measures, exploiting the trust employees place in these platforms. This tactic underscores the need for robust employee training on recognizing phishing attempts.
Matanbuchus 3.0 is a significant evolution from its predecessors, incorporating features like CMD and PowerShell reverse shell support, and the ability to execute DLL, EXE, and shellcode payloads. Its in-memory capabilities and advanced obfuscation make it particularly difficult for antivirus software to detect. Morphisec’s analysis revealed that the malware’s delivery methods have expanded beyond phishing emails and Google Drive links to include Microsoft Teams as a novel vector. Priced at $15,000 for advanced configurations, this offering enables even less-skilled cybercriminals to launch devastating attacks, amplifying its threat across industries.
To counter this growing threat, organizations must adopt proactive cybersecurity measures. Restricting external Teams calls and limiting the use of remote access tools like Quick Assist to verified scenarios are critical steps. Implementing phishing-resistant MFA and monitoring network traffic for suspicious activity can further reduce risks. Regular audits of cloud configurations and employee training on social engineering tactics are essential to prevent unauthorized access. Microsoft’s recent collaboration security features for Teams, including real-time link and attachment scanning, offer additional protection but require proper configuration to be effective.
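The article recommends limiting Quick Assist to verified scenarios and monitoring for suspicious activity. One concrete detection that follows from the attack chain described above is a correlation rule that fires when PowerShell is spawned underneath a Quick Assist session. The following Python is an added example written for this page, not code from the article or from Morphisec; the process-creation records are constructed for the example (Sysmon Event ID 1 / Security 4688-style fields), and the image names `QuickAssist.exe`, `powershell.exe` and `pwsh.exe` are assumptions about how the tools appear in logs. It walks each PowerShell event's ancestry, resolves parents by the latest creation event not later than the child (so a reused PID does not produce a false chain), and rates the alert higher when the command line carries encoded or hidden-window options.

```python
"""Flag PowerShell launched beneath a Quick Assist session.

Constructed example: process-creation events with Sysmon/4688-style fields.
Image names for Quick Assist and PowerShell are assumptions, not from the page.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

REMOTE_ASSIST_IMAGES = {"quickassist.exe"}          # assumed image name
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}       # assumed image names
# Command-line fragments that raise severity (case-insensitive substring match).
SUSPICIOUS_TOKENS = ("-enc", "-nop", "hidden", "downloadstring",
                     "invoke-expression", "frombase64string")
MAX_DEPTH = 6  # how many parents to walk before giving up


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # creation time (monotonic seconds in this sample)
    pid: int
    ppid: int
    image: str     # full path as logged
    cmdline: str
    user: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _find_parent(events: Iterable[ProcEvent], child: ProcEvent) -> Optional[ProcEvent]:
    """Parent = event with pid == child.ppid created no later than the child.
    Picking the latest such event guards against PID reuse on Windows."""
    candidates = [e for e in events if e.pid == child.ppid and e.ts <= child.ts]
    return max(candidates, key=lambda e: e.ts) if candidates else None


def ancestry(events: List[ProcEvent], event: ProcEvent,
             max_depth: int = MAX_DEPTH) -> List[ProcEvent]:
    """Return the parent chain of `event`, nearest parent first."""
    chain, cur = [], event
    for _ in range(max_depth):
        parent = _find_parent(events, cur)
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def detect(events: List[ProcEvent]) -> List[dict]:
    """One alert per PowerShell process that has Quick Assist in its ancestry."""
    alerts = []
    for ev in events:
        if _basename(ev.image) not in SHELL_IMAGES:
            continue
        chain = ancestry(events, ev)
        assist = next((a for a in chain
                       if _basename(a.image) in REMOTE_ASSIST_IMAGES), None)
        if assist is None:
            continue  # PowerShell not launched under a remote-assistance session
        lowered = ev.cmdline.lower()
        hits = [t for t in SUSPICIOUS_TOKENS if t in lowered]
        alerts.append({
            "pid": ev.pid,
            "user": ev.user,
            "assist_pid": assist.pid,
            "assist_started": assist.ts,
            "depth": chain.index(assist) + 1,
            "severity": "high" if hits else "medium",
            "indicators": hits,
            "cmdline": ev.cmdline,
        })
    return alerts


# Constructed sample: a user launched Quick Assist (pid 2000) and, inside that
# session, cmd.exe -> powershell.exe with an encoded command. pid 2100 was used
# earlier by notepad.exe to exercise the PID-reuse guard. A second Quick Assist
# session (pid 4000) with no child shell and a PowerShell run straight from
# explorer (pid 3000) are benign and must not alert.
SAMPLE_EVENTS = [
    ProcEvent(1,   1000, 500,  r"C:\Windows\explorer.exe", "explorer.exe", "corp\\alice"),
    ProcEvent(10,  2100, 1000, r"C:\Windows\notepad.exe", "notepad.exe", "corp\\alice"),
    ProcEvent(100, 2000, 1000, r"C:\Windows\System32\QuickAssist.exe", "QuickAssist.exe", "corp\\alice"),
    ProcEvent(120, 2100, 2000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c start", "corp\\alice"),
    ProcEvent(130, 2200, 2100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A", "corp\\alice"),
    ProcEvent(150, 3000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\inventory.ps1", "corp\\alice"),
    ProcEvent(200, 4000, 1000, r"C:\Windows\System32\QuickAssist.exe", "QuickAssist.exe", "corp\\bob"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

In production the same logic would run over a stream from the EDR or SIEM rather than an in-memory list; the ancestry walk and the severity tokens are the parts worth keeping, and the benign Quick Assist session without a child shell is the case that keeps this rule from paging on every legitimate help-desk call.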
As remote work continues to rely heavily on platforms like Microsoft Teams, attackers will likely exploit these tools further, blending social engineering with legitimate software to bypass defenses. The Matanbuchus 3.0 campaign is a wake-up call for businesses to rethink their security strategies, emphasizing layered defenses and user awareness. By combining technical safeguards with ongoing education, organizations can mitigate the risks of such sophisticated attacks. Staying ahead in 2025 demands a proactive approach to securing internal communication platforms, ensuring they don’t become gateways for cybercrime.
SOURCE: https://thehackernews.com/2025/07/hackers-leverage-microsoft-teams-to.html