Microsoft Teams Calls Exploited in Sophisticated DarkGate Malware Campaign

Cybersecurity researchers have uncovered a social engineering campaign that uses Microsoft Teams calls to talk victims into granting remote access to their machines, which the attackers then use to deliver the DarkGate malware.

According to a report by Trend Micro, the attackers first flood a victim's email inbox with thousands of messages, then contact the victim over Microsoft Teams, posing as an employee of a trusted external supplier offering technical support for the problem they have just created.

During the Teams call, the attackers first tried to have the victim install the Microsoft Remote Support application; when that failed, they persuaded the victim to install AnyDesk, a remote desktop access tool, instead. Once AnyDesk was running, the attackers used the remote session to run automated scripts that deployed DarkGate on the victim's system.

DarkGate, which has been active since 2018, operates as a malware-as-a-service platform with advanced capabilities including credential theft, keylogging, screen capture, audio recording, and remote desktop control.

"The attacker executed various commands to gather system information and attempted to bypass security controls," said researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta.

Although this particular intrusion was stopped before any data was stolen, experts warn that similar campaigns have previously ended in ransomware deployment. To protect against such threats, organizations are advised to:

  • Enable multi-factor authentication
  • Allow only approved remote access tools and block all others
  • Block installation of unverified software
  • Verify the identity of third-party technical support providers before granting any access
  • Train employees to recognize social engineering tactics, including unsolicited support calls
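
The two endpoint controls above (approved remote access tools only, no unverified installs) can also be checked after the fact in process-creation telemetry. The following is an added example, not code from the original article or from Trend Micro's report: it scans constructed Sysmon-style process-creation records for a remote-access tool that is not on an approved list, for an executable launched from a user-writable directory, and for a remote-access tool spawning a command interpreter, which is the post-access behaviour the article describes. The approved-tool list, the tool and shell names, and the sample records are all assumptions made for the example.

```python
"""Added example (not part of the original article or Trend Micro's report):
flag unapproved remote-access tools, unverified install locations, and
remote-access tools spawning shells in constructed Sysmon-style records."""

from dataclasses import dataclass
import ntpath

# Assumption: the organisation sanctions exactly one remote-support tool.
APPROVED_REMOTE_TOOLS = {"quickassist.exe"}

# Binaries of common remote-access tools (illustrative, not exhaustive).
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe", "teamviewer.exe", "quickassist.exe",
    "screenconnect.clientservice.exe", "rustdesk.exe",
}

# Command interpreters that should not be children of a remote-access tool
# on a workstation that is not expected to be under remote administration.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Path fragments that mark a user-writable, unverified install location.
UNVERIFIED_DIRS = ("\\downloads\\", "\\temp\\", "\\public\\")


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    image: str
    reason: str


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return ntpath.basename(path).lower()


def check_event(event: dict, approved: set) -> list:
    """Apply the three rules to one process-creation record; return its findings."""
    image, parent = _name(event["Image"]), _name(event["ParentImage"])
    reasons = []
    if image in REMOTE_ACCESS_TOOLS and image not in approved:
        reasons.append(f"unapproved remote-access tool: {image}")
    if any(frag in event["Image"].lower() for frag in UNVERIFIED_DIRS):
        reasons.append("executable launched from user-writable directory")
    if parent in REMOTE_ACCESS_TOOLS and image in SHELLS:
        reasons.append(f"{parent} spawned command interpreter {image}")
    return [Finding(event["Host"], event["User"], event["Image"], r) for r in reasons]


def check_events(events, approved=APPROVED_REMOTE_TOOLS) -> list:
    """Run check_event over a batch of records and flatten the findings."""
    return [f for e in events for f in check_event(e, approved)]


# Constructed sample records using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"Host": "WS01", "User": "CORP\\jsmith",
     "Image": "C:\\Users\\jsmith\\Downloads\\AnyDesk.exe",
     "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"},
    {"Host": "WS01", "User": "CORP\\jsmith",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Users\\jsmith\\Downloads\\AnyDesk.exe"},
    {"Host": "WS02", "User": "CORP\\mlee",
     "Image": "C:\\Windows\\System32\\quickassist.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Host": "WS02", "User": "CORP\\mlee",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for f in check_events(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} {f.image}: {f.reason}")
```

On the sample records the first event produces two findings (unapproved tool, user-writable path), the second produces one (AnyDesk spawning cmd.exe), and the approved Quick Assist launch produces none. The same three rules map directly onto an allow-list policy (AppLocker or WDAC on Windows) for prevention; the script only shows the detection side.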

The incident highlights how cybercriminals continue to evolve their methods by combining multiple attack vectors - in this case merging email phishing, voice phishing (vishing), and remote access tools to distribute malware.