
Security Alert: Microsoft Teams Used to Spread Malware – Stay Vigilant

Security Advisory, August 22, 2025

Cybercriminals are now abusing Microsoft Teams and Quick Assist to install malware directly onto corporate systems with no suspicious links or sketchy downloads. 

The malware in question, Matanbuchus 3.0, is a stealthy, fileless loader that can quietly establish long-term access, deliver additional payloads, and persist inside your network without triggering common antivirus tools. This marks a dangerous shift in how adversaries are weaponizing trusted collaboration platforms. 

Who’s at Risk 

Any organization using Microsoft Teams for internal communications, including cleared defense contractors, is a potential target. These attacks rely on social engineering, not technical vulnerabilities, meaning every user is a potential entry point. 

If your organization allows: 

  • Microsoft Teams voice or video calls from unknown contacts 
  • Remote assistance via Microsoft Quick Assist 
  • IT support via chat or Teams channels 

…then you may already be in scope for this threat. 

How It Works 

  • The victim receives a Teams call from an attacker posing as IT 
  • They’re asked to open Microsoft Quick Assist 
  • Once access is granted, malware is silently deployed using PowerShell 
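
The sequence above (Quick Assist session, then PowerShell) can be hunted for in process-creation logs. The following is an added example, not ISI's tooling: it flags a PowerShell start on a host shortly after Quick Assist started there. The log format, host names, and 15-minute window are constructed assumptions, and legitimate helpdesk sessions will also match, so hits are triage leads rather than verdicts.

```python
from datetime import datetime, timedelta

# Constructed sample process-creation records (not from a real incident).
# Assumed format: ISO timestamp | host | user | process image path
SAMPLE_LOG = r"""
2025-08-20T09:02:11|WS-014|jdoe|C:\Windows\System32\quickassist.exe
2025-08-20T09:06:47|WS-014|jdoe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-08-20T09:30:00|WS-022|asmith|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-08-20T11:15:02|WS-031|blee|C:\Windows\System32\quickassist.exe
2025-08-20T12:40:00|WS-031|blee|C:\Program Files\PowerShell\7\pwsh.exe
"""

REMOTE_TOOL = "quickassist.exe"
SHELLS = {"powershell.exe", "pwsh.exe"}
WINDOW = timedelta(minutes=15)  # assumed tuning value, adjust per environment


def parse(log):
    """Return (time, host, user, lowercase image name) tuples in time order."""
    events = []
    for line in log.strip().splitlines():
        ts, host, user, image = line.split("|")
        name = image.rsplit("\\", 1)[-1].lower()
        events.append((datetime.fromisoformat(ts), host, user, name))
    return sorted(events)


def correlate(events, window=WINDOW):
    """Flag shell starts within `window` after Quick Assist on the same host."""
    last_session = {}  # host -> time Quick Assist last started
    hits = []
    for ts, host, user, name in events:
        if name == REMOTE_TOOL:
            last_session[host] = ts
        elif name in SHELLS and host in last_session:
            delta = ts - last_session[host]
            if delta <= window:
                hits.append({"host": host, "user": user, "shell": name,
                             "seconds_after": int(delta.total_seconds())})
    return hits


if __name__ == "__main__":
    for hit in correlate(parse(SAMPLE_LOG)):
        print(hit)
```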

Why it matters 

Matanbuchus is a malware-as-a-service platform capable of opening reverse shells, evading antivirus, and downloading additional payloads on command, all while staying under the radar of most defenses. 

What You Should Do 

  • Treat remote IT requests via Microsoft Teams with high caution 
  • Notify the ISI team if you have received a call similar to what we’ve described 
  • Immediately notify the ISI Cybersecurity Team if you have received a call and provided access to the caller via Microsoft Quick Assist 

How ISI Can Help 

ISI is monitoring abuse of collaboration tools like Teams, Zoom, and Quick Assist. We’ll continue to provide threat insights and mitigation steps as new vectors emerge. If you’ve received a suspicious call, we can help: 

  • Review activity logs 
  • Hunt for persistence mechanisms 
  • Guide containment steps 
  • Coordinate with authorities if needed 

These attackers are exploiting trust, not technology. Just because a request comes through a legitimate platform doesn’t mean that it’s safe. Stay vigilant, report early, and never grant remote access unless you’re absolutely sure of who’s on the other end. 

Stay secure, 
The ISI Cybersecurity Team
