
Inside a Teams tech support scam with a hidden RAT
Partner: Sophos MSP, Technology solutions provider, Illinois, US
Organization: Legal industry, 25–50 employees, Illinois, US
Solution: Sophos MDR
Adversary behavior
A threat actor infiltrates the organization by impersonating an internal "IT Support" contact within Microsoft Teams. In Teams' default configuration, inbound chats and calls from outside the organization are allowed without pre-approval, and the visual distinction between trusted coworkers and outside parties is minimal. The attacker exploits this design to blend seamlessly into the company's environment, presenting themselves as "IT Support" and appearing almost indistinguishable from an internal resource. The threat actor video-calls a legitimate employee and launches a convincing tech support scam—routine, familiar, and urgent. During the live call, the attacker persuades the user to grant desktop access and installs a remote access Trojan (RAT) directly onto the endpoint. What appears to the user as a normal internal support interaction is in fact the first move in a deeper compromise.
Threat detection
These attacks are common but difficult to detect at scale. They can originate anywhere in the world, target any employee, and unfold through legitimate collaboration activity such as one-to-one chats and live video calls. There is no malicious link to click and no obvious exploit to block—only an interaction that looks routine inside Microsoft Teams. Sophos MDR's automated detection immediately identifies this activity as a Microsoft Teams help desk scam. Through its integration with Microsoft's Management Activity API, Sophos MDR continuously monitors Microsoft 365 unified audit logs and evaluates identity, behavior, and context across Teams activity. In this case, the platform detects an account using an "IT Support" display name and automatically correlates it against the customer's trusted domains. When no trusted relationship exists, Sophos MDR confirms the impersonation attempt and fires a high-confidence alert.
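The correlation step described above, as an added illustration rather than Sophos MDR's own code: a help-desk-style display name on a Teams event is checked against the tenant's trusted domains, and an alert is raised only when no trusted relationship exists. The audit record fields (Workload, Operation, UserId, Members) and all sample values are simplified, constructed assumptions.

```python
import re
from collections import namedtuple

# Domains the tenant owns or has a verified trust/federation relationship with.
# Constructed sample values; a real pipeline would load these from tenant config.
TRUSTED_DOMAINS = {"example-law.com", "msp-partner.example"}

# Display names imitating an internal help desk ("IT Support", "it-support",
# "Help Desk", "Service Desk"); case-insensitive, tolerant of separators.
HELPDESK_NAME = re.compile(
    r"\b(it[\s\-_]*support|tech(nical)?[\s\-_]*support|help[\s\-_]*desk|service[\s\-_]*desk)\b",
    re.IGNORECASE)

Alert = namedtuple("Alert", "actor_upn display_name domain operation")

def domain_of(upn):
    return upn.rsplit("@", 1)[-1].lower()

def is_trusted(domain, trusted):
    # Tenant-owned and partner domains, including their subdomains.
    return any(domain == t or domain.endswith("." + t) for t in trusted)

def evaluate(record, trusted=TRUSTED_DOMAINS):
    """Return an Alert when the acting Teams user has a help-desk-style display name
    but no trusted domain relationship with the tenant, else None. The record fields
    used here (Workload, Operation, UserId, Members) are a simplified assumption."""
    if record.get("Workload") != "MicrosoftTeams":
        return None
    actor = record.get("UserId", "").lower()
    if "@" not in actor:
        return None
    # Resolve the actor's display name from the chat membership list.
    name = next((m.get("DisplayName", "") for m in record.get("Members", [])
                 if m.get("UPN", "").lower() == actor), "")
    if not HELPDESK_NAME.search(name) or is_trusted(domain_of(actor), trusted):
        return None
    return Alert(actor, name, domain_of(actor), record.get("Operation", ""))

def scan(events, trusted=TRUSTED_DOMAINS):
    return [a for a in (evaluate(e, trusted) for e in events) if a]

# Constructed sample events: an external impersonator and a genuine internal help desk.
ALICE = {"UPN": "alice@example-law.com", "DisplayName": "Alice Example"}
SAMPLE_EVENTS = [
    {"Workload": "MicrosoftTeams", "Operation": "ChatCreated", "UserId": "support@helpdesk-portal.example.net",
     "Members": [{"UPN": "support@helpdesk-portal.example.net", "DisplayName": "IT Support"}, ALICE]},
    {"Workload": "MicrosoftTeams", "Operation": "MessageSent", "UserId": "helpdesk@example-law.com",
     "Members": [{"UPN": "helpdesk@example-law.com", "DisplayName": "IT Support"}, ALICE]},
]
```

Only the first sample event produces an alert; the internal account with the same display name is suppressed because its domain is trusted.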
Investigation
Sophos MDR analysts dig deeper, treating the impersonation attempt as a potential entry point rather than an isolated event. This quickly reveals a far more capable adversary operating behind the fake "IT Support" identity. The investigation uncovers the full sequence of events: a 16-minute video call between the attacker and a legitimate user and a custom Java-based RAT installed during that session. The malware disguises itself as "Chrome" to evade casual inspection and is staged from a completely different organization's compromised SharePoint tenant to obscure the attacker's infrastructure. Once installed, the RAT quietly establishes remote control by abusing legitimate Google Cloud services for command-and-control, conducts reconnaissance of the internal environment, and exports that information through attacker-controlled Google Sheets. This gives the attacker a detailed map of the environment—and a clear path toward locating Active Directory and escalating the intrusion. Through rapid, human-led investigation, Sophos MDR exposes the full scope of the attacker's tooling and intent before they can be used to expand the attack.
Response
The customer and MSP operate in Authorize mode, enabling Sophos MDR to act immediately on their behalf. Upon initial detection of the Teams help desk impersonation, Sophos MDR automatically blocks the suspicious "IT Support" account and revokes all active sessions—cutting off the attacker's access within the hour. As the investigation reveals the full extent of the intrusion, Sophos MDR escalates its response. Analysts remove the multi-capability Java RAT and its stealthy persistence mechanisms, isolate the affected endpoint, and ensure the attacker's foothold is fully eradicated. Sophos MDR then guides the customer and MSP through targeted remediation steps: resetting user credentials and browser-stored passwords, rebuilding the impacted device, and tightening Microsoft Teams policies to prevent unsolicited access from outside the organization. By combining automatic, authorized containment with human-led remediation, Sophos MDR not only stops the attack but eliminates the conditions that allowed it to take hold in the first place.