What happened
Attackers used a social-engineering campaign involving Microsoft Teams and the built-in Windows remote assistance tool Quick Assist to deliver a stealthy malware called A0Backdoor to victims in the finance and healthcare sectors. The group, tracked as Blitz Brigantine, Storm-1811, and STAC5777, first flooded targets with spam emails, then contacted them through Teams while posing as IT support staff offering help. Once victims granted remote access through Quick Assist, the attackers installed digitally signed MSI packages disguised as legitimate Microsoft software, which used DLL sideloading to load the A0Backdoor malware. Researchers from BlueVoyant found the malware communicates through DNS tunneling using public resolvers and lapsed domains, making detection more difficult while allowing attackers to maintain long-term access.
Who is affected
Professionals in the finance and healthcare sectors are affected, particularly organizations where employees can be contacted through Microsoft Teams and persuaded to grant remote access via Quick Assist.
Why CISOs should care
The campaign shows how attackers can combine social engineering with trusted collaboration and remote support tools to gain access, install stealthy malware, and evade common detection methods through DNS-based command-and-control traffic.
3 practical actions
- Restrict Quick Assist usage. Limit or disable unsolicited remote access sessions across enterprise environments.
- Control external Microsoft Teams access. Reduce contact from unrecognized tenants that may be used for social-engineering attacks.
- Monitor for MSI and DNS tunneling indicators. Investigate suspicious MSI installers in user directories and abnormal DNS MX queries through public resolvers.
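The third action can be turned into a simple hunt. The script below is an added example, not code from the article or from BlueVoyant: it runs over constructed DNS-client log lines and flags hosts that send repeated, high-entropy MX queries to well-known public resolvers instead of the corporate resolver, which is the traffic shape the report attributes to A0Backdoor. The log format, the resolver list and the thresholds are assumptions to adapt to your own telemetry.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS-client log lines (not from the article), one query per
# line as "<host> <qtype> <qname> <resolver>". The ws-017 lines mimic the
# pattern described: MX queries for random-looking labels under a lapsed
# domain, sent straight to public resolvers instead of the corporate one.
SAMPLE_LOG = """\
ws-017 A mail.corp.example 10.0.0.53
ws-017 MX 9f3a1c2e7b.example-lapsed.test 8.8.8.8
ws-017 MX 4d7e0b9a2f.example-lapsed.test 8.8.8.8
ws-017 MX c81f5e3d60.example-lapsed.test 1.1.1.1
ws-017 MX b2a9d4e1f7.example-lapsed.test 8.8.8.8
ws-042 MX corp.example 10.0.0.53
ws-042 A login.microsoftonline.com 10.0.0.53
"""

# Well-known public resolvers; managed endpoints should use the corporate one.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

def shannon_entropy(label):
    """Bits per character; encoded payload labels score higher than words."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def registered_domain(qname):
    """Last two labels; a crude stand-in for a public-suffix-list lookup."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def detect_mx_tunneling(log_text, min_queries=3, min_entropy=3.0):
    """Flag (host, domain) pairs sending repeated high-entropy MX queries
    to public resolvers; returns a list of finding dicts."""
    buckets = defaultdict(list)  # (host, domain) -> entropy of leftmost label
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        host, qtype, qname, resolver = parts
        if qtype != "MX" or resolver not in PUBLIC_RESOLVERS:
            continue
        buckets[(host, registered_domain(qname))].append(
            shannon_entropy(qname.split(".")[0]))
    findings = []
    for (host, domain), ents in buckets.items():
        mean = sum(ents) / len(ents)
        if len(ents) >= min_queries and mean >= min_entropy:
            findings.append({"host": host, "domain": domain,
                             "count": len(ents), "mean_entropy": round(mean, 2)})
    return findings
```

Pair the query-pattern alert with an egress rule: blocking port 53 to anything but the corporate resolver turns the same traffic from a hunt into a denied connection that is logged at the perimeter.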
