Hackers Use Fake Notifications to Gain Corporate Access

by Chief Editor

Cybercriminals are deploying sophisticated phishing campaigns that impersonate Microsoft Teams notifications to gain unauthorized access to corporate networks. According to security researcher Cyfirma, these attacks trick employees into installing remote monitoring and management (RMM) software through fraudulent meeting transcripts and digitally signed installers.

How do the Microsoft Teams phishing attacks work?

The attack chain begins with phishing emails designed to mimic legitimate Microsoft Teams alerts. These messages often notify users of missed meetings or available chat transcripts. When a recipient clicks the embedded link, they are directed to a fraudulent landing page that replicates the official Teams interface.


Once on the fake page, users are prompted to download a digitally signed Windows installer. Cyfirma reports that this installer silently deploys an RMM tool, which then connects to attacker-controlled relay servers rather than legitimate corporate infrastructure. The operation has a global footprint, with compromised infrastructure identified in the United States, United Kingdom, Brazil, India, and Russia.

To maintain access to infected systems, the malware employs several persistence mechanisms. These include creating new Windows services, making registry changes to enable execution in safe mode, and using specialized credential-provider files.

Pro Tip: Organizations should implement strict policies to block the installation of unauthorized RMM software and monitor for any unexpected changes to authentication packages.
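The three persistence locations named above (Safe Mode service entries, credential providers, and LSA authentication packages) can be baselined from the registry. The following PowerShell audit is an added example, not code from the article or from Cyfirma; the allow-list of known authentication packages and the System32/Microsoft-signed heuristic are assumptions for a stock Windows host and should be tuned to your own golden image.

```powershell
# Added example: audit the persistence locations the article describes.
# Run elevated; adjust $knownAuthPkgs to match your baseline (assumption: stock host).

# 1. LSA authentication packages: a stock host lists only msv1_0.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$knownAuthPkgs = @('msv1_0')
foreach ($pkg in @($lsa.'Authentication Packages')) {
    if ($knownAuthPkgs -notcontains $pkg) {
        Write-Warning "Unexpected LSA authentication package: $pkg"
    }
}

# 2. Services registered to run in Safe Mode (Minimal and Network boot).
# Entries of type 'Service' are keyed by service name; an RMM agent that
# appears here was deliberately registered to survive safe-mode recovery.
foreach ($mode in 'Minimal', 'Network') {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    Get-ChildItem $path | ForEach-Object {
        $name = $_.PSChildName
        $type = (Get-ItemProperty $_.PSPath).'(default)'
        if ($type -eq 'Service') {
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
            $bin = (Get-ItemProperty $svcKey -ErrorAction SilentlyContinue).ImagePath
            Write-Output "SafeBoot\$mode service: $name -> $bin"
        }
    }
}

# 3. Credential providers: each GUID subkey maps to a CLSID whose
# InprocServer32 names the DLL that winlogon loads at the logon screen.
# Flag DLLs outside System32 or not signed by Microsoft for manual review.
$cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
Get-ChildItem $cpRoot | ForEach-Object {
    $clsid = $_.PSChildName
    $srv = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
    $dll = (Get-ItemProperty $srv -ErrorAction SilentlyContinue).'(default)'
    if (-not $dll) { return }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    $sig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
    $fromMs = $sig.SignerCertificate.Subject -like '*Microsoft*'
    if ($dll -notlike "$env:SystemRoot\System32\*" -or -not $fromMs) {
        Write-Warning "Review credential provider $clsid -> $dll (signature: $($sig.Status))"
    }
}
```

Diff the output against a clean build of the same image; new Safe Mode service entries or a credential provider DLL that is neither in System32 nor Microsoft-signed are the changes worth escalating.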

What is the Mistic-Backdoor and who uses it?

The threat group known as KongTuke, also referred to as Woodgnat, has been identified as a primary distributor of the Mistic-Backdoor. Since April 2026, this group has targeted educational institutions, IT service providers, and professional service firms using Teams-themed lures.


According to security firms Zscaler and Symantec, Mistic provides attackers with advanced capabilities, including file management, in-memory execution, and password theft via simulated login screens. The malware utilizes DLL side-loading techniques to exploit legitimate Microsoft Defender components, allowing it to evade detection.

Security researchers link these activities to a broader ecosystem where stolen access is sold to various ransomware operations.

Did you know? Attackers frequently compromise the websites of law firms, medical practices, and schools to host their phishing infrastructure, leveraging the existing trust these domains hold.

Why is AI-driven phishing increasing so rapidly?

The rise in Teams-based phishing coincides with a surge in identity-based attacks powered by artificial intelligence. The EvilTokens platform uses AI to automate the theft of Microsoft authentication tokens. This technology has led to a 1,380% increase in device-code phishing attacks between the start of 2026 and the spring of that year, compared to the latter half of 2025.


The AI components of these attacks can generate individualized phishing lures for specific targets. These tools automatically analyze a victim’s inbox and calendar to plan highly efficient Business Email Compromise (BEC) scenarios.

| Attack Type            | Primary Method             | Key Risk                             |
| ---------------------- | -------------------------- | ------------------------------------ |
| Standard Phishing      | Fake meeting notifications | RMM / remote access                  |
| AI-Driven (EvilTokens) | Automated token theft      | 1,380% increase in device-code theft |

How are authorities fighting back against these threats?

On June 24, 2026, the Microsoft Digital Crimes Unit (DCU) disrupted significant portions of the malware infrastructure. The operation successfully destroyed over 200 command-and-control (C2) domains associated with the StealC and Amadey malware families.

These specific malware operations had infected more than 140,000 computers during May 2026. The DCU utilized AI-driven analysis tools to identify and dismantle the interconnected networks used by the attackers.

Frequently Asked Questions

What is device-code phishing?
It is a method where attackers trick users into providing a code that allows the attacker to authenticate as the user, bypassing traditional multi-factor authentication.

How can I tell if a Teams notification is fake?
Be cautious of unexpected notifications regarding meeting transcripts or missed calls that require you to download a file or click an external link.

What is RMM software in a security context?
Remote Monitoring and Management software allows IT professionals to manage computers remotely, but in the hands of hackers, it provides a direct gateway into a corporate network.
