Understanding the Microsoft Teams hacking attempts and how to keep your business safe.
As its use becomes more widespread, attackers are homing in on Microsoft Teams hacking attempts, finding new ways to exploit it, particularly through social engineering attacks. Collaboration platforms everywhere face the same threat of being targeted with the shift to remote & hybrid work making proactive end-user training more critical than everywhere.
One malware strain that is frequently used in these campaigns is Matanbuchus, a stealthy loader designed to deliver malicious payloads while evading detection. Recent incidents propelled by the evolved Matanbuchus 3.0 update show how attackers are leveraging Teams to impersonate internal staff, gain remote access, and deploy malware in real time.
What Is Matanbuchus?
Matanbuchus is a malware-as-a-service (MaaS) loader that enables threat actors to deliver a range of payloads, including ransomware, shellcode, and penetration testing tools like Cobalt Strike. It is engineered for stealth and often executes entirely in memory to avoid triggering antivirus alerts.
Its modular architecture allows attackers to tailor their approach based on the target environment. This makes it a versatile and dangerous tool in the hands of cybercriminals.
How Hackers Exploit Microsoft Teams
One recent example involved hackers initiating what was essentially a Teams phishing attack by making external Microsoft Teams calls while posing as internal IT support. During the interaction, they persuaded employees to launch Microsoft’s Quick Assist tool, granting remote access. Once connected, the attackers guided users through executing a script that silently installed the Matanbuchus Loader. This allowed them to bypass traditional security measures and establish a foothold within the system.
This method is particularly effective because it combines real-time human interaction with trusted enterprise tools. The attack feels legitimate and urgent, which increases the likelihood of success.
Why Social Engineering Works
Social engineering attacks succeed because they exploit human behavior rather than technical vulnerabilities. Attackers use psychological tactics such as:
- Urgency: “We need to fix this immediately to avoid downtime.”
- Authority: “I’m from IT. I need your help to resolve a system issue.”
- Familiarity: Leveraging tools employees already trust, like Teams and Quick Assist.
These tactics create a sense of pressure and legitimacy. This makes it easier for attackers to manipulate users into taking actions they normally wouldn’t.
Why Collaboration Platforms Are a Target
Collaboration tools like Microsoft Teams, Slack, Zoom, and others have become essential to how organizations operate. They enable real-time communication, remote support, file sharing, and project coordination across distributed teams. However, their convenience and ubiquity also make them attractive targets for cybercriminals.
Attackers exploit the trust users place in these platforms. When a message, call, or file comes through a familiar interface, it often bypasses the skepticism that might be applied to an email or unknown website. Features like external messaging, screen sharing, and remote access via Teams, Slack, etc… through integrations can be manipulated to impersonate internal staff or deliver malicious content.
Without proper controls and user awareness, these platforms can become entry points for social engineering attacks that are difficult to detect and even harder to stop once initiated.
How Businesses Can Protect Themselves
1. Train Employees to Recognize Threats
- Simulate impersonation scenarios to build awareness.
- Encourage verification of IT support requests through separate channels.
- Promote a culture of healthy skepticism around urgent or unexpected requests.
- Leverage security training platforms to continuously and proactively keep your end users prepared for evolving threats.
2. Limit External Access
- Review and adjust Teams federation settings to restrict external calls.
- Disable or limit Quick Assist where it is not essential.
3. Strengthen Endpoint and Network Security
- Use advanced endpoint detection tools to identify in-memory execution and suspicious behavior.
- Monitor for encrypted command-and-control traffic and unusual user-agent activity.
4. Keep Systems Up to Date
- Regularly patch collaboration and remote access tools.
- Audit and remove unnecessary remote administration utilities.
Final Thoughts
Cyber threats are constantly evolving, and attackers are becoming more sophisticated in how they target the human side of security as we’ve seen with the Teams phishing attacks. By impersonating trusted personnel and using familiar tools, they can bypass technical defenses and gain direct access to systems. The recent use of Matanbuchus malware is a clear example of how social engineering can turn everyday collaboration tools into attack vectors.
Protecting against these threats takes more than just technology. It requires a layered approach that includes smart security controls, regular system updates, and most importantly, ongoing education and awareness. When employees understand what to look for and feel empowered to question suspicious activity, they become a critical part of your cybersecurity strategy.
Let’s Make Your Team the First Line of Defense
Your people are your greatest asset and your strongest defense against social engineering attacks. With the right training, they can recognize threats before they cause harm. We make it easy to bring in top-tier cybersecurity awareness programs like KnowBe4. Our procurement services are designed to help you source, implement, and scale training that fits your organization’s unique needs.
Want to learn more about how we can support your security goals?
Reach out today and let’s build a safer, more informed workplace together.