Attackers are leveraging Microsoft Teams voice calls to deploy EtherRAT malware, impersonating corporate IT support staff to trick employees. The malware provides initial access to corporate networks, a technique known as 'vishing' or voice phishing.

This campaign targets unsuspecting employees, exploiting trust in internal IT communications. EtherRAT is a remote access trojan that can exfiltrate data, deploy additional payloads, and maintain persistence on compromised systems. The attacks appear to be active and ongoing, though the exact scope and number of victims remain undisclosed.

Technically, the attackers initiate unsolicited Teams calls, posing as help desk personnel. They pressure targets into installing remote access software or running malicious scripts, which then deliver EtherRAT. Indicators of compromise include unexpected Teams calls from purported IT staff and unusual software installation prompts.

Mitigation measures include verifying caller identity through alternate channels, restricting remote desktop tool usage, and educating employees about vishing tactics. Microsoft has not issued an official statement, but organizations are advised to implement strict access controls and multi-factor authentication.

Attribution is unclear, but threat actors often use such social engineering to bypass technical defenses. The broader landscape shows a rise in voice-based phishing attacks targeting collaboration tools.