{"id":221859,"date":"2026-03-09T18:50:00","date_gmt":"2026-03-09T22:50:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/03\/09\/microsoft-teams-phishing-targets-employees-with-a0backdoor-malware\/"},"modified":"2026-03-10T05:05:13","modified_gmt":"2026-03-10T09:05:13","slug":"microsoft-teams-phishing-targets-employees-with-a0backdoor-malware","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/03\/09\/microsoft-teams-phishing-targets-employees-with-a0backdoor-malware\/","title":{"rendered":"Microsoft Teams phishing targets employees with A0Backdoor malware"},"content":{"rendered":"

Microsoft Teams phishing targets employees with A0Backdoor malware<\/a><\/p>\n

https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-teams-phishing-targets-employees-with-backdoors\/<\/a><\/p>\n

Publish Date: 2026-03-09 18:50:00<\/a><\/p>\n

Source Domain: www.bleepingcomputer.com<\/a><\/p>\n

\n

Hackers contacted employees at\u00a0financial and healthcare organizations over Microsoft Teams to trick them into granting remote access through Quick Assist and deploy a new piece of malware called A0Backdoor.<\/p>\n

The attacker relies on social engineering to gain the employee’s trust by first flooding their inbox with spam and then contacting them over Teams, pretending to be the company’s IT staff, offering assistance with the unwanted messages.<\/p>\n

To obtain access to the target machine, the threat actor instructs the user to\u00a0start a\u00a0Quick Assist remote session, which is used to deploy a malicious toolset that includes digitally signed MSI installers hosted in a\u00a0personal Microsoft cloud storage account.<\/p>\n

According to researchers at cybersecurity company BlueVoyant, the malicious MSI files masquerade as Microsoft Teams components and the CrossDeviceService, a legitimate Windows tool used by the Phone Link app.<\/p>\n

\"CommandlineCommand line argument to install the malicious CrossDeviceService.exe<\/strong>
Source: BlueVoyant<\/p>\n

Using the DLL sideloading technique with legitimate Microsoft binaries, the attacker deploys a malicious library (hostfxr.dll) that contains compressed or encrypted data. Once loaded in memory, the library decrypts the data into shellcode and transfers execution to it.<\/p>\n

The researchers say that the malicious library also uses the CreateThread function to prevent analysis. BlueVoyant explains that\u00a0the excessive thread creation could cause a debugger to crash, but it does not have a significant impact under normal execution.<\/p>\n

The shellcode performs sandbox detection and then generates a SHA-256-derived key, which it uses to extract the A0Backdoor, which is encrypted using the AES algorithm.<\/p>\n

\"EncryptedEncrypted payload in the shellcode<\/strong>
Source: BlueVoyant<\/p>\n

The malware relocates itself into a new memory region, decrypts its core routines, and relies on Windows API calls (e.g., DeviceIoControl, GetUserNameExW, and GetComputerNameW)\u00a0to collect\u00a0information about the host and…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Microsoft Teams phishing targets employees with A0Backdoor malware https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-teams-phishing-targets-employees-with-backdoors\/ Publish Date: 2026-03-09 18:50:00 Source Domain:…<\/p>\n","protected":false},"author":1,"featured_media":221860,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bleepstatic.com\/content\/hl-images\/2026\/02\/17\/Microsoft_Teams.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32,25,34],"class_list":["post-221859","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware","tag-phishing","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/221859"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=221859"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/221859\/revisions"}],"predecessor-version":[{"id":221861,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/221859\/revisions\/221861"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/221860"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=221859"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=221859"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=221859"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}