Facebook
Britain's News Portal
Around The Clock
BREAKING
Loading latest headlines…

Fake IT support staff on Microsoft Teams trick UK workers into installing malware

Cybercriminals are posing as helpdesk staff on Microsoft Teams to trick employees into granting remote access, then dropping the EtherRAT trojan. Unit 42 warns UK businesses to verify all IT support requests through official channels.

  • Attackers impersonate IT helpdesk staff on Microsoft Teams to gain trust
  • Victims are persuaded to install remote control software, leading to EtherRAT trojan deployment
  • Unit 42 researchers identified the campaign targeting organisations across multiple sectors

UK businesses are being warned about a sophisticated social engineering campaign in which attackers pose as IT support staff on Microsoft Teams to trick employees into installing malware. Researchers at Unit 42, the threat intelligence arm of Palo Alto Networks, have identified the scheme where fraudsters contact workers directly via the messaging platform, claiming to be from the company's internal helpdesk.

The attackers persuade victims to hand over remote control of their computers, ostensibly to fix a technical issue. Once access is granted, the criminals deploy a trojan known as EtherRAT, which can exfiltrate data, capture keystrokes, and give persistent backdoor access to the victim's machine. The campaign appears to target organisations across multiple industries, including finance, legal, and technology sectors.

For UK businesses, the implications are stark. With remote and hybrid working now firmly embedded, reliance on collaboration tools like Microsoft Teams has soared. The UK's Information Commissioner's Office (ICO) has previously stressed that organisations must have robust verification processes for IT support requests. Meanwhile, the European Union's AI Act, which is influencing regulatory thinking in Britain, emphasises the need for transparency and security in digital communications tools.

Dr. Matthew Green, a cybersecurity researcher at the University of Surrey, described the attack as a 'classic social engineering play, but with a modern twist'. He added: 'The use of a trusted platform like Teams lowers the victim's guard. UK companies should implement multi-factor authentication for all remote access requests and train staff to verify any unexpected IT contact via a separate channel.'

The attack highlights a growing trend of 'platform abuse', where criminals exploit legitimate business software to bypass traditional email phishing defences. For the UK economy, a single successful breach can lead to significant financial losses, regulatory fines, and reputational damage. Small and medium-sized enterprises (SMEs), which often lack dedicated cybersecurity teams, are particularly vulnerable.

Unit 42 advises organisations to deploy endpoint detection and response tools, restrict remote access software to authorised users only, and run regular phishing simulations that include Teams-based scenarios. Employees should be reminded that genuine IT staff will never ask for remote access without a prior verified ticket or scheduled appointment.

Why this matters: UK businesses lose millions annually to cyberattacks, and this new tactic exploits trusted workplace tools that millions of British employees use daily. Without awareness, the EtherRAT trojan could lead to data breaches, ransomware, and regulatory penalties under UK data protection laws.

What this means for you: What this means for you: If you use Microsoft Teams at work, be wary of unsolicited messages claiming to be from IT support. Always verify such requests through a separate channel before granting remote access to your computer.

Related Articles

Get the news that matters.

Join thousands of readers getting the best of British news straight to their inbox.