UK businesses are being warned about a sophisticated social engineering campaign in which attackers pose as IT support staff on Microsoft Teams to trick employees into installing malware. Researchers at Unit 42, the threat intelligence arm of Palo Alto Networks, have identified the scheme where fraudsters contact workers directly via the messaging platform, claiming to be from the company's internal helpdesk.
The attackers persuade victims to hand over remote control of their computers, ostensibly to fix a technical issue. Once access is granted, the criminals deploy a trojan known as EtherRAT, which can exfiltrate data, capture keystrokes, and give persistent backdoor access to the victim's machine. The campaign appears to target organisations across multiple industries, including finance, legal, and technology sectors.
For UK businesses, the implications are stark. With remote and hybrid working now firmly embedded, reliance on collaboration tools like Microsoft Teams has soared. The UK's Information Commissioner's Office (ICO) has previously stressed that organisations must have robust verification processes for IT support requests. Meanwhile, the European Union's AI Act, which is influencing regulatory thinking in Britain, emphasises the need for transparency and security in digital communications tools.
Dr. Matthew Green, a cybersecurity researcher at the University of Surrey, described the attack as a 'classic social engineering play, but with a modern twist'. He added: 'The use of a trusted platform like Teams lowers the victim's guard. UK companies should implement multi-factor authentication for all remote access requests and train staff to verify any unexpected IT contact via a separate channel.'
The attack highlights a growing trend of 'platform abuse', where criminals exploit legitimate business software to bypass traditional email phishing defences. For the UK economy, a single successful breach can lead to significant financial losses, regulatory fines, and reputational damage. Small and medium-sized enterprises (SMEs), which often lack dedicated cybersecurity teams, are particularly vulnerable.
Unit 42 advises organisations to deploy endpoint detection and response tools, restrict remote access software to authorised users only, and run regular phishing simulations that include Teams-based scenarios. Employees should be reminded that genuine IT staff will never ask for remote access without a prior verified ticket or scheduled appointment.