// Alert

Microsoft 365 threat report

Active social engineering campaign targets Microsoft Teams users via fake IT support calls. Threat actors impersonate helpdesk personnel using external Teams accounts to convince victims to enable screen sharing and install legitimate remote access tools. Attackers then deploy malicious MSI installers that fetch Node.js and execute EtherRAT, a cross-platform remote access trojan capable of command execution, data exfiltration, and persistence. EtherRAT uses Ethereum smart contracts to fetch C2 addresses, complicating remediation. Campaign publicly documented by Palo Alto Networks Unit 42 as of July 2026.

// Get alerts for Microsoft 365