Hackers Exploit Microsoft Teams and Quick Assist in Remote Access Campaign

Justice Ekaeze - Tech Writer
Last updated: June 5, 2026
  • Attackers used Microsoft Teams voice phishing and Windows Quick Assist to gain remote access to corporate systems.
  • The threat actors deployed Nimbus RAT, a remote access trojan that uses Google Drive and Google Sheets as command-and-control channels.
  • Researchers recorded more than 1,500 suspicious Microsoft Teams interactions across 172 organizations over the past year.

Cybercriminals are increasingly exploiting trusted workplace platforms to bypass security controls, and a newly uncovered campaign shows just how quickly they can gain access to corporate environments.

Researchers at eSentire’s Threat Response Unit (TRU) recently investigated an intrusion targeting a legal sector organization. The attackers used Microsoft Teams voice phishing to convince an employee to grant remote access through Windows Quick Assist.

Less than 20 minutes later, they had deployed Nimbus RAT, a Java-based remote access trojan designed to maintain long-term access to compromised systems.

Attackers turn trusted business platforms into entry points

The operation followed a carefully structured attack chain. The attackers first flooded the victim’s inbox with more than 280 legitimate subscription emails within a short period. The surge of messages created confusion and urgency, making the victim more likely to trust a subsequent contact posing as an internal IT representative.

The fake support agent then contacted the employee through Microsoft Teams and guided them through a series of steps. The victim launched Quick Assist and followed instructions hosted on Pastebin, ultimately allowing the attackers to take control of the device.

The final malware package came from a compromised Microsoft 365 tenant hosted on SharePoint. By using legitimate Microsoft services, the attackers made the download appear trustworthy and reduced the likelihood of raising suspicion.

Researchers found that the downloaded archive contained a malicious Java file bundled with an OpenJDK runtime. This setup allowed the malware to run on virtually any Windows machine, even when Java was not already installed.

Nimbus RAT hides behind Google services

Nimbus RAT stands out because it avoids traditional command-and-control infrastructure. Instead, it communicates through Google Drive and Google Sheets, making its network activity blend into normal enterprise traffic.

The malware retrieves instructions from files stored in attacker-controlled Google Drive accounts and uploads stolen information through the same services. Because many organizations rely heavily on Google’s cloud ecosystem, blocking this traffic without disrupting business operations can be difficult.

Researchers determined that Nimbus RAT supports a broad range of malicious functions, including command execution, file management, registry access, screenshot collection, and the deployment of additional payloads directly into memory.

The malware also includes two separate credential-theft mechanisms. One method displays a fake Windows Security prompt to trick users into entering their passwords. The second leverages the Windows CredUIPromptForCredentialsW API to harvest credentials directly from the operating system.

According to eSentire researchers, both techniques aim to collect multiple password submissions, increasing the attackers’ chances of obtaining valid credentials.

Researchers report surge in Teams-based attacks

Data collected by eSentire suggests that this campaign is part of a broader trend rather than an isolated incident.

The company reported observing 1,540 suspicious Microsoft Teams interactions across 172 organizations during a 12-month period. Researchers noted a significant increase in activity between December 2025 and March 2026.


According to the report, nearly 65 percent of the attacks originated from disposable Microsoft 365 tenants using onmicrosoft.com domains. The attackers frequently impersonated IT support staff, helpdesk teams, or internal technical personnel.

Infrastructure analysis revealed recurring patterns, including rapid domain registrations, repeated use of hosting-provider IP ranges, and large-scale tenant creation to support campaign growth. In several cases, attackers also abused compromised legitimate tenants, making phishing attempts appear even more credible.

Researchers warned that threat actors are now leveraging trusted software-as-a-service platforms throughout the entire attack lifecycle. Microsoft Teams facilitates initial contact, SharePoint delivers malware, Pastebin hosts instructions, Quick Assist provides remote access, and Google Drive powers command-and-control operations.

Because organizations cannot simply block these widely used services, defenders must focus on behavioral monitoring and cross-layer visibility. Researchers recommend watching for unusual spikes in incoming email traffic, suspicious Quick Assist activity, unexpected Java execution from non-standard directories, and outbound connections to Google APIs that align with other indicators of compromise.
