What Is the EtherRAT Microsoft Teams Attack?
EtherRAT Microsoft Teams attacks represent a dangerous new threat vector that Australian businesses must take seriously. Cybercriminals are now exploiting Microsoft Teams voice calls to impersonate corporate IT support staff, tricking unsuspecting employees into installing the EtherRAT malware directly onto company systems. This sophisticated social engineering campaign gives attackers immediate access to corporate networks, bypassing traditional email-based security controls entirely.
First reported by BleepingComputer in July 2026, this attack methodology demonstrates how threat actors continue to evolve their tactics. By leveraging the trusted communication platform that millions of businesses rely on daily, attackers have found a highly effective way to breach organisational defences.
“Threat actors are abusing Microsoft Teams voice calls by impersonating corporate IT support staff to trick employees into installing the EtherRAT malware, giving attackers initial access to corporate networks.”
— Source: BleepingComputer
How Does This EtherRAT Attack Work?
Understanding the attack methodology is crucial for implementing effective defences. The EtherRAT Microsoft Teams campaign follows a carefully orchestrated sequence designed to exploit human trust and corporate communication norms.
Initial Contact and Social Engineering
Attackers begin by initiating voice calls through Microsoft Teams, often using display names that mimic legitimate IT department naming conventions. They may reference recent system updates, security patches, or known technical issues to establish credibility with their targets.
The social engineering techniques employed are highly sophisticated. Attackers often:
- Research target organisations through LinkedIn and company websites
- Time calls during busy periods when employees are less vigilant
- Use technical jargon to appear legitimate
- Create artificial urgency around “critical security updates”
- Reference real internal systems or recent company announcements
Malware Deployment Phase
Once trust is established, the attacker guides the victim through installing what they claim is a legitimate remote support tool or security update. In reality, victims download and execute the EtherRAT remote access trojan, which immediately establishes persistence on the compromised system.
EtherRAT provides attackers with comprehensive capabilities including:
- Full remote desktop control
- Keylogging and credential harvesting
- File system access and data exfiltration
- Lateral movement across corporate networks
- Deployment of additional malware payloads
Why Are Microsoft Teams Attacks So Effective?
Microsoft Teams has become ubiquitous in modern workplaces, particularly since the shift toward remote and hybrid working models. This widespread adoption creates a perfect environment for attackers to exploit.
Trust factors play a significant role in the success of these attacks. Employees inherently trust internal communication platforms more than external emails or phone calls. When a call comes through Teams, there’s an implicit assumption that the caller has some legitimate connection to the organisation.
Additionally, many organisations have configured Teams to allow external communications, enabling attackers to initiate contact without requiring compromised internal accounts. This configuration gap represents a significant vulnerability that security teams must address.
Business Impact and Risk Assessment
The consequences of a successful EtherRAT infection extend far beyond the initially compromised endpoint. Organisations face multiple layers of risk that can escalate rapidly.
Immediate Technical Risks
Once EtherRAT establishes a foothold, attackers typically move quickly to escalate privileges and spread laterally across the network. This initial access often serves as the precursor to more damaging attacks, including:
- Ransomware deployment across critical business systems
- Data theft and intellectual property exfiltration
- Business email compromise schemes
- Supply chain attacks targeting connected partners
Financial and Regulatory Consequences
Australian businesses must consider the regulatory implications under the Notifiable Data Breaches scheme and potential penalties under the Privacy Act 1988. The financial impact of a significant breach can include incident response costs, regulatory fines, legal fees, and substantial reputational damage.
For organisations seeking to assess their current vulnerability to these attack vectors, our vulnerability management services provide comprehensive evaluation of communication platform security configurations.
How to Protect Your Organisation from EtherRAT Microsoft Teams Attacks
Defending against this threat requires a multi-layered approach combining technical controls, policy updates, and employee awareness training.
Technical Security Controls
Implement these critical technical measures immediately:
- Restrict external Teams communications — Configure Microsoft Teams to block or limit calls from external organisations
- Deploy endpoint detection and response (EDR) — Modern EDR solutions can detect EtherRAT installation attempts
- Enable application whitelisting — Prevent unauthorised software execution on corporate endpoints
- Implement network segmentation — Limit lateral movement opportunities for attackers
- Configure conditional access policies — Require additional verification for sensitive operations
Policy and Process Updates
Establish clear protocols for IT support interactions:
- Document and communicate official IT support procedures
- Implement callback verification for any remote support requests
- Create internal channels for reporting suspicious Teams calls
- Require ticket numbers before any remote access sessions
Security Awareness Training
Employees represent both the target and the first line of defence. Regular training should cover:
- Recognition of social engineering tactics
- Verification procedures for IT support requests
- Reporting mechanisms for suspicious communications
- Real-world examples of Teams-based attacks
Frequently Asked Questions
What is EtherRAT malware?
EtherRAT is a remote access trojan (RAT) that provides attackers with comprehensive control over infected systems. Once installed, it enables credential theft, file access, keylogging, and further malware deployment. In the current campaign, it’s being distributed through fake IT support calls on Microsoft Teams.
How can I verify if a Teams call is from legitimate IT support?
Always verify IT support requests through established channels. Contact your IT helpdesk directly using known contact information—not details provided by the caller. Legitimate IT support staff will have ticket numbers and can verify their identity through internal systems. Never install software based solely on a Teams call request.
Can Microsoft Teams external access be disabled completely?
Yes, Microsoft 365 administrators can configure Teams to block all external communications or restrict access to specific trusted domains. While this may impact legitimate collaboration needs, it significantly reduces the risk of impersonation attacks. Review your Microsoft Teams external access policies in the Teams admin centre.
Key Takeaways
- EtherRAT Microsoft Teams attacks exploit trusted communication platforms to bypass traditional security controls
- Attackers impersonate IT support staff to trick employees into installing malware
- Technical controls must be combined with policy updates and staff training
- Restricting external Teams communications significantly reduces attack surface
- Verification procedures for IT support requests are essential defensive measures
Conclusion
The emergence of EtherRAT Microsoft Teams attacks represents a significant evolution in social engineering tactics targeting Australian businesses. As threat actors continue exploiting trusted communication platforms, organisations must adapt their security strategies accordingly. The combination of technical controls, clear policies, and ongoing security awareness training provides the most effective defence against these sophisticated campaigns.
Don’t wait for an attack to expose vulnerabilities in your communication platform security. Speak with our security team today to assess your Microsoft Teams configuration and implement robust protections against emerging threats like EtherRAT.
