CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 04, 2026

Hackers Abusing Microsoft Teams and Google Drive to Deploy Remote Access Malware

Cybersecurity News Archived Jun 04, 2026 ✓ Full text saved

Hackers are increasingly abusing trusted enterprise platforms such as Microsoft Teams and Google Drive to deploy stealthy remote access malware, with a newly observed campaign leveraging social engineering and cloud-based command-and-control to evade detection. In early April 2026, eSentire’s Threat Response Unit (TRU) identified a targeted intrusion against a legal sector organization in which attackers […] The post Hackers Abusing Microsoft Teams and Google Drive to Deploy Remote Access Malwar

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Hackers Abusing Microsoft Teams and Google Drive to Deploy Remote Access Malware By Abinaya June 4, 2026 Hackers are increasingly abusing trusted enterprise platforms such as Microsoft Teams and Google Drive to deploy stealthy remote access malware, with a newly observed campaign leveraging social engineering and cloud-based command-and-control to evade detection. In early April 2026, eSentire’s Threat Response Unit (TRU) identified a targeted intrusion against a legal sector organization in which attackers used Microsoft Teams voice phishing to trick a user into granting remote access via Windows Quick Assist. Within minutes, the threat actor delivered a Java-based remote access trojan known as Nimbus RAT, completing the compromise in under 20 minutes. Nimbus RAT Attack Flow Diagram(source : esentire) The attack followed a structured, repeatable kill chain, highlighting the growing operational maturity of these campaigns. It began with an email bombing phase, where the victim’s inbox was flooded with over 280 legitimate subscription emails in a short window. This created confusion and urgency, setting the stage for a fake IT helpdesk contact on Microsoft Teams.  Email Bombing Volume Chart – April 6, 2026(source : esentire) Posing as internal support staff, the attacker convinced the user to launch Quick Assist and follow step-by-step instructions delivered via a Pastebin link. The final payload was retrieved from a compromised Microsoft 365 tenant hosted on SharePoint, further reinforcing the illusion of legitimacy. The downloaded archive contained a malicious Java archive, bundled with an OpenJDK runtime, allowing execution on any Windows system regardless of installed dependencies. Once executed, Nimbus RAT established persistence and initiated encrypted communications with its command-and-control infrastructure. Hackers Abuse Teams, Drive for Malware A defining feature of Nimbus RAT is its use of Google Drive and Google Sheets as C2 channels. Teams Sender Infrastructure Breakdown (source : esentire) Instead of traditional malicious infrastructure, the malware communicates with legitimate Google APIs, making network-level detection extremely difficult. Commands are fetched from attacker-controlled Google Drive files, and exfiltrated data is uploaded in the same way. This design ensures that traffic blends seamlessly with normal enterprise cloud activity.  Quick Assist Launch and Initial Recon using cmd (source : esentire) Static analysis reveals that Nimbus RAT is a modular and highly capable implant. It supports arbitrary command execution, file system manipulation, registry access, screenshot capture, and in-memory execution of second-stage payloads. Notably, it includes dual credential-harvesting mechanisms: a fake Windows Security prompt and direct API invocation via CredUIPromptForCredentialsW. Nimbus RAT C2 Architecture Diagram(source : esentire) Both techniques are designed to capture multiple password attempts to improve success rates. eSentire’s Threat Response Unit (TRU) telemetry indicates this is not an isolated incident. eSentire Threat Response Unit said in a report shared with Cybersecurity News that researchers observed 1,540 suspicious Microsoft Teams interactions across 172 organizations over 12 months, with a sharp rise between December 2025 and March 2026. Nearly 65 percent of these attacks originated from throwaway Microsoft 365 tenants using onmicrosoft.com domains, often impersonating IT support or helpdesk personnel. Infrastructure analysis shows consistent attacker patterns, including rapid domain registration. top TLDs, reuse of hosting provider IP ranges, and large-scale tenant creation for campaign scalability. In some cases, compromised legitimate tenants were also used, increasing the credibility of phishing attempts and reducing user suspicion. The broader implication is a shift toward abusing trusted SaaS ecosystems at every stage of the attack lifecycle. Microsoft Teams is used for initial access, SharePoint for payload delivery, Pastebin for instruction staging, Quick Assist for remote control, and Google Drive for command-and-control. Full Kill Chain Timeline (source : esentire) Because these platforms are widely used and cannot be easily blocked, defenders must rely on behavioral detection and cross-layer visibility. Security teams are advised to monitor for unusual mailbox activity such as sudden spikes in inbound email volume, which often precede vishing attempts. Endpoint telemetry remains critical, particularly in identifying suspicious execution of javaw.exe from non-standard directories and correlating it with outbound connections to Google APIs. This campaign underscores how threat actors are blending social engineering with legitimate cloud services to bypass traditional defenses. As enterprises rely more on SaaS platforms, the need for context-aware detection strategies that focus on user behavior, process activity, and identity signals, rather than domain-based blocking alone, grows. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Multiple Red Hat Cloud Services npm Packages Compromised to Deploy Credential-Stealing Malware New Gogs 0-Day Vulnerability Lets Attackers Run Malicious Code on the Server Remotely MicrosoftSystem64 Malware Uses HuggingFace Datasets for Stealthy Data Exfiltration CISA Warns of Two-Year-Old Oracle WebLogic Server Vulnerability Exploited in Attacks SolyxImmortal Python Malware Steals Browser Passwords, Cookies, Files, and Keystrokes Latest News Cyber Security Comodo Internet Security 0-Day Vulnerability Lets Attacker Crash the User’s Windows System Cyber Security News Cisco Unified Communications Manager Vulnerability Exposed Along With PoC Exploit Code Android CISA Warns of Android Framework Integer Overflow Vulnerability Exploited in Attacks Cyber Security News Hackers Use Fake Chrome Web Store Copyright Notices to Steal Google Credentials Cyber Security News Acer Working to Patch Wave 7 Router 0-day Vulnerability
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 04, 2026
    Archived
    Jun 04, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗