Microsoft Teams Phishing: A0Backdoor Malware Targets Finance & Healthcare

March 10, 2026 | Sarah Wu, Tech Editor | Tech and Science

Microsoft Teams is increasingly being used as a phishing channel, and a recent campaign has used the platform to deliver a previously unseen backdoor dubbed A0Backdoor. The attacks, which have hit organizations in the financial and healthcare sectors, rely on social engineering rather than any software flaw: employees are talked into granting the attackers remote access to their machines.

The campaign begins with a flood of spam directed at employees' mailboxes. The attackers then contact the targets over Microsoft Teams, posing as internal IT support offering help with the unwanted messages. This trust-building step matters because it makes the follow-up request for remote access seem routine. Victims are guided to start a Quick Assist session, a legitimate Windows remote-help tool, which the attackers then use to deploy their toolset. The toolset consists of digitally signed MSI installers hosted on a personal Microsoft cloud storage account, so both the download location and the installer signature look legitimate to the user and to many security controls.

How the Malware Operates: DLL Sideloading and DNS Tunneling

Researchers at cybersecurity firm BlueVoyant have detailed the technical side of the attack. The malicious MSI files masquerade as legitimate Microsoft Teams components and as CrossDeviceService, a Windows component used by the Phone Link app. Once an installer runs, it sets up DLL sideloading: a legitimate, signed Microsoft binary is dropped next to a malicious library named hostfxr.dll (the name of a genuine .NET host component that such binaries load by design), and the malicious copy is what gets loaded. That library carries the next stage as compressed or encrypted data.

As BlueVoyant explains in its analysis, the sideloaded library decrypts that data into shellcode and transfers execution to it. To hinder analysis, the library calls CreateThread in a way that can crash an attached debugger while leaving normal execution largely unaffected. The shellcode then performs sandbox detection to check whether it is being analyzed, derives an AES key using SHA-256, and uses it to decrypt the AES-encrypted A0Backdoor payload.

Figure: Command line argument to install the malicious CrossDeviceService.exe (Source: BlueVoyant)

A0Backdoor then relocates itself in memory, decrypts its core routines, and begins collecting information about the compromised host, including the username and computer name, gathered through Windows API calls such as DeviceIoControl, GetUserNameExW, and GetComputerNameW. This information fingerprints the system so the operators can tailor further activity to it.

The most noteworthy aspect of A0Backdoor is its command-and-control (C2) channel. Instead of the usual HTTP or HTTPS, the malware hides its communications inside DNS. Specifically, it sends DNS MX queries whose high-entropy subdomains encode metadata about the host, and it sends them to public recursive resolvers rather than to the organization's own DNS servers. The MX records in the responses carry encoded commands for the malware to execute. As BlueVoyant points out, this lets the traffic blend in with ordinary DNS activity and can slip past controls tuned to the more common TXT-based DNS tunneling.

Figure: Captured DNS communication (Source: BlueVoyant)

Targeted Sectors and Potential Attribution

So far, the campaign has been observed targeting a financial institution in Canada and a global healthcare organization. While the attackers have succeeded in compromising systems, the full extent of the damage remains unclear. BlueVoyant assesses with moderate-to-high confidence that the campaign is an evolution of tactics, techniques, and procedures (TTPs) previously associated with the BlackBasta ransomware gang.

However, the researchers emphasize that while there are significant overlaps, the use of signed MSIs, malicious DLLs, the A0Backdoor payload, and the DNS MX-based C2 communication represent new elements not previously observed in BlackBasta operations. The BlackBasta group reportedly dissolved after internal chat logs were leaked, suggesting a possible splintering of the group or a re-organization of its operations.

Mitigation and What to Expect

Organizations should prioritize employee training on identifying and reporting phishing attempts, particularly those that arrive through Microsoft Teams rather than email. Employees should verify any request to start a remote-access session through a known channel, even when it appears to come from internal IT staff. Because the lure depends on strangers reaching staff over Teams, administrators should also review the tenant's external access (federation) settings and limit which outside domains can message users. Multi-factor authentication (MFA) remains worthwhile for stolen-credential scenarios, but it does not address this campaign directly: the victim starts the Quick Assist session voluntarily, so no credential is ever needed.

Security teams should also review DNS monitoring. Forcing all client DNS through internal resolvers and blocking direct outbound DNS to the Internet removes the public-resolver path this malware relies on, and alerting on MX queries from workstations and on long, high-entropy subdomain labels catches the channel regardless of record type. Regular patching and up-to-date endpoint protection remain essential. Given that the MSIs carry valid signatures, an application control policy that trusts any signed binary would not stop them; policies should instead allow only specific publishers or hashes, and Quick Assist itself can be removed or blocked on machines that do not need it.
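As an added example of the DNS detection logic described above (not code from BlueVoyant or from the article), the script below runs a few tunnelling heuristics over a constructed DNS query log: it flags queries that bypass the organization's resolver, labels that are long and high-entropy enough to be encoded data, and MX lookups from endpoints when they coincide with those signs. The log lines, the "example-attacker.net" zone, the resolver lists and the thresholds are all assumptions for the example; the entropy test is applied to every record type, not only MX, so it generalizes beyond the specific case in the text.

```python
import math
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample of endpoint DNS query logs (ts, client, resolver, qtype, qname).
# These lines are invented for the example, not captures from the BlueVoyant report;
# the "example-attacker.net" zone and the hex labels are illustrative only.
SAMPLE_LOG = """\
1710000001.100 10.0.5.21 10.0.0.53 A teams.microsoft.com
1710000002.300 10.0.5.21 8.8.8.8 MX 7f3a9c1e4b2d8a6f5c0e.9b2e4d7a1c3f.example-attacker.net
1710000003.050 10.0.5.21 8.8.8.8 MX 2c8d4e1f9a7b3c5e0d6f.a4c1e8b2d7f3.example-attacker.net
1710000004.400 10.0.5.33 10.0.0.53 MX mail.contoso.com
1710000005.200 10.0.5.21 1.1.1.1 MX e1b2c3d4f5a6b7c8d9e0.f0e1d2c3b4a5.example-attacker.net
1710000006.800 10.0.5.44 10.0.0.53 TXT _dmarc.contoso.com
"""

# Assumptions for this example: the org's sanctioned resolver, a short list of
# well-known public recursive resolvers, and thresholds to tune per environment.
INTERNAL_RESOLVERS = {"10.0.0.53"}
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
ENTROPY_THRESHOLD = 3.5   # bits per character; hex/base32 payload labels sit near 4-5
MIN_ENCODED_LEN = 16      # ignore short dictionary-like labels such as "mail"
ZONE_LABELS = 2           # crude: treat the last two labels as the registered domain


@dataclass
class Finding:
    ts: float
    client: str
    resolver: str
    qtype: str
    qname: str
    reasons: list = field(default_factory=list)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def encoded_labels(qname: str) -> list:
    """Leftmost labels that could carry attacker data, excluding the registered zone."""
    labels = qname.rstrip(".").split(".")
    return labels[:-ZONE_LABELS] if len(labels) > ZONE_LABELS else []


def inspect_query(ts: float, client: str, resolver: str, qtype: str, qname: str) -> Finding:
    """Apply the tunnelling heuristics to one query and record why it was flagged."""
    f = Finding(ts, client, resolver, qtype, qname)
    # 1. Endpoints should only talk to the internal resolver; a direct query to a
    #    public recursive resolver bypasses the organization's DNS logging and filtering.
    if resolver not in INTERNAL_RESOLVERS:
        f.reasons.append("bypasses internal resolver")
        if resolver in PUBLIC_RESOLVERS:
            f.reasons.append("well-known public resolver")
    # 2. Long, high-entropy labels look like encoded payloads rather than hostnames.
    for label in encoded_labels(qname):
        if len(label) >= MIN_ENCODED_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD:
            f.reasons.append(f"high-entropy label ({len(label)} chars)")
            break
    # 3. MX is an unusual type for a workstation to ask about (mail clients do not
    #    resolve MX; mail servers do), so note it as corroboration, not on its own.
    if qtype == "MX" and f.reasons:
        f.reasons.append("MX query from endpoint")
    return f


def analyze(log_text: str) -> list:
    """Parse the whitespace-separated log and return only the flagged queries."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, resolver, qtype, qname = line.split()
        f = inspect_query(float(ts), client, resolver, qtype, qname)
        if f.reasons:
            findings.append(f)
    return findings


def clients_by_hits(findings: list) -> dict:
    """Count flagged queries per client so beaconing hosts float to the top."""
    return dict(Counter(f.client for f in findings))


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for f in hits:
        print(f"{f.client} -> {f.resolver} {f.qtype} {f.qname}: {', '.join(f.reasons)}")
    print(clients_by_hits(hits))
```

On the sample log only the three MX queries from 10.0.5.21 are flagged: each goes straight to a public resolver and carries a 20-character hex label with an entropy of about 3.92 bits per character, while the legitimate MX lookup for mail.contoso.com and the _dmarc TXT query pass through untouched. In production the ZONE_LABELS shortcut should be replaced with a public-suffix lookup, and the per-client counts should be compared against a baseline so the alert fires on the beaconing pattern rather than on a single odd query.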

The evolution of tactics observed in this campaign highlights the ongoing need for vigilance and adaptation in the face of increasingly sophisticated cyber threats. The use of legitimate tools like Quick Assist and the obfuscation of C2 communication through DNS tunneling demonstrate the attackers’ ability to blend in with normal network activity. Continued research and information sharing within the cybersecurity community will be crucial in tracking and mitigating these evolving threats.
