On July 6, 2026, cybersecurity researchers identified a new campaign that tricks Windows users through fake Microsoft Teams calls from an external "system administrator" to install a remote access trojan (RAT) dubbed EtherRAT. The multi-stage attack combines a convincing phishing email, social engineering via Teams, and a malicious Windows Installer package, ultimately granting attackers full control over compromised machines.
The multi-stage attack chain
According to the report, the attack begins with a seemingly routine phishing email impersonating a trusted service or internal department. The email contains a link or attachment that initiates a connection to an external Microsoft Teams account. Unlike typical phishing, this email is merely the setup—the real manipulation happens during a live, unsolicited Teams call.
Once the victim clicks, they receive a Microsoft Teams meeting invitation from an account labeled as “System Administrator” or a similar technical support role. Because Microsoft Teams often displays external users with an "[External]" tag, attackers rely on inattentional blindness or clever naming to bypass suspicion. The caller speaks with authority, claiming there is an urgent system issue that requires immediate remote assistance.
During the call, the attacker persuades the victim to download and run a Windows Installer (.msi) file—ostensibly a support tool but actually a dropper for the EtherRAT payload. The installer may be hosted on a lookalike domain or delivered directly through Teams file sharing. Once executed, it installs the RAT silently while also deploying legitimate remote monitoring and management (RMM) tools such as AnyDesk, TeamViewer, or other commonly abused utilities. These legitimate tools help the attacker maintain persistence and blend in with normal enterprise traffic, making detection more difficult.
What EtherRAT does once installed
EtherRAT is a full-featured remote access trojan that gives attackers control over the infected device. While specifics of this variant are still under analysis, such RATs typically enable:
- Live screen viewing and recording
- Keylogging to capture credentials and sensitive text
- File exfiltration—copying documents, databases, and emails
- Webcam and microphone activation
- Installation of additional malware or ransomware
- Lateral movement within networks to compromise more systems
The combination of a stealthy RAT and legitimate RMM tools is particularly dangerous. Even if security software flags EtherRAT, the attacker may retain access through the pre-installed legitimate remote access software, allowing them to re-infect or continue reconnaissance.
What this means for everyday Windows users
For the average home user or remote worker, this campaign underscores that attackers are exploiting trust in Microsoft Teams—a platform many users consider safe and internal. The key takeaways:
- Unsolicited Teams calls from external accounts are a major red flag. If you don’t know the caller or weren’t expecting the call, hang up immediately.
- Real IT support will never demand you install software under pressure. Legitimate admins use pre-approved support channels, not impromptu Teams meetings.
- The “External” label matters. Train yourself to notice it; though attackers can obscure names, the tag is your first line of defense.
- Be wary of .msi files. Unlike executable files, Windows Installer packages can sometimes bypass less strict email or browser filters.
What IT administrators need to know
For sysadmins, this campaign is a wake-up call to tighten Teams external access policies and user awareness. Key actions:
- Restrict external communications in Teams admin center. Set external access to “Allow only specific external domains” or block entirely if not needed. This prevents unknown external accounts from initiating calls or chats.
- Enable external user activity logging. Monitor for spikes in calls from external parties, especially those with suspiciously administrative-sounding display names.
- Deploy advanced phishing protection. Configure Microsoft Defender for Office 365 to scan shared files and block payloads like malicious .msi files.
- Educate users about this specific modus operandi. Regular security training should now include “unexpected Teams calls from external admins” as a core scam scenario.
- Flag or disable RMM tools. If your organization doesn’t use Remote Monitoring and Management software, block their installation via AppLocker or Windows Defender Application Control (WDAC).
Microsoft has acknowledged social engineering attacks via Teams in the past. While the company provides tools to mitigate external user risks, default settings still allow external users to call individuals unless actively locked down by an admin.
How we got here: The rise of social engineering via collaboration tools
The EtherRAT campaign is not an isolated incident—it’s the latest escalation in a trend that began in earnest in 2023.
In June 2023, researchers demonstrated a tool called “TeamsPhisher” that allowed attackers to send malware-laced attachments to Teams users from external tenants. That same year, a Midnight Blizzard attack (attributed to a nation-state group) compromised Microsoft corporate email accounts through Teams-based social engineering. In 2024, APT29 (Cozy Bear) targeted government agencies via fake Teams messages impersonating help desks.
By July 2025, Microsoft introduced enhanced security defaults for Teams, including mandatory external tagging and additional friction before accepting external messages. However, determined attackers have adapted—moving from text-based phishing to real-time voice calls, which feel more authentic and are harder for both users and automated filters to flag.
The EtherRAT campaign’s use of a live caller is a natural progression. Voice interaction lowers the victim’s guard, and the urgency of a “system administrator” demanding immediate action bypasses rational caution.
Immediate steps to protect yourself and your organization
For individual users:
1. Hang up and verify. If you receive an unsolicited Teams call from someone claiming to be IT, end the call. Contact your actual support team through an official channel (ticket system, direct phone line).
2. Never run unknown installers. If you are asked to download any file during a cold call, refuse. IT departments push software through managed deployment, not ad-hoc file shares.
3. Report the incident. In Teams, you can report an external user as phishing by clicking “…” on the chat or call and selecting “Report a concern.”
For IT and security teams:
1. Review external access policies under Teams Admin Center > Users > External access. Set to “Allow only specific external domains” and list only trusted partners.
2. Train help desk staff to recognize that attackers may impersonate them; ensure they never ask for password resets or software installs via unsolicited Teams calls.
3. Deploy endpoint detection and response (EDR) rules that alert on anomalous parental-legal RMM tool usage — especially if the tool isn’t part of your approved software catalog.
4. Regularly test your environment with simulated phishing exercises that include fake Teams calls; measure and improve user response rates.
5. Apply the principle of least privilege to user accounts; a RAT is far less dangerous if the compromised user doesn’t have local admin rights.
The road ahead: Will Microsoft tighten Teams security?
The EtherRAT campaign exposes a gap between platform capabilities and user assumptions. While Teams provides external tagging and admin controls, the defaults are permissive, and social engineering has proven adept at bypassing the friction added over the last two years.
Microsoft will likely face increased pressure to enable more aggressive external communication blocks by default, especially for tenants that don’t regularly collaborate with external parties. Features like voice call interception, where an AI could flag a caller claiming to be internal staff, may be on the roadmap—but they introduce privacy and trust concerns.
For now, the most effective defense is a combination of technical restrictions and user education. As remote and hybrid work cement collaboration platforms as critical business infrastructure, expect more campaigns like EtherRAT that exploit the inherent trust users place in these tools.