Hackers Abusing Microsoft Teams and Google Drive to Deploy Remote Access Malware

June 4, 2026

Hackers are increasingly abusing trusted enterprise platforms such as Microsoft Teams and Google Drive to deploy stealthy remote access malware, with a newly observed campaign leveraging social engineering and cloud-based command-and-control to evade detection.

In early April 2026, eSentire’s Threat Response Unit (TRU) identified a targeted intrusion against a legal sector organization in which attackers used Microsoft Teams voice phishing to trick a user into granting remote access via Windows Quick Assist.

Within minutes, the threat actor delivered a Java-based remote access trojan known as Nimbus RAT, completing the compromise in under 20 minutes.

Nimbus RAT Attack Flow Diagram (source: eSentire)

The attack followed a structured, repeatable kill chain, highlighting the growing operational maturity of these campaigns.

It began with an email bombing phase, where the victim’s inbox was flooded with over 280 legitimate subscription emails in a short window.

This created confusion and urgency, setting the stage for a fake IT helpdesk contact on Microsoft Teams.

Email Bombing Volume Chart, April 6, 2026 (source: eSentire)

Posing as internal support staff, the attacker convinced the user to launch Quick Assist and follow step-by-step instructions delivered via a Pastebin link.

The final payload was retrieved from a compromised Microsoft 365 tenant hosted on SharePoint, further reinforcing the illusion of legitimacy.

The downloaded archive contained a malicious Java archive, bundled with an OpenJDK runtime, allowing execution on any Windows system regardless of installed dependencies.

Once executed, Nimbus RAT established persistence and initiated encrypted communications with its command-and-control infrastructure.

Hackers Abuse Teams, Drive for Malware

A defining feature of Nimbus RAT is its use of Google Drive and Google Sheets as C2 channels.

Teams Sender Infrastructure Breakdown (source: eSentire)

Instead of traditional malicious infrastructure, the malware communicates with legitimate Google APIs, making network-level detection extremely difficult.

Commands are fetched from attacker-controlled Google Drive files, and exfiltrated data is uploaded in the same way. This design ensures that traffic blends seamlessly with normal enterprise cloud activity.

Quick Assist Launch and Initial Recon using cmd (source: eSentire)

Static analysis reveals that Nimbus RAT is a modular and highly capable implant. It supports arbitrary command execution, file system manipulation, registry access, screenshot capture, and in-memory execution of second-stage payloads.

Notably, it includes dual credential-harvesting mechanisms: a fake Windows Security prompt and direct API invocation via CredUIPromptForCredentialsW.

Nimbus RAT C2 Architecture Diagram (source: eSentire)

Both techniques are designed to capture multiple password attempts to improve success rates. eSentire’s Threat Response Unit (TRU) telemetry indicates this is not an isolated incident.

eSentire Threat Response Unit said in a report shared with Cybersecurity News that researchers observed 1,540 suspicious Microsoft Teams interactions across 172 organizations over 12 months, with a sharp rise between December 2025 and March 2026.

Nearly 65 percent of these attacks originated from throwaway Microsoft 365 tenants using onmicrosoft.com domains, often impersonating IT support or helpdesk personnel.

Infrastructure analysis shows consistent attacker patterns, including rapid domain registration, a small set of preferred TLDs, reuse of hosting provider IP ranges, and large-scale tenant creation to scale campaigns.

In some cases, compromised legitimate tenants were also used, increasing the credibility of phishing attempts and reducing user suspicion.

The broader implication is a shift toward abusing trusted SaaS ecosystems at every stage of the attack lifecycle.

Microsoft Teams is used for initial access, SharePoint for payload delivery, Pastebin for instruction staging, Quick Assist for remote control, and Google Drive for command-and-control.

Full Kill Chain Timeline (source: eSentire)

Because these platforms are widely used and cannot be easily blocked, defenders must rely on behavioral detection and cross-layer visibility.

Security teams are advised to monitor for unusual mailbox activity such as sudden spikes in inbound email volume, which often precede vishing attempts.

Endpoint telemetry remains critical, particularly in identifying suspicious execution of javaw.exe from non-standard directories and correlating it with outbound connections to Google APIs.
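The correlation described above, as an added example that is not part of the original article or eSentire's report: a toy detection that flags javaw.exe launched from a non-standard directory and then correlates that process with an outbound connection to Google APIs within a short window. The telemetry schema, the allow-list of standard Java directories, the Google domain suffixes and the sample events are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Directories where a javaw.exe launch is expected; anything else is suspect.
# This allow-list is an assumption for the example, not from the report.
STANDARD_JAVA_DIRS = (
    r"C:\Program Files\Java",
    r"C:\Program Files (x86)\Java",
)
GOOGLE_API_SUFFIXES = ("googleapis.com", "drive.google.com", "docs.google.com")
WINDOW = timedelta(minutes=5)  # max gap between launch and first Google call

def is_nonstandard_javaw(image_path):
    p = PureWindowsPath(image_path)
    if p.name.lower() != "javaw.exe":
        return False
    return not any(str(p).lower().startswith(d.lower()) for d in STANDARD_JAVA_DIRS)

def correlate(events):
    """events: dicts with keys ts (ISO 8601), type ('process'|'network'), pid,
    plus image (process) or dest (network). Returns a list of alert strings."""
    suspects = {}  # pid -> (launch time, image path) for suspicious javaw.exe
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process" and is_nonstandard_javaw(ev["image"]):
            suspects[ev["pid"]] = (ts, ev["image"])
        elif ev["type"] == "network" and ev["pid"] in suspects:
            start, image = suspects[ev["pid"]]
            dest = ev["dest"].lower()
            if ts - start <= WINDOW and dest.endswith(GOOGLE_API_SUFFIXES):
                alerts.append(f"pid {ev['pid']}: {image} -> {ev['dest']}")
    return alerts

# Constructed sample telemetry (paths, pids and timestamps are invented).
SAMPLE = [
    {"ts": "2026-04-06T14:02:10", "type": "process", "pid": 4412,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\jdk\bin\javaw.exe"},
    {"ts": "2026-04-06T14:02:31", "type": "network", "pid": 4412,
     "dest": "www.googleapis.com"},
    {"ts": "2026-04-06T14:03:00", "type": "process", "pid": 5120,
     "image": r"C:\Program Files\Java\jre-17\bin\javaw.exe"},
    {"ts": "2026-04-06T14:03:05", "type": "network", "pid": 5120,
     "dest": "www.googleapis.com"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print("ALERT", alert)
```

Only the first process triggers an alert: the second runs from the allow-listed Java directory, so its Google API traffic is treated as ordinary activity.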

This campaign underscores how threat actors are blending social engineering with legitimate cloud services to bypass traditional defenses.

As enterprises rely more heavily on SaaS platforms, context-aware detection that focuses on user behavior, process activity, and identity signals, rather than domain-based blocking alone, becomes increasingly necessary.
