A recent campaign shows that attackers no longer need to exploit software vulnerabilities to get into corporate networks: deceiving people is enough. Researchers from the firm BlueVoyant have described how malicious operators contact employees of financial and healthcare organizations through Microsoft Teams to gain their trust and obtain remote access via the Quick Assist tool, then deploy a new malware they have named A0Backdoor. The analysts' full report is available on BlueVoyant's blog.
The initial vector is pure social engineering: before sending the Teams message, the attackers flood the victim's inbox with junk mail so that the subsequent contact seems legitimate and urgent. They then pose as internal support staff offering help with the unwanted-mail problem and ask the person to start a Quick Assist session. Quick Assist is a built-in Windows tool designed for remote assistance; Microsoft offers guidance on its use and risks on its official support site.

Once the attacker obtains the remote session, he introduces a chain of malicious tools that includes MSI installers posing as legitimate Teams and CrossDeviceService components (a component related to the Phone Link app). What is worrying is that these installers were digitally signed and hosted in a personal Microsoft cloud storage account, which helps them bypass basic detection controls.
The persistence and execution technique described by the researchers combines social engineering with abuse of valid system mechanisms. The installers use a technique known as DLL sideloading, in which a legitimate executable loads a malicious library placed under the file name that binary expects. MITRE documents this kind of abuse as a common form of execution flow hijacking in its ATT&CK matrix. In this case, the malicious library, identified by the analysts as hostfxr.dll, contains compressed or encrypted data that is decrypted in memory into shellcode, and execution is then handed over to that malicious code.
To hinder analysis, the malicious code creates numerous threads with CreateThread, a maneuver that can disrupt debugging or consume resources during dynamic analysis, although it does not appear to affect the normal operation of the system. The shellcode performs checks to detect laboratory or sandbox environments, and derives a key from SHA-256 that it uses to decrypt the core of A0Backdoor, which is protected with AES. The malware relocates itself in memory, resolves its essential routines and begins collecting host information through calls to Windows APIs such as DeviceIoControl, GetUserNameExW and GetComputerNameW to build a fingerprint of the compromised machine.
Another sophisticated component is how the backdoor communicates with its command center: it uses MX-type DNS queries to public resolvers, placing encoded metadata in high-entropy subdomains. The servers respond with MX records that contain encoded commands; the malware extracts and decodes the leftmost label of the returned name to recover instructions or settings. Using MX records helps the traffic blend in with legitimate activity and can evade detections that are tuned to TXT-based DNS tunneling techniques. For a better understanding of how DNS becomes an exfiltration or command-and-control channel, Cloudflare has educational material on DNS tunneling techniques.
BlueVoyant indicates that confirmed targets include a financial institution in Canada and a global healthcare organization. The researchers assess with moderate-to-high confidence that the campaign shares elements with the tactics, techniques and procedures attributed to the group behind the BlackBasta ransomware, an actor that was exposed after the leak of its internal chats. However, the firm stresses that there are new developments in this attack: the use of signed MSI installers, malicious libraries loaded by legitimate binaries, and A0Backdoor itself with its MX-record C2 channel are advances over previous campaigns.
What practical lessons does this leave for companies and users? First, that the attack surface now includes collaboration channels such as Teams and remote assistance utilities; staff training must therefore include realistic scenarios in which the attacker calls or writes while posing as support. At the technical level, it is advisable to restrict the use of Quick Assist or require additional verification before starting remote sessions, to implement policies that block the installation of MSI packages not approved by the IT department, and to strengthen the logging and inspection of DNS traffic to detect queries with high-entropy subdomains or unusual patterns in MX records.
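As an added example (not code from the BlueVoyant report or from this article), here is a small Python detector that applies the two DNS signals described above to constructed resolver log lines: MX queries whose leftmost label is long and high-entropy, grouped by the source host that issued them. The log format, the domain names and the thresholds are assumptions for the sake of the example.

```python
import math
from collections import Counter

# Constructed DNS resolver log sample (not from the BlueVoyant report).
# Assumed fields: timestamp client qtype qname rdata
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 MX example.com mail.example.com
2024-01-01T10:00:02 10.0.0.5 A www.example.com 93.184.216.34
2024-01-01T10:00:03 10.0.0.7 MX 4f9a2c7b1e0d83a6.lookup-svc.example c2ack7f3e.lookup-svc.example
2024-01-01T10:00:04 10.0.0.7 MX x8q2zk1p9v4m.lookup-svc.example 0b1c9d.lookup-svc.example
2024-01-01T10:00:05 10.0.0.9 MX contoso.com mail.contoso.com
"""

def shannon_entropy(label):
    """Bits per character; hex/base32-looking labels score far above dictionary words."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def leftmost_label(name):
    """The leftmost DNS label is where the report says encoded data is carried."""
    return name.split(".")[0]

def suspicious_mx_queries(log_text, entropy_threshold=3.2, min_label_len=10):
    """Return (client, qname, entropy) for MX lookups whose leftmost label is long and random-looking."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the whole scan
        _ts, client, qtype, qname, _rdata = parts
        if qtype.upper() != "MX":
            continue
        label = leftmost_label(qname)
        ent = shannon_entropy(label)
        if len(label) >= min_label_len and ent >= entropy_threshold:
            findings.append((client, qname, round(ent, 3)))
    return findings

def clients_to_investigate(findings, min_hits=2):
    """One odd MX lookup is noise; a series from the same host looks like a beacon."""
    hits = Counter(client for client, _q, _e in findings)
    return {c: n for c, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    found = suspicious_mx_queries(SAMPLE_LOG)
    for client, qname, ent in found:
        print(f"{client} MX {qname} entropy={ent}")
    print("hosts to investigate:", clients_to_investigate(found))
```

Thresholds should be tuned against a baseline of the organisation's own MX traffic, which in most environments is sparse and dominated by short, dictionary-like labels.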

Endpoint Detection & Response (EDR) solutions and modern threat protection platforms can help identify DLL sideloading patterns, code execution directly in memory and system fingerprinting behaviors. It is also important that security teams correlate anomalous spikes in incoming mail with subsequent contacts via Teams or other internal messaging platforms, because that pattern of "spam first, then support impersonation" is a signature of the campaign.
For individual users the recommendation is simple and direct: do not accept remote control if you do not trust the other party and cannot verify their identity through an independent channel. If someone claims to be from IT, hang up and call your department's official number; do not follow instructions received in unsolicited messages. And if you notice anything suspicious, report it immediately so that security teams can respond and contain a possible intrusion.
For those who want to dig into the technical research, BlueVoyant's report is the most complete reference available, while resources such as MITRE's ATT&CK matrix explain the abuse of DLL sideloading and Microsoft's documentation on Quick Assist details how the tool works. Understanding these separate pieces helps to see the full picture: the attackers combine social engineering with advanced technical techniques, and the defense must respond with training, technical controls and specialized monitoring.