Mandiant: Fake Teams Help Desk Deploys Info-Stealing Malware
Mandiant details a social engineering campaign where attackers pose as Microsoft Teams help desk staff to trick victims into installing malware that steals credentials and session…

Executive Summary
Mandiant researchers have identified an active social engineering campaign in which attackers impersonate Microsoft Teams help desk personnel to trick corporate employees into installing malware that steals credentials and session tokens. The campaign, detailed in a report published April 27, 2026, relies on phone calls and Teams messages to direct victims to fake support portals that deliver remote access trojans (RATs). Mandiant has observed the operation targeting organizations in the technology and financial services sectors across North America and Europe.
Technical Analysis
The attack chain begins with a phone call or Teams message from an individual claiming to be a Microsoft support technician. The attacker informs the target of a fabricated issue with their Teams account — such as a license expiration or security alert — and offers to assist. The victim is then directed to a URL that mimics a legitimate Microsoft support portal. According to Mandiant, the landing page prompts the user to download a remote management tool disguised as a diagnostic utility. Once executed, the payload establishes persistent access, exfiltrates browser-stored credentials, and captures session tokens for Microsoft 365 and other cloud services.
Mandiant noted that the attackers use publicly available information — including employee names, titles, and organizational structures — to personalize the lures and build credibility. The infrastructure includes domains registered days before the attack, often using TLS certificates that mimic Microsoft's certificate authority. The researchers stated that the campaign shows moderate operational security, with some C2 servers taken offline within 48 hours of first contact.
Mitigations & Recommendations
Mandiant recommends that organizations implement strict verification procedures for any unsolicited IT support contact, including callback to a known internal number. Defenders should also enforce multifactor authentication (MFA) resistant to token theft — such as FIDO2 security keys — and monitor for unusual remote access tool installations. User awareness training should specifically cover help desk impersonation scenarios, as traditional phishing training often omits voice and chat-based lures.