Hackers Abuse Microsoft Teams & Google Drive for RAT Deployment


Sarah simpson
June 4, 2026 · 4 Min Read

Hackers are exploiting trusted enterprise platforms like Microsoft Teams and Google Drive to deploy stealthy remote access malware. A newly observed campaign leverages social engineering and cloud-based command-and-control to evade detection.

In early April 2026, eSentire’s Threat Response Unit (TRU) identified a targeted intrusion against a legal sector organization in which attackers used Microsoft Teams voice phishing to trick a user into granting remote access via Windows Quick Assist.

Within minutes, the threat actor delivered a Java-based remote access trojan known as Nimbus RAT, completing the compromise in under 20 minutes.

Nimbus RAT Attack Flow Diagram (source: eSentire)

The attack followed a structured, repeatable kill chain, highlighting the growing operational maturity of these campaigns.

It began with an email bombing phase, in which the victim's inbox was flooded with more than 280 newsletter and subscription emails from legitimate senders within a short window.

This created confusion and urgency, setting the stage for a fake IT helpdesk contact on Microsoft Teams.

Email Bombing Volume Chart, April 6, 2026 (source: eSentire)

Posing as internal support staff, the attacker convinced the user to launch Quick Assist and follow step-by-step instructions delivered via a Pastebin link.

The final payload was retrieved from SharePoint in a compromised Microsoft 365 tenant, further reinforcing the illusion of legitimacy.

The downloaded archive contained a malicious Java archive (JAR) bundled with its own OpenJDK runtime, so it runs on any Windows system whether or not Java is installed.

Once executed, Nimbus RAT established persistence and initiated encrypted communications with its command-and-control infrastructure.

Hackers Abuse Teams, Drive for Malware

A defining feature of Nimbus RAT is its use of Google Drive and Google Sheets as C2 channels.

Teams Sender Infrastructure Breakdown (source: eSentire)

Instead of dedicated malicious infrastructure, the malware talks to legitimate Google APIs over TLS, so domain- and IP-based blocking at the network layer is largely ineffective.

Commands are fetched from attacker-controlled Google Drive files, and exfiltrated data is uploaded in the same way. This design ensures that traffic blends seamlessly with normal enterprise cloud activity.

Quick Assist Launch and Initial Recon using cmd (source: eSentire)

Static analysis reveals that Nimbus RAT is a modular and highly capable implant. It supports arbitrary command execution, file system manipulation, registry access, screenshot capture, and in-memory execution of second-stage payloads.

Notably, it includes dual credential-harvesting mechanisms: a fake Windows Security prompt and direct API invocation via CredUIPromptForCredentialsW.

Nimbus RAT C2 Architecture Diagram (source: eSentire)

Both techniques are designed to capture multiple password attempts to improve success rates.

TRU telemetry indicates this is not an isolated incident.

eSentire Threat Response Unit said in a report shared with Cybersecurity News that researchers observed 1,540 suspicious Microsoft Teams interactions across 172 organizations over 12 months, with a sharp rise between December 2025 and March 2026.

Nearly 65 percent of these attacks originated from throwaway Microsoft 365 tenants using onmicrosoft.com domains, often impersonating IT support or helpdesk personnel.

Infrastructure analysis shows consistent attacker patterns, including rapid domain registration, concentration in a small set of top-level domains, reuse of hosting-provider IP ranges, and large-scale tenant creation to scale campaigns.

In some cases, compromised legitimate tenants were also used, increasing the credibility of phishing attempts and reducing user suspicion.
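The sender patterns above (external tenants still on their default onmicrosoft.com address, display names claiming an IT or helpdesk role, the same tenant reused across many targets) translate directly into a triage rule. The script below is an added example, not eSentire's or the article's code; the message fields (sender_upn, display_name, recipient) and the helpdesk word list are assumptions for the example rather than a real Teams audit-log schema, and the sample messages are constructed.

```python
import re
from collections import Counter

# Display names that claim an IT/helpdesk role (assumed word list for the example).
HELPDESK_TERMS = re.compile(r"\b(it|help ?desk|service ?desk|support|admin)\b", re.I)


def teams_sender_indicators(msg, own_domains):
    """Risk indicators for one inbound Teams chat or call request.
    `msg` fields (sender_upn, display_name) are assumptions for this example,
    not a real Teams audit-log schema."""
    domain = msg["sender_upn"].lower().rsplit("@", 1)[-1]
    indicators = []
    if domain not in own_domains:
        indicators.append("external_tenant")
        # A tenant still on its default *.onmicrosoft.com address has never
        # verified a custom domain: cheap to create, typical of throwaway tenants.
        if domain.endswith(".onmicrosoft.com"):
            indicators.append("default_onmicrosoft_domain")
        # An outsider presenting as "IT Help Desk" is the vishing pretext
        # described in the article; internal IT staff never trip this branch.
        if HELPDESK_TERMS.search(msg["display_name"]):
            indicators.append("external_helpdesk_impersonation")
    return indicators


def triage_teams_messages(messages, own_domains):
    """Return (high_risk, external_domain_counts): messages carrying all three
    indicators, plus how often each external domain appears, since the same
    attacker tenants tend to be reused against many users and organisations."""
    high_risk, counts = [], Counter()
    for m in messages:
        ind = teams_sender_indicators(m, own_domains)
        if "external_tenant" in ind:
            counts[m["sender_upn"].lower().rsplit("@", 1)[-1]] += 1
        if len(ind) == 3:
            high_risk.append(dict(m, indicators=ind))
    return high_risk, counts


# Constructed sample messages and tenant domains (not real telemetry).
OWN_DOMAINS = {"example.com", "example.onmicrosoft.com"}
SAMPLE = [
    {"sender_upn": "helpdesk@contoso-itsupport.onmicrosoft.com",
     "display_name": "IT Help Desk", "recipient": "alice@example.com"},
    {"sender_upn": "helpdesk@contoso-itsupport.onmicrosoft.com",
     "display_name": "IT Help Desk", "recipient": "carol@example.com"},
    {"sender_upn": "dana@partner-corp.com",
     "display_name": "Dana Vendor", "recipient": "bob@example.com"},
    {"sender_upn": "it.help@example.com",
     "display_name": "IT Helpdesk", "recipient": "alice@example.com"},
]

if __name__ == "__main__":
    flagged, domains = triage_teams_messages(SAMPLE, OWN_DOMAINS)
    for m in flagged:
        print(m["recipient"], "<-", m["sender_upn"], m["indicators"])
    print(domains.most_common())
```

The domain counter matters as much as the per-message verdict: a single external helpdesk contact may be a partner, but the same onmicrosoft.com tenant messaging several of your users with the same pretext is the campaign signature the telemetry above describes.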

The broader implication is a shift toward abusing trusted SaaS ecosystems at every stage of the attack lifecycle.

Microsoft Teams is used for initial access, SharePoint for payload delivery, Pastebin for instruction staging, Quick Assist for remote control, and Google Drive for command-and-control.

Full Kill Chain Timeline (source: eSentire)

Because these platforms are widely used and cannot be easily blocked, defenders must rely on behavioral detection and cross-layer visibility.

Security teams are advised to monitor for unusual mailbox activity such as sudden spikes in inbound email volume, which often precede vishing attempts.

Endpoint telemetry remains critical, particularly in identifying suspicious execution of javaw.exe from non-standard directories and correlating it with outbound connections to Google APIs.
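Each of the three signals recommended above (an inbound mail spike, java/javaw running from a non-standard directory, an outbound connection from that process to Google APIs) is noisy on its own; joined across layers on the same user and host they match the chain in this article. The script below is an added example, not eSentire's or the article's code. Event field names are assumptions loosely modelled on Sysmon process-create and network-connect events and a generic mail-gateway log, the thresholds and the Google host list are assumptions to tune per environment, and all sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables (assumptions for the example; tune per environment).
EMAIL_BOMB_THRESHOLD = 100                 # inbound messages to one mailbox ...
EMAIL_BOMB_WINDOW = timedelta(minutes=30)  # ... within this sliding window
JAVA_IMAGES = ("javaw.exe", "java.exe")
STANDARD_JAVA_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
GOOGLE_API_HOSTS = ("www.googleapis.com", "drive.google.com",
                    "docs.google.com", "sheets.googleapis.com")
PROC_TO_NET_WINDOW = timedelta(minutes=10)


def _ts(s):
    return datetime.fromisoformat(s)


def email_bomb_recipients(mail_events, threshold=EMAIL_BOMB_THRESHOLD,
                          window=EMAIL_BOMB_WINDOW):
    """Return {recipient: peak_count} for mailboxes whose inbound volume in
    any window of length `window` reaches `threshold` (two-pointer sweep)."""
    by_rcpt = defaultdict(list)
    for ev in mail_events:
        by_rcpt[ev["recipient"]].append(_ts(ev["time"]))
    hits = {}
    for rcpt, times in by_rcpt.items():
        times.sort()
        left = peak = 0
        for right, t in enumerate(times):
            while t - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            hits[rcpt] = peak
    return hits


def suspicious_java_processes(process_events):
    """java/javaw launched from outside the normal install locations, e.g. a
    bundled OpenJDK unpacked under a user's profile."""
    return [ev for ev in process_events
            if ev["image"].lower().rsplit("\\", 1)[-1] in JAVA_IMAGES
            and not ev["image"].lower().startswith(STANDARD_JAVA_DIRS)]


def java_to_google_c2(process_events, network_events, window=PROC_TO_NET_WINDOW):
    """Pair each suspicious java launch with an outbound connection to a
    Google API host from the same host/pid within `window` after launch."""
    alerts = []
    for p in suspicious_java_processes(process_events):
        for n in network_events:
            if (n["host"], n["pid"]) != (p["host"], p["pid"]):
                continue
            delay = _ts(n["time"]) - _ts(p["time"])
            if timedelta(0) <= delay <= window and n["dest_host"].lower() in GOOGLE_API_HOSTS:
                alerts.append({"host": p["host"], "user": p["user"], "pid": p["pid"],
                               "image": p["image"], "dest": n["dest_host"]})
    return alerts


def kill_chain_alerts(mail_events, process_events, network_events):
    """Cross-layer join: a mailbox that was email-bombed AND whose user's host
    later ran out-of-place java talking to Google APIs."""
    bombed = email_bomb_recipients(mail_events)
    return [dict(a, bomb_count=bombed[a["user"]])
            for a in java_to_google_c2(process_events, network_events)
            if a["user"] in bombed]


# Constructed sample telemetry (not real logs): alice is bombed with 280 mails
# in under 20 minutes, then a bundled javaw.exe under her profile calls Google
# APIs; bob's javaw.exe from Program Files doing the same is benign noise.
T0 = datetime(2026, 4, 6, 9, 0)
MAIL = ([{"time": (T0 + timedelta(seconds=4 * i)).isoformat(),
          "recipient": "alice@example.com"} for i in range(280)]
        + [{"time": (T0 + timedelta(minutes=5 * i)).isoformat(),
            "recipient": "bob@example.com"} for i in range(6)])
PROCS = [
    {"time": (T0 + timedelta(minutes=25)).isoformat(), "host": "WS-ALICE", "pid": 4412,
     "user": "alice@example.com",
     "image": r"C:\Users\alice\AppData\Local\Temp\jre\bin\javaw.exe"},
    {"time": (T0 + timedelta(minutes=25)).isoformat(), "host": "WS-BOB", "pid": 3100,
     "user": "bob@example.com",
     "image": r"C:\Program Files\Java\jdk-21\bin\javaw.exe"},
]
NETS = [
    {"time": (T0 + timedelta(minutes=26)).isoformat(), "host": "WS-ALICE", "pid": 4412,
     "dest_host": "www.googleapis.com"},
    {"time": (T0 + timedelta(minutes=26)).isoformat(), "host": "WS-BOB", "pid": 3100,
     "dest_host": "www.googleapis.com"},
]

if __name__ == "__main__":
    for alert in kill_chain_alerts(MAIL, PROCS, NETS):
        print(alert)
```

The process-to-network join is keyed on host and pid with a short window after launch because the article's timeline has the implant beaconing minutes after execution; in a real pipeline the same join would also carry the Quick Assist session and the Teams contact as parent context, which the sample events omit.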

This campaign underscores how threat actors are blending social engineering with legitimate cloud services to bypass traditional defenses.

As enterprises rely more on SaaS platforms, detection strategies need to be context-aware, keying on user behavior, process activity, and identity signals rather than on domain-based blocking alone.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
