Threat Analysis: Microsoft Teams Helpdesk Scams, Multi-Stage Phishing RATs, and the UK Cyber Pledge Nobody Asked About

Threats & Attacks

Threat Analysis: Microsoft Teams Helpdesk Scams, Multi-Stage Phishing RATs, and the UK Cyber Pledge Nobody Asked About

Hello, Mauven here.

This is your Daily Threat Analysis for the 7th of July 2026.

Three things worth your attention today. Two are active threats with direct relevance to UK SMBs. One is a piece of UK government news that looks positive until you read the small print.


The Teams Helpdesk Scam: When the Attack Vector Is Your Own Politeness

Unit 42 published research today documenting a campaign in which attackers impersonate IT helpdesk staff on Microsoft Teams, persuade employees to grant remote desktop access, and use that access to deploy a trojan called EtherRAT.

Let me be precise about what this attack does and does not require. It does not require an unpatched vulnerability. It does not require the victim to click a link in an email or open a malicious attachment. It requires a staff member to receive a Teams message from what appears to be the IT department, be told there is a problem with their account or device, and agree to let someone have a look.

That is it. That is the whole technical requirement.

Once remote access is granted, EtherRAT is deployed. Remote access trojans of this type give the attacker persistent, covert control of the compromised machine, keylogging, credential harvesting, lateral movement capability, and the ability to deploy further payloads including ransomware.

The reason this works in UK organisations, and it does work, which is why threat actors keep using variants of this technique, is that Microsoft Teams has, in many businesses, become the default channel for internal IT support. Staff are accustomed to receiving helpdesk messages via Teams. They are often not trained to verify that the person messaging them is actually from their IT team, and in smaller organisations there may be no formal process for doing so.

If your IT provider tells you this does not affect you because you have Teams configured securely, ask them specifically whether external organisations can initiate chats with your staff. The default Teams configuration in many tenants permits exactly that, and attackers exploit it by creating tenants with names like “IT Support” or variants of your company name.

What to do:

  • Review your Microsoft Teams external access settings. Unless there is a specific business reason to allow external organisations to message your staff, restrict or disable it.
  • If you use an MSP or external IT provider that does legitimately contact staff via Teams, establish a verification process, a shared codeword, a callback to a known number, or a policy that remote access is only granted after a call to a verified number.
  • Train staff explicitly: IT support does not cold-initiate contact asking for remote access without prior arrangement. If it happens unexpectedly, treat it as suspicious until verified.
  • Review what remote access tools are installed on your endpoints. EtherRAT aside, many of these campaigns also use legitimate remote access software, AnyDesk, TeamViewer, Quick Assist, as the initial access vehicle before deploying malware.

Multi-Stage Phishing: When the Malware Is Hiding Inside a Picture

SpiderLabs published detailed research today on a global phishing campaign delivering AsyncRAT and Remcos, two well-established remote access trojans, through what is described as a multi-stage infection chain that is specifically designed to evade detection.

The entry point is a malicious Excel attachment delivered via phishing email. If the victim enables macros, the real work begins: the chain progresses through HTA scripts, PowerShell commands, encoded payloads, and, here is the part worth paying attention to, steganography embedded in PNG image files.

Steganography is the practice of hiding data inside other data. In this context, the malicious payload is concealed within what appears to be a legitimate image file. Most signature-based antivirus tools are looking for known malicious file patterns. A PNG file containing hidden encoded data does not match those patterns. The execution is largely fileless, meaning much of it happens in memory rather than being written to disk where it could be detected.

This is not a sophisticated nation-state technique. It is a technique that has been packaged and deployed at scale against ordinary business targets, specifically business functions, according to the research, meaning finance, HR, procurement, the people most likely to receive invoices, purchase orders, and supplier communications.

The NCSC published guidance on macro security in Office documents years ago. The fact we are still having this conversation tells you everything about how seriously organisations take it.

What to do:

  • Block macro execution in Microsoft Office by default via Group Policy or, if you are in Microsoft 365, via Intune. This is not a difficult configuration change. It is documented. There is no reasonable operational justification for most UK SMBs to allow macros in files received from external sources.
  • Ensure your endpoint protection uses behavioural detection, not just signature matching. If your IT provider cannot tell you which detection method your tools use, that is the question to ask today.
  • If you are using email filtering, verify it is scanning for HTA file execution patterns and suspicious PowerShell invocations in macro-enabled documents.
  • Treat any unexpected Excel attachment requesting macro enablement as hostile, regardless of how plausible the accompanying email looks.

The UK Cyber Pledge: Sixty Signatories, One Obvious Question

The UK government launched a voluntary cyber pledge today. Sixty organisations have signed it, committing to a set of cyber hygiene behaviours. The ambition is reasonable. Voluntary commitments to improve baseline security across large organisations are worth something, provided they are backed by genuine internal change programmes rather than PR activity.

Two names on the signatory list are worth noting.

Marks & Spencer is a signatory. M&S is, at time of writing, still managing the recovery from a significant cyber incident that disrupted online orders and affected operations across the business for weeks.

Capita is also a signatory. Capita’s 2023 breach affected data held on behalf of numerous public sector clients and organisations across the UK. The ICO issued enforcement action. The incident had downstream consequences for hundreds of organisations that contracted with Capita across the public and private sectors.

I am not suggesting either organisation should be excluded from making commitments to better security. Quite the opposite. But a voluntary pledge signed after a major incident is a different thing to a voluntary pledge signed before one. And if your organisation contracts with large suppliers, as many UK SMBs do, a supplier’s signature on a voluntary pledge does not substitute for a contractual security requirement or a meaningful supplier risk assessment.

Voluntary pledges are not controls. They are statements of intent. There is a meaningful difference.


Also Worth Noting: UAT-7810 ORB Networks

Cisco Talos published research today on UAT-7810, a threat actor building what are called Operational Relay Box (ORB) networks using custom malware. ORB networks use compromised infrastructure, often legitimate devices, as relay points to obscure the origin of attack traffic and make attribution harder.

This is not a direct SMB threat in the sense of immediate targeting, but it is relevant context. Compromised small business infrastructure, routers, NAS devices, poorly secured servers, is regularly incorporated into ORB networks. Your devices may be used as relay nodes in attacks against other targets without your knowledge. This is one of the reasons that keeping edge devices patched and not exposed with default credentials is not optional.


What the NCSC Published Today

The NCSC published a blog post today on Cyber Shield, described as an initiative to develop national-scale, sovereign AI-driven cyber defence capability. The framing is agentic AI, automated systems that can detect and respond to threats at speed and scale beyond what human analysts can manage.

This is genuinely interesting work at a national level, and I say that without qualification. The gap between the volume of threats and the number of people available to analyse them is real and growing.

What it does not address, and is not designed to address, is the operational reality facing a 40-person professional services firm in Leeds or a 15-person construction company in Bristol today, with a phishing email in their inbox. National-scale sovereign AI capability is a multi-year infrastructure project. The Microsoft Teams impersonation campaign is happening now.

Both things can be true simultaneously. The national programme is worth building. And the immediate practical steps remain the immediate practical steps.


Today’s Actions, in Order of Priority

  1. Teams external access, check it, restrict it if there is no business need for external parties to message your staff directly.
  2. Office macro policy, if macros are not blocked by default in your environment, they should be. This week, not next quarter.
  3. Staff awareness, specifically on the helpdesk impersonation vector. One internal message explaining that IT support will not cold-contact asking for remote access without prior arrangement takes ten minutes to write and could prevent a significant incident.
  4. Endpoint protection review, ask your IT provider or MSP whether your endpoint tools use behavioural detection. If the answer is uncertain, that is your answer.
  5. Supplier contracts, if you have significant suppliers, check whether your contracts include security requirements. A voluntary pledge is not the same thing.

Sources

SourceTitleURL
Palo Alto Unit 42 / The RegisterFake IT bods on Microsoft Teams coax workers into installing malwarehttps://www.theregister.com/cyber-crime/2026/07/07/fake-it-bods-on-microsoft-teams-coax-workers-into-installing-malware/5267610
LevelBlue / SpiderLabsAsyncRAT and Remcos Delivered in Multi-Stage Phishing Campaignhttps://www.levelblue.com/blogs/spiderlabs-blog/asyncrat-and-remcos-delivered-in-multi-stage-phishing-campaign
The RegisterGovernment’s cyber pledge lands 60 signatories, including M&S and, somehow, Capitahttps://www.theregister.com/security/2026/07/07/governments-cyber-pledge-lands-60-signatories-including-ms-and-somehow-capita/5267554
Cisco TalosUAT-7810 continues building ORB networks using new malwarehttps://blog.talosintelligence.com/uat-7810/
NCSCCyber Shield: The path to an agentic AI future for cyber defencehttps://www.ncsc.gov.uk/blogs/cyber-shield-the-path-to-an-agentic-ai-future-for-cyber-defence

If this briefing is useful to you, follow the show wherever you listen so tomorrow’s lands automatically. And if there is someone in your organisation, or a peer who runs their own business, who needs the heads-up on what is actually happening out there, pass it along. The gap between what the press covers and what operationally matters to a small UK business is real. That is what this is here to close.

Filed under

  • smb-security
  • social-engineering
  • credential-theft
  • remote-access
  • business-risk
  • incident-response
  • uk-business