Strengthening corporate cybersecurity against new phishing campaigns on collaborative platforms
Initial reports described a cyberattack campaign targeting organizations in the financial and healthcare sectors, in which attackers exploited widely used corporate tools such as Microsoft Teams to carry out malicious activities. Early investigations revealed an unusual pattern of intrusions that employed sophisticated social engineering methods. In the days that followed, various specialized media outlets and incident response organizations began publishing technical analyses and alerts, which helped assess the scope of the threat. This timeline spans March 15–24, 2026, and marks the start of public disclosure of a campaign that had likely been active for weeks prior.
The report focuses on an attack method that combines email flooding, known as email bombing, with impersonation of technical support staff via Microsoft Teams, allowing attackers to gain victims’ trust. Once contact is established, the cybercriminals trick users into using legitimate remote access tools such as Quick Assist, which lets them easily take control of the affected devices. After gaining access, the attackers deploy the A0Backdoor malware, which provides persistence, enables information exfiltration, and potentially prepares the environment for more destructive attacks, such as ransomware. Most of the affected organizations operate in sectors with highly sensitive data, which amplifies the incident’s impact. In response, various CSIRTs and government agencies have issued recommendations such as restricting remote access, strengthening authentication, and improving network traffic monitoring, particularly for techniques like DNS tunneling.
The incident is currently in the containment and analysis phase, with multiple cybersecurity entities and public agencies monitoring the campaign’s progress and sharing indicators of compromise. Although the malicious activity has not been completely halted, awareness has increased and potentially vulnerable organizations are implementing more preventive measures.
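The sequence described above (email flood, then a Teams contact, then a Quick Assist session) can be turned into a per-user correlation rule. The sketch below is an added example, not code from the report or from any agency cited in it; the event field names, the `kind` values, the assumption that the impersonating Teams chat comes from an external tenant, and the thresholds are all hypothetical and would need mapping to your own mail, Teams and endpoint telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values, not taken from the report.
FLOOD_COUNT = 50                      # inbound mails that count as a flood
FLOOD_WINDOW = timedelta(minutes=10)
CHAIN_WINDOW = timedelta(hours=2)     # max gap between consecutive stages

def flood_times(mail_times):
    """Return times at which FLOOD_COUNT mails had arrived within FLOOD_WINDOW."""
    hits, start = [], 0
    for end, t in enumerate(mail_times):
        while t - mail_times[start] > FLOOD_WINDOW:
            start += 1
        if end - start + 1 >= FLOOD_COUNT:
            hits.append(t)
    return hits

def find_chains(events):
    """events: dicts with hypothetical keys ts, user, kind (+ external for teams_chat).
    Returns (user, flood_ts, chat_ts, quickassist_ts) for each user whose events
    match flood -> external Teams chat -> Quick Assist start, in that order."""
    by_user = defaultdict(lambda: defaultdict(list))
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "teams_chat" and not e.get("external"):
            continue  # internal chats are not part of the pattern
        by_user[e["user"]][e["kind"]].append(e["ts"])
    alerts = []
    for user, k in by_user.items():
        for f in flood_times(k["mail_in"]):
            chat = next((c for c in k["teams_chat"] if f <= c <= f + CHAIN_WINDOW), None)
            # Only look for Quick Assist once an external chat followed the flood.
            qa = chat and next((q for q in k["quickassist_start"]
                                if chat <= q <= chat + CHAIN_WINDOW), None)
            if qa:
                alerts.append((user, f, chat, qa))
                break  # one alert per user is enough
    return alerts

def sample_events():
    """Constructed sample: alice shows the full chain, bob only a mail flood."""
    t0 = datetime(2026, 3, 16, 9, 0)
    ev = [{"ts": t0 + timedelta(seconds=5 * i), "user": u, "kind": "mail_in"}
          for u in ("alice", "bob") for i in range(60)]
    ev.append({"ts": t0 + timedelta(minutes=20), "user": "alice", "kind": "teams_chat", "external": True})
    ev.append({"ts": t0 + timedelta(minutes=35), "user": "alice", "kind": "quickassist_start"})
    ev.append({"ts": t0 + timedelta(minutes=20), "user": "bob", "kind": "teams_chat", "external": False})
    return ev
```

Requiring the three stages in order keeps the rule quiet for users who only receive a mail flood or who use Quick Assist for routine support.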
24/03/2026, ciberseguridadegalicia.gal



