Cyber attackers are increasingly exploiting established business platforms like Microsoft Teams and Google Drive to deploy sophisticated remote access malware. A recent campaign demonstrates the use of social engineering and cloud-based command-and-control tactics to avoid detection.
Recent Attack on Legal Sector
In April 2026, eSentire’s Threat Response Unit detected an attack targeting a legal organization. Hackers used Microsoft Teams for voice phishing, tricking users into granting remote access via Windows Quick Assist. The attackers quickly introduced a Java-based remote access trojan called Nimbus RAT, completing the compromise in less than 20 minutes.
The intrusion followed a structured kill chain, indicating the advanced operational capability of such campaigns. It began with a tactic known as email bombing, inundating the victim’s inbox with over 280 legitimate emails, creating a sense of urgency and confusion. This was followed by the attacker posing as IT support on Microsoft Teams, leading the victim through steps to launch Quick Assist.
Malware Delivery and Execution
The final malicious payload was hosted on SharePoint within a compromised Microsoft 365 tenant, lending an air of legitimacy to the operation. The downloaded files consisted of a malicious Java archive bundled with an OpenJDK runtime, so the trojan could execute on any Windows system without additional dependencies. Once activated, Nimbus RAT maintained persistence and established encrypted communications with its command-and-control servers.
Notably, Nimbus RAT uses Google Drive and Google Sheets as its C2 channels, leveraging legitimate Google APIs to mask its network activity. This approach makes detection at the network level challenging, because commands and data are exchanged through the same cloud services that ordinary business traffic already uses.
Broader Implications and Defense Strategies
eSentire reports that this is not an isolated incident: its telemetry has recorded numerous suspicious Microsoft Teams interactions across various organizations in the past year. A significant number of these attacks were initiated from temporary Microsoft 365 tenants, with the attackers often impersonating IT personnel.
This trend highlights a growing reliance on trusted SaaS platforms throughout attack lifecycles. Attackers use Teams for initial access, SharePoint for payload delivery, Pastebin for instruction staging, Quick Assist for remote control, and Google Drive for command-and-control operations.
Given the widespread use of these platforms, cybersecurity defenses must evolve to focus on behavioral detection and comprehensive visibility across the email, endpoint, identity and cloud layers. Monitoring for unusual email activity (such as a sudden burst of inbound mail to one mailbox) and for non-standard process executions (such as a remote-assistance session followed by a Java runtime launched from a user-writable path) can provide critical indicators of potential threats.
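The two indicators just mentioned can be turned into simple behavioral rules. The following is an added example written for this page, not eSentire's tooling or any code from the campaign: it runs over constructed mail-gateway and process-creation events and flags (a) any recipient whose inbox receives a burst of messages within a short sliding window, the signature of the email bombing described above, and (b) a `java.exe` launched from a user-writable directory shortly after a Quick Assist session was started by the same user, which matches the Quick Assist-to-JAR delivery sequence. Thresholds, the Quick Assist image name and the sample paths are assumptions and should be tuned to your environment.

```python
"""Behavioral detection sketch for email bombing and a remote-assistance
session followed by a Java runtime launched from a user-writable path.
All events below are constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2026, 4, 1, 9, 0, 0)  # constructed reference time

# Constructed mail-gateway events: (delivery time, recipient mailbox).
# One mailbox receives 280 messages in under ten minutes; another receives
# a normal trickle spread over the day.
MAIL_EVENTS = [(BASE + timedelta(seconds=2 * i), "victim@law.example") for i in range(280)]
MAIL_EVENTS += [(BASE + timedelta(hours=h), "bob@law.example") for h in range(5)]

# Constructed process-creation events: (time, user, parent image, image, command line).
PROCESS_EVENTS = [
    # Quick Assist started by the victim (image name assumed; adjust for your build)
    (BASE + timedelta(minutes=20), "victim", r"C:\Windows\explorer.exe",
     r"C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_2.0\QuickAssist.exe",
     "QuickAssist.exe"),
    # Twelve minutes later, a Java runtime runs from the Downloads folder
    (BASE + timedelta(minutes=32), "victim", r"C:\Windows\System32\cmd.exe",
     r"C:\Users\victim\Downloads\jdk\bin\java.exe",
     r"java.exe -jar C:\Users\victim\Downloads\update.jar"),
    # Benign: Java from a system-installed JDK, no Quick Assist session
    (BASE + timedelta(hours=1), "bob", r"C:\Windows\explorer.exe",
     r"C:\Program Files\Java\bin\java.exe", "java.exe -jar app.jar"),
    # Benign-ish: user-writable Java, but no preceding Quick Assist session
    (BASE + timedelta(hours=5), "carol", r"C:\Windows\System32\cmd.exe",
     r"C:\Users\carol\AppData\Local\tool\java.exe", "java.exe -jar tool.jar"),
]

USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")


def email_burst_recipients(events, threshold=100, window=timedelta(minutes=15)):
    """Return {recipient: peak_count} for mailboxes that received at least
    `threshold` messages inside any sliding window of length `window`."""
    per_recipient = defaultdict(list)
    for ts, rcpt in events:
        per_recipient[rcpt].append(ts)
    flagged = {}
    for rcpt, stamps in per_recipient.items():
        stamps.sort()
        q = deque()
        for ts in stamps:
            q.append(ts)
            while ts - q[0] > window:   # drop messages older than the window
                q.popleft()
            if len(q) >= threshold:
                flagged[rcpt] = max(flagged.get(rcpt, 0), len(q))
    return flagged


def suspicious_java_launches(events, followup=timedelta(minutes=30)):
    """Return (user, image, command_line) for java.exe/javaw.exe started from a
    user-writable path within `followup` of a Quick Assist start by the same user."""
    qa_starts = defaultdict(list)
    for ts, user, _parent, image, _cmd in events:
        if image.lower().endswith("quickassist.exe"):
            qa_starts[user].append(ts)
    hits = []
    for ts, user, _parent, image, cmd in events:
        lowered = image.lower()
        if not lowered.endswith(("java.exe", "javaw.exe")):
            continue
        if not any(marker in lowered for marker in USER_WRITABLE_MARKERS):
            continue  # Java from Program Files etc. is ordinary
        if any(timedelta(0) <= ts - qa <= followup for qa in qa_starts.get(user, [])):
            hits.append((user, image, cmd))
    return hits


if __name__ == "__main__":
    for rcpt, count in email_burst_recipients(MAIL_EVENTS).items():
        print(f"email burst: {rcpt} received {count} messages in one window")
    for user, image, cmd in suspicious_java_launches(PROCESS_EVENTS):
        print(f"quick assist -> java: user={user} image={image} cmd={cmd}")
```

Neither rule is conclusive on its own; a helpdesk session that legitimately installs a Java tool would trip the second one. The value is in correlating them: a mailbox flooded minutes before its owner starts a remote-assistance session and then runs a freshly downloaded runtime is exactly the sequence this campaign relied on, and it is visible in mail and endpoint telemetry even though every network destination involved is a trusted SaaS domain.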
This campaign emphasizes the need for context-aware security strategies that prioritize user behavior and identity signals over traditional domain-based blocking. As reliance on SaaS platforms increases, adapting to these sophisticated threat tactics becomes imperative for enterprises.
