A0Backdoor Hits Finance and Healthcare via Teams Impersonation
Storm-1811 actors flood inboxes with spam, then call via Microsoft Teams posing as IT support. Quick Assist grants access for A0Backdoor deployment.
A new malware campaign is weaponizing Microsoft Teams to deploy a previously undocumented backdoor called A0Backdoor against financial institutions and healthcare organizations. The attackers flood employee inboxes with spam, then pose as IT support on Teams to trick victims into granting remote access.
TL;DR
- What happened: Attackers impersonate corporate IT staff on Microsoft Teams to deploy A0Backdoor malware
- Who's affected: Employees at financial institutions and healthcare organizations globally
- Severity: High - enables persistent access and data exfiltration
- Action required: Block external Teams messages; train staff on IT impersonation tactics
The Two-Stage Social Engineering Attack
The campaign follows a refined playbook. First, attackers spam a target's inbox with high volumes of junk mail—enough to create genuine frustration and confusion. Then they contact the victim through Microsoft Teams, claiming to be from the company's IT department offering help with the email problem they just created.
BlueVoyant researchers, who documented the campaign, observed attackers using display names like "IT Support" and "Help Desk" to add credibility. Once trust is established, they instruct victims to launch Windows Quick Assist for remote troubleshooting.
Quick Assist is a legitimate Windows tool for remote support sessions. Unlike RDP or other remote access methods, it requires the user's active participation—making it an effective social engineering vector that bypasses many technical controls.
How A0Backdoor Gets Deployed
With Quick Assist access secured, attackers deploy malicious MSI installers hosted in personal Microsoft cloud storage accounts. The installers masquerade as legitimate Microsoft components, including fake Teams packages and the CrossDeviceService tool used by Windows Phone Link.
The infection chain uses DLL sideloading with signed Microsoft binaries. A malicious library named hostfxr.dll contains encrypted shellcode that decrypts in memory and transfers execution to the A0Backdoor payload.
This technique of abusing legitimate Microsoft binaries for malware loading has become increasingly common. We saw similar approaches in the MicroStealer infostealer campaign that leveraged Electron applications for delivery.
MX Records for Covert C2
A0Backdoor's most distinctive feature is its command-and-control mechanism. Rather than using commonly monitored DNS TXT records, the malware transmits encrypted data and receives commands through MX records—typically associated with email routing.
This unconventional approach helps evade detection systems that focus on suspicious TXT record queries. Security tools monitoring for DNS-based C2 often don't inspect MX record content for encoded payloads.
The C2 traffic blends with legitimate email infrastructure queries, making it difficult to distinguish malicious activity from normal network operations without deep packet inspection.
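One way a defender can hunt for the MX-based beaconing described above, and the "unusual MX record queries from non-mail systems" indicator later on this page, is to inspect resolver logs. This is an added example, not code from BlueVoyant or the report; the log lines, the mail-relay allowlist and the thresholds are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver-log lines (not from the report): "<epoch> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
1700000001 10.0.5.10 MX partner-bank.example
1700000002 10.0.5.10 MX mail.vendor.example
1700000003 10.0.21.44 A teams.microsoft.com
1700000004 10.0.21.44 MX 4f3a9c1e7b2d8e0a5c6f.cdn-status.example
1700000005 10.0.21.44 MX 9e8d7c6b5a4f3e2d1c0b.cdn-status.example
1700000006 10.0.21.44 MX a1b2c3d4e5f60718293a.cdn-status.example
1700000007 10.0.21.44 MX b7c8d9e0f1a2b3c4d5e6.cdn-status.example
1700000008 10.0.30.7 MX example.org
"""

# Assumed: the organisation's own mail relays, the only hosts with a business need for MX lookups.
MAIL_HOSTS = {"10.0.5.10"}

def shannon_entropy(s):
    """Bits per character; encoded or encrypted labels score far higher than dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parent_domain(qname):
    return ".".join(qname.split(".")[-2:])

def find_mx_c2_candidates(log_text, burst_threshold=3, entropy_threshold=3.5):
    """Return (client, name, reason) tuples for MX queries that look like tunnelled data."""
    mx_by_client = defaultdict(list)
    for line in log_text.splitlines():
        _ts, client, qtype, qname = line.split()
        # MX lookups from anything but a mail relay are the first anomaly.
        if qtype == "MX" and client not in MAIL_HOSTS:
            mx_by_client[client].append(qname)
    findings = []
    for client, names in mx_by_client.items():
        for name in names:
            label = name.split(".")[0]
            # Long, high-entropy leftmost labels are where encoded outbound data tends to sit.
            if len(label) >= 16 and shannon_entropy(label) >= entropy_threshold:
                findings.append((client, name, "high-entropy MX label"))
        # Many MX queries under one parent domain from a single host suggests a beacon loop.
        for parent, count in Counter(parent_domain(n) for n in names).items():
            if count >= burst_threshold:
                findings.append((client, parent, f"{count} MX queries to one parent domain"))
    return findings
```

Query-side logging only covers the outbound half; the commands the report says come back in MX answers would require response logging or a DNS tap to inspect.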
Links to BlackBasta Operations
BlueVoyant assesses with moderate-to-high confidence that the campaign represents an evolution of tactics associated with the now-disbanded BlackBasta ransomware gang. The techniques closely align with the threat cluster tracked as Blitz Brigantine, also known as Storm-1811.
BlackBasta's internal chat logs leaked in late 2025, leading to the group's dissolution. The current campaign suggests former operators have reorganized and refined their initial access techniques.
This pattern of ransomware gang rebranding and tactic evolution continues to challenge defenders. As we reported with the Interlock ransomware operation, threat actors regularly adapt their tooling while maintaining operational continuity.
Confirmed Targets
The campaign has successfully compromised at least two organizations:
- A financial institution based in Canada
- A global healthcare organization (name withheld)
The targeting suggests the operators are pursuing organizations with both valuable data and urgency around operational continuity—sectors where victims may be more likely to pay ransoms quickly.
Defending Against Teams-Based Attacks
Organizations should implement multiple defensive layers:
- Restrict external Teams access - Configure tenant settings to block messages from unknown external domains
- Disable Quick Assist - Remove or restrict the tool on endpoints where it's not required for legitimate support
- Verify IT contacts out-of-band - Train employees to confirm IT requests through known phone numbers or in-person contact
- Monitor for MSI sideloading - Alert on suspicious DLL loads by signed Microsoft binaries
The Goldman Sachs breach via law firm compromise demonstrated how third-party access channels create organizational risk. Teams federation settings represent a similar trust boundary that many organizations leave too permissive.
Indicators to Watch
Security teams should monitor for:
- High-volume spam preceding Teams contact from external users
- Quick Assist sessions initiated after Teams conversations
- MSI files downloaded from personal OneDrive/SharePoint locations
- Unusual MX record queries from non-mail systems
- hostfxr.dll loaded by processes that shouldn't require .NET hosting
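The hostfxr.dll sideloading described in the infection chain and flagged in the indicator list above can be hunted in image-load telemetry. This is an added example, not code from the report; the events are constructed in the shape of Sysmon Event ID 7 fields, and the trusted runtime path and the user-writable path fragments are assumptions to tune per environment.

```python
import ntpath

# Constructed image-load events modelled on Sysmon Event ID 7 fields (not from the report).
# Fields: process image | loaded image | loaded-image signer ("" = unsigned)
SAMPLE_EVENTS = """\
C:\\Program Files\\dotnet\\dotnet.exe|C:\\Program Files\\dotnet\\host\\fxr\\8.0.0\\hostfxr.dll|Microsoft Corporation
C:\\Users\\alice\\AppData\\Local\\Temp\\Setup\\host.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\Setup\\hostfxr.dll|
C:\\Program Files\\Contoso\\Contoso.exe|C:\\Program Files\\Contoso\\hostfxr.dll|Microsoft Corporation
C:\\ProgramData\\Updater\\updater.exe|C:\\ProgramData\\Updater\\hostfxr.dll|Microsoft Corporation
C:\\Windows\\System32\\notepad.exe|C:\\Windows\\System32\\ntdll.dll|Microsoft Windows
"""

# Assumed: the only system-wide location where the genuine .NET host resolver lives.
TRUSTED_PREFIX = "c:\\program files\\dotnet\\host\\fxr\\"
# Assumed user-writable path fragments; a sideloaded copy has to live somewhere the user can write.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")

def detect_hostfxr_sideload(events_text):
    """Return one finding per suspicious hostfxr.dll load, each with the reasons it tripped."""
    findings = []
    for line in events_text.splitlines():
        process, loaded, signer = line.split("|")
        low = loaded.lower()
        # Only hostfxr.dll matters here, and the shared runtime copy is expected.
        if ntpath.basename(low) != "hostfxr.dll" or low.startswith(TRUSTED_PREFIX):
            continue
        reasons = []
        # Self-contained apps ship a Microsoft-signed copy; an unsigned or third-party one is not that.
        if signer != "Microsoft Corporation":
            reasons.append("hostfxr.dll is not Microsoft-signed")
        # Even a signed copy loaded out of a user-writable directory deserves a look.
        if any(frag in low for frag in USER_WRITABLE):
            reasons.append("hostfxr.dll loaded from a user-writable path")
        if reasons:
            findings.append({"process": process, "dll": loaded, "reasons": reasons})
    return findings
```

Pair this with the process-side view the indicator asks for: a Microsoft-signed host binary running from a per-user MSI staging directory is the other half of the pattern.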
Why This Matters
Microsoft Teams has become default communication infrastructure for many organizations, especially in hybrid work environments. Attackers understand that employees trust internal communication channels more than email—and that IT impersonation carries inherent authority.
The combination of manufactured problems (spam floods), trusted channels (Teams), and legitimate tools (Quick Assist) creates a social engineering chain that is difficult to defend against with purely technical controls. User awareness training remains the critical countermeasure.
For organizations in targeted sectors, the appearance of former BlackBasta operators with refined techniques signals continued ransomware risk. Initial access through social engineering typically precedes data theft and extortion within days.