VQCodes


How Are Cybercriminals Using Microsoft Teams to Spread Malware?


As collaboration tools become increasingly important in modern workplaces, they are also emerging as a new entry point for cyberattacks. One such example is Microsoft Teams, a popular platform used by millions of companies worldwide. Recent security reports indicate that cybercriminals are exploiting Microsoft Teams voice call notifications to deliver malware, particularly a stealthy loader known as Matanbuchus.

This new malware distribution method marks a dangerous shift in attack techniques, moving beyond email and into real-time messaging systems. But how does it work, and what can be done to protect against it?

What Is Matanbuchus Malware?

Matanbuchus is a malware loader, meaning it is not the final threat itself but a tool that allows more dangerous malware to infect a system. It is often used to deploy Cobalt Strike, ransomware, adware, and other advanced malicious payloads. First identified in 2021, Matanbuchus is distributed as part of a Malware-as-a-Service (MaaS) package on underground cybercrime forums, making it easily accessible to a wide range of attackers, both experienced and novice.

The malware is known for its evasive techniques, including encrypted communication with command-and-control (C2) servers and fileless execution, which make it difficult for traditional antivirus software to detect.

How Microsoft Teams Is Being Abused

Attackers are exploiting a clever tactic: fake Microsoft Teams voice call notifications. These appear authentic and mimic the familiar branding and layout of legitimate Teams messages, increasing the likelihood that recipients will trust them.

Here’s how the attack typically unfolds:

1. Spoofed Voice Call Notification

Victims receive a Microsoft Teams alert about a missed or incoming call. The message looks convincing and imitates genuine Teams notifications.

2. Click and Payload Delivery

The user clicks the embedded link, thinking it will lead to the Teams call. Instead, it redirects to a malicious website or automatically starts a malware download.

3. Matanbuchus Loader Activation

Once activated, the malware quietly installs itself and prepares the system to receive additional malicious tools, often creating backdoors for data theft, surveillance, or ransomware deployment.

This method bypasses traditional email-based security filters, as the malware is delivered through a less-monitored communication channel.
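The lure described above (call-notification wording plus a link that leaves Teams) can be triaged from exported message records. The following is an added example, not code from the original article; the record fields (`sender_tenant`, `body`), the tenant names, the trusted-host list and the verdict rules are assumptions, and the sample messages are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only host a genuine Teams call link should point at.
TRUSTED_SUFFIXES = ("teams.microsoft.com",)
LURE_RE = re.compile(r"\b(missed|incoming)\b.{0,20}\bcall\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def link_hosts(body):
    """Hostnames of every URL in the body; urlsplit drops any user@ prefix."""
    hosts = []
    for url in URL_RE.findall(body):
        hosts.append((urlsplit(url).hostname or "").rstrip(".").lower())
    return hosts

def is_trusted(host):
    # Match on a label boundary so lookalike hosts do not pass.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def triage(msg, home_tenant):
    """Return (verdict, reasons); verdict is 'alert', 'review' or 'ok'."""
    reasons = []
    lure = bool(LURE_RE.search(msg["body"]))
    off_platform = [h for h in link_hosts(msg["body"]) if not is_trusted(h)]
    external = msg["sender_tenant"] != home_tenant
    if lure:
        reasons.append("call-notification wording")
    if off_platform:
        reasons.append("link outside Teams: " + ", ".join(off_platform))
    if external:
        reasons.append("external sender")
    if lure and off_platform:
        return "alert", reasons
    if external and off_platform:
        return "review", reasons
    return "ok", reasons

HOME = "tenant-home"  # constructed tenant identifier
SAMPLES = [  # constructed messages; .example hosts are placeholders
    {"sender_tenant": "tenant-home",
     "body": "Missed call from Dana. Call back: https://teams.microsoft.com/l/call/0/0"},
    {"sender_tenant": "tenant-other",
     "body": "You have a missed voice call. Listen: https://teams.microsoft.com.voice-notify.example/play"},
    {"sender_tenant": "tenant-other",
     "body": "Quarterly deck: https://files.partner.example/q3.pdf"},
    {"sender_tenant": "tenant-home",
     "body": "Incoming call, join now https://teams.microsoft.com@call-join.example/x"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(triage(m, HOME))
```

The second and fourth samples show why the host check compares on a label boundary after URL parsing: both links contain the string `teams.microsoft.com` but resolve elsewhere.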

Why Is This Attack Effective?

Several reasons explain why this attack vector works so well:

  • High Trust Environment

Microsoft Teams is a trusted business tool. Employees are more likely to open messages and follow links from it compared to emails from unknown sources.

  • Lack of Monitoring

Many organizations have strong email security but overlook collaboration platforms like Teams, Slack, or Zoom.

  • Remote Work Culture

With remote and hybrid work models becoming common, real-time communication apps are essential, giving attackers more opportunities to exploit them.

How to Protect Your Organization

Cybersecurity isn’t just about firewalls anymore; it’s about user awareness, layered security, and active monitoring. To avoid such threats:

  • Security awareness training

Educate employees on how to identify fake messages and phishing attempts in Teams. Regular training can significantly reduce the risk of accidental clicks.

  • Enable Microsoft Defender for Office 365

This provides advanced security features for Microsoft Teams, SharePoint, and OneDrive, helping to detect and block malicious activity.

  • Restrict external access to Teams

Limit access to internal or trusted users only to reduce exposure.

  • Monitor collaboration tools

Use endpoint detection and response (EDR) tools that can identify suspicious behavior within messaging apps.

  • Apply Zero Trust principles

Never assume that internal platforms are completely safe. Always verify identities, check that behavior matches what is expected, and monitor user actions.

Final Thoughts

Microsoft Teams is being exploited to distribute Matanbuchus malware, a strong reminder that no platform is immune to cyber threats. As attackers evolve, so should our defenses. Organizations should give collaboration tools security scrutiny comparable to what they give their email systems. Staying aware of these new attack methods and acting swiftly to counter them can make all the difference in preventing costly breaches.
