A new multi-stage vishing campaign has been uncovered that uses Microsoft Teams calls and the QuickAssist tool to deliver fileless .NET malware.

The attack begins when the victim receives a Teams call from a threat actor impersonating a senior IT staff member via a spoofed display name.

Using social engineering, the attacker persuades the user to launch QuickAssist, thereby granting remote access to the device under the guise of a legitimate support request.

Within approximately ten minutes of the session, the victim is redirected to a fake verification page hosted at ciscocyber[.]com/verify.php, which delivers a malicious file named “updater.exe” disguised as a harmless software updater...