Deception at the Door: North Korean Hackers Masquerade as Microsoft Teams in New Attack Wave
Cybercriminals are leveraging fake Microsoft Teams domains and cunning social engineering to breach business defenses worldwide.
When an urgent Teams meeting request pings your inbox, would you pause before clicking? For hundreds of professionals across the globe, that hesitation could mean the difference between safety and a silent cyber intrusion. In a sophisticated new campaign, North Korean hackers have donned the digital mask of Microsoft Teams, luring unsuspecting victims into a web of deception that blends seamlessly into everyday business communications.
The campaign, attributed to the financially motivated UNC1069 group, marks a chilling evolution in the art of social engineering. Rather than blasting out generic phishing emails, these attackers are weaving themselves into the fabric of professional life - reviving old LinkedIn or Telegram chats, sending polished partnership proposals, and even scheduling meetings through legitimate services like Calendly. Each step is calculated to disarm suspicion.
At the heart of the operation is the malicious domain onlivemeet[.]com, which hosts a near-perfect clone of the Microsoft Teams meeting interface. Victims are ushered to convincing meeting pages where they’re confronted with an urgent message: the “TeamsFx SDK” is deprecated and needs immediate updating. The offered download, however, carries a Remote Access Trojan, granting the attackers a backdoor into the victim’s system. From there, they can steal sensitive data, monitor activity, or pivot to further attacks - all under the radar.
What makes this campaign particularly insidious is its exploitation of trust. By infiltrating familiar communication channels and leveraging widely used collaboration tools, UNC1069 dramatically increases the odds of success. Even tech-savvy professionals can be fooled by the seamless blending of real and fake digital environments.
Security researchers warn that traditional defenses may not catch these attacks, because the lures arrive through several “trusted” touchpoints that an email gateway never inspects (a revived LinkedIn or Telegram chat, a Calendly booking) and the malicious site is only reached at the end of that chain. Their advice: scrutinize every link, especially those shared through chat apps or meeting invitations; verify unexpected meeting requests through a secondary channel; and treat any software update prompt with skepticism unless it comes directly from a known vendor platform, never from a meeting page.
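The link-scrutiny advice above, and the lookalike-domain plus fake-update lure described earlier, can be turned into a small triage routine. The following is an added example written for this page, not code from the article, the researchers, or Microsoft. It parses each meeting link, checks the host against an allowlist of legitimate Teams hostnames (the allowlist is an assumption; confirm it against your own tenant before relying on it), flags the known indicator from this campaign, flags installer-style downloads served from a "meeting page", and falls back to a brand-token heuristic for hostnames that merely look like Teams. It then runs the same check over a few constructed proxy-log lines (not real traffic).

```python
"""Triage of meeting links and proxy-log lines for Teams lookalike domains.

Added example for this article, not vendor or researcher tooling.
Assumptions: the trusted-host allowlist below, the log line format
"<timestamp> <user> <method> <url>", and the constructed sample log.
"""
from urllib.parse import urlparse

# Assumed allowlist of hosts that legitimately serve Teams meeting pages.
# Verify against your tenant; subdomains of these hosts are also trusted.
TRUSTED_TEAMS_HOSTS = {"teams.microsoft.com", "teams.live.com", "teams.cloud.microsoft"}

# Indicator named in the article (defanged there as onlivemeet[.]com).
KNOWN_BAD_HOSTS = {"onlivemeet.com"}

# Brand tokens an impersonator is likely to embed in a lookalike hostname.
# Substring matching is deliberately noisy; tune or extend the allowlist.
BRAND_TOKENS = ("teams", "microsoft", "msteams", "office", "live")

# A meeting page has no business handing out these; the TeamsFx "update"
# lure is exactly this pattern.
INSTALLER_EXTS = (".exe", ".msi", ".dmg", ".pkg", ".zip", ".js", ".vbs")


def _is_subdomain_of(host: str, parent: str) -> bool:
    """True for parent itself and for any label beneath it (not for lookalikes
    that merely end in the same characters, e.g. 'notteams.microsoft.com')."""
    return host == parent or host.endswith("." + parent)


def classify_meeting_link(url: str) -> str:
    """Return one of 'trusted', 'known-bad', 'installer', 'lookalike', 'unknown'.

    Precedence: an allowlisted host wins; then a known indicator; then a
    download of an installer from anywhere else; then a Teams-looking host
    or a Teams-style join path on a host that is not allowlisted.
    """
    parsed = urlparse(url.replace("[.]", "."))  # refang defanged IOCs
    host = (parsed.hostname or "").lower().rstrip(".")
    path = parsed.path.lower()
    if not host:
        return "unknown"  # unparsable input: report, do not guess
    if any(_is_subdomain_of(host, h) for h in TRUSTED_TEAMS_HOSTS):
        return "trusted"
    if any(_is_subdomain_of(host, h) for h in KNOWN_BAD_HOSTS):
        return "known-bad"
    if path.endswith(INSTALLER_EXTS):
        return "installer"
    if any(tok in host for tok in BRAND_TOKENS) or "/meetup-join/" in path:
        return "lookalike"
    return "unknown"


# Constructed proxy log (not real traffic): timestamp user method url.
SAMPLE_PROXY_LOG = """\
2024-01-01T09:00:01Z alice GET https://teams.microsoft.com/l/meetup-join/19%3ameeting_abc
2024-01-01T09:02:13Z bob GET https://onlivemeet.com/meet/partnership-call
2024-01-01T09:02:40Z bob GET https://onlivemeet.com/update/TeamsFx-SDK-Update.zip
2024-01-01T09:05:09Z carol GET https://teams-microsoft-meetings.example/join
2024-01-01T09:07:55Z dave GET https://calendly.com/someone/30min
"""


def scan_proxy_log(log_text: str) -> list:
    """Return (user, url, verdict) for every line worth an analyst's attention.

    Trusted and unknown verdicts are dropped; malformed lines are skipped
    rather than allowed to abort the whole sweep.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        user, url = parts[1], parts[3]
        verdict = classify_meeting_link(url)
        if verdict not in ("trusted", "unknown"):
            hits.append((user, url, verdict))
    return hits


if __name__ == "__main__":
    for user, url, verdict in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{verdict:10} {user:6} {url}")
```

In the sample log, alice's genuine Teams join link is trusted, both of bob's requests to the campaign domain are reported as known-bad (the second one is the fake SDK "update" download), carol's visit to a hostname built from Teams brand tokens is reported as a lookalike, and dave's Calendly booking is left alone. The brand-token fallback will also flag legitimate Microsoft properties that are not Teams (anything under live.com, for instance), which is the intended bias: a false positive here costs an analyst a glance, a false negative costs a RAT on an endpoint.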
As cybercriminals continue to refine their methods, the battle for digital trust grows ever more complex. In this new era, vigilance is not just for IT departments, but for every professional navigating the interconnected world of remote work. The next Teams invite you receive could be more than just another meeting - it could be a hacker at your virtual doorstep.
WIKICROOK
- Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
- Social Engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
- Domain Spoofing: Domain spoofing is when attackers register or forge domains and email addresses that closely resemble real ones (as onlivemeet[.]com imitates Microsoft Teams) to deceive users and steal sensitive information.
- Payload: A payload is the harmful part of a cyberattack, like a virus or spyware, delivered through malicious emails or files when a victim interacts with them.