A voice-phishing campaign is using Microsoft Teams calls and Windows Quick Assist to gain remote access to corporate endpoints and deploy Nimbus RAT, a Java-based trojan that uses Google Drive for command and control. First observed in April 2026, the campaign shows how attackers chain trusted Microsoft tools and cloud services so that almost no component of the intrusion looks malicious on its own.

The attack chain begins with an unsolicited Teams voice call (vishing) in which the threat actor impersonates IT support or a partner organization. The caller claims there is an urgent security issue or account problem and persuades the victim to open Quick Assist, a legitimate Windows remote assistance tool designed for troubleshooting, and enter the attacker's security code.

Once the Quick Assist connection is active and the victim has approved the control request, the attacker takes control of the victim's desktop. They then navigate to a compromised SharePoint tenant and download a malicious Java Archive (JAR) containing Nimbus RAT. After execution, the malware establishes persistence and starts communicating with its operators through Google Drive, using shared files and folders as a dead-drop command-and-control (C2) mechanism.

Attack Chain: Step by Step

Initial Contact via Teams Vishing

The campaign leverages Microsoft Teams’ external federation capabilities, which allow users from different organizations to chat and call. The attacker either compromises a legitimate Teams account or creates a new tenant with a seemingly trustworthy name. They then cold-call employees, often spoofing helpdesk or vendor identities, and use high-pressure social engineering to convince the target that an immediate remote support session is needed.

Because the call originates from within Teams, a platform employees trust, and the voice interaction adds a layer of authenticity, victims frequently comply. The attacker generates a Quick Assist security code on their own machine and reads it out; the victim enters it, approves screen sharing, and then approves the attacker's request to take control.

Quick Assist Remote Takeover

Windows Quick Assist, built into Windows 10 and 11, enables a helper to view or control another user's PC. Neither side needs to install additional software, making it an ideal tool for legitimate support, and for attackers. Once the sharer approves a control request, the helper has full keyboard and mouse control and can see everything on the victim's desktop, including any multi-factor authentication prompts that pop up.

During the session, the attacker typically opens a PowerShell or Command Prompt window and enters commands to download the payload. They may navigate to a compromised SharePoint Online site that hosts the malicious JAR file. SharePoint is a common cloud storage platform in enterprises; its URLs are often allowed by proxy and firewall policies, and downloads from it are less likely to trigger security warnings.

Payload Delivery: Nimbus RAT

Nimbus RAT is written in Java, so the same JAR runs on any host with a Java runtime installed. The JAR file is executed via a command like java -jar nimbus.jar. Because Java is widely used in business environments, the presence of a Java process is not inherently suspicious. Upon execution, Nimbus RAT performs several actions:
- Creates registry or scheduled task persistence.
- Drops a legitimate-looking decoy file to avoid suspicion.
- Authenticates to Google Drive with an embedded OAuth2 credential (a service-account key) and locates the specific folder or file it will use for tasking.

Command & Control via Google Drive

Once connected, the malware uses Google Drive as its C2 infrastructure. Instead of connecting to a traditional attacker-owned server, it reads from and writes to Google Drive files. The operators control the bot by uploading command files to a folder shared with the malware’s service account. The malware periodically checks for new commands, executes them, and uploads the results.

This technique benefits from:
- Blending with normal traffic: Organizations cannot simply block Google Drive without impacting business.
- Resilience: Harder to take down compared to static IP-based C2.
- Encryption: All traffic is HTTPS to Google's infrastructure. Even where TLS inspection is in place, the decrypted requests are ordinary Drive API calls, and Google domains are frequently exempted from inspection altogether.

Commands can include:
- Download additional malware
- Upload stolen files (credential dumps, documents)
- Record keystrokes
- Take screenshots
- Execute shell commands
- Spread laterally via network shares
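The dead-drop loop above, as a toy model added here to illustrate the mechanism. This is not Nimbus RAT's code or protocol: the task and result file names, the JSON layout and the two deliberately harmless actions are assumptions for the example. FakeDrive is an in-memory stand-in for a shared Drive folder that records the Drive v3 REST calls each step would generate, so a defender can see what a proxy log of this traffic looks like; nothing here contacts Google.

```python
"""Toy model of a Google Drive dead-drop C2 loop (added illustration, not the
RAT's protocol). FakeDrive stands in for a shared folder and logs the Drive v3
calls a proxy would record. File names, JSON layout and actions are assumptions."""
import itertools
import json
import platform


class FakeDrive:
    """In-memory 'shared folder' plus a log of (method, path) as a proxy would see them."""

    def __init__(self):
        self.files = {}                    # file_id -> {"name", "modifiedTime", "content"}
        self.calls = []                    # Drive API calls in order
        self._ids = itertools.count(1000)
        self._clock = itertools.count(1)   # stand-in for modifiedTime ordering

    def list(self, name_prefix, newer_than=0):
        # files.list with a name filter; the implant uses modifiedTime to skip old tasks
        self.calls.append(("GET", f"/drive/v3/files?q=name contains '{name_prefix}'"))
        hits = [(f["modifiedTime"], fid) for fid, f in self.files.items()
                if f["name"].startswith(name_prefix) and f["modifiedTime"] > newer_than]
        return [fid for _, fid in sorted(hits)]

    def get(self, fid):
        # files.get with alt=media downloads the file body
        self.calls.append(("GET", f"/drive/v3/files/{fid}?alt=media"))
        return self.files[fid]

    def upload(self, name, content):
        # multipart upload creates a new file in the shared folder
        self.calls.append(("POST", "/upload/drive/v3/files?uploadType=multipart"))
        fid = str(next(self._ids))
        self.files[fid] = {"name": name, "modifiedTime": next(self._clock), "content": content}
        return fid


def operator_post_task(drive, task_id, action, arg=""):
    """Operator side: drop a task file into the shared folder."""
    body = json.dumps({"id": task_id, "action": action, "arg": arg})
    return drive.upload(f"task_{task_id:04d}.json", body)


# Harmless stand-ins for a real command set (assumption for the example)
HANDLERS = {
    "echo": lambda arg: arg,
    "sysinfo": lambda arg: platform.platform(),
}


def implant_poll(drive, state):
    """Implant side, one beacon interval: list unseen task files, run each,
    upload one result file per task, and remember the newest task seen."""
    completed = []
    for fid in drive.list("task_", newer_than=state.get("last_seen", 0)):
        f = drive.get(fid)
        task = json.loads(f["content"])
        handler = HANDLERS.get(task["action"])
        output = handler(task["arg"]) if handler else f"unsupported action: {task['action']}"
        drive.upload(f"result_{task['id']:04d}.json",
                     json.dumps({"id": task["id"], "output": output}))
        state["last_seen"] = f["modifiedTime"]
        completed.append(task["id"])
    return completed


def operator_collect(drive):
    """Operator side: read back every result file as {task_id: output}."""
    results = {}
    for fid in drive.list("result_"):
        r = json.loads(drive.get(fid)["content"])
        results[r["id"]] = r["output"]
    return results


if __name__ == "__main__":
    drive, state = FakeDrive(), {}
    operator_post_task(drive, 1, "echo", "ping")
    operator_post_task(drive, 2, "sysinfo")
    print("implant ran tasks:", implant_poll(drive, state))
    print("idle beacon ran tasks:", implant_poll(drive, state))
    print("operator sees:", operator_collect(drive))
    for method, path in drive.calls:
        print(method, path)
```

The call log is the part worth studying: every beacon, even an idle one, produces a files.list request, and a tasked beacon adds a files.get and an upload. From a proxy's point of view that is a fixed-interval list/get/upload pattern against www.googleapis.com from a process that is not a browser, which is the shape a network detection for this technique should look for.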

The Role of Compromised SharePoint

The use of a compromised SharePoint tenant adds an additional layer of trust and stealth. Attackers may have gained access to a legitimate organization’s SharePoint environment through previous phishing or credential theft. They then upload the malicious JAR file, perhaps disguised as a document or a utility. Because the SharePoint domain (e.g., *.sharepoint.com) is trusted, security tools may not inspect the file as thoroughly.

Moreover, whether the JAR carries the "Mark of the Web" (the Zone.Identifier stream Windows uses to flag files that came from the internet) depends on how it was fetched: a browser download receives it, but a file pulled during the session with a command-line tool such as curl.exe does not. Either way, a JAR started with java -jar from a console is loaded by the Java runtime, which does not consult SmartScreen, so the reputation checks that would challenge an unknown .exe never run.

Detection and Response

Identifying such attacks can be challenging because almost every component is a legitimate tool. However, organizations can look for:
- Unexpected Quick Assist sessions: process creation of QuickAssist.exe (Sysmon Event ID 1 or Security Event ID 4688) and DNS or network activity to the Quick Assist relay at remoteassistance.support.services.microsoft.com, especially on hosts or at hours where the helpdesk does not use the tool.
- java -jar launched from cmd.exe or powershell.exe while a Quick Assist session is active, with the JAR in a user-writable location such as %TEMP%, Downloads or AppData.
- Network connections to Google API endpoints (www.googleapis.com for the Drive API, oauth2.googleapis.com for token requests) from non-browser processes, especially java.exe or javaw.exe.
- SharePoint download events from users who do not typically access that external SharePoint tenant.
- Teams call records showing inbound calls from external tenants, particularly ones created recently or never seen before.
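The endpoint side of those checks, as an added example that is not tooling from the original page. It correlates a QuickAssist.exe launch with any java -jar started afterwards on the same host by the same user and with connections from that Java process to googleapis.com, and scores the result. Events are Sysmon-shaped dictionaries (Event ID 1 for process creation, Event ID 3 for network connections); the sample events at the bottom, including host names, user names and the JAR path, are constructed for this example.

```python
"""Correlate QuickAssist.exe -> java -jar -> googleapis.com on one host/user.
Added example; the events below are constructed, not real telemetry."""
import re
from datetime import datetime, timedelta

SESSION_WINDOW = timedelta(hours=2)     # how long after QuickAssist.exe starts we keep correlating
JAVA_IMAGES = {"java.exe", "javaw.exe"}
# Hand-dropped JARs usually land somewhere the user can write to
USER_WRITABLE = re.compile(r"\\(AppData|Downloads|Desktop|Temp|ProgramData)\\", re.I)
# Drive API (www.googleapis.com) and token endpoint (oauth2.googleapis.com)
GOOGLE_API = re.compile(r"(^|\.)googleapis\.com$", re.I)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Return one alert per QuickAssist.exe launch, scored by what followed it
    on the same host for the same user within SESSION_WINDOW."""
    alerts = []
    for s in events:
        if s["EventID"] != 1 or _base(s["Image"]) != "quickassist.exe":
            continue
        start = _ts(s["UtcTime"])
        key = (s["Computer"], s["User"].lower())
        window = [e for e in events
                  if (e["Computer"], e["User"].lower()) == key
                  and start <= _ts(e["UtcTime"]) <= start + SESSION_WINDOW]
        reasons = [f"QuickAssist.exe started at {s['UtcTime']} (parent {_base(s['ParentImage'])})"]
        jar_pids = set()
        for e in window:
            if e["EventID"] == 1 and _base(e["Image"]) in JAVA_IMAGES and "-jar" in e["CommandLine"].lower():
                jar_pids.add(e["ProcessId"])
                where = "user-writable path" if USER_WRITABLE.search(e["CommandLine"]) else "path"
                reasons.append(f"java -jar from {where} via {_base(e['ParentImage'])}: {e['CommandLine']}")
        api_hits = [e for e in window
                    if e["EventID"] == 3 and e["ProcessId"] in jar_pids
                    and GOOGLE_API.search(e["DestinationHostname"])]
        for e in api_hits:
            reasons.append(f"pid {e['ProcessId']} -> {e['DestinationHostname']}:{e['DestinationPort']}")
        severity = "high" if api_hits else "medium" if jar_pids else "low"
        alerts.append({"computer": s["Computer"], "user": s["User"],
                       "severity": severity, "reasons": reasons})
    return alerts


SAMPLE_EVENTS = [  # constructed sample data
    {"EventID": 1, "UtcTime": "2026-04-14 09:12:33.120", "Computer": "WS-042", "User": "CORP\\jdoe",
     "ProcessId": 4410, "Image": "C:\\Windows\\System32\\QuickAssist.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "QuickAssist.exe"},
    {"EventID": 1, "UtcTime": "2026-04-14 09:20:10.500", "Computer": "WS-042", "User": "CORP\\jdoe",
     "ProcessId": 5001, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"},
    {"EventID": 1, "UtcTime": "2026-04-14 09:24:05.010", "Computer": "WS-042", "User": "CORP\\jdoe",
     "ProcessId": 5120, "Image": "C:\\Program Files\\Java\\bin\\java.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "java -jar C:\\Users\\jdoe\\AppData\\Local\\Temp\\sp-update.jar"},
    {"EventID": 3, "UtcTime": "2026-04-14 09:24:09.300", "Computer": "WS-042", "User": "CORP\\jdoe",
     "ProcessId": 5120, "Image": "C:\\Program Files\\Java\\bin\\java.exe",
     "DestinationHostname": "oauth2.googleapis.com", "DestinationPort": 443},
    {"EventID": 3, "UtcTime": "2026-04-14 09:24:11.800", "Computer": "WS-042", "User": "CORP\\jdoe",
     "ProcessId": 5120, "Image": "C:\\Program Files\\Java\\bin\\java.exe",
     "DestinationHostname": "www.googleapis.com", "DestinationPort": 443},
    # Benign: a Java app from Program Files with no Quick Assist session on that host
    {"EventID": 1, "UtcTime": "2026-04-14 10:02:00.000", "Computer": "WS-007", "User": "CORP\\asmith",
     "ProcessId": 7710, "Image": "C:\\Program Files\\Java\\bin\\java.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "java -jar \"C:\\Program Files\\Vendor\\tool.jar\""},
    # A Quick Assist session with nothing suspicious after it
    {"EventID": 1, "UtcTime": "2026-04-14 11:30:00.000", "Computer": "WS-099", "User": "CORP\\mlee",
     "ProcessId": 2211, "Image": "C:\\Windows\\System32\\QuickAssist.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "QuickAssist.exe"},
    # Same implant beaconing hours later: outside the window, so not attributed to the session
    {"EventID": 3, "UtcTime": "2026-04-14 13:00:00.000", "Computer": "WS-042", "User": "CORP\\jdoe",
     "ProcessId": 5120, "Image": "C:\\Program Files\\Java\\bin\\java.exe",
     "DestinationHostname": "www.googleapis.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["computer"], alert["user"])
        for r in alert["reasons"]:
            print("   ", r)
```

A low-severity alert on every Quick Assist launch is deliberate: on hosts where the helpdesk never uses the tool, the launch alone is worth a ticket, and the later java -jar and googleapis.com hits only raise the priority. The session window is a tuning knob; the last sample event shows that a beacon hours later is not attributed to the session, so a separate rule for persistent java.exe traffic to googleapis.com is still needed.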

Preventive measures:
- Remove or block Quick Assist where it is not needed (for example by uninstalling the App.Support.QuickAssist Windows capability or the MicrosoftCorporationII.QuickAssist Store package, or by blocking QuickAssist.exe with AppLocker or WDAC), and if the helpdesk relies on it, restrict it to the helpdesk's devices.
- Apply strict inbound Teams federation policies, limiting external communications to known partners.
- Use endpoint detection and response (EDR) solutions to monitor for Java execution with suspicious parameters.
- Educate employees: IT departments will never initiate an unsolicited Quick Assist session; always verify via an alternate channel.
- Implement Conditional Access: require compliant devices and multi-factor authentication for Teams access, and block sign-ins from high-risk users.

Broader Implications

This campaign underscores a growing trend: attackers are "living off the land" with built-in operating system tools and popular cloud services rather than custom infrastructure. By opening with a voice call, they add a human layer that awareness programs built around e-mail phishing are not prepared for. Its appearance in April 2026 continues a pattern of social-engineering-led intrusions against hybrid workforces that rely on Teams and remote support for day-to-day IT help.

Security researchers anticipate that copycat groups will adopt similar tactics, combining Teams, Zoom, or Slack phishing with remote access tools like Quick Assist, TeamViewer, or AnyDesk. The use of cloud C2—Google Drive, OneDrive, Dropbox—will continue to grow because it evades perimeter defenses designed for outgoing connections to unknown IPs.

Organizations must evolve their defense strategies to monitor not just malicious binaries, but also anomalous usage patterns of legitimate applications. Behavioral analytics, zero-trust architectures, and micro-segmentation can help limit the damage once an attacker gains a foothold.

Conclusion

The Nimbus RAT campaign is a textbook example of modern multi-stage attacks that weaponize trust. Starting with a compelling voice call over Teams, moving through a legitimate remote support tool, and finally deploying a stealthy Java backdoor that hides in Google Drive, it demonstrates how far threat actors will go to evade detection. As we move deeper into 2026, we can expect similar innovation, making it imperative for defenders to adapt their tooling and training to match these increasingly sophisticated threats.