Cyberattacks aren’t just coming through email anymore. In July 2025, hackers used Microsoft Teams calls to impersonate IT support, trick employees into granting remote access, and install Matanbuchus 3.0 — a stealthy malware loader that can deliver ransomware, spyware, or other dangerous payloads.
This wasn’t a problem with Microsoft itself; it was a sophisticated form of VISHING (Voice Phishing). Attackers are now exploiting the trust people place in phone calls and collaboration platforms, just as they’ve done for years with phishing emails.
What Is Matanbuchus 3.0?
Matanbuchus is a malware loader. It doesn’t steal data directly; it sneaks in and sets the stage for bigger attacks. Once active, it can download ransomware, establish command-and-control channels, or quietly steal sensitive information. The 3.0 version is especially dangerous because it’s now spreading through collaboration platforms, where most organizations assume they’re safe (like Teams calls or shared drives).
How the Attack Happened
According to TechRadar’s coverage, attackers posed as IT support during Teams calls. They convinced employees to use Microsoft Quick Assist, then silently installed Matanbuchus 3.0. From there, the malware was ready to deliver whatever payload the attackers wanted, from ransomware to data theft.
This worked because it bypassed traditional defenses. No suspicious email. No sketchy attachment. Just a phone call through a trusted collaboration tool — the perfect setup for VISHING.
Why This Matters
The danger lies in assumed trust. Employees are conditioned to trust Teams call or a request from “IT”. But this incident proves attackers don’t need email anymore. Whether it’s a phone call, a Teams message, or a file share, anything can be turned against you. You must always be careful with both email and now phone calls from people you THINK you can trust.
This is the evolution of phishing: VISHING. The attackers sound credible, use familiar tools, and pressure employees to act quickly; the same tactics as email phishing, just through a different channel.
What Organizations Can Do
Defending against vishing and related attacks requires expanding the way we think about the “attack surface”:
- Extend protection to collaboration tools. Enable Microsoft 365 security features like Safe Links and Safe Attachments in Teams and SharePoint.
- Use strong authentication. Multi-factor authentication should be enforced everywhere, limiting the damage if credentials are compromised.
- Train employees for vishing. Staff must be coached to question unexpected IT requests, Quick Assist prompts, or suspicious phone calls — even if they appear to come through trusted platforms.
- Expand monitoring. Security teams should extend visibility into Teams, SharePoint, and other collaboration apps with tools like Defender for Office 365.
Don’t Wait Until It’s Too Late
The Matanbuchus 3.0 attack proves that the most trusted tools in your environment are now prime targets. If your defenses stop at email, you’re already behind.
At BW Cyber, we help organizations close these gaps, from configuring Microsoft 365 protections, to monitoring collaboration apps, to preparing response plans for attacks like this one. Because attackers aren’t waiting in your inbox anymore. They call you.
Michael Brice
President
BW Cyber, LLC
