Teams and Google Drive Leveraged to Compromise Systems Within 20 Minutes
ID: 918ffa20-50b3-53c8-a9cf-3aba46065488
STIX ID: report--918ffa20-50b3-53c8-a9cf-3aba46065488
Feed Name: cybersecurityNews.com
eSentire observed a fast-moving campaign in which attackers used email bombing and Microsoft Teams voice-phishing to socially engineer a user into granting remote control via Windows Quick Assist, then deployed the Java-based Nimbus RAT from a compromised Microsoft 365 tenant. Nimbus RAT uses legitimate cloud services (SharePoint for delivery and Google Drive/Sheets as C2) and includes credential-harvesting and modular remote-access capabilities, enabling stealthy, cross-tenant campaigns that are difficult to detect via traditional domain- or signature-based defenses.
