Cyber criminals continue to evolve their methods, and their latest tactic targets everyday business software users. According to a recent report from The Register, the Rhysida ransomware gang has launched a malicious advertising campaign, posing as official Microsoft Teams download links on search engines.
Source article: The Register, "Ransomware gang runs ads for Microsoft Teams to pwn victims", October 31, 2025
https://www.theregister.com/2025/10/31/rhysida_abuses_fake_teams_ads/
When users search for Microsoft Teams, they may see what looks like a legitimate ad at the top of the search results. Clicking on that ad sends them to a fake Microsoft download page. Once there, victims unknowingly download a malware loader known as OysterLoader, also referred to as Broomstick or CleanUpLoader.
This loader is digitally signed and packed to bypass antivirus and traditional detection tools. Once it runs, it can drop ransomware, steal credentials and grant remote access to attackers. By the time security software recognizes unusual activity, it may already be too late.
This campaign shows how threat actors are weaponizing advertising channels, trusted digital certificates and believable user experiences. The fake Teams page looks real. The file appears legitimate. The malware loads quietly. Detection engines struggle because the attack uses trusted certificates and does not behave suspiciously until after initial execution.
Traditional detection-focused security tools often do not fail because they never see the threat. They fail because they see it too late.
Why Detect and Respond Is No Longer Enough
For years, cybersecurity has leaned on a detect and respond model. Tools look for suspicious actions or known signatures, then attempt to stop malicious behavior once it has already begun.
But attacks like this Microsoft Teams malvertising campaign expose the weakness of that strategy. If malware can execute before being detected, it can:
- Install persistence
- Escalate privileges
- Move laterally
- Encrypt data
- Exfiltrate sensitive information
By the time a response triggers, the business impact has already occurred. Detect and respond is fundamentally reactive. Modern adversaries are bypassing detection faster, quieter and more convincingly.
Businesses need a stronger baseline: stop the execution path, not just chase alerts.
Isolation and Containment: A Needed Shift
Instead of trying to spot and stop malicious activity after it begins, a better strategy is to prevent untrusted code from doing anything harmful at all.
This is where isolation and containment change the game. Rather than identifying malware, isolation prevents unknown processes from interacting with protected system components or spreading.
If an untrusted process does launch, it is contained immediately. It cannot move, inject, escalate or harm the system. The malicious loader simply fails to execute its mission.
This prevents damage without needing to recognize the threat first.
Why AppGuard is the Solution
AppGuard is built on isolation and containment principles. It does not depend on signatures or detection logic. It blocks malicious behavior at the kernel level before it can act.
Benefits include:
- Prevents execution paths used by ransomware and loaders
- Stops unknown and zero-day malware
- Contains untrusted processes instantly
- Works alongside existing security tools
- Proven stable and effective for more than 10 years in government and defense environments
- Now available commercially for businesses of all sizes
If a user clicked on the fake Teams ad in this Rhysida attack scenario, AppGuard would have blocked the untrusted installer and contained it instantly. The malware would never gain a foothold.
This is the level of protection modern businesses require.
What Business Leaders Should Do Now
- Review your current security approach
- Determine if your environment relies primarily on detect and respond tools
- Implement isolation and containment to reduce risk
- Layer AppGuard to immediately harden endpoints
- Train users, but assume human error will happen and build controls that neutralize it
Attackers are getting smarter, faster and more deceptive. Your defenses must evolve too.
Final Thoughts and Call to Action
The fake Microsoft Teams ad campaign used by Rhysida is a clear example of cyber criminals outsmarting traditional defensive systems. They do not need to break through firewalls or trick phishing filters when they can buy a convincing search ad and sign their code.
Detection alone is no longer enough. Businesses must embrace isolation and containment to prevent attacks before they execute.
AppGuard delivers exactly that. It has more than ten years of proven success in the most demanding security environments and is now accessible to commercial businesses.
If you are a business owner or IT leader, talk with us at CHIPS about how AppGuard can prevent attacks like this and protect your organization. It is time to move from detect and respond to isolation and containment. We can help you get there.
November 9, 2025