Fake Zoom and Teams meetings use stolen certificates to deliver malware
Farah Amod
March 20, 2026
Attackers are abusing compromised code signing certificates and fake software updates to install remote access tools inside corporate networks.
What happened
A phishing campaign identified by the Microsoft Defender Security Research Team is spreading malware through fake meeting invitations for Zoom and Microsoft Teams that redirect victims to fraudulent software update websites. According to reporting from Hackread, attackers used compromised digital certificates issued to TrustConnect Software PTY LTD to sign malicious files so that operating systems treat them as legitimate software. The campaign, which began around February 2026, tricks users with fake update prompts for applications such as Zoom, Microsoft Teams, and Adobe Reader. Victims who click links in phishing emails or blurred document attachments are taken to websites that imitate official download pages and are urged to install a “required” update. The downloaded files, often named like real programs such as msteams.exe or adobereader.exe, instead install malware that allows attackers to maintain ongoing access to corporate systems.
Going deeper
The campaign uses multiple techniques to maintain access after the initial infection. Attackers use stolen Extended Validation (EV) certificates, which are trusted digital signatures normally used to verify legitimate software, allowing the malicious files to avoid many security warnings. Once executed, the files act as loaders that install remote management tools such as ScreenConnect and MeshAgent. These tools are commonly used by IT teams for remote support. In this case, they were abused to create persistent backdoors that allow attackers to keep remote access even if part of the malware is removed. Additional encoded PowerShell commands quietly download more tools, enabling attackers to move through the network, steal login credentials, or deploy ransomware after gaining control.
What was said
A senior authority discussed the risks of certificate abuse in comments published by Hackread on March 4, 2026. He explained that when software carries a valid code signing certificate and the certificate chain is verified, meaning the signature traces back to trusted certificate authorities, the file is typically treated as legitimate. However, he warned that attackers increasingly steal signing keys or compromise software build pipelines, allowing malicious code to appear properly signed. He said, “If the code signing signature is verified and the certificate chain checked out, the software or document is assumed to be trustworthy. That assumption no longer holds in a world where attackers routinely steal signing keys and compromise build pipelines.” He added that a valid signature still indicates where software originated but should not be treated as proof that it is safe, noting that “security teams must treat it as a single data point within a broader behavioral profile.”
In the know
In related activity, a surge in phishing campaigns is targeting corporate employees using fake meeting invitations that impersonate popular video platforms such as Zoom, Microsoft Teams, and Google Meet. According to CyberPress, the emails urge recipients to join urgent meetings and direct them to convincing phishing pages designed to mimic real conferencing interfaces with fake participant lists that appear to update live. When users attempt to join, they are told their application is outdated and must install an update, which downloads a file from lookalike domains such as zoom-meet.us disguised as legitimate meeting software. Attackers have also abused real Microsoft Teams guest invitations to send fake billing alerts from legitimate notification emails, prompting victims to call attacker-controlled phone numbers and shifting the attack into voice phishing, a tactic that can bypass traditional email security controls.
The big picture
The activity points to growing security risks linked to widely used collaboration platforms such as Zoom, Microsoft Teams, and Google Meet, which have become core workplace communication tools. Research from Metrigy, cited by TechTarget, found that 41% of organizations rely on multiple meeting platforms, increasing daily collaboration activity, while a report referenced by Forbes noted that large enterprises generate hundreds of millions of collaboration messages each year, creating constant streams of trusted meeting invitations and notifications. Analysts say attackers are disguising access requests as routine meeting updates instead of sending traditional malware, a tactic supported by findings from Paubox showing that misconfigurations and trusted communication platforms can enable breaches, placing greater pressure on organizations to verify identities, train users, and monitor remote access activity rather than relying only on file-based threat detection.
FAQs
What is a code signing certificate?
A code signing certificate is a digital signature used to verify the publisher of software and confirm that the code has not been altered since it was signed.
Why are attackers stealing certificates?
Stolen certificates allow malicious files to appear trustworthy to operating systems and security tools, reducing warnings and increasing the likelihood that users will execute them.
What are Remote Monitoring and Management tools?
Remote Monitoring and Management tools are legitimate administrative programs that allow IT teams to access and manage systems remotely. However, attackers can misuse them to maintain hidden access inside networks.
Why are fake meeting invitations effective phishing lures?
Meeting invitations appear routine in many workplaces and often prompt users to open links quickly, making them an effective social engineering tactic.
How can organizations reduce the risk from this type of attack?
Organizations can monitor for unusual software installations, restrict execution of unsigned or newly signed binaries, verify update sources, and deploy behavioral detection tools that identify suspicious remote access activity.
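The advice to treat a valid signature as a single data point alongside behavior can be written as detection logic over process-creation records. This is an added example, not code from Microsoft, Hackread or Paubox; the event field names, the expected-publisher table and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from ntpath import basename  # splits Windows paths on any host OS
# Assumption: the publisher each lure file name (names from the article) should carry.
EXPECTED_SIGNER = {"msteams.exe": "Microsoft Corporation", "adobereader.exe": "Adobe Inc."}
RMM_MARKERS = ("screenconnect", "meshagent")  # tools named in the article
ENCODED_ARG = re.compile(r"\s-(e|ec|en\w*)\s+[A-Za-z0-9+/=]{16,}", re.I)

def descendants(events, root_pid):
    """Yield every process event spawned, directly or indirectly, by root_pid."""
    kids = defaultdict(list)
    for ev in events:
        kids[ev["ppid"]].append(ev)
    queue, seen = list(kids[root_pid]), {root_pid}
    while queue:
        ev = queue.pop(0)
        if ev["pid"] not in seen:  # guard against pid loops in messy telemetry
            seen.add(ev["pid"])
            yield ev
            queue.extend(kids[ev["pid"]])

def assess(events):
    """Findings per update-named binary; a valid chain is one data point, not a verdict."""
    report = {}
    for ev in events:
        expected = EXPECTED_SIGNER.get(basename(ev["image"]).lower())
        if expected is None:
            continue
        reasons = []
        if ev["signer"] != expected:
            reasons.append("valid-chain-unexpected-publisher" if ev["sig_valid"]
                           else "unsigned-or-invalid")
        for child in descendants(events, ev["pid"]):
            name = basename(child["image"]).lower()
            reasons += [f"rmm:{m}" for m in RMM_MARKERS if m in name]
            if name in ("powershell.exe", "pwsh.exe") and ENCODED_ARG.search(child.get("cmd", "")):
                reasons.append("encoded-powershell")
        report[ev["pid"]] = reasons
    return report

# Constructed sample telemetry; field names are hypothetical, not a product schema.
SAMPLE = [
    {"pid": 100, "ppid": 50, "image": r"C:\Users\a\Downloads\msteams.exe",
     "signer": "TrustConnect Software PTY LTD", "sig_valid": True},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\Temp\MeshAgent.exe"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\powershell.exe",
     "cmd": "powershell.exe -enc VwByAGkAdABlAC0ASABvAHMAdAA="},
    {"pid": 200, "ppid": 4, "image": r"C:\Program Files\Teams\msteams.exe",
     "signer": "Microsoft Corporation", "sig_valid": True},
]
```

Calling `assess(SAMPLE)` flags process 100 on three independent signals even though its signature verifies, and returns no findings for process 200, which carries the expected publisher and spawns nothing.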
