At 9:14 a.m., someone on the finance team got a Teams call from "IT Support."
Nothing about it looked wrong. The caller knew the company's name, referenced a recent password policy change, and asked for a few minutes to fix a "sync issue" on the employee's laptop. He suggested AnyDesk, a legitimate remote-access tool, the same one the real IT team used the month before. The employee let him in.
Within minutes, EtherRAT was installed. No exploit. No malicious attachment. Just a phone call and a tool everyone already trusted.
This is the campaign BleepingComputer reported on July 8: threat actors impersonating IT support over Microsoft Teams, using phishing emails to set up the call, legitimate remote-access software (RustDesk, AnyDesk) to get in, and a Node.js-based payload once they were inside. It's multi-stage, it's patient, and it doesn't trip a single technical control.
The moment this could have been stopped
There was no malicious link to hover over, no spoofed domain to spot. The decision point was entirely human: an employee decided a voice on a Teams call was who it claimed to be, and decided remote-access software was a normal ask.
That's a recognizable pattern: help desk impersonation, urgency, a plausible technical justification. But only if someone has actually seen this before. Most employees haven't. They’ve watched a generic training video about voice phishing, at best.
Why the static library missed it
Legacy security awareness training runs on a content calendar, not a threat feed. Modules get written, reviewed, and scheduled months in advance, then reused for a year or more. They cover suspicious links and password resets, the attacks of a few years ago, because that's what was in the library when it shipped.
Teams-based IT impersonation combined with legitimate remote-access tools is a 2026 problem. A library built on a 2023 threat model has nothing to say about it, and by the time a new module works its way through review and gets added to the rotation, the campaign it was written for has already moved on to the next pretext.
The gap isn't effort. It's speed. The threat updates in real time. Static training doesn't.
From headline to trained workforce, the same day
Frame closes that gap by generating training directly from the threat itself, not from a pre-built library. Here's what that looks like for an attack like this one.
1. Open the threat. The article shows up in Frame's Industry News feed the moment it breaks. A security team member clicks it, no rewriting, no summarizing required.

2. Pick a format. Training Module, Simulation, or Tip. Frame builds the first draft from the article itself: the actual mechanics of the Teams call, the remote-access tool, the malware. Not a generic "social engineering" placeholder.
3. Make it yours. Edit the subject line, audience, and details, add org-specific context, or upload your policies. The real remote-access tools your IT team actually uses, the language your help desk actually uses when they call.

4. Set the style. Choose a theme and tone, or keep the default, then click Create Module.

5. Generate in minutes. Frame produces the training or simulation in under five minutes, built around the organization it's going to, not pulled off a shelf.
6. Review the video. Edit it if needed. Most customers don't. 99% ship the generated content unchanged, because it was already built around their org and their target audience.
7. Launch. Send the campaign to the relevant teams, in this case finance, and anyone else with network access and standing help desk contact. The loop from headline to trained workforce closes the same day.

TL;DR
- Attackers impersonated IT support over Microsoft Teams, used legitimate remote-access tools, and dropped EtherRAT malware. No exploit, no suspicious link, just a convincing phone call.
- Static training libraries can't keep pace with a threat like this because they're built months ahead of the attacks they're supposed to cover.
- Frame turns the same-day headline into a training module or simulation, built around your organization, in under five minutes, so employees are trained on the attack hitting them today, not the one from last quarter's library refresh.
See Frame build a simulation or training around your own organization, live. Schedule a demo now.


