Microsoft is warning enterprises about a growing attack pattern where threat actors impersonate IT helpdesk staff via external Microsoft Teams chats to trick employees into granting remote access. The nine-stage attack chain involves convincing targets to start a Quick Assist session, followed by reconnaissance using Command Prompt and PowerShell, DLL side-loading through trusted signed applications, C2 communication over HTTPS, lateral movement via WinRM, and targeted data exfiltration using Rclone to external cloud storage. Microsoft recommends treating external Teams contacts as untrusted, restricting remote assistance tools, and limiting WinRM usage.
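As an added illustration of the detection side of that chain (example code, not from Microsoft's advisory), the Python below correlates constructed Sysmon-style process events: a Quick Assist launch followed by a cmd/PowerShell start on the same host within a time window, escalated when rclone.exe runs afterwards. The sample events, host names and the two-hour window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from collections import defaultdict

@dataclass
class ProcEvent:  # one process-creation record (Sysmon event 1 style, names lower-cased)
    ts: datetime
    host: str
    image: str
    parent: str
    cmdline: str

def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)

# Constructed sample telemetry (not real logs): ws01 follows the chain in the text,
# ws02 is a support session with an unrelated PowerShell run hours later.
SAMPLE_EVENTS = [
    ProcEvent(_t("2024-06-03T09:01:00"), "ws01", "quickassist.exe", "explorer.exe", "QuickAssist.exe"),
    ProcEvent(_t("2024-06-03T09:04:00"), "ws01", "cmd.exe", "explorer.exe", "cmd.exe /c whoami /all"),
    ProcEvent(_t("2024-06-03T09:05:00"), "ws01", "powershell.exe", "cmd.exe", "powershell -c Get-ADComputer -Filter *"),
    ProcEvent(_t("2024-06-03T09:40:00"), "ws01", "rclone.exe", "cmd.exe", "rclone copy C:\\Finance remote:bucket"),
    ProcEvent(_t("2024-06-03T10:00:00"), "ws02", "quickassist.exe", "explorer.exe", "QuickAssist.exe"),
    ProcEvent(_t("2024-06-03T13:30:00"), "ws02", "powershell.exe", "explorer.exe", "powershell -c Get-Process"),
]
SHELLS = {"cmd.exe", "powershell.exe"}

def detect_quick_assist_chain(events, window=timedelta(hours=2)):
    """Flag hosts where a shell starts within `window` of a Quick Assist launch, and
    raise severity if rclone.exe also runs afterwards. The remote helper drives the
    keyboard, so the shell's parent is usually explorer.exe, not quickassist.exe;
    correlate on host and time, not on the parent process."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)
    findings = []
    for host, evs in by_host.items():
        for i, qa in enumerate(evs):
            if qa.image != "quickassist.exe":
                continue
            later = [e for e in evs[i + 1:] if e.ts - qa.ts <= window]
            shell = next((e for e in later if e.image in SHELLS), None)
            if shell is None:
                continue  # plain support session: no interactive shell during the window
            exfil = next((e for e in later if e.image == "rclone.exe" and e.ts > shell.ts), None)
            stages = ["quick_assist", "recon_shell"] + (["rclone_exfil"] if exfil else [])
            findings.append({"host": host, "stages": stages, "first_cmd": shell.cmdline,
                             "severity": "high" if exfil else "medium"})
    return findings
```

Running `detect_quick_assist_chain(SAMPLE_EVENTS)` yields one high-severity finding for ws01 and nothing for ws02, whose PowerShell run falls outside the window.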