Threat actors have been exploiting Microsoft Teams and Quick Assist to remotely compromise systems as part of a new helpdesk impersonation campaign, Cyber Security News reports.

Attacks begin with an unsolicited Teams message purportedly from internal IT support staff, which lures targeted employees into disregarding built-in external contact alerts and permitting a Microsoft Quick Assist-based remote assistance session, according to Microsoft Defender Security Research analysts. Approving the session allows total control of the targeted device within a minute. The threat actors then execute reconnaissance commands for user privilege checking, host detail gathering, and network connectivity evaluation before launching a staged payload that leverages DLL side-loading for illicit code execution via trusted apps.

Attackers were also observed using Windows Remote Management to compromise domain controllers and other high-value targets, and using the Rclone tool to exfiltrate sensitive business data. Curtailing exposure to such an attack requires restricting Quick Assist and remote management tools, enabling Attack Surface Reduction rules and Windows Defender Application Control, and strengthening employee training.
Phishing, Threat Intelligence
Microsoft Teams, Quick Assist weaponized in helpdesk spoofing intrusions




