Cross‑tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook
Threat actors impersonate IT helpdesk via cross-tenant Microsoft Teams to social engineer remote access and exfiltrate
Summary
Attackers are abusing external Microsoft Teams collaboration to impersonate IT support staff and trick users into granting remote access via Quick Assist. Once inside, they leverage legitimate tools like WinRM and Rclone to move laterally, access domain controllers, and stage sensitive data for exfiltration while blending into routine IT activity. Microsoft Defender detects this attack chain across identity, endpoint, and collaboration telemetry.
Full text
Threat actors are initiating cross-tenant Microsoft Teams communications while impersonating IT or helpdesk personnel to socially engineer users into granting remote desktop access. After access is established through Quick Assist or similar remote support tools, attackers often execute trusted vendor-signed applications alongside attacker-supplied modules to enable malicious code execution. This access pathway might be used to perform credential-backed lateral movement using native administrative protocols such as Windows Remote Management (WinRM), allowing threat actors to pivot toward high-value assets including domain controllers. In observed intrusions, follow-on commercial remote management software and data transfer utilities such as Rclone were used to expand access across the enterprise environment and stage business-relevant information for transfer to external cloud storage. This intrusion chain relies heavily on legitimate applications and administrative protocols, allowing threat actors to blend into expected enterprise activity during multiple intrusion phases.

Threat actors are increasingly abusing external Microsoft Teams collaboration to impersonate IT or helpdesk personnel and convince users to grant remote assistance access. From this initial foothold, attackers can leverage trusted tools and native administrative protocols to move laterally across the enterprise and stage sensitive data for exfiltration, often blending into routine IT support activity throughout the intrusion lifecycle. Microsoft Defender provides correlated visibility across identity, endpoint, and collaboration telemetry to help detect and disrupt this user-initiated access pathway before it escalates into broader compromise.
Risk to enterprise environments

By abusing enterprise collaboration workflows instead of traditional email-based phishing channels, attackers may initiate contact through applications such as Microsoft Teams in a way that appears consistent with routine IT support interactions. While Teams includes built-in security features such as external-sender labeling and Accept/Block prompts, this attack chain relies on convincing users to bypass those warnings and voluntarily grant remote access through legitimate support tools. In observed intrusions, risk is introduced not by external messaging alone, but when a user approves follow-on actions, such as launching a remote assistance session, that result in interactive system access.

An approved external Teams interaction might enable threat actors to:
- Establish credential-backed interactive system access
- Deploy trusted applications to execute attacker-controlled code
- Pivot toward identity and domain infrastructure using WinRM
- Deploy commercially available remote management tooling
- Stage sensitive business-relevant data for transfer to external cloud infrastructure

In the campaign, lateral movement and follow-on tooling installation occurred shortly after initial access, increasing the risk of enterprise-wide persistence and targeted data exfiltration. Because each environment is different and access may be handed off between threat actors, the stages might differ or be skipped entirely.

Figure 1: Attack chain.

Attack chain overview

Stage 1: Initial contact via Teams (T1566.003 Spearphishing via Service)

The intrusion begins with abuse of external collaboration features in Microsoft Teams, where an attacker operating from a separate tenant initiates contact while impersonating internal support personnel as a means to social engineer the user.
Because interaction occurs within an enterprise collaboration platform rather than through traditional email-based phishing vectors, it might bypass the initial user skepticism associated with unsolicited external communication. Security features protecting Teams users are documented by Microsoft, for reference. It is important to note that this attack relies on users willfully ignoring or overlooking security notices and other protection features.

The lure varies and might include "Microsoft Security Update", "Spam Filter Update", or "Account Verification", but the objective is constant: convince the user to ignore warnings and external contact flags, launch a remote management session, and accept elevation. Voice phishing (vishing) is sometimes layered on to increase trust or compliance, when it does not replace the messaging altogether.

Timing matters. We regularly see a "ChatCreated" event indicating a first-contact situation, followed by suspicious chats or vishing, remote management, and other events that commonly produce alerts, including mailbombing or URL click alerts. All of these can be correlated by account and chat thread information in your Defender hunting environment.

Teams security warnings:

External Accept/Block screens provide notice to users about first-contact events and prompt the user to inspect the sender's identity before accepting:
Figure 2: External Accept/Block screens.

Higher-confidence warnings alert the user to spam or phishing attempts on first contact:
Figure 3: Spam or phishing alert.

External warnings notify users that they are communicating with a tenant/organization other than their own, which should be treated with scrutiny:
Figure 4: External warnings.

Message warnings alert the user to the risk of clicking the URL:
Figure 5: URL click warning.

Safe Links time-of-click protection warns users when URLs in Teams chat messages are malicious:
Figure 6: Time-of-click protection warning.
Zero-hour Auto Purge (ZAP) can remove messages that are flagged as malicious after they have been sent:
Figure 7: Malicious message removed by ZAP.

It is important to note that the attacker often does not send the URL over a Teams message. Instead, they navigate to it on the endpoint during the remote management session. Therefore, the best defense is user education on the importance of not ignoring external flags on new helpdesk contacts. See "User education" in the "Defend, harden, and educate (Controls to deploy now)" section for further advice.

Stage 2: Remote assistance foothold

With user consent obtained through social engineering, the attacker gains interactive control of the device using remote support tools such as Quick Assist. This access typically results in the launch of QuickAssist.exe, followed by the display of standard Windows elevation prompts through Consent.exe as the user is guided through the approval steps.
Figure 8: Quick Assist key logs.

From the user's perspective, the attacker convinces them to open Quick Assist, enter a short key, then follow all prompts and approvals to grant access.
Figure 9: Quick Assist launch.

This step is often completed in under a minute. The urgency and interactivity are the signal: a remote-assist process tree followed immediately by cmd.exe or PowerShell on the same desktop.

Stage 3: Interactive reconnaissance and access validation

Immediately after establishing control through Quick Assist, the attacker typically spends the first 30–120 seconds assessing their level of access and understanding the compromised environment. This is often reflected by a brief surge of cmd.exe activity, used to verify user context and privilege levels, gather basic system information such as host identity and operating system details, and confirm domain affiliation.
In parallel, the attacker might query registry values to determine OS build and edition, while also performing quick network reconnaissance to evaluate connectivity, reachability, and potential opportunities for lateral movement. Figure 10: Enumeration. On systems with limited privileges—such as kiosks, VDI, or non-corp-joined devices—actors might pause without deploying payloads, leaving only brief reconnaissance activity. They often return later when access improves or pivot to other
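The correlation described across Stages 1 to 3 (a cross-tenant ChatCreated first contact, a Quick Assist launch on the contacted user's device, then cmd.exe or PowerShell within roughly two minutes) can be written down as a small hunting routine. The Python below is an added example written for this page, not code from the original Microsoft post. The TeamsEvent and ProcessEvent shapes are simplified stand-ins rather than Defender's actual table schema, the two-hour look-back for the first contact and the reconnaissance keyword list are assumptions, and every sample event is constructed. In Defender advanced hunting the same join would be expressed in KQL over the collaboration and endpoint tables; this version runs offline over the embedded telemetry so the scoring logic can be inspected.

```python
"""Correlate an external Teams first contact with a Quick Assist session that is
immediately followed by interactive shell reconnaissance (Stages 1-3 of the post).

Added example for this page, not code from the original Microsoft post. The event
shapes are simplified stand-ins for Defender's Teams audit (ChatCreated) and endpoint
process telemetry; field names, the look-back marked as an assumption, the recon
keyword list and all sample events are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

RECON_WINDOW = timedelta(seconds=120)   # from the post: recon starts 30-120 s after the session
CONTACT_WINDOW = timedelta(hours=2)     # assumption: how far back to look for the first contact
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Stage 3 behaviours named in the post: user/privilege context, host and OS details,
# domain affiliation, registry build lookups, quick network reachability checks.
RECON_MARKERS = ("whoami", "hostname", "systeminfo", "nltest", "net user", "net group",
                 "reg query", "ipconfig", "ping", "test-netconnection")

@dataclass
class TeamsEvent:
    ts: datetime
    action: str      # e.g. "ChatCreated"
    account: str     # internal user who was contacted (UPN)
    external: bool   # initiating participant belongs to another tenant
    chat_id: str     # thread id, used to pivot back to the conversation

@dataclass
class ProcessEvent:
    ts: datetime
    device: str
    account: str     # normalised to the same UPN as the Teams events
    file_name: str
    cmdline: str

def remote_assist_sessions(procs):
    """Treat each QuickAssist.exe start as one remote-assist session."""
    return [p for p in procs if p.file_name.lower() == "quickassist.exe"]

def shells_after(session, procs, window=RECON_WINDOW):
    """Shells on the same device and account within the window after the session began."""
    return [p for p in procs
            if p.device == session.device and p.account == session.account
            and p.file_name.lower() in SHELLS
            and session.ts <= p.ts <= session.ts + window]

def recon_commands(shells):
    """Shells whose command line carries a Stage 3 reconnaissance marker."""
    return [p for p in shells if any(m in p.cmdline.lower() for m in RECON_MARKERS)]

def external_first_contacts(session, teams, window=CONTACT_WINDOW):
    """ChatCreated events from another tenant to the same user shortly before the session."""
    return [t for t in teams
            if t.account == session.account and t.action == "ChatCreated" and t.external
            and session.ts - window <= t.ts <= session.ts]

def hunt(teams, procs):
    """One finding per assist session followed by a shell, scored by how much corroborates it."""
    findings = []
    for s in remote_assist_sessions(procs):
        shells = shells_after(s, procs)
        if not shells:
            continue                  # assist session with no interactive shell: likely legitimate
        recon = recon_commands(shells)
        contacts = external_first_contacts(s, teams)
        # both corroborating signals -> high, one -> medium, shell alone -> low
        severity = {2: "high", 1: "medium"}.get(bool(recon) + bool(contacts), "low")
        findings.append({
            "device": s.device, "account": s.account, "session_start": s.ts,
            "seconds_to_first_shell": int((min(p.ts for p in shells) - s.ts).total_seconds()),
            "shell_count": len(shells), "recon_commands": len(recon),
            "chat_ids": [t.chat_id for t in contacts], "severity": severity,
        })
    return findings

T = datetime.fromisoformat
ALICE, BOB = "alice@contoso.example", "bob@contoso.example"
# Constructed sample telemetry: alice is contacted from an external tenant, launches
# Quick Assist seven minutes later and a recon burst follows; bob's session is benign.
SAMPLE_TEAMS = [
    TeamsEvent(T("2025-03-04T09:15:00"), "ChatCreated", ALICE, False, "19:int-chat-07"),
    TeamsEvent(T("2025-03-04T10:00:12"), "ChatCreated", ALICE, True, "19:ext-chat-01"),
    TeamsEvent(T("2025-03-04T10:40:00"), "ChatCreated", BOB, False, "19:int-chat-09"),
]
SAMPLE_PROCS = [
    ProcessEvent(T("2025-03-04T10:07:30"), "WS-042", ALICE, "QuickAssist.exe", "QuickAssist.exe"),
    ProcessEvent(T("2025-03-04T10:07:45"), "WS-042", ALICE, "consent.exe", "consent.exe 1234 0"),
    ProcessEvent(T("2025-03-04T10:08:05"), "WS-042", ALICE, "cmd.exe", "cmd.exe /c whoami /all"),
    ProcessEvent(T("2025-03-04T10:08:20"), "WS-042", ALICE, "cmd.exe", "cmd.exe /c nltest /dsgetdc:"),
    ProcessEvent(T("2025-03-04T10:08:40"), "WS-042", ALICE, "cmd.exe", "cmd.exe /c systeminfo"),
    ProcessEvent(T("2025-03-04T10:09:10"), "WS-042", ALICE, "powershell.exe",
                 "powershell.exe -NoProfile -Command Test-NetConnection dc01 -Port 5985"),
    ProcessEvent(T("2025-03-04T10:20:00"), "WS-042", ALICE, "cmd.exe", "cmd.exe /c whoami"),  # outside window
    ProcessEvent(T("2025-03-04T11:00:00"), "WS-101", BOB, "QuickAssist.exe", "QuickAssist.exe"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_TEAMS, SAMPLE_PROCS):
        print(finding)
```

Run as a script, it reports a single high-severity finding for WS-042: first shell 35 seconds after QuickAssist.exe, four shells in the window, four of them reconnaissance, tied back to chat thread 19:ext-chat-01. Bob's Quick Assist session produces nothing because no shell follows it, and alice's later cmd.exe at 10:20 falls outside the two-minute window. In a real environment the weak point is account normalisation: the Teams audit record carries the UPN while endpoint process events carry the Windows account name, so join on a normalised identity rather than a raw string.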
Indicators of Compromise
- Rclone (legitimate data transfer utility, not malware; abused to stage business data and transfer it to external cloud storage)