Microsoft issues warning over Teams helpdesk impersonation attacks – hackers are 'blending into routine IT support activity' by abusing remote assistance access


  • Microsoft warns Teams users of scammers abusing cross‑tenant chat feature
  • Attackers impersonate IT staff, trick victims into granting remote access via Quick Assist
  • Once inside, they use trusted tools to move laterally, install Rclone, and exfiltrate sensitive company data

Microsoft has warned Teams users about fraudsters using the platform to access their corporate networks, deploy malicious code, and steal sensitive data.

In a new in-depth security advisory published last weekend, Microsoft said it spotted scammers using the cross-tenant feature to initiate a chat even though they are not part of the victim’s organization.

They impersonate IT or help desk staff, and try to convince their victims to grant them remote access to their computers using legitimate tools like Quick Assist.


Not triggering alarms

Quick Assist is a built-in Windows remote desktop management app that allows users to provide or receive remote technical support.

Once they get access, the scammers run legitimate, trusted programs but modify them to execute malicious code. From there, they move through the company’s network using built-in tools like Windows Remote Management to reach important systems, such as domain controllers.

“From this initial foothold, attackers can leverage trusted tools and native administrative protocols to move laterally across the enterprise and stage sensitive data for exfiltration—often blending into routine IT support activity throughout the intrusion lifecycle,” the company said.

Microsoft also said it observed the attackers installing common remote management tools, and programs like Rclone, to collect and upload company data to cloud storage.

This technique apparently works well because it relies on real tools and normal IT processes. The victims aren’t seeing any red flags, and actual IT and help desk teams are not being alerted to any extraordinary or suspicious activity. Instead of phishing emails, attackers use Teams messages, which can look like legitimate internal communication.

While Teams does show warnings when someone from outside the company tries to make contact, it seems that the victims ignored the warnings and still agreed to give access. After getting in, attackers can quickly spread across the network, install more tools, and gather sensitive data. The exact steps may vary, but the goal is usually to maintain access and steal valuable information.
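
Because each tool in this chain is legitimate on its own, the useful signal for defenders is the sequence on a single host. The following sketch is an added example, not code from Microsoft's advisory or from this article: it flags hosts where a Quick Assist launch is followed shortly by Rclone or a WinRM client. The event tuples, host names and the one-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed process-creation events (host, ISO time, image name); not real telemetry.
EVENTS = [
    ("WS-014", "2025-01-10T09:02:11", "QuickAssist.exe"),
    ("WS-014", "2025-01-10T09:09:40", "winrs.exe"),
    ("WS-014", "2025-01-10T09:21:05", "rclone.exe"),
    ("WS-022", "2025-01-10T10:00:00", "QuickAssist.exe"),
    ("WS-022", "2025-01-10T10:05:00", "excel.exe"),
    ("WS-031", "2025-01-10T11:00:00", "rclone.exe"),       # no support session first
    ("WS-040", "2025-01-10T08:00:00", "QuickAssist.exe"),
    ("WS-040", "2025-01-10T13:30:00", "rclone.exe"),       # outside the window
]

REMOTE_SUPPORT = {"quickassist.exe"}
# Tools the article names as follow-on activity. winrs.exe is one WinRM client;
# PowerShell remoting does not appear under a distinct process name.
FOLLOW_ON = {"rclone.exe", "winrs.exe"}
WINDOW = timedelta(hours=1)  # assumed correlation window, tune per environment


def correlate(events, window=WINDOW):
    """Map host -> [(image, minutes after Quick Assist launch)] for follow-on
    tools started within `window` of the latest Quick Assist launch on that host."""
    findings = {}
    last_session = {}
    # Uniform ISO timestamps sort chronologically as strings.
    for host, ts, image in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        name = image.lower()
        if name in REMOTE_SUPPORT:
            last_session[host] = when
        elif name in FOLLOW_ON and host in last_session:
            delta = when - last_session[host]
            if delta <= window:
                minutes = int(delta.total_seconds() // 60)
                findings.setdefault(host, []).append((name, minutes))
    return findings


if __name__ == "__main__":
    for host, hits in correlate(EVENTS).items():
        print(host, hits)
```

A host that appears in the result is a prompt to check whether a real help desk ticket exists for that session, not proof of compromise.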

Via BleepingComputer




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
