Cross‑tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook

Threat actors are impersonating IT support personnel on Microsoft Teams to trick users into granting remote access, enabling lateral movement, credential theft, and sensitive data exfiltration.

Key Points

  • Attackers initiate contact from external tenants, bypassing traditional email-based phishing filters by leveraging legitimate Microsoft Teams collaboration workflows.
  • Victims are socially engineered into launching remote support tools like Quick Assist, granting attackers interactive control over their workstations.
  • Once inside, threat actors use DLL side-loading with trusted, vendor-signed applications to execute malicious code while avoiding detection.
  • Attackers perform lateral movement toward high-value assets, such as domain controllers, using native Windows Remote Management (WinRM) protocols.
  • Staged data is exfiltrated to external cloud storage using common utilities like Rclone to blend into standard enterprise network traffic.
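The five points above describe one chain of activity, so the defensive question is how to correlate the stages on a timeline rather than alert on each in isolation. The following is an added example, not code from the Microsoft report or the Defender product: a small Python correlator that tags constructed endpoint events with the stage they indicate and groups them per host, following the WinRM connection to its destination so that activity on the pivoted-to machine joins the same incident. The event schema, the sample events, and the indicators used (quickassist.exe, wsmprovhost.exe, rclone.exe, WinRM ports 5985/5986, a signed binary loading a DLL from a user-writable path) are assumptions chosen for illustration; real EDR or Sysmon telemetry has its own field names, and each indicator is noisy on its own, which is why the correlator only reports when several stages line up within a time window.

```python
"""Correlate endpoint telemetry for the helpdesk-impersonation intrusion chain.

Added example, not from the Microsoft report. The event schema, the sample
events and the indicator process names (quickassist.exe, wsmprovhost.exe,
rclone.exe) are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); timestamps are ISO-8601.
SAMPLE_EVENTS = [
    # Workstation: user launches Quick Assist after the external Teams chat
    {"ts": "2024-05-01T09:02:10", "host": "WS-17", "type": "process",
     "image": "C:\\Windows\\System32\\quickassist.exe", "parent": "explorer.exe", "signed": True},
    # Signed vendor binary loads a DLL from the user's Downloads folder (side-loading pattern)
    {"ts": "2024-05-01T09:15:44", "host": "WS-17", "type": "imageload",
     "image": "C:\\Users\\alice\\Downloads\\VendorTool\\VendorTool.exe", "signed": True,
     "dll": "C:\\Users\\alice\\Downloads\\VendorTool\\version.dll"},
    # Outbound WinRM from the workstation to a domain controller
    {"ts": "2024-05-01T09:40:02", "host": "WS-17", "type": "network",
     "image": "C:\\Users\\alice\\Downloads\\VendorTool\\VendorTool.exe",
     "dst_host": "DC-01", "dst_port": 5985},
    # Rclone started on the DC under the WinRM host process
    {"ts": "2024-05-01T10:05:30", "host": "DC-01", "type": "process",
     "image": "C:\\ProgramData\\rclone.exe", "parent": "wsmprovhost.exe", "signed": False},
    # Benign noise: the real helpdesk uses Quick Assist elsewhere and nothing follows
    {"ts": "2024-05-01T11:00:00", "host": "WS-42", "type": "process",
     "image": "C:\\Windows\\System32\\quickassist.exe", "parent": "explorer.exe", "signed": True},
]

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")  # assumed writable roots
WINRM_PORTS = {5985, 5986}


def stage_of(event):
    """Map one event to a kill-chain stage, or None if it indicates nothing."""
    image = event.get("image", "").lower()
    name = image.rsplit("\\", 1)[-1]
    parent = event.get("parent", "").lower()
    if event["type"] == "process" and name == "quickassist.exe":
        return "remote_support"
    if event["type"] == "imageload" and event.get("signed") and \
            any(p in event.get("dll", "").lower() for p in USER_WRITABLE):
        return "dll_sideload"
    if event["type"] == "network" and event.get("dst_port") in WINRM_PORTS:
        return "lateral_movement"
    if event["type"] == "process" and name == "rclone.exe":
        return "exfiltration"
    if event["type"] == "process" and parent == "wsmprovhost.exe":
        return "lateral_movement"  # target side of a WinRM session
    return None


def correlate(events, min_stages=3, window=timedelta(hours=2)):
    """Group staged events by host, merging a WinRM destination host into the
    source host's cluster, and report clusters with at least `min_stages`
    distinct stages whose first and last event fall within `window`."""
    alias = {}  # host -> host it was merged into

    def root(host):
        while host in alias:
            host = alias[host]
        return host

    clusters = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage is None:
            continue
        src = root(ev["host"])
        if stage == "lateral_movement" and ev.get("dst_host"):
            dst = root(ev["dst_host"])
            if dst != src:
                alias[dst] = src
                clusters[src].extend(clusters.pop(dst, []))
        clusters[src].append((datetime.fromisoformat(ev["ts"]), stage, ev["host"]))

    findings = []
    for r, staged in clusters.items():
        staged.sort()
        distinct = list(dict.fromkeys(s for _, s, _ in staged))
        if len(distinct) >= min_stages and staged[-1][0] - staged[0][0] <= window:
            findings.append({"root": r, "hosts": sorted({h for _, _, h in staged}),
                             "stages": distinct})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

Raising `min_stages` to 1 turns the correlator into a plain indicator alert and surfaces the benign Quick Assist session on WS-42 as well; the default of 3 is what keeps routine helpdesk use out of the queue while the full chain on WS-17/DC-01 is reported as one incident.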

Why it Matters

This attack vector exploits human trust in IT support workflows rather than technical vulnerabilities, making it difficult to detect through traditional security perimeters. By abusing legitimate administrative tools, adversaries can maintain persistent access and compromise sensitive infrastructure while appearing to perform routine maintenance.
Published on Microsoft.com by the Microsoft Defender Security Research Team.