A sophisticated new cyberattack campaign is exploiting legitimate Microsoft collaboration tools, specifically Microsoft Teams and Quick Assist, to impersonate IT helpdesk personnel. Threat actors are leveraging these familiar platforms to trick employees into granting unauthorized remote access to their computer systems, bypassing traditional security measures.
This concerning trend highlights a growing sophistication in social engineering tactics, where attackers weaponize everyday business applications to gain entry into corporate networks. The deceptive nature of this attack chain lies in its ability to blend seamlessly into routine IT support interactions, making it exceptionally difficult for employees to detect and report.
The attack begins when a malicious actor, operating from a compromised or separate Microsoft tenant, initiates a direct message conversation with a target employee via Microsoft Teams. Posing as an IT support representative, the attacker attempts to build trust and convince the employee to bypass built-in security warnings concerning external contacts. The ultimate goal is to persuade the unsuspecting user to initiate a remote assistance session using Microsoft Quick Assist.
According to Microsoft Defender Security Research analysts, once the Quick Assist session is approved, the attacker gains full interactive control of the victim’s device in a matter of seconds. This rapid infiltration allows attackers to proceed with their malicious objectives before any alerts can be raised or traditional security defenses can properly analyze the situation.
This new attack chain is particularly effective because it relies entirely on manipulated human interaction rather than exploiting software vulnerabilities. Researchers emphasize that without proper event correlation across identity, endpoint, and collaboration telemetry, observing this attack progression becomes exceedingly challenging, as it closely mimics legitimate IT support activities.
How Attackers Abuse Microsoft Teams and Quick Assist for Infiltration
Once remote access is secured through Quick Assist, attackers act swiftly. Within one to two minutes of gaining control, they execute rapid reconnaissance commands to assess the user’s privileges, gather hostname details, and determine network connectivity. If the compromised user possesses sufficient access levels, the attacker deploys staged payloads into system directories, such as ProgramData.
A key technique employed is DLL side-loading, where malicious code is executed through trusted, digitally signed applications. Attackers exploit the way Windows searches for and loads dynamic-link libraries (DLLs) by placing their own malicious DLLs in specific, search-accessible paths. This allows trusted applications like AcroServicesUpdater2_x64.exe, ADNotificationManager.exe, or DlpUserAgent.exe to unknowingly load and execute attacker-supplied modules from non-standard locations, masking malicious activity as legitimate operations.
The implications of this attack are significant. The compromised systems are then used to pivot towards high-value targets like domain controllers through Windows Remote Management (WinRM). Furthermore, attackers utilize file-synchronization tools like Rclone to exfiltrate sensitive business documents to external cloud storage, posing a direct threat to data confidentiality and regulatory compliance.
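The cross-source correlation the researchers describe, as an added illustration that is not code from the report or from Microsoft: a Python function walks constructed telemetry for one user and host and reports which stages of the chain (external Teams chat, Quick Assist start, a recon burst within two minutes, a file written under ProgramData) occur in order. The event field names, the QuickAssist.exe image name and the 30-minute and 2-minute windows are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Process names treated as reconnaissance for this example (assumed list).
RECON = {"whoami.exe", "hostname.exe", "ipconfig.exe", "nltest.exe", "systeminfo.exe", "net.exe"}

# Constructed sample telemetry for one host; the schema is an assumption, not a product format.
EVENTS = [
    {"ts": "2024-05-01T09:00:05", "src": "teams", "user": "alice", "host": "WS-117",
     "kind": "external_chat", "tenant": "example-external-tenant"},
    {"ts": "2024-05-01T09:03:40", "src": "endpoint", "user": "alice", "host": "WS-117",
     "kind": "process", "image": "QuickAssist.exe", "parent": "explorer.exe"},
    {"ts": "2024-05-01T09:04:02", "src": "endpoint", "user": "alice", "host": "WS-117",
     "kind": "process", "image": "whoami.exe", "parent": "cmd.exe"},
    {"ts": "2024-05-01T09:04:09", "src": "endpoint", "user": "alice", "host": "WS-117",
     "kind": "process", "image": "hostname.exe", "parent": "cmd.exe"},
    {"ts": "2024-05-01T09:04:31", "src": "endpoint", "user": "alice", "host": "WS-117",
     "kind": "process", "image": "ipconfig.exe", "parent": "cmd.exe"},
    {"ts": "2024-05-01T09:07:15", "src": "endpoint", "user": "alice", "host": "WS-117",
     "kind": "file_write", "path": r"C:\ProgramData\Updater\AcroServicesUpdater2_x64.exe"},
]

def _t(e):
    return datetime.fromisoformat(e["ts"])

def correlate(events, user, host):
    """Return the chain stages seen for (user, host), in order.
    Each stage alone is benign; the ordered sequence is what matches the article."""
    evs = sorted((e for e in events if e["user"] == user and e["host"] == host), key=_t)
    stages = []
    chat = next((e for e in evs if e["kind"] == "external_chat"), None)
    if chat:
        stages.append("external_teams_chat")
    # Quick Assist start within 30 minutes of the external chat (or any start if no chat seen)
    qa = next((e for e in evs if e["kind"] == "process" and e["image"].lower() == "quickassist.exe"
               and (chat is None or timedelta(0) <= _t(e) - _t(chat) <= timedelta(minutes=30))), None)
    if not qa:
        return stages
    stages.append("quick_assist_session")
    recon = [e for e in evs if e["kind"] == "process" and e["image"].lower() in RECON
             and timedelta(0) <= _t(e) - _t(qa) <= timedelta(minutes=2)]
    if len(recon) >= 2:
        stages.append("rapid_recon")
    drops = [e for e in evs if e["kind"] == "file_write"
             and e["path"].lower().startswith("c:\\programdata") and _t(e) > _t(qa)]
    if drops:
        stages.append("payload_staged_programdata")
    return stages

if __name__ == "__main__":
    print(correlate(EVENTS, "alice", "WS-117"))
```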
The Mechanics of DLL Side-Loading and Persistent Control
The core technique of DLL side-loading is central to the attackers’ ability to maintain persistence and execute code stealthily. When a legitimate application launches, Windows searches for required DLL files in a predefined order of locations. Attackers exploit this by placing their malicious DLLs in the same directories where the application expects to find them. Consequently, the trusted application inadvertently loads and runs the attacker’s malicious code.
In this specific campaign, sideloaded modules are designed to decrypt hidden configuration data stored within the Windows registry. This method avoids writing suspicious files to disk, making detection even more difficult. This approach is consistent with advanced intrusion frameworks that utilize registry-backed storage to maintain encrypted command-and-control (C2) configurations even after system reboots or attempted remediation.
Since this malicious activity is executed within the context of a trusted, vendor-signed process, conventional security tools often fail to flag it as suspicious. The compromised process then establishes an encrypted outbound HTTPS connection on TCP port 443, communicating with attacker-controlled cloud infrastructure. This encrypted traffic is designed to blend in with normal business network activity, further evading detection.
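The side-loading pattern described above can be flagged at image-load time; what follows is an added example, not code from the report, that scores constructed image-load records where a vendor-signed executable running from a user-writable directory loads an unsigned DLL that sits beside it. The record schema and the signer flags are assumptions standing in for what an EDR's signature check would report.

```python
from pathlib import PureWindowsPath

# Constructed image-load telemetry (assumed schema): one record per DLL a process mapped.
LOADS = [
    {"process": r"C:\ProgramData\Updater\AcroServicesUpdater2_x64.exe", "process_signed": True,
     "dll": r"C:\ProgramData\Updater\helper.dll", "dll_signed": False},
    {"process": r"C:\Program Files\Vendor\DlpUserAgent.exe", "process_signed": True,
     "dll": r"C:\Windows\System32\version.dll", "dll_signed": True},
    {"process": r"C:\Program Files\Vendor\ADNotificationManager.exe", "process_signed": True,
     "dll": r"C:\Users\alice\AppData\Local\Temp\helper.dll", "dll_signed": False},
]

# Directory prefixes a standard user can write to (assumed list for the example).
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")

def classify(load):
    """Return the reasons a load looks like side-loading; empty list means not of interest."""
    proc = PureWindowsPath(load["process"])
    dll = PureWindowsPath(load["dll"])
    # The article's pattern is a trusted, signed host loading attacker-supplied code,
    # so only signed-process / unsigned-DLL pairs are scored here.
    if not load["process_signed"] or load["dll_signed"]:
        return []
    reasons = []
    if (str(dll.parent).lower() + "\\").startswith(USER_WRITABLE):
        reasons.append("dll_in_user_writable_dir")
    if dll.parent == proc.parent:  # PureWindowsPath compares case-insensitively
        reasons.append("dll_beside_signed_exe")
    if (str(proc.parent).lower() + "\\").startswith(USER_WRITABLE):
        reasons.append("signed_exe_in_user_writable_dir")
    return reasons

def suspicious_loads(loads):
    """(process name, dll name, reasons) for every record that scored at least one reason."""
    out = []
    for load in loads:
        reasons = classify(load)
        if reasons:
            out.append((PureWindowsPath(load["process"]).name, PureWindowsPath(load["dll"]).name, reasons))
    return out
```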
Attackers also install secondary remote management software to ensure a fallback access channel and leverage WinRM sessions for lateral movement across the network, often targeting identity systems. Organizations are strongly advised to implement the following security measures to mitigate the risks associated with this evolving threat.
To reduce exposure to this attack type, organizations should treat unsolicited external Teams communications from purported IT staff with extreme caution, verifying identity through established internal channels. Remote management tools like Quick Assist should be restricted solely to authorized IT personnel, and comprehensive access controls should be enforced. Enabling Attack Surface Reduction (ASR) rules and Windows Defender Application Control (WDAC) can help prevent DLL side-loading from user-writable locations.
Additionally, enforcing multi-factor authentication (MFA) and requiring compliant devices for all administrative sessions through Conditional Access policies is crucial. Microsoft’s Safe Links for Teams and Zero-hour Auto Purge (ZAP) can assist in retroactively identifying and neutralizing malicious messages. Restricting WinRM to authorized management workstations and diligently monitoring for data synchronization tools like Rclone within the environment are also recommended proactive measures. Employee training on recognizing external tenant indicators in Teams and establishing verbal authentication phrases between helpdesk staff and end-users can further bolster defenses.
The investigation into this attack chain is ongoing, with cybersecurity researchers continuing to monitor for variations and further development by threat actors. The primary focus for organizations now is on implementing the recommended security controls and enhancing employee awareness to counter this deceptive attack vector.