Attackers exploit Microsoft Teams to impersonate IT helpdesks

Microsoft warns that threat actors are increasingly abusing Microsoft Teams' external collaboration features to impersonate IT helpdesk staff, tricking employees into granting remote access and enabling data theft across enterprise networks.


What happened

Microsoft has identified multiple intrusions sharing a similar nine-stage attack chain. Attackers initiate contact with employees via external Teams chats, posing as internal IT or helpdesk personnel and claiming they need to resolve an account issue or apply a security update.

Once the target agrees, the attacker convinces them to start a remote support session, handing over direct control of the machine. The attacker then performs reconnaissance using Command Prompt and PowerShell, drops a malicious payload in user-writable locations such as ProgramData, and executes it via DLL side-loading through trusted, signed applications such as Autodesk, Adobe Acrobat/Reader, or Windows Error Reporting software.

The attacker establishes HTTPS-based command-and-control (C2) communication that blends into normal outbound traffic, secures persistence via Windows Registry modifications, and then uses Windows Remote Management (WinRM) to move laterally across the network, targeting domain-joined systems and high-value assets like domain controllers. Finally, the attacker deploys additional remote management tools and uses Rclone to exfiltrate targeted, filtered data to external cloud storage.
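Three of the stages above leave footprints in Windows process-creation auditing: commands spawned by the WinRM host process (wsmprovhost.exe) during lateral movement, executables launched from ProgramData, and Rclone being invoked. The hunt below is an added example, not code from Microsoft's advisory or from Paubox; it assumes Security Event ID 4688 auditing with command-line logging is enabled on the host and that it is run from an elevated PowerShell session.

```powershell
# Added example: hunt recent process-creation events for the three chain
# stages the advisory describes. Assumes 4688 auditing with command-line
# logging; the 24-hour window is an arbitrary default.
param([int]$Hours = 24)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Read EventData fields by name rather than by positional index.
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data |
        ForEach-Object { $data[$_.Name] = $_.'#text' }

    $proc   = $data['NewProcessName']
    $parent = $data['ParentProcessName']
    $cmd    = $data['CommandLine']

    $reasons = @()
    # wsmprovhost.exe hosts remote PowerShell sessions delivered over WinRM.
    if ($parent -like '*\wsmprovhost.exe') { $reasons += 'spawned by WinRM host process' }
    # User-writable staging location named in the advisory.
    if ($proc -like '*\ProgramData\*')     { $reasons += 'executable launched from ProgramData' }
    # Exfiltration tool named in the advisory, by image name or command line.
    if ($proc -like '*\rclone*.exe' -or $cmd -match '(?i)\brclone\b') { $reasons += 'Rclone invoked' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Host    = $e.MachineName
            User    = $data['SubjectUserName']
            Process = $proc
            Parent  = $parent
            Reason  = $reasons -join '; '
        }
    }
}
```

Each hit is a lead, not a verdict: legitimate admin tooling also spawns children under wsmprovhost.exe, so compare the source of the WinRM session and the account used against your known administrative hosts before escalating. Pipe the output to Export-Csv or a SIEM collector to run it across a fleet.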


What was said

In its warning, Microsoft stated, "Threat actors are increasingly abusing external Microsoft Teams collaboration to impersonate IT or helpdesk personnel and convince users to grant remote assistance access."

Microsoft further stated, "From this initial foothold, attackers can leverage trusted tools and native administrative protocols to move laterally across the enterprise and stage sensitive data for exfiltration - often blending into routine IT support activity throughout the intrusion lifecycle."

Microsoft also reminded users to treat external Teams contacts as untrusted by default, and recommended that administrators restrict or closely monitor remote assistance tools and limit WinRM usage to controlled systems. The company also drew attention to the Teams security warnings that explicitly flag communications from outside the organization and potential phishing attempts.
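The three recommendations in the paragraph above map to concrete settings. The script below is an added example (not Microsoft's or Paubox's code) that audits and tightens them: it scopes the built-in WinRM inbound firewall rules to an administrative subnet, removes the Quick Assist optional capability where IT does not use it, and reports whether the tenant still allows open Teams federation before restricting it to an allow list. The subnet and partner domain are placeholders; the Teams section assumes the MicrosoftTeams PowerShell module and a Teams administrator account.

```powershell
# Added example: apply the advisory's three recommendations on a Windows
# endpoint and a Teams tenant. Run elevated. Values below are assumptions.
$AdminSubnet    = '10.10.50.0/24'        # placeholder: your admin jump-host subnet
$PartnerDomains = @('partner.example')   # placeholder: external tenants IT actually works with

# 1. Limit WinRM (TCP 5985/5986) to controlled systems by scoping the
#    built-in inbound rules to the admin subnet instead of any address.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Set-NetFirewallRule -RemoteAddress $AdminSubnet -Enabled True -Action Allow

# 2. Remove Quick Assist where the helpdesk does not rely on it. The
#    capability name is matched by wildcard so the version suffix is not hardcoded.
$qa = Get-WindowsCapability -Online | Where-Object Name -like 'App.Support.QuickAssist*'
if ($qa -and $qa.State -eq 'Installed') {
    Remove-WindowsCapability -Online -Name $qa.Name | Out-Null
    Write-Host "Removed $($qa.Name)"
}

# 3. Teams external access: report the current state, then replace open
#    federation with an explicit allow list and block Teams personal accounts.
Connect-MicrosoftTeams | Out-Null
$fed = Get-CsTenantFederationConfiguration
Write-Host "AllowFederatedUsers=$($fed.AllowFederatedUsers) AllowTeamsConsumer=$($fed.AllowTeamsConsumer)"

Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $PartnerDomains `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false
```

Test the firewall change on a pilot group first: scoping the rule to the wrong subnet locks your own administrators out of remote management, and the change is easiest to roll back from a console session.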


Why it matters

This attack method weaponizes the institutional trust employees place in IT staff and the technical trust organizations extend to legitimate software like Quick Assist, WinRM, and Rclone. By operating within the bounds of sanctioned tools and normal-looking traffic, attackers bypass traditional security controls.

Rather than relying solely on phishing emails, attackers are moving to real-time, interactive deception via collaboration platforms. As remote and hybrid work has normalized IT support through tools like Teams, employees are conditioned to accept external support requests, which makes this attack vector effective.


The bottom line

Organizations should treat external Microsoft Teams contacts with the same skepticism applied to unsolicited emails. Employee awareness training should address real-time impersonation over collaboration platforms, not just email-based phishing. Verifying any unsolicited IT support request through a known, trusted internal channel before granting remote access can stop this attack chain at stage one.


FAQs

What should I do if someone contacts me on Teams claiming to be from IT?

Verify the request through a known internal channel before taking any action or granting access.


Can attackers target any organization that uses Microsoft Teams?

Any organization with external Teams communication enabled is potentially vulnerable.


Is Quick Assist the only tool attackers use to gain remote access?

No, attackers can use any commercial remote management software.