Attackers are abusing collaboration tools and trusted enterprise platforms to gain access to corporate networks through social engineering rather than software exploits.

What happened

Microsoft’s Detection and Response Team uncovered a cyberattack campaign involving persistent Microsoft Teams voice phishing, where a threat actor posed as internal IT support and repeatedly contacted employees to gain remote access. According to Cybernews, the attacker made several attempts before convincing an employee to grant access using Quick Assist, a legitimate Windows tool that allows someone else to control a device remotely. Once connected, the attacker guided the user to a malicious website that stole corporate login details and initiated downloads of additional malware. Investigators later found that a disguised Microsoft Installer file was used to load a hidden malicious file, allowing the attacker to communicate with external servers and establish a foothold inside the system.

Going deeper

After gaining remote access, the attacker moved from social engineering to a hands-on-keyboard attack, in which they directly controlled the victim’s system. Additional malware introduced encrypted loaders, which are tools that quietly install and run malicious code, along with remote command execution using standard administrative tools already built into the system. The attacker also used proxy connections, which route traffic through other systems to hide their activity within normal network traffic. Credential-harvesting tools were used to steal login credentials, while session hijacking allowed the attacker to take over active user sessions and remain connected for extended periods without detection. The campaign showed how attackers can combine trusted workplace tools and built-in system utilities with deception to bypass traditional security defenses.

What was said

Microsoft’s Detection and Response Team described how the attacker gained access through repeated impersonation attempts. In a blog post, the team said, “Following two failed attempts, the threat actor ultimately convinced a third user to grant remote access through Quick Assist, enabling the initial compromise of a corporate device.” The researchers added that the campaign relied heavily on social engineering tactics, noting that “employees are conditioned to be responsive, helpful, and collaborative, especially when requests appear to come from internal IT or support teams,” which attackers exploit to create urgency and legitimacy during voice phishing calls.

In the know

BleepingComputer previously reported on a Microsoft Teams phishing campaign where attackers impersonated internal IT staff to gain remote access and deploy malware. Hackers targeted employees at financial and healthcare organizations by first flooding them with spam emails, then following up through Teams while posing as IT support. Victims were persuaded to start a remote session using Microsoft Quick Assist. Once access was granted, attackers delivered malicious tools from a personal Microsoft cloud account, including digitally signed installers disguised as Teams components and Windows services. The intrusion led to the deployment of a previously undocumented malware strain known as A0Backdoor, allowing attackers to maintain persistent access to compromised systems.

The big picture

Healthcare organizations face higher exposure to vishing attacks because phone communication is a core part of daily clinical and operational coordination. According to the Health Sector Cybersecurity Coordination Center, staff regularly communicate by phone with providers, insurers, pharmacies, and vendors, creating opportunities for social engineering through trusted channels. HC3 analysts note that “vishing attacks leverage the trust placed in voice communications” and continue to succeed because social engineering remains “one of the most effective initial access techniques” targeting the Healthcare and Public Health sector. Attackers often impersonate hospital staff, IT help desks, or insurance representatives while using caller ID spoofing, which is when a caller disguises their number to appear legitimate, and HC3 warns this can “increase the perceived legitimacy of the caller.” Because healthcare environments operate with urgency, staff may skip standard verification steps, allowing attackers to exploit human trust to obtain credentials or sensitive information.

FAQs

What is voice phishing or vishing?

Voice phishing is a social engineering attack conducted over phone calls or via voice features in collaboration tools, in which attackers impersonate trusted individuals to persuade victims to share access or sensitive information.

What is Quick Assist, and why was it used in the attack?

Quick Assist is a legitimate Windows remote support feature that allows users to share screen control with another person. Attackers can exploit it through social engineering to gain remote access to corporate devices.

What is DLL sideloading?

Dynamic link library sideloading occurs when a legitimate program loads a malicious library instead of the intended file, allowing attacker code to run under the cover of trusted software.

Why are collaboration tools becoming a common attack vector?

Platforms such as Teams, Slack, and Zoom are widely used in day-to-day work communication, making requests sent through them appear legitimate and reducing suspicion among employees.

How can organizations reduce the risk of vishing attacks?

Organizations can train employees to verify support requests through separate channels, restrict remote assistance tools, implement strong identity protections, and monitor unusual remote access activity.
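
An added example, not taken from Microsoft's or the cited reports' material: one way to monitor for the sequence this article describes, a Quick Assist session followed by an MSI installed from a user-writable path on the same host. The event fields, host names, file names and the 30-minute window are constructed assumptions; map them to your own process-creation telemetry.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window, tune per environment
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

# Constructed process-creation records (simplified fields, not real telemetry).
EVENTS = [
    {"time": "2025-01-10T09:02:11", "host": "WS-041",
     "image": r"C:\Windows\System32\QuickAssist.exe", "cmdline": "QuickAssist.exe"},
    {"time": "2025-01-10T09:14:40", "host": "WS-041",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\jdoe\Downloads\update_package.msi" /qn'},
    {"time": "2025-01-10T09:20:05", "host": "WS-077",   # no Quick Assist session
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\asmith\Desktop\tool.msi"'},
    {"time": "2025-01-10T08:00:00", "host": "WS-102",
     "image": r"C:\Windows\System32\QuickAssist.exe", "cmdline": "QuickAssist.exe"},
    {"time": "2025-01-10T10:30:00", "host": "WS-102",   # outside the window
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\bnguyen\AppData\Local\Temp\pkg.msi"'},
]

def is_quick_assist(ev):
    return ev["image"].lower().endswith("\\quickassist.exe")

def is_user_path_msi(ev):
    """msiexec invoked on an .msi that lives in a user-writable location."""
    cmd = ev["cmdline"].lower()
    return (ev["image"].lower().endswith("\\msiexec.exe")
            and ".msi" in cmd
            and any(p in cmd for p in USER_WRITABLE))

def correlate(events, window=WINDOW):
    """Alert when a user-path MSI install follows Quick Assist on the same host."""
    last_qa = {}   # host -> time of the most recent Quick Assist launch
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if is_quick_assist(ev):
            last_qa[ev["host"]] = ts
        elif is_user_path_msi(ev):
            started = last_qa.get(ev["host"])
            if started is not None and ts - started <= window:
                alerts.append({"host": ev["host"], "msi_time": ev["time"],
                               "quick_assist_start": started.isoformat(),
                               "cmdline": ev["cmdline"]})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```
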