ZCyberNews
Threat Intel | Severity: High | 4 min read

Threat Actors Impersonate IT Helpdesk via Microsoft Teams to Deploy Quick Assist

Threat actors are using Microsoft Teams to impersonate IT helpdesk staff, tricking employees into installing Microsoft's own Quick Assist tool to grant attackers full remote control of corporate systems.



Executive Summary

Threat actors are conducting a new social engineering campaign that abuses the inherent trust in Microsoft Teams to impersonate corporate IT helpdesk staff. According to a report from CyberSecurity News, the attackers initiate contact via Teams chat, then socially engineer employees into downloading and running Microsoft's legitimate Quick Assist tool, granting the attackers remote control. This technique leverages trusted, pre-installed business applications to bypass user suspicion and security controls for initial access.

Technical Analysis

The attack chain begins with the threat actor sending a message to an employee from a compromised or spoofed Microsoft Teams account, posing as a member of the organization's IT support team. The message typically urges the user to take immediate action to resolve a purported urgent technical issue. To establish credibility, the attacker may reference internal employee names or departments, though the specific source of this reconnaissance is not detailed in the report.

The core of the attack involves directing the victim to a legitimate Microsoft resource: the Quick Assist application. Quick Assist is a built-in Windows remote support tool that allows a helper to view or control another user's desktop with that user's permission. The attacker instructs the victim to open the Windows Start Menu, search for "Quick Assist," and launch it. The victim is then told to enter a 6-digit security code the attacker provides, which connects the victim's session to the attacker's. Once connected via Quick Assist, the attacker gains full remote control of the victim's desktop, enabling them to deploy additional payloads, conduct reconnaissance, and move laterally within the network. Because Quick Assist is a trusted, allow-listed Microsoft tool, the attack evades security software that would flag unauthorized remote access applications.

Tactics, Techniques & Procedures

The campaign employs several techniques outlined in the MITRE ATT&CK framework. For initial access, the primary technique is Phishing (T1566), specifically a variant conducted via a trusted service (Phishing: Spearphishing via Service T1566.002). The attackers use Masquerading (T1036) to impersonate IT helpdesk personnel, leveraging the trusted communication channel of Microsoft Teams. To establish remote control, they abuse a legitimate system tool, Quick Assist, which aligns with Remote Services (T1021) and potentially Abuse Elevation Control Mechanism (T1548) if the tool is used to bypass User Account Control (UAC). The use of a pre-installed, trusted application for execution also falls under Trusted Developer Utilities Proxy Execution (T1218).

Threat Actor Context

The source material does not attribute this campaign to a specific known threat actor or group. The tactics are consistent with financially motivated groups and initial access brokers who seek to establish a foothold within corporate networks to sell access to ransomware affiliates or other downstream attackers. The simplicity and reliance on social engineering over technical exploitation suggest the actors are adaptable and targeting the human layer as the primary vulnerability.

Mitigations & Recommendations

Organizations should implement user awareness training focused on this specific vector, instructing employees to verify the identity of anyone requesting remote access, especially via chat platforms. IT departments should consider establishing and enforcing a clear protocol that remote support is never initiated via unsolicited chat messages. Technical controls could include reviewing and potentially restricting the use of Quick Assist via Group Policy for non-IT staff, or implementing application allow-listing policies that still permit IT tools but block unauthorized remote access software. Monitoring for unusual instances of Quick Assist execution, especially from non-helpdesk IP addresses or in conjunction with other suspicious activity, is also advised.
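The monitoring recommendation above (flagging Quick Assist executions that do not belong to a sanctioned support session) can be expressed as a simple correlation between process-creation telemetry and the helpdesk ticket queue. The script below is an added example, not code from the ZCyberNews article or from Microsoft: it parses a few constructed process-creation log lines (fields modelled on Windows Security event 4688 / Sysmon event 1), picks out launches of QuickAssist.exe, and alerts on any that occur on a host with no helpdesk ticket open at that moment. Hostnames, user names, ticket records and the Store package path are invented sample data; the key=value log format and the ticketing model are assumptions standing in for whatever SIEM and ticketing system an organization actually runs.

```python
"""Detect Quick Assist launches that have no matching open helpdesk ticket.

Added example, not code from the ZCyberNews article. All log lines, ticket
records, hostnames, users and file paths below are constructed sample data.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath
from typing import List, Optional

# File name used by Quick Assist (legacy System32 build and Store package alike).
QUICK_ASSIST_IMAGE = "quickassist.exe"

# Constructed sample log lines: ISO timestamp followed by key=value fields,
# values quoted when they contain spaces. The WindowsApps path is invented.
SAMPLE_LOG = r"""
2024-05-14T09:12:03 host=WS-0142 user=CORP\jdoe image="C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_2.0.30.0_x64__8wekyb3d8bbwe\QuickAssist.exe"
2024-05-14T09:13:40 host=WS-0142 user=CORP\jdoe image="C:\Windows\System32\notepad.exe"
2024-05-14T11:47:19 host=WS-0377 user=CORP\asmith image="C:\Windows\System32\quickassist.exe"
2024-05-14T15:02:55 host=WS-0209 user=CORP\bchen image="C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_2.0.30.0_x64__8wekyb3d8bbwe\QuickAssist.exe"
"""


@dataclass(frozen=True)
class ProcessEvent:
    time: datetime
    host: str
    user: str
    image: str  # full path of the launched executable


@dataclass(frozen=True)
class HelpdeskTicket:
    host: str
    opened: datetime
    closed: Optional[datetime]  # None while the ticket is still open


# Constructed ticket records from a hypothetical ticketing system.
TICKETS = [
    HelpdeskTicket("WS-0142", datetime(2024, 5, 14, 8, 55), None),
    HelpdeskTicket("WS-0209", datetime(2024, 5, 13, 16, 0), datetime(2024, 5, 13, 17, 30)),
]

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> ProcessEvent:
    """Turn one 'timestamp key=value ...' line into a ProcessEvent."""
    timestamp, _, rest = line.partition(" ")
    fields = {key: value.strip('"') for key, value in _FIELD.findall(rest)}
    return ProcessEvent(
        datetime.fromisoformat(timestamp), fields["host"], fields["user"], fields["image"]
    )


def parse_log(text: str) -> List[ProcessEvent]:
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_quick_assist(event: ProcessEvent) -> bool:
    """Match on the executable's file name, wherever it was installed."""
    return PureWindowsPath(event.image).name.lower() == QUICK_ASSIST_IMAGE


def has_open_ticket(event: ProcessEvent, tickets: List[HelpdeskTicket]) -> bool:
    """True if some ticket for this host was open when the process started."""
    for ticket in tickets:
        if ticket.host.lower() != event.host.lower():
            continue
        if ticket.opened <= event.time and (ticket.closed is None or event.time <= ticket.closed):
            return True
    return False


def unapproved_quick_assist(
    events: List[ProcessEvent], tickets: List[HelpdeskTicket]
) -> List[ProcessEvent]:
    """Quick Assist launches that no open helpdesk ticket accounts for."""
    return [e for e in events if is_quick_assist(e) and not has_open_ticket(e, tickets)]


if __name__ == "__main__":
    for e in unapproved_quick_assist(parse_log(SAMPLE_LOG), TICKETS):
        print(f"ALERT {e.time:%Y-%m-%d %H:%M} {e.host} {e.user}: "
              "Quick Assist started with no open helpdesk ticket")
```

Run against the sample data, the WS-0142 launch is covered by its open ticket and passes, while the WS-0377 launch (no ticket at all) and the WS-0209 launch (ticket closed the previous day) are reported. Matching on the file name rather than a fixed path keeps the rule working across the System32 and Store installations of Quick Assist; the complementary control from the paragraph above, restricting who may run the tool at all, belongs in AppLocker or Group Policy rather than in a detection script.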
