Attackers Abuse Microsoft Teams and Quick Assist in New Helpdesk Impersonation Attack Chain

ID: 9343ac7d-f3f6-5d58-a194-775ad298839b

STIX ID: report--9343ac7d-f3f6-5d58-a194-775ad298839b

Feed Name: cybersecurityNews.com

Threat Score
78/100

Date Published: 2026-04-20

Date Updated: 2026-05-05

Author: Tushar Subhra Dutta

...
...

A deceptive campaign leverages Microsoft Teams and Quick Assist to socially engineer employees into granting remote access. It then abuses DLL side-loading and signed binaries to execute malicious modules, stores encrypted C2 configuration in the Windows registry, and blends outbound HTTPS traffic with legitimate traffic. Attackers rapidly perform reconnaissance, use WinRM to pivot toward domain controllers, and exfiltrate sensitive files (e.g., via Rclone). The report also lists observed loader and binary names, detection challenges, and concrete mitigations such as restricting Quick Assist, enabling ASR rules and WDAC, enforcing Conditional Access and MFA, monitoring WinRM and Rclone usage, and user verification procedures.