Hackers Impersonate IT Help Desk on Microsoft Teams to Gain Access, Steal Data
ID: 5c743eda-bb41-5ca9-906d-57980c732c84
STIX ID: report--5c743eda-bb41-5ca9-906d-57980c732c84
Feed Name: TechRepublic Security
Microsoft warns of a rising campaign in which attackers impersonate IT support in Microsoft Teams to socially engineer employees into granting remote access (e.g., Quick Assist). Once connected, the actors scan the host, drop payloads into trusted locations, use DLL sideloading and registry changes for persistence, communicate with C2 over HTTPS, pivot laterally to high-value assets, and exfiltrate targeted data. Microsoft also outlines mitigations such as strict support verification, restricting risky settings, and treating external communications as untrusted.
