Microsoft: Teams increasingly abused in helpdesk impersonation attacks
ID: 397542cd-0acb-5ea5-aa82-4edc0ea47590
STIX ID: report--397542cd-0acb-5ea5-aa82-4edc0ea47590
Feed Name: Bleeping Computer
Microsoft warns that attackers are increasingly abusing external Microsoft Teams collaboration to impersonate IT/helpdesk personnel and trick employees into granting remote assistance (e.g., Quick Assist). Attackers use that access to run reconnaissance, drop payloads in writable locations, execute them via DLL side‑loading, blend C2 over HTTPS into normal traffic, move laterally using WinRM, deploy additional remote management tools, and exfiltrate filtered, valuable data to external cloud storage (often using Rclone). Microsoft recommends treating external Teams contacts as untrusted and restricting and monitoring remote assistance and WinRM usage.
