Threat actors misusing Quick Assist in social engineering attacks leading to ransomware

Microsoft Threat Intelligence documents an active Storm-1811 campaign (mid‑April to May 2024) that uses Teams-based impersonation and vishing to trick users into granting access via Quick Assist, then delivers Qakbot, RMM tools, Cobalt Strike, and SystemBC to exfiltrate credentials and deploy Black Basta ransomware; the report provides IOCs, detection queries, and mitigation recommendations.