Help on the line: How a Microsoft Teams support call led to compromise
ID: a6353c75-7ca8-5ca1-a06f-51bb2dd4c622
STIX ID: report--a6353c75-7ca8-5ca1-a06f-51bb2dd4c622
Feed Name: Microsoft Security
In this Cyberattack Series report, Microsoft DART details an identity-first, human-operated intrusion in which attackers used Microsoft Teams voice phishing to impersonate IT support and convince an employee to grant remote access via Quick Assist. The attackers then directed the user to a spoofed web form to capture credentials, deployed a disguised MSI that sideloaded a malicious DLL to establish C2, and introduced encrypted loaders and admin tooling to expand access. DART contained the activity quickly, found no persistence, and validated that actor objectives were not met. It recommends tightening external collaboration, allowlisting trusted domains, and reducing use of remote support tools like Quick Assist.
