Cross-tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook
ID: e5854ad4-0154-51ce-88fd-87e599bc5474
STIX ID: report--e5854ad4-0154-51ce-88fd-87e599bc5474
Feed Name: Microsoft Security
Date Published: 2026-04-18
Date Updated: 2026-04-28
Author: Microsoft Defender Security Research Team
This Microsoft Defender research report describes an observed campaign in which adversaries impersonate IT/helpdesk staff over cross-tenant Microsoft Teams chats to trick users into granting remote-assist sessions (e.g., Quick Assist). Once connected, the attackers perform short interactive reconnaissance, stage payloads through DLL sideloading under trusted signed host executables, establish HTTPS command-and-control, pivot to domain resources via WinRM, deploy remote-management tooling, and exfiltrate targeted business data with Rclone. The report includes detection signatures, advanced-hunting queries, and mitigations (attack surface reduction rules, WDAC, Conditional Access, Safe Links, and user education).
