(microsoft.com) Cross-Tenant Microsoft Teams Helpdesk Impersonation Campaign Enabling Multi-Stage Enterprise Compromise
-
(microsoft.com) Cross-Tenant Microsoft Teams Helpdesk Impersonation Campaign Enabling Multi-Stage Enterprise Compromise
New multi-stage intrusion campaign abuses Microsoft Teams cross-tenant messaging to impersonate IT helpdesk (T1566.003), tricking users into Quick Assist remote access. Attackers deploy DLL sideloading via vendor-signed binaries (AcroServicesUpdater2_x64.exe, ADNotificationManager.exe, DlpUserAgent.exe) and Havoc C2 framework with registry-based encrypted configs. Lateral movement via WinRM (TCP 5985) targets domain controllers; exfiltration uses Rclone to cloud storage.
In brief - Threat actors exploit Teams external collaboration to impersonate helpdesk, gain remote access via Quick Assist, and execute a stealthy multi-stage compromise using legitimate tools and protocols to evade detection.
Technically - Initial access via cross-tenant Teams phishing (T1566.003) leads to Quick Assist abuse. DLL sideloading (msi.dll, vcruntime140_1.dll, mpclient.dll) via signed binaries in ProgramData. Havoc C2 with encrypted registry configs (user-context). Lateral movement via WinRM (TCP 5985) using harvested creds. Persistence via RMM tools (msiexec.exe). Exfiltration via Rclone to external cloud. Defender XDR KQL queries available for hunting across MessageEvents, DeviceProcessEvents, and other tables.
-
R relay@relay.infosec.exchange shared this topic
