- Microsoft warns Teams users about scammers abusing the tenant chat feature
- Attackers impersonate IT staff and trick victims into granting remote access via Quick Assist
- Once inside, they use trusted tools to move laterally, install Rclone, and leak sensitive company data
Microsoft warned Teams users about scammers using the platform to access their corporate networks, deploy malicious code and steal sensitive data.
In a new in-depth security advisory released last weekend, Microsoft said it detected scammers using the cross-tenancy feature to start a chat even though they are not part of the victim’s organization.
They pose as IT or help desk staff and try to convince their victims to grant them remote access to their computers using legitimate tools like Quick Assist.
Not raising any alarms
Quick Assist is a built-in Windows remote desktop management application that allows users to provide or receive remote technical support.
Once they gain access, scammers run legitimate and trusted programs, but modify them to run malicious code. From there, they move across the company network using built-in tools like Windows Remote Administration to reach important systems, like domain controllers.
“From this initial foothold, attackers can leverage trusted tools and native administrative protocols to move laterally across the enterprise and prepare sensitive data for exfiltration, often blending into routine IT support activity throughout the intrusion lifecycle,” the company said.
Microsoft also said it observed attackers installing common remote administration tools and programs, such as Rclone, to collect and upload company data to cloud storage.
This technique apparently works well because it is based on real tools and normal computer processes. Victims don’t see any red flags, and actual IT and help desk teams aren’t alerted about any extraordinary or suspicious activity. Instead of phishing emails, attackers use Teams messages, which can look like legitimate internal communication.
While Teams displays warnings when someone outside the company attempts to make contact, it appears that victims ignored the warnings and still agreed to provide access. After breaking in, attackers can quickly spread across the network, install more tools, and collect sensitive data. The exact steps may vary, but the goal is usually to maintain access and steal valuable information.
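Because each step uses a legitimate tool, defenders have to correlate events rather than flag any single one. The sketch below is an added example, not code from Microsoft's advisory: it flags hosts where an Rclone transfer starts within a few hours of a Quick Assist session. The event shape, host names, paths and the four-hour window are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed process-creation events (hosts, users, paths, times are made up).
EVENTS = [
    {"time": "2025-01-09T08:00:00", "host": "WS-040", "user": "dave",
     "image": r"C:\Windows\System32\QuickAssist.exe", "cmd": "QuickAssist.exe"},
    {"time": "2025-01-10T08:00:00", "host": "WS-031", "user": "carol",
     "image": r"C:\Windows\System32\QuickAssist.exe", "cmd": "QuickAssist.exe"},
    {"time": "2025-01-10T08:10:00", "host": "WS-031", "user": "carol",
     "image": r"C:\Tools\rclone.exe", "cmd": "rclone.exe version"},
    {"time": "2025-01-10T09:00:00", "host": "WS-040", "user": "dave",
     "image": r"C:\Users\Public\rclone.exe", "cmd": r"rclone.exe copy D:\HR remote:out"},
    {"time": "2025-01-10T09:02:11", "host": "WS-014", "user": "alice",
     "image": r"C:\Windows\System32\QuickAssist.exe", "cmd": "QuickAssist.exe"},
    {"time": "2025-01-10T09:47:30", "host": "WS-014", "user": "alice",
     "image": r"C:\Users\Public\rclone.exe", "cmd": r"rclone.exe copy D:\Shares remote:out"},
    {"time": "2025-01-10T10:00:00", "host": "WS-022", "user": "backup-svc",
     "image": r"C:\Tools\rclone.exe", "cmd": r"rclone.exe sync E:\Backups archive:nightly"},
]

WINDOW = timedelta(hours=4)               # assumed correlation window; tune per environment
TRANSFER_VERBS = {"copy", "sync", "move"}  # rclone subcommands that move data


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate(events, window=WINDOW):
    """Return alerts for rclone transfers that follow Quick Assist on the same host."""
    last_quick_assist = {}  # host -> start time of the most recent Quick Assist session
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        name = basename(ev["image"])
        if name == "quickassist.exe":
            last_quick_assist[ev["host"]] = when
        elif name == "rclone.exe" and TRANSFER_VERBS & set(ev["cmd"].lower().split()):
            started = last_quick_assist.get(ev["host"])
            # Alert only if a Quick Assist session preceded the transfer within the window.
            if started is not None and when - started <= window:
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "quick_assist": started.isoformat(), "rclone": ev["time"],
                               "cmd": ev["cmd"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Matching on the file name alone misses a renamed binary, so in practice the same correlation would also key on command-line patterns or file hashes from the endpoint telemetry in use.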
Via BleepingComputer




