Microsoft Teams support call leads to Quick Assist compromise in new vishing attack
A Microsoft Teams voice call that appeared to come from IT support led to a real compromise after an employee granted remote access through Quick Assist. Microsoft’s Detection and Response Team, known as DART, said the incident began in November 2025 and showed how attackers can rely on trust, urgency, and built-in tools instead of software exploits to break into a corporate environment.
According to Microsoft, the attacker first called multiple employees through Teams while pretending to be support staff. Two attempts failed, but the third worked. The employee opened Quick Assist and gave the attacker interactive access to the device, which became the entry point for the rest of the intrusion.
The case matters because it reflects a broader shift in enterprise attacks. Microsoft has already warned that threat actors are misusing Teams and Quick Assist in social engineering campaigns, and this newer DART case shows the same idea taken into a live compromise investigation.
What happened in the Teams vishing attack
Microsoft said the attacker impersonated internal support personnel during Teams voice calls and used repeated outreach until someone finally accepted the request. Once the attacker gained access through Quick Assist, the user was directed to a threat actor-controlled website that hosted a fake sign-in page. DART said browser history and Quick Assist artifacts confirmed that the employee entered corporate credentials there.
That credential theft then led to a staged payload chain. Microsoft said the first payload was a disguised MSI installer that sideloaded a malicious DLL, which established outbound command-and-control communications. From there, the attackers expanded access using encrypted loaders, remote command execution through standard administrative tooling, proxy-based connectivity, and session hijacking capabilities designed to blend into normal enterprise activity.
Why Quick Assist keeps showing up in these attacks
Quick Assist is built into Windows, which makes it familiar to users and useful to attackers. Microsoft said in earlier reporting that threat actors have repeatedly abused Quick Assist in social engineering attacks because it gives remote control through a legitimate Microsoft tool and lowers suspicion during fake help desk interactions. In the 2024 campaigns Microsoft tracked, attackers also used Teams messages and calls that displayed names such as “Help Desk” or “IT Support.”
That is what makes the new case effective even without an exploit. The attacker did not need to break Quick Assist. They only needed the target to trust the call and approve the session. Once that happened, the remote access looked close enough to legitimate support activity to buy time for follow-on credential theft and malware delivery.
Post-compromise activity at a glance
| Stage | What Microsoft said happened | Why it matters |
|---|---|---|
| Initial contact | Attacker placed Microsoft Teams voice calls while impersonating IT support | Social engineering replaced technical exploitation |
| Access granted | Employee launched Quick Assist and approved remote access | Built-in Windows tool became the access path |
| Credential theft | User visited a spoofed portal and entered corporate credentials | Attack moved from access to identity compromise |
| Malware execution | MSI package sideloaded a malicious DLL | Trusted Windows mechanisms helped the malware blend in |
| Expansion | Attackers used encrypted loaders, admin tooling, proxies, and session hijacking | The activity aimed to maintain control and reduce detection risk |
What Microsoft found after the breach
DART said it confirmed the compromise came from the Teams vishing interaction and immediately prioritized preventing identity or directory-level escalation. Microsoft also said the attack window was short and the intrusion stayed limited in scope. The response team carried out targeted eviction steps, applied containment controls to reduce lateral movement risk, and validated that no persistence mechanisms remained before closing the case.
That detail is important because it shows the attack did not become a major long-term foothold. Even so, the compromise demonstrates how fast a voice-based social engineering campaign can move from a simple call to credential theft and hands-on activity inside a corporate environment.
What Microsoft recommends now
Microsoft’s guidance focused on reducing the chance that Teams-based impersonation works in the first place. DART recommended restricting inbound Teams communication from unmanaged or unverified external accounts and using an allowlist of trusted external domains. It also recommended auditing remote monitoring and management tools and disabling utilities such as Quick Assist where they are not actually needed.
The company also said organizations should run vishing-focused awareness training that includes fake IT support scenarios inside collaboration platforms, and should enable conditional access and session-based anomaly detection to identify suspicious remote access behavior earlier. More broadly, Microsoft’s recent security reporting says social engineering remains a major initial access method and that defenders need to watch identity behavior and trusted tool misuse, not just malware alerts.
Practical defenses for Teams and Quick Assist abuse
| Defensive step | Why it helps |
|---|---|
| Restrict external Teams communication | Reduces unsolicited support impersonation attempts |
| Disable Quick Assist where not needed | Removes an easy social engineering path to remote access |
| Train users on vishing and fake help desk calls | Helps employees recognize urgency-based deception |
| Apply conditional access and anomaly detection | Makes unusual session behavior easier to catch |
| Investigate suspicious Quick Assist usage | Microsoft says it blocks thousands of suspicious Quick Assist attempts daily, showing the technique remains active |
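The "session-based anomaly detection" Microsoft recommends above, and the "investigate suspicious Quick Assist usage" row in the table, both come down to correlating a Quick Assist session with what happens on the endpoint right after it. The script below is an added example, not Microsoft's hunting query or DART's tooling, and the pipe-delimited event lines, host names, user names, file names and the 203.0.113.45 endpoint are all constructed. It walks the chain the article describes from the endpoint side only (Quick Assist launch, MSI run from a user-writable path, unsigned DLL loaded from a user-writable path, outbound connection from the process that loaded it) and scores each Quick Assist session by how many of those stages follow it within a time window. It matches on the QuickAssist.exe file name rather than a full path because the install location differs between Windows builds; the browser visit to the spoofed sign-in page is not modelled here.

```python
"""Correlate endpoint events to flag a Quick Assist session followed by the
MSI -> sideloaded DLL -> outbound-connection chain. Added example; the log
format, hosts, users, paths and IP below are constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed events: timestamp | host | user | kind | image/path | parent | extra
# extra = command line (ProcessCreate), signature state (ImageLoad) or remote endpoint (NetworkConnect)
SAMPLE_EVENTS = r"""
2025-11-12T09:02:10 | WS-0417 | j.doe | ProcessCreate | C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe | explorer.exe | -
2025-11-12T09:06:31 | WS-0417 | j.doe | ProcessCreate | C:\Windows\System32\msiexec.exe | explorer.exe | /i C:\Users\j.doe\Downloads\SupportTool.msi /qn
2025-11-12T09:06:40 | WS-0417 | j.doe | ImageLoad | C:\Users\j.doe\AppData\Local\Temp\helper.dll | SupportTool.exe | unsigned
2025-11-12T09:07:02 | WS-0417 | j.doe | NetworkConnect | SupportTool.exe | - | 203.0.113.45:443
2025-11-12T10:15:00 | WS-0912 | a.smith | ProcessCreate | C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe | explorer.exe | -
2025-11-12T10:40:00 | WS-0912 | a.smith | ProcessCreate | C:\Windows\System32\msiexec.exe | explorer.exe | /i C:\ProgramData\corp\agent.msi /qn
"""


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str    # ProcessCreate | ImageLoad | NetworkConnect
    image: str   # full path (ProcessCreate/ImageLoad) or process name (NetworkConnect)
    parent: str  # parent process, or the process that loaded the image
    extra: str


def parse_events(text: str) -> List[Event]:
    """Parse the constructed pipe-delimited format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 7:
            continue
        ts, host, user, kind, image, parent, extra = parts
        events.append(Event(datetime.fromisoformat(ts), host, user, kind, image, parent, extra))
    return events


# Locations a standard user can write to; installers or DLLs here deserve scrutiny.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\|\\AppData\\|\\Temp\\", re.IGNORECASE)
MSI_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+\.msi', re.IGNORECASE)


def user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events: List[Event], window_minutes: int = 60) -> List[Dict]:
    """One finding per Quick Assist launch, listing the follow-on stages seen
    on the same host within the window and a severity derived from their count."""
    by_host: Dict[str, List[Event]] = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for anchor in evs:
            if anchor.kind != "ProcessCreate" or basename(anchor.image) != "quickassist.exe":
                continue
            end = anchor.ts + timedelta(minutes=window_minutes)
            stages = ["quick_assist_session"]
            chain_procs = set()  # processes that loaded an unsigned DLL after the session
            for e in evs:
                if not (anchor.ts < e.ts <= end):
                    continue
                if e.kind == "ProcessCreate" and basename(e.image) == "msiexec.exe":
                    m = MSI_PATH.search(e.extra)
                    if m and user_writable(m.group(0)) and "msi_from_user_writable_path" not in stages:
                        stages.append("msi_from_user_writable_path")
                elif e.kind == "ImageLoad" and e.extra.lower() == "unsigned" and user_writable(e.image):
                    chain_procs.add(e.parent.lower())
                    if "unsigned_dll_from_user_writable_path" not in stages:
                        stages.append("unsigned_dll_from_user_writable_path")
                elif e.kind == "NetworkConnect" and e.image.lower() in chain_procs:
                    if "outbound_from_sideloaded_process" not in stages:
                        stages.append("outbound_from_sideloaded_process")
            severity = "high" if len(stages) >= 3 else "medium" if len(stages) == 2 else "low"
            findings.append({"host": host, "user": anchor.user, "start": anchor.ts.isoformat(),
                             "stages": stages, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"{f['severity']:6} {f['host']} {f['user']} {f['start']} -> {', '.join(f['stages'])}")
```

A lone Quick Assist launch scores "low" on purpose: Microsoft's guidance is to disable the tool where it is not needed, but where it is in use, a session by itself is normal help desk activity and only worth logging. The chain that turns it into a "high" is the one DART described, and the window-based correlation is what lets a SOC surface it before the follow-on access described in the expansion stage.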
Bottom line
Microsoft’s new DART case shows how little technical sophistication an attacker may need at the start of an intrusion if the social engineering is convincing enough. A Teams voice call, a fake support story, and Quick Assist were enough to get the attacker inside. From there, the campaign shifted quickly into credential theft and staged malware delivery.
The bigger lesson is that collaboration platforms and built-in admin tools now sit firmly inside the attack surface. Organizations that focus only on exploits and malware families may miss the moment when a user, believing they are helping IT, opens the door themselves.
FAQ
Microsoft said the attacker used Quick Assist, the built-in Windows remote assistance tool, after reaching the victim through a Microsoft Teams voice call.
No. Microsoft said the intrusion relied on deception, fake IT support calls, credential harvesting, and legitimate tooling rather than exploiting a software vulnerability.
Microsoft said the threat actor made two unsuccessful attempts before convincing a third employee to grant remote access.
The victim was led to a spoofed credential page, entered corporate credentials, and then received a malicious MSI that sideloaded a DLL and opened command-and-control access.
Microsoft recommends restricting external Teams communications, disabling unused remote support tools such as Quick Assist, training staff on vishing scenarios, and enabling conditional access plus anomaly detection.