Microsoft Teams and Quick Assist helpdesk impersonation attacks are rising, Microsoft warns
Attackers are increasingly using Microsoft Teams and Quick Assist to pose as IT helpdesk staff, trick employees into granting remote access, and then move deeper into corporate networks. Microsoft says this attack chain often starts with an external Teams message from another tenant, followed by social engineering that pushes the user to approve a Quick Assist session.
The danger comes from how normal the activity looks. Instead of malware-laced email or an exploit, the attacker uses common workplace tools and relies on the victim to ignore warnings and approve the session. Microsoft says that once access is granted, the intruder can blend into ordinary support activity while they collect information, deploy payloads, and prepare for lateral movement.
This is not a brand-new tactic, but Microsoft’s latest research shows it remains active and effective in 2026. The company says recent intrusions used the same basic playbook: an unsolicited Teams contact, a fake support pretext, Quick Assist approval, then hands-on-keyboard activity inside the environment within minutes.
How the attack works
Microsoft says Teams already shows several security cues when someone outside the organization starts contact, including external tenant labeling, accept or block prompts, preview details, and phishing indicators. The problem is that attackers try to talk users past those warnings by pretending they are internal support staff dealing with an urgent issue.
If the user accepts the chat and follows instructions, the attacker moves them into Quick Assist. Microsoft’s Quick Assist documentation explains that the tool lets a helper view a screen, annotate it, or take full control after the user approves the connection. In the wrong hands, that makes it a ready-made remote access path.
Microsoft says attackers often begin reconnaissance almost immediately after access starts. The company observed operators checking user privileges, gathering host and network details, staging payloads in writable folders, and using trusted signed applications for DLL side-loading. In some cases, they then used Windows Remote Management and cloud sync tools to reach high-value systems and exfiltrate files.
Why this attack is hard to catch
This campaign stands out because it depends more on human trust than on a software vulnerability. Microsoft says the intrusion chain can unfold through legitimate tools, approved user actions, and normal outbound traffic, which makes it harder for defenders to spot without strong telemetry correlation across identity, endpoint, and collaboration layers.
The Quick Assist angle also builds on a pattern Microsoft documented earlier. In 2024, Microsoft linked Quick Assist abuse to social engineering activity associated with Storm-1811, a financially motivated group tied to Black Basta ransomware. Microsoft later noted that Teams had become another useful channel for the same type of impersonation.
For security teams, the lesson is clear. A remote support session should not be treated as harmless just because it runs through Microsoft software. If a user starts a session with someone they do not know through an unsolicited external Teams message, defenders should treat that activity as potentially hostile until proven otherwise.
What Microsoft says organizations should do
| Risk area | Recommended action |
|---|---|
| External Teams contact | Treat unsolicited messages from claimed IT staff as suspicious and verify through known internal channels. |
| Quick Assist misuse | Limit Quick Assist or replace open-ended support workflows with managed remote support options and clear user verification steps. |
| Malicious links in Teams | Use Teams malicious URL protection and Microsoft Defender for Office 365 protections for Teams. |
| Payload execution | Use Attack Surface Reduction rules, application control, and endpoint protections to make DLL side-loading harder. |
| Lateral movement and exfiltration | Restrict WinRM, monitor unusual admin activity, and watch for cloud sync tools used for data theft. |
Immediate steps for defenders
- Verify any IT support request through a known company channel before approving screen sharing or remote control.
- Restrict who can use remote support tools and document when IT is allowed to initiate them.
- Monitor for external-tenant Teams messages that precede Quick Assist sessions or unusual admin activity.
- Harden endpoints with application control, ASR rules, and endpoint detection.
- Train staff to spot external labels, unexpected urgency, and requests to bypass built-in warnings.
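The correlation Microsoft calls for (collaboration, endpoint and remote-management telemetry joined per user) can be sketched as a small detector. This is an added example, not Microsoft's code or detection logic: the event shape, the event kind names, the process name QuickAssist.exe and the time windows are assumptions, and the sample events are constructed.

```python
"""Flag the Teams-to-Quick-Assist helpdesk impersonation chain by joining
per-user telemetry. Added example, not Microsoft's code: event shape, kind
names and the process name QuickAssist.exe are assumptions; real sources
(Teams audit log, EDR, WinRM logs) need a mapping layer to this shape."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: alice follows the full chain, bob runs
# Quick Assist with no preceding external Teams contact (routine support).
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T09:00:00", "user": "alice", "kind": "teams_external_chat_accepted"},
    {"ts": "2026-03-02T09:04:00", "user": "alice", "kind": "process_start", "image": "QuickAssist.exe"},
    {"ts": "2026-03-02T09:11:00", "user": "alice", "kind": "winrm_session_created"},
    {"ts": "2026-03-02T10:30:00", "user": "bob", "kind": "process_start", "image": "QuickAssist.exe"},
]

# Post-access indicators named in the article: WinRM and cloud sync tools.
FOLLOW_UP_KINDS = {"winrm_session_created", "cloud_sync_tool_started"}

def stage_of(ev):
    """Map a raw event to a chain stage, or None if it is not of interest."""
    if ev["kind"] == "teams_external_chat_accepted":
        return "external_teams_contact"
    if ev["kind"] == "process_start" and ev.get("image", "").lower() == "quickassist.exe":
        return "quick_assist_session"
    return "post_access_activity" if ev["kind"] in FOLLOW_UP_KINDS else None

def correlate(events, contact_window=timedelta(minutes=30),
              follow_up_window=timedelta(minutes=60)):
    """One alert per Quick Assist session preceded by an external Teams contact
    within contact_window; 'high' if WinRM/cloud sync follows, else 'medium'."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            per_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = []
    for user, timeline in per_user.items():
        contacts = [t for t, s in timeline if s == "external_teams_contact"]
        for qa_time, stage in timeline:
            if stage != "quick_assist_session":
                continue
            if not any(timedelta(0) <= qa_time - c <= contact_window for c in contacts):
                continue  # no unsolicited external contact first: leave to routine review
            follow = any(s == "post_access_activity" and timedelta(0) <= t - qa_time <= follow_up_window
                         for t, s in timeline)
            alerts.append({"user": user, "quick_assist_at": qa_time.isoformat(),
                           "severity": "high" if follow else "medium"})
    return alerts
```

Tune the windows to your own helpdesk norms; the point is that a Quick Assist session is only interesting here when an external-tenant Teams contact precedes it, and escalates when WinRM or sync activity follows.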
FAQ
The attacker pretends to be IT support in Microsoft Teams, then convinces the employee to approve a Quick Assist remote session. After that, the attacker can operate directly on the victim’s machine.
Microsoft’s latest report describes it primarily as a human-operated social engineering playbook, not a traditional exploit chain. The victim’s approval is the key step.
It is a legitimate Microsoft remote support tool. Because users may already know it, attackers can make the session look like routine troubleshooting.
Do not approve access right away. Verify the request through your company’s known helpdesk channel, ticketing system, or internal phone number first.