RSS
Last updated: May 14, 2026 at 10:49 AM UTC
All 219 Vulnerability 76 Breach 45 Threat 91 Defense 7
Tag: winrm (1 article)Clear
threat
2026-04-21

Microsoft warns of external Teams chats abused for helpdesk impersonation - 9-stage attack chain uses Quick Assist and Rclone for data theft

Microsoft Threat Intelligence is warning of a surge in attacks where threat actors pose as IT or helpdesk staff in external Microsoft Teams cross-tenant chats to trick employees into granting remote access - then use legitimate tools to steal data while blending into normal IT activity. The attack chain has nine stages. First, the attacker opens an external Teams chat claiming to be internal IT addressing an account issue. They talk the target into starting a Quick Assist remote support session, giving the attacker direct control of the machine. From there they do quick recon via Command Prompt and PowerShell, drop a small payload in user-writable locations like ProgramData, and execute it through DLL side-loading using a trusted signed application (Autodesk, Adobe Reader, Windows Error Reporting, or even data loss prevention software - any binary with a valid Microsoft-trusted signature). HTTPS C2 blends into normal outbound traffic. They establish persistence via Windows Registry, then use Windows Remote Management (WinRM) to move laterally to domain controllers and high-value assets. Final stage: Rclone exfiltrates filtered data to external cloud storage. Microsoft's detection guidance is blunt - this blends into legitimate admin activity and is hard to distinguish from routine IT support.

microsoft-teamssocial-engineeringhelpdesk-impersonationquick-assistrclonewinrmdll-sideloadingliving-off-the-land
Check
Audit your Teams tenant configuration today. Do external users from unknown tenants have the ability to start chats with your employees? If yes, this attack vector is open.
Affected
Any organization using Microsoft Teams with external collaboration enabled, particularly with 'Anyone' or broad external access allowed. Non-technical staff who may not recognize the pattern of an external Teams contact impersonating IT. Environments where Quick Assist is not restricted and WinRM is widely enabled.
Fix
In Teams Admin Center, set External Access to allow only specific trusted domains (not 'Anyone'). Train staff to treat any external Teams contact claiming to be IT as hostile by default - legitimate internal IT does not chat from an external tenant. Restrict or audit Quick Assist: if you don't use it, disable it via GPO or Intune. Limit WinRM to specific admin jump boxes rather than allowing it across the domain. Monitor for Rclone execution (filename and parent process) - there's essentially no legitimate business reason for Rclone to run on endpoint machines. Flag any outbound HTTPS traffic from endpoints to consumer cloud storage domains (Mega, Dropbox, Google Drive) that doesn't match expected user behavior.