Security

Cross-Tenant Teams Impersonation Attack Playbook

3 min read

Summary

Microsoft has detailed a human-operated intrusion chain where attackers use cross-tenant Microsoft Teams chats to impersonate helpdesk staff and trick users into granting remote access through tools like Quick Assist. The campaign matters because it blends legitimate collaboration, remote support, and admin tools to enable lateral movement, persistence, and data exfiltration while appearing like normal IT activity.

Need help with Security?Talk to an Expert

Introduction

Microsoft has published new threat research describing how attackers are abusing external Microsoft Teams chats to impersonate IT or helpdesk staff. For IT and security teams, this is an important reminder that modern phishing and social engineering no longer start only with email—they can begin inside trusted collaboration tools and quickly escalate into enterprise-wide compromise.

What’s new

Microsoft’s report outlines a full human-operated intrusion playbook that starts with cross-tenant Teams messages and ends with data exfiltration.

Attack chain highlighted by Microsoft

  • Initial contact via Teams: Attackers pose as support personnel using external Teams communication.
  • Remote assistance foothold: Victims are convinced to launch Quick Assist or similar remote support tools and approve access.
  • Reconnaissance and validation: Attackers quickly check user privileges, system details, and access level.
  • Trusted app abuse: Vendor-signed applications are launched with attacker-supplied modules to run malicious code.
  • Command and control: Attackers establish persistent access while blending into normal admin activity.
  • Lateral movement: Native tools such as WinRM are used to pivot toward high-value assets, including domain controllers.
  • Follow-on tooling: Commercial remote management software like Level RMM may be deployed.
  • Data exfiltration: Utilities such as Rclone are used to stage and move sensitive data to external cloud storage.

Why this matters for administrators

This campaign is notable because it relies heavily on legitimate Microsoft and third-party tools rather than obvious malware. That makes detection harder and increases the chance that activity will look like routine IT support, remote administration, or user-approved actions.

The biggest risk is not just external Teams messaging itself, but the moment a user approves remote control. Once that happens, attackers can move quickly—often within minutes—to establish broader access, deploy tools, and target identity or domain infrastructure.

Administrators should review controls across collaboration, endpoint, and identity security:

  • Harden external Teams access and review cross-tenant communication policies.
  • Train users to treat unsolicited helpdesk or security contacts in Teams with suspicion, especially first-contact messages.
  • Restrict or monitor Quick Assist and other remote support tools where possible.
  • Watch for suspicious process chains such as QuickAssist.exe followed by cmd.exe or PowerShell.
  • Monitor lateral movement activity involving WinRM and unexpected remote management software.
  • Review data exfiltration signals tied to tools like Rclone or unusual cloud storage destinations.
  • Use Microsoft Defender XDR to correlate identity, endpoint, and Teams telemetry for earlier detection.

Bottom line

Microsoft’s research shows that collaboration platforms are now part of the active intrusion landscape. Security teams should treat Teams-based impersonation and user-approved remote assistance as high-risk pathways and update monitoring, user awareness, and response playbooks accordingly.

Need help with Security?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

Microsoft TeamsQuick AssistMicrosoft Defender XDRdata exfiltrationphishing

Related Posts

Security

Microsoft Black Hat 2026: AI and Supply Chain Defense

Microsoft used Black Hat USA 2026 to spotlight how attackers are abusing trusted software, identities, cloud services, and AI systems to scale attacks. The company also highlighted ongoing npm supply chain investigations, new Microsoft Defender Experts capabilities, and research sessions that give security teams practical guidance for defending trust paths.

Security

ACR Stealer Campaigns: ClickFix Threats Rise

Microsoft reports increased ACR Stealer activity targeting enterprises through ClickFix social engineering, with two intrusion chains using WebDAV, Python loaders, MSHTA, obfuscated PowerShell, and steganography. The campaigns focus on stealing browser credentials, session tokens, and sensitive documents, making early detection and user awareness critical for defenders.

Security

AI Agent Least Privilege: Identity and RBAC Guide

Microsoft is urging organizations to treat AI agents as first-class identities with tightly scoped access, explicit role assignments, and controlled tool bindings. The guidance matters because agentic workflows can span multiple systems, increasing the blast radius of misconfigured permissions, weak audit trails, and unclear accountability.

Security

AsyncAPI npm Supply Chain Attack: Import-Time Malware

Microsoft Threat Intelligence uncovered a coordinated compromise of the AsyncAPI npm organization that republished five package versions with malicious code that runs when packages are imported, not just installed. The incident matters because common mitigations like npm install --ignore-scripts do not stop this technique, putting developer workstations, CI/CD pipelines, and production services at risk if they resolved the affected versions.

Security

Defender Experts Adds Threat Intelligence and MDR

Microsoft has launched Defender Experts Threat Intelligence and expanded Defender Experts MDR with third-party and multi-cloud coverage powered by Microsoft Sentinel. The update helps security teams turn threat intelligence into action faster by combining expert-led guidance, unified Defender portal workflows, and broader cross-platform incident response.

Security

Salesforce OAuth Abuse: Microsoft Guidance on ShinyHunters

Microsoft detailed how threat activity associated with ShinyHunters abused trusted OAuth relationships in Salesforce to gain persistent access, exfiltrate CRM data, and evade traditional sign-in detections. The company also announced improved Salesforce telemetry and near-real-time detection in Defender for Cloud Apps, giving security teams better visibility into connected apps, OAuth scopes, and suspicious SaaS activity.