Wednesday, 22 April 2026, 02:19
Microsoft Warns Hackers Impersonate Its Employees to Steal Corporate Data

Khaberni - Microsoft warned users of the Microsoft Teams platform of a new wave of fraudulent attacks targeting corporate networks by impersonating technical support staff and using official tools to access internal systems and steal sensitive data.

The company revealed that it has detected attackers exploiting the "inter-organizational chat" feature in "Teams," which allows initiating conversations with users outside the organization. The attackers contact employees claiming to be from IT or technical support teams, then convince the victims to grant them remote access to their devices, according to TechRadar.

The operation is carried out using the Quick Assist application, a tool integrated into the Microsoft Windows system that enables legitimate remote technical support. However, the attackers exploit this tool to access devices without raising suspicion.

Covert movements within networks
According to the warning, after gaining an initial foothold within the system, the hackers run trusted programs and modify them to execute malicious code. They then move across the network using native administrative tools such as “Windows Remote Management” (WinRM) to access sensitive systems, including domain controllers, which are responsible for managing user permissions and network security within organizations.


The company clarified that the attackers employ trusted tools and native administrative protocols to move laterally within the organization and stage sensitive data for exfiltration outside the network, in activity that often blends with routine technical support operations throughout the breach cycle.

Microsoft also observed the attackers installing common remote management tools, in addition to the Rclone program, which is used to transfer data to cloud storage services, facilitating the process of collecting and uploading information to external servers.
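
One way to surface the chain described above, as an added example (not Microsoft's or the article's code): it correlates a Quick Assist launch with a later WinRM client or Rclone start on the same host. The event records, host names, process image names (`QuickAssist.exe`, `winrs.exe`, `rclone.exe`) and the 60-minute window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed process-creation events (host, time, image name); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-017", "time": "2026-04-20T09:02:11", "image": "QuickAssist.exe"},
    {"host": "WS-017", "time": "2026-04-20T09:14:40", "image": "winrs.exe"},
    {"host": "WS-017", "time": "2026-04-20T09:31:05", "image": "rclone.exe"},
    {"host": "WS-042", "time": "2026-04-20T10:00:00", "image": "QuickAssist.exe"},
    {"host": "WS-042", "time": "2026-04-20T10:05:00", "image": "excel.exe"},
    {"host": "SRV-003", "time": "2026-04-20T11:00:00", "image": "rclone.exe"},
    {"host": "WS-099", "time": "2026-04-20T08:00:00", "image": "QuickAssist.exe"},
    {"host": "WS-099", "time": "2026-04-20T14:30:00", "image": "rclone.exe"},
]

# Assumed image names for the tools the article mentions.
REMOTE_HELP = {"quickassist.exe"}
FOLLOW_ON = {"winrs.exe": "remote management (WinRM client)",
             "rclone.exe": "cloud transfer (Rclone)"}


def correlate(events, window_minutes=60):
    """Return {host: [(image, label, minutes_after_session), ...]} for hosts where
    a follow-on tool starts within the window after a Quick Assist launch."""
    window = timedelta(minutes=window_minutes)
    findings = {}
    last_session = {}  # host -> time of the most recent Quick Assist launch
    # ISO 8601 timestamps sort chronologically as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        host, image = ev["host"], ev["image"].lower()
        when = datetime.fromisoformat(ev["time"])
        if image in REMOTE_HELP:
            last_session[host] = when
        elif image in FOLLOW_ON and host in last_session:
            delta = when - last_session[host]
            if delta <= window:
                findings.setdefault(host, []).append(
                    (image, FOLLOW_ON[image], int(delta.total_seconds() // 60)))
    return findings


if __name__ == "__main__":
    for host, hits in correlate(SAMPLE_EVENTS).items():
        for image, label, minutes in hits:
            print(f"{host}: {image} [{label}] {minutes} min after Quick Assist")
```

Rclone on a host with no preceding Quick Assist session (SRV-003 in the sample) is deliberately not flagged here; the sequence on one host is the signal, since each tool alone is routine.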

Attacks without warnings
The danger of these attacks, according to the company, lies in their reliance on legitimate tools and typical technical procedures, making their detection more difficult. Victims do not notice clear warning indicators, and IT teams do not receive alerts about unusual activity, as the operations appear to be part of normal technical support.

Unlike traditional phishing methods through email, the attackers in these cases rely on messages within "Teams," which may seem like legitimate internal communications, enhancing the chances of successful deception.

Microsoft advises organizations to review inter-organizational communication settings, restrict remote access permissions, and educate employees about the dangers of granting control over their devices without thoroughly verifying the identity of the requesting party.
