- Microsoft warns Teams users of scammers abusing cross‑tenant chat feature
- Attackers impersonate IT staff, trick victims into granting remote access via Quick Assist
- Once inside, they use trusted tools to move laterally, install Rclone, and exfiltrate sensitive company data
Microsoft has warned Teams users about fraudsters using the platform to access their corporate networks, deploy malicious code, and steal sensitive data.
In a new in-depth security advisory published last weekend, Microsoft said it spotted scammers using the cross-tenant feature to initiate a chat even though they are not part of the victim’s organization.
They impersonate IT or help desk staff, and try to convince their victims to grant them remote access to their computers using legitimate tools like Quick Assist.
Not triggering alarms
Quick Assist is a built-in Windows remote desktop management app that allows users to provide or receive remote technical support.
Once they get access, the scammers run legitimate, trusted programs but modify them to execute malicious code. From there, they move through the company’s network using built-in tools like Windows Remote Management to reach important systems, such as domain controllers.
“From this initial foothold, attackers can leverage trusted tools and native administrative protocols to move laterally across the enterprise and stage sensitive data for exfiltration—often blending into routine IT support activity throughout the intrusion lifecycle,” the company said.
Microsoft also said it observed the attackers installing common remote management tools, as well as programs like Rclone, to collect and upload company data to cloud storage.
This technique apparently works well because it relies on real tools and normal IT processes. The victims aren’t seeing any red flags, and actual IT and help desk teams are not being alerted to any extraordinary or suspicious activity. Instead of phishing emails, attackers use Teams messages, which can look like legitimate internal communication.
While Teams does show warnings when someone from outside the company tries to make contact, it seems that the victims ignored the warnings and still agreed to give access. After getting in, attackers can quickly spread across the network, install more tools, and gather sensitive data. The exact steps may vary, but the goal is usually to maintain access and steal valuable information.
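Because each tool in this chain is legitimate on its own, the sequence is what stands out. The following Python sketch is an added example, not code from Microsoft's advisory or from this article: it flags a host when an Rclone or Windows Remote Management client process starts shortly after a Quick Assist session on the same machine. The process image names, the two-hour window, and the event records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Process image names assumed for this sketch (not taken from the advisory).
REMOTE_HELP = {"quickassist.exe"}
FOLLOW_UP = {
    "rclone.exe": "data transfer tool (Rclone)",
    "winrs.exe": "Windows Remote Management client",
}

def find_suspicious_sessions(events, window=timedelta(hours=2)):
    """Return findings where a follow-up tool starts on a host within
    `window` after a Quick Assist session began on that same host."""
    findings = []
    last_session = {}  # host -> start time of most recent Quick Assist launch
    for ev in sorted(events, key=lambda e: e["time"]):
        image = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        host = ev["host"].lower()
        if image in REMOTE_HELP:
            last_session[host] = ev["time"]
        elif image in FOLLOW_UP and host in last_session:
            delay = ev["time"] - last_session[host]
            if delay <= window:
                findings.append({
                    "host": host,
                    "tool": FOLLOW_UP[image],
                    "minutes_after_session": int(delay.total_seconds() // 60),
                    "user": ev["user"],
                })
    return findings

def _ev(host, hhmm, image, user):
    h, m = map(int, hhmm.split(":"))
    return {"host": host, "time": datetime(2025, 1, 6, h, m), "image": image, "user": user}

# Constructed sample process-start events (hosts, users and paths are made up).
SAMPLE_EVENTS = [
    _ev("WS-014", "09:02", r"C:\Windows\System32\QuickAssist.exe", "alice"),
    _ev("WS-014", "09:20", r"C:\Windows\System32\winrs.exe", "alice"),
    _ev("WS-014", "09:41", r"C:\Users\alice\AppData\Local\Temp\rclone.exe", "alice"),
    _ev("SRV-BKP", "03:00", r"D:\tools\rclone.exe", "svc_backup"),  # no Quick Assist session: ignored
    _ev("WS-027", "10:00", r"C:\Windows\System32\QuickAssist.exe", "bob"),
    _ev("WS-027", "15:30", r"C:\Tools\rclone.exe", "bob"),  # outside the window: ignored
]

if __name__ == "__main__":
    for finding in find_suspicious_sessions(SAMPLE_EVENTS):
        print(finding)
```

The scheduled Rclone job on the backup server is not flagged, which is the point of correlating on the remote-help session rather than alerting on the tool name alone.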
Via BleepingComputer





