Microsoft has issued a warning that deserves attention: attackers are abusing Microsoft Teams' external collaboration (cross-tenant) features to impersonate IT or helpdesk staff and persuade employees to grant them remote access. What is disturbing is not a spectacular "hack" but the combination of social engineering and legitimate tools that lets the intruders move through corporate networks without raising the usual suspicion. The alert is detailed in a report on Microsoft's security blog, which describes how the intrusions follow a concrete, repeatable chain of steps.
The typical starting point is a message from outside the victim's Teams tenant: a cross-tenant chat in which the attacker poses as a technician, cites an alleged account problem or a critical update, and asks to start a remote support session. If the victim accepts, tools such as Quick Assist (Windows' built-in remote assistance application) hand the attacker direct control of the compromised machine, and from there the quiet escalation begins. The vector is effective because many employees regard technical-support requests as legitimate by default, and under workload pressure it is easy to fall for the pretext.

Once inside, the attackers perform quick reconnaissance with Command Prompt and PowerShell to check privileges, domain membership and network reach, and to assess whether they can move laterally to more valuable systems. They then drop a small package of components into user-writable locations such as ProgramData and run malicious code through signed, trusted applications using the technique known as DLL side-loading: the legitimate executable loads an attacker-supplied DLL placed next to it. This use of legitimate binaries and valid digital signatures is what makes the malicious communication and subsequent activity blend in with normal traffic and tasks. If you want to look into how this technique works, the MITRE knowledge base describes it in detail in its ATT&CK catalogue: DLL Side-Loading (MITRE ATT&CK).
Command-and-control communication usually goes over HTTPS, so it mixes with the rest of the outbound traffic and is hard to pick out with traditional network controls. With persistence established through changes to the Windows Registry, the operators abuse Windows Remote Management (WinRM) to reach other domain-joined machines and, in some cases, high-value assets such as domain controllers. WinRM, designed for legitimate remote administration, thus becomes the channel that facilitates spread in corporate environments. Microsoft's official technical documentation on WinRM explains its operation and security considerations: Windows Remote Management (WinRM) - Microsoft Docs.
In the final stages of the attack, the intruders deploy additional remote management tools on systems they already control to automate data collection and, crucially, use utilities such as Rclone to transfer files to external cloud storage. Rclone and similar legitimate synchronization tools let them select and exfiltrate only the valuable information, keep volumes small and improve operational stealth; the tool and its public documentation are available at rclone.org, and these actors routinely use it to send data outside the perimeter without triggering obvious alarms.
This whole process, which Microsoft describes as a nine-stage chain in the analyzed cases, shows why "human-operated" intrusions are so dangerous: they do not depend on a single zero-day exploit but on combining social engineering, legitimate administrative tools and abuse of signed processes to remain hidden. Detecting the malicious activity is hard because many of the actions look like routine IT support or management tasks. The Microsoft report contains screenshots and a technical walkthrough of these stages that help identify abnormal behaviour patterns; you can consult it on the company's security blog: Cross-tenant helpdesk impersonation playbook.
In this context, the recommendations have to combine technical controls with human prevention. Microsoft insists that external accounts in Teams should be treated as untrusted by default and that administrators strictly limit or monitor remote assistance tools. It also recommends restricting the use of WinRM to specific systems and monitoring transfers to external cloud services. For documentation on how to manage external access in Teams and reduce exposure, the official guide is: Manage external access in Microsoft Teams - Microsoft Docs.
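The script below is an added example, not code from Microsoft's report or its documentation: it applies the three configuration recommendations just listed (allow-list Teams external access, remove Quick Assist where the helpdesk does not use it, and scope WinRM to an admin jump subnet) with PowerShell. The partner domain names, the jump subnet, the role variable and the Quick Assist package name are assumptions to adapt to your environment.

```powershell
# Added example (not from Microsoft's report): the three recommendations above
# applied with PowerShell. Partner domains, the admin subnet, $role and the Quick
# Assist package name are assumptions. Run part 1 from an admin workstation with
# the MicrosoftTeams module; run parts 2 and 3 elevated on each endpoint.

# --- 1. Teams external access: allow list instead of open federation ---------
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Look before you change: record the current federation settings.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowPublicUsers,
                  AllowedDomains, BlockedDomains

# Only the named partner tenants can chat or call in; personal Teams and Skype
# consumer accounts are blocked. An attacker's own tenant is no longer reachable.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @('partner-one.example', 'partner-two.example') `
    -AllowTeamsConsumer $false `
    -AllowPublicUsers $false

# --- 2. Quick Assist: remove it where another support tool is in use --------
# Quick Assist ships as a Store (Appx) package. Remove it from existing profiles
# and deprovision it so new profiles do not get it back. The package name is
# the one on current Windows builds (assumption: confirm with Get-AppxPackage).
Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' |
    Remove-AppxPackage -AllUsers
Get-AppxProvisionedPackage -Online |
    Where-Object DisplayName -eq 'MicrosoftCorporationII.QuickAssist' |
    Remove-AppxProvisionedPackage -Online

# --- 3. WinRM: off on workstations, jump-subnet only on servers --------------
$role = 'server'   # assumption: 'workstation' or 'server', set by your deployment tool

if ($role -eq 'workstation') {
    # Ordinary user machines have no reason to accept WinRM sessions at all.
    Disable-PSRemoting -Force
    Stop-Service -Name WinRM
    Set-Service -Name WinRM -StartupType Disabled
}
else {
    # Managed servers keep the listener, but the built-in firewall rule group is
    # scoped to the admin jump subnet; connections from anywhere else are dropped.
    Set-NetFirewallRule -DisplayGroup 'Windows Remote Management' `
        -Enabled True -RemoteAddress @('10.10.50.0/24')
}
```

The firewall scope is the control that matters for the lateral-movement stage: even with valid stolen credentials, a compromised user workstation cannot open a WinRM session to a server that only accepts port 5985/5986 from the jump subnet.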

Beyond configuration, good operational practices also mitigate the risk: train employees to verify, through a separate channel, the identity of anyone requesting support; require additional checks before remote sessions; and enable security controls that alert on atypical executions of signed applications, persistent changes to the Registry and unusual use of file synchronization tools. Endpoint detection and response (EDR) solutions and application allowlisting policies also make it harder to run payloads through legitimate binaries.
There is no single or miraculous solution: defending against this type of campaign requires continuous monitoring, network segmentation, fewer accounts with standing privileges and stricter administration schemes (e.g. just-in-time access or workstations dedicated to administrative tasks). The general pattern is to raise suspicion of unexpected support requests and reduce an attacker's ability to use legitimate tools as leverage.
If you manage an organization, review the external collaboration policies in Teams, assess who can start or accept remote assistance sessions, and set up alerts to detect unusual patterns. For technical teams, it is worth reviewing PowerShell and WinRM logs, auditing Registry modifications and watching processes that start outbound HTTPS connections to unusual domains. The combination of training, administrative controls and behaviour-based detection is the best defence against a class of intrusion that exploits our trust in everyday tools.
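The hunting logic below is an added example, not code from Microsoft's report: it turns the behaviours described earlier (a side-loaded DLL in a user-writable path, HTTPS beacons from such a path, WinRM sessions from unexpected hosts, and a renamed Rclone) into rules over Sysmon events, and runs them on a constructed sample so the rules can be exercised offline. The writable-path list, the admin subnet, the sample events and the assumption that Sysmon is configured to log events 1, 3 and 7 are all assumptions for the demonstration.

```powershell
# Added example (not from Microsoft's report): behaviour-based hunting over
# Sysmon events for the stages described in the article. Field names follow the
# Sysmon event schema (EventID 1 process create, 3 network connection, 7 image
# load). The writable-path list, the admin subnet and the sample events are
# constructed assumptions for the demonstration.

$UserWritableRoots = @('C:\ProgramData\', 'C:\Users\')   # assumption: tune per estate
$AdminJumpSubnet   = '10.10.50.'                         # assumption: prefix match only
$WinRmPorts        = @(5985, 5986)

function Test-UserWritable([string]$Path) {
    foreach ($root in $UserWritableRoots) {
        if ($Path -like "$root*") { return $true }
    }
    return $false
}

# Emits one finding line for a suspicious event, nothing otherwise.
function Get-Finding($ev) {
    switch ([int]$ev.EventID) {
        7 {
            # Side-loading: an unsigned (or badly signed) DLL loaded from a
            # user-writable path by a host process that also lives there. The
            # signature fields of event 7 describe the loaded DLL, not the host;
            # verify the host binary separately with Get-AuthenticodeSignature.
            if ((Test-UserWritable $ev.Image) -and (Test-UserWritable $ev.ImageLoaded) -and
                ($ev.Signed -ne 'true' -or $ev.SignatureStatus -ne 'Valid')) {
                "SIDELOAD  $($ev.Image) loaded $($ev.ImageLoaded)"
            }
        }
        3 {
            if ($ev.Initiated -eq 'true' -and [int]$ev.DestinationPort -eq 443 -and
                (Test-UserWritable $ev.Image)) {
                # HTTPS beacon from a binary that lives where users can write.
                "C2-HTTPS  $($ev.Image) -> $($ev.DestinationIp):443"
            }
            elseif ($ev.Initiated -eq 'false' -and $WinRmPorts -contains [int]$ev.DestinationPort -and
                    $ev.SourceIp -notlike "$AdminJumpSubnet*") {
                # Inbound WinRM from anything but the admin jump subnet.
                "WINRM     inbound from $($ev.SourceIp) to port $($ev.DestinationPort)"
            }
        }
        1 {
            # Rclone renamed to blend in is still identified by the PE's OriginalFileName.
            if ($ev.OriginalFileName -eq 'rclone.exe') {
                "EXFIL     rclone running as $($ev.Image): $($ev.CommandLine)"
            }
        }
    }
}

# Live source: flatten each Sysmon event's EventData into an object the rules read.
function Get-SysmonEvents([int]$Hours = 24) {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1, 3, 7
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $o = @{ EventID = $_.Id }
        foreach ($d in $x.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
        [pscustomobject]$o
    }
}

# Constructed sample (not real telemetry) so the rules can be exercised offline.
$sample = @(
    [pscustomobject]@{ EventID = 7; Image = 'C:\ProgramData\Updater\signedhost.exe'
                       ImageLoaded = 'C:\ProgramData\Updater\version.dll'
                       Signed = 'false'; SignatureStatus = 'Unavailable' }
    [pscustomobject]@{ EventID = 7; Image = 'C:\Windows\System32\notepad.exe'
                       ImageLoaded = 'C:\Windows\System32\kernel32.dll'
                       Signed = 'true'; SignatureStatus = 'Valid' }
    [pscustomobject]@{ EventID = 3; Image = 'C:\ProgramData\Updater\signedhost.exe'
                       Initiated = 'true'; SourceIp = '10.1.2.3'
                       DestinationIp = '203.0.113.10'; DestinationPort = '443' }
    [pscustomobject]@{ EventID = 3; Image = 'C:\Windows\System32\svchost.exe'
                       Initiated = 'false'; SourceIp = '10.1.7.22'
                       DestinationIp = '10.1.2.3'; DestinationPort = '5985' }
    [pscustomobject]@{ EventID = 3; Image = 'C:\Windows\System32\svchost.exe'
                       Initiated = 'false'; SourceIp = '10.10.50.5'
                       DestinationIp = '10.1.2.3'; DestinationPort = '5985' }
    [pscustomobject]@{ EventID = 1; Image = 'C:\Users\Public\svchost.exe'
                       OriginalFileName = 'rclone.exe'
                       CommandLine = 'svchost.exe copy C:\Finance remote:bucket' }
)

$events = $sample   # on a host with Sysmon: $events = Get-SysmonEvents -Hours 24
$events | ForEach-Object { Get-Finding $_ } | Where-Object { $_ }
```

On the sample, four of the six events produce a finding (the ProgramData DLL load, the HTTPS connection from ProgramData, the WinRM session from 10.1.7.22 and the renamed Rclone); the kernel32 load by notepad and the WinRM session from the jump subnet are silent. The rules deliberately key on where a binary lives and what it does rather than on file names or hashes, which is what survives an attacker renaming a signed host or a copy of Rclone.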