Current Cyber Threats

Teams Social Engineering Attack: Threat Actors Impersonate IT to Steal Credentials via Quick Assist

Summary:
CyberProof Threat Hunters recently reviewed an MDR team alert that detailed a highly targeted and effective social engineering attack utilizing the Microsoft Teams "Chat with Anyone" feature for initial access. This methodology aligns closely with the advanced phishing TTPs used by sophisticated, human-operated ransomware groups, notably Black Basta.

The attack unfolded across November 4–5, 2025. An external actor impersonating "IT Support", writing from the email address mostafa.s@dhic.edu[.]eg, initiated contact with multiple victims on Teams and manipulated one user into a remote support session via QuickAssist.exe. In the initial phase the victim was directed to a phishing page built to harvest login credentials under the guise of "Quick Assist authentication". After the credential harvest, an executable named updater[.]exe, identified as an infostealer written in Python and compiled into a standalone binary, was downloaded and executed. The file was signed by "WASSERMAN, LLC", indicating the use of a likely compromised or fraudulently acquired legitimate code-signing certificate, a common defense-evasion technique. Once the malware executed, the actor moved immediately to discovery, running classic reconnaissance commands such as nltest /dclist: (enumerate the domain's domain controllers), arp -a (list the ARP cache of recently seen hosts) and route print (dump the routing table). Crucially, the MDR analyst disrupted and contained the attack by blocking the outbound command-and-control (C2) connection and isolating the affected machine, preventing the attacker from escalating to a double-extortion incident involving data exfiltration or ransomware deployment.


Security Officer Comments:
This incident confirms a concerning trend: sophisticated adversaries are adapting their strategies to collaboration platforms like Microsoft Teams, using the new "Chat with Anyone" feature to gain initial access with a high success rate, a pattern documented by CyberProof Threat Researchers. The root cause enabling this initial vector is the overly permissive default configuration of the Teams External Access policies, which allowed the unsolicited external contact to appear legitimate to the end user. The actor's use of a dedicated phishing page not only harvested credentials but also delivered an infostealer signed with a seemingly legitimate code-signing certificate for defense evasion, demonstrating significant pre-attack planning and an intent to bypass standard security products. The subsequent command execution, specifically discovery commands such as nltest /dclist:, leaves no doubt that this was a human-operated attack aimed at mapping the internal Active Directory environment as a prelude to privilege escalation and lateral movement.
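The sequence called out above (a Quick Assist session on a host, followed shortly by domain and network discovery) is simple to hunt for in process-creation telemetry. The script below is an added example and is not part of the CyberProof write-up or its detection content. It works on constructed records whose field names mirror Sysmon Event ID 1 (TimeCreated, Computer, User, ParentImage, Image, CommandLine); mapping your real Sysmon or EDR feed into that shape is assumed and left to the reader. The discovery patterns list includes the three commands from the incident plus a few near equivalents of my own choosing.

```powershell
# Added example (not from the CyberProof write-up): flag hosts where QuickAssist.exe
# started and, within a short window, AD/network discovery commands ran.
# Records below are constructed; real data would come from Sysmon Event ID 1 or EDR.

# Commands seen in the incident plus close equivalents (assumption: tune for your estate).
$DiscoveryPatterns = @(
    'nltest(\.exe)?\s+/dclist',
    'nltest(\.exe)?\s+/domain_trusts',
    'arp(\.exe)?\s+-a',
    'route(\.exe)?\s+print',
    'net(\.exe)?\s+group\s+"?domain admins',
    'whoami(\.exe)?\s+/all'
)

function Test-DiscoveryCommand {
    param([string] $CommandLine)
    foreach ($pattern in $DiscoveryPatterns) {
        if ($CommandLine -match $pattern) { return $true }   # -match is case-insensitive
    }
    return $false
}

function Find-QuickAssistDiscovery {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # process-creation records
        [int] $WindowMinutes = 30                    # look-ahead after Quick Assist starts
    )
    $alerts = foreach ($hostGroup in ($Events | Group-Object -Property Computer)) {
        $sorted = @($hostGroup.Group | Sort-Object -Property TimeCreated)
        # Match on the file name only: Quick Assist lives in System32 on older builds and
        # under WindowsApps when installed from the Store.
        foreach ($session in ($sorted | Where-Object { $_.Image -match '\\QuickAssist\.exe$' })) {
            $deadline = $session.TimeCreated.AddMinutes($WindowMinutes)
            $hits = @($sorted | Where-Object {
                $_.TimeCreated -gt $session.TimeCreated -and
                $_.TimeCreated -le $deadline -and
                (Test-DiscoveryCommand -CommandLine $_.CommandLine)
            })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Computer          = $hostGroup.Name
                    User              = $session.User
                    QuickAssistStart  = $session.TimeCreated
                    DiscoveryCommands = @($hits | ForEach-Object { $_.CommandLine })
                    Severity          = if ($hits.Count -ge 2) { 'High' } else { 'Medium' }
                }
            }
        }
    }
    return $alerts
}

function New-Event($Time, $Computer, $User, $ParentImage, $Image, $CommandLine) {
    [pscustomobject]@{
        TimeCreated = [datetime]$Time; Computer = $Computer; User = $User
        ParentImage = $ParentImage; Image = $Image; CommandLine = $CommandLine
    }
}

# Constructed sample telemetry: WS01 mirrors the incident, WS02 is a benign Quick Assist
# session, WS03 is discovery with no Quick Assist (outside this rule's scope).
$SampleEvents = @(
    (New-Event '2025-11-05T09:02:10' 'WS01' 'CORP\jdoe'  'C:\Windows\explorer.exe'           'C:\Windows\System32\QuickAssist.exe' 'QuickAssist.exe'),
    (New-Event '2025-11-05T09:05:40' 'WS01' 'CORP\jdoe'  'C:\Windows\explorer.exe'           'C:\Users\jdoe\Downloads\updater.exe' 'updater.exe'),
    (New-Event '2025-11-05T09:06:05' 'WS01' 'CORP\jdoe'  'C:\Users\jdoe\Downloads\updater.exe' 'C:\Windows\System32\nltest.exe'     'nltest /dclist:corp.local'),
    (New-Event '2025-11-05T09:06:07' 'WS01' 'CORP\jdoe'  'C:\Users\jdoe\Downloads\updater.exe' 'C:\Windows\System32\ARP.EXE'        'arp -a'),
    (New-Event '2025-11-05T09:06:09' 'WS01' 'CORP\jdoe'  'C:\Users\jdoe\Downloads\updater.exe' 'C:\Windows\System32\ROUTE.EXE'      'route print'),
    (New-Event '2025-11-05T10:15:00' 'WS02' 'CORP\asmith' 'C:\Windows\explorer.exe'          'C:\Windows\System32\QuickAssist.exe' 'QuickAssist.exe'),
    (New-Event '2025-11-05T10:20:00' 'WS02' 'CORP\asmith' 'C:\Windows\explorer.exe'          'C:\Windows\System32\notepad.exe'     'notepad.exe C:\Temp\ticket.txt'),
    (New-Event '2025-11-05T11:00:00' 'WS03' 'CORP\admin' 'C:\Windows\System32\cmd.exe'       'C:\Windows\System32\nltest.exe'      'nltest /dclist:corp.local')
)

# Expected on the sample data: one High alert for WS01 listing the three discovery commands.
$Alerts = Find-QuickAssistDiscovery -Events $SampleEvents -WindowMinutes 30
$Alerts | Format-List
```

The rule deliberately keys on the Quick Assist process rather than on updater[.]exe or the signer name, since the actor can rename the payload and rotate certificates far more easily than they can avoid launching the remote-support tool the lure depends on. Lower the window or require two or more distinct commands if legitimate help-desk sessions in your environment generate noise.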


Suggested Corrections:
Researchers at CyberProof have published the following recommendations:

According to Microsoft, admins can disable this feature through Teams Messaging Policies by running the following PowerShell command:

PowerShell
Set-CsTeamsMessagingPolicy -Identity "Global" -UseB2BInvitesToAddExternalUsers $false

This command sets UseB2BInvitesToAddExternalUsers to $false, which stops users from inviting external participants through the "Chat with Anyone" feature. It can be applied to the Global policy, as above, or to specific messaging policies for more granular control. Once chat with unmanaged users is disallowed, users can no longer start chats with non-Microsoft 365 users through this feature. Other external collaboration features (like channels) are unaffected, and federation (external access) works independently of this setting: users in federated tenants can still reach your users, so the tenant's external access configuration should be reviewed separately rather than assumed to be covered by this change.
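Because the flag lives on each messaging policy and says nothing about federation, a practical follow-up is to audit every policy rather than only Global, and then look at the tenant federation settings in the same sitting. The script below is an added example, not code from CyberProof or from Microsoft's documentation. It requires the MicrosoftTeams PowerShell module and a Teams administrator sign-in (Connect-MicrosoftTeams), so it cannot run offline. It assumes the policy property is named UseB2BInvitesToAddExternalUsers exactly as in the command above, and it reads the value as text so that either a Boolean or an Enabled/Disabled string would be handled.

```powershell
# Added example (not CyberProof's or Microsoft's code). Run after Connect-MicrosoftTeams
# with a Teams admin account. Property name UseB2BInvitesToAddExternalUsers is taken from
# the Set-CsTeamsMessagingPolicy command in the recommendations above.

function Get-ChatWithAnyoneStatus {
    # One row per messaging policy so you can see which still permit B2B invites.
    Get-CsTeamsMessagingPolicy | ForEach-Object {
        [pscustomobject]@{
            Policy                          = $_.Identity
            UseB2BInvitesToAddExternalUsers = $_.UseB2BInvitesToAddExternalUsers
        }
    }
}

function Disable-ChatWithAnyone {
    # Turns the feature off on every policy where it is on. -WhatIf only reports.
    param([switch] $WhatIf)
    foreach ($policy in Get-CsTeamsMessagingPolicy) {
        # Compare as text so a Boolean $true or a string "Enabled" both count as "on".
        $enabled = "$($policy.UseB2BInvitesToAddExternalUsers)" -in @('True', 'Enabled')
        if (-not $enabled) { continue }
        if ($WhatIf) {
            Write-Host "Would disable B2B invites on policy '$($policy.Identity)'"
        } else {
            Set-CsTeamsMessagingPolicy -Identity $policy.Identity -UseB2BInvitesToAddExternalUsers $false
            Write-Host "Disabled B2B invites on policy '$($policy.Identity)'"
        }
    }
}

function Get-ExternalAccessExposure {
    # Federation is governed by the tenant federation configuration, not by the
    # messaging policy, so it must be reviewed on its own.
    $fed = Get-CsTenantFederationConfiguration
    [pscustomobject]@{
        AllowFederatedUsers       = $fed.AllowFederatedUsers         # other Teams/Skype for Business tenants
        AllowedDomains            = "$($fed.AllowedDomains)"         # allow list, or "all known domains"
        BlockedDomains            = "$($fed.BlockedDomains)"
        AllowTeamsConsumer        = $fed.AllowTeamsConsumer          # personal (unmanaged) Teams accounts
        AllowTeamsConsumerInbound = $fed.AllowTeamsConsumerInbound   # can those accounts start the chat?
        AllowPublicUsers          = $fed.AllowPublicUsers            # Skype consumer accounts
    }
}

function Block-ConsumerExternalAccess {
    # Hardening step for tenants that have no business reason to talk to unmanaged
    # accounts: stop personal Teams and Skype users from reaching your users at all.
    # Whether to also restrict AllowedDomains to named partner tenants is a policy
    # decision; review the output of Get-ExternalAccessExposure before deciding.
    Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                        -AllowTeamsConsumerInbound $false `
                                        -AllowPublicUsers $false
}

# Usage (interactive; the sign-in is left commented so the file is readable offline):
# Connect-MicrosoftTeams
# Get-ChatWithAnyoneStatus | Format-Table -AutoSize
# Disable-ChatWithAnyone -WhatIf     # review, then rerun without -WhatIf
# Get-ExternalAccessExposure | Format-List
# Block-ConsumerExternalAccess
```

Run Get-ChatWithAnyoneStatus first and keep the output: it records the pre-change state for every policy, which matters when some users are assigned a custom policy rather than Global and would otherwise keep the feature after the single command above is applied.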


Here are some additional items organizations and security analysts should keep a close watch on, as attackers are likely to make more use of impersonated audio and video calls and to increase deepfake attacks:
  • Block any unauthorized or unverified apps
  • Whitelist approved remote access applications
  • Vet all third-party technical service providers
  • Implement Two-Step Verification and Zero Trust models

Link(s):
https://www.cyberproof.com/blog/tea...ate-it-to-steal-credentials-via-quick-assist/