Microsoft Teams initial-access campaign impersonating IT help desk staff
Campaign
Summary
Hide ▲
Show ▼
The Microsoft Teams phishing campaign is giving unknown threat actors a reliable path to initial access in enterprise environments and to install remote access software for follow-on intrusion. Attackers use newly created or compromised tenants to send direct messages or place calls, impersonate IT help desk staff, and persuade targets to run tools such as AnyDesk, DWAgent, or Quick Assist. The resulting foothold is then used to seize control of victim systems and deliver payloads associated with credential theft, persistence, and remote code execution.
Related Happenings
UNC6692 email bombing and Microsoft Teams impersonation campaign
Campaign
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources 1
About this happening:
UNC6692 is running a **social-engineering campaign** that uses **email bombing** and **Microsoft Teams impersonation** to push targets toward remote access and initial compromise....
UNC6692 email bombing and Microsoft Teams impersonation campaign
CampaignAbout this happening: UNC6692 is running a **social-engineering campaign** that uses **email bombing** and **Microsoft Teams impersonation** to push targets toward remote access and initial compromise....
Snow malware suite deployment by UNC6692
Malware Activity
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources 1
About this happening:
UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...
Snow malware suite deployment by UNC6692
Malware ActivityAbout this happening: UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...
Microsoft Teams remote assistance abuse mitigation
Advisory/Mitigation
First: 20.04.2026 18:11
Last: 20.04.2026 18:11
Sources 1
About this happening:
**Microsoft** issued mitigation guidance to curb **Teams-adjacent remote assistance abuse**, warning that external contacts should be treated as untrusted and that **remote assist...
Microsoft Teams remote assistance abuse mitigation
Advisory/MitigationAbout this happening: **Microsoft** issued mitigation guidance to curb **Teams-adjacent remote assistance abuse**, warning that external contacts should be treated as untrusted and that **remote assist...
External Microsoft Teams helpdesk-impersonation campaign
Campaign
First: 20.04.2026 18:11
Last: 20.04.2026 18:11
Sources 1
About this happening:
A **campaign** abusing **external Microsoft Teams collaboration** is letting attackers impersonate **IT/helpdesk staff**, gain remote access, and stage **targeted data exfiltratio...
External Microsoft Teams helpdesk-impersonation campaign
CampaignAbout this happening: A **campaign** abusing **external Microsoft Teams collaboration** is letting attackers impersonate **IT/helpdesk staff**, gain remote access, and stage **targeted data exfiltratio...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
CampaignAbout this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
Timeline
-
30.08.2025 15:06 2 articles · 9mo ago
Microsoft Teams phishing campaign uses help desk impersonation and remote access tools
Initial DisclosureUnknown threat actors are using newly created or compromised Microsoft Teams tenants to send direct messages or place calls to enterprise users, impersonate IT help desk staff or other trusted contacts, and persuade targets to install remote access software such as AnyDesk, DWAgent, or Quick Assist before taking control of victim systems and delivering payloads associated with credential theft, persistence, and remote code execution.
Show sources
- Attackers Abuse Velociraptor Forensic Tool to Deploy Visual Studio Code for C2 Tunneling — thehackernews.com — 30.08.2025 15:06
- Attackers Abuse Velociraptor Forensic Tool to Deploy Visual Studio Code for C2 Tunneling — thehackernews.com — 30.08.2025 15:06