
External Microsoft Teams helpdesk-impersonation campaign

Campaign
First reported
Last updated
Happening score
H score 36
1 unique sources, 1 articles

Summary


A campaign abusing external Microsoft Teams collaboration is letting attackers impersonate IT/helpdesk staff, gain remote access, and stage targeted data exfiltration across enterprise networks. The same attack chain has appeared in multiple intrusions, making the activity a repeatable enterprise intrusion risk. The operators rely on Quick Assist, WinRM, and Rclone to blend into normal support and administration. That legitimate-tool abuse makes follow-on malicious activity harder to detect.

Related Happenings

Microsoft Defender for Endpoint automatic endpoint isolation preview

Security Tool/Service
First: 26.05.2026 15:19 Last: 26.05.2026 15:19 Sources 1

About this happening: Microsoft is previewing **automatic isolation** for compromised endpoints in **Defender for Endpoint**, reducing **lateral movement** risk on managed workstations. The capability...

KongTuke Microsoft Teams initial access campaign

Campaign
First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...

Deed RAT and TernDoor multi-wave deployment

Malware Activity
First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: A **multi-wave malware deployment** delivered **Deed RAT (Snappybee)** and **TernDoor** into an **Azerbaijani oil and gas company** across **three waves**, creating repeated footh...

Vidar Stealer ClickFix campaign targeting multiple sectors

Campaign
First: 08.05.2026 14:00 Last: 08.05.2026 14:00 Sources 1

About this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

Timeline

  1. 20.04.2026 18:11 2 articles · 1mo ago

    Microsoft warns of Teams helpdesk impersonation used for remote access and exfiltration

    Initial Disclosure

    Microsoft warns that threat actors are abusing external Microsoft Teams collaboration against enterprise users by posing as IT or helpdesk personnel and coaxing victims into granting Quick Assist remote access. The attackers then use Command Prompt, PowerShell, DLL side-loading, Windows Registry persistence, Windows Remote Management (WinRM), and Rclone to move laterally and stage sensitive files for exfiltration to external cloud storage. Microsoft also advises treating external Teams contacts as untrusted, restricting remote assistance tools, limiting WinRM to controlled systems, and watching for the Teams security warnings that flag outside communications and potential phishing attempts.
