External Microsoft Teams helpdesk-impersonation campaign
Campaign
Summary
Hide ▲
Show ▼
A campaign abusing external Microsoft Teams collaboration is letting attackers impersonate IT/helpdesk staff, gain remote access, and stage targeted data exfiltration across enterprise networks. The same attack chain has appeared in multiple intrusions, making the activity a repeatable enterprise intrusion risk. The operators rely on Quick Assist, WinRM, and Rclone to blend into normal support and administration. That legitimate-tool abuse makes follow-on malicious activity harder to detect.
Related Happenings
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware Activity
H score31
First: 09.07.2026 21:08
Last: 09.07.2026 21:08
Sources 1
About this happening:
The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware ActivityAbout this happening: The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
Defensive guidance for splitting behavioral detections around AI coding agents on Windows endpoints
Defensive Guidance
First: 08.07.2026 20:02
Last: 08.07.2026 20:02
Sources 1
About this happening:
AI coding agents on **Windows endpoints** are triggering attacker-style detections, forcing defenders to separate benign automation from real **credential theft** risk. A **June 2...
Defensive guidance for splitting behavioral detections around AI coding agents on Windows endpoints
Defensive GuidanceAbout this happening: AI coding agents on **Windows endpoints** are triggering attacker-style detections, forcing defenders to separate benign automation from real **credential theft** risk. A **June 2...
ClickFix mitigation guidance for Windows and macOS
Defensive Guidance
H score34
First: 30.06.2026 15:00
Last: 30.06.2026 15:00
Sources 1
About this happening:
Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...
ClickFix mitigation guidance for Windows and macOS
Defensive GuidanceAbout this happening: Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...
Mistic backdoor attack activity targeting enterprise sectors since April
Malware Activity
H score33
First: 24.06.2026 13:41
Last: 24.06.2026 13:41
Sources 1
About this happening:
The **Mistic** backdoor is being used in **financially motivated attacks** against **insurance, education, IT, and professional services** organizations, giving operators a stealt...
Mistic backdoor attack activity targeting enterprise sectors since April
Malware ActivityAbout this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against **insurance, education, IT, and professional services** organizations, giving operators a stealt...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware Activity
H score29
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
**Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware ActivityAbout this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Timeline
-
20.04.2026 18:11 2 articles · 2mo ago
Microsoft warns of Teams helpdesk impersonation used for remote access and exfiltration
Initial DisclosureMicrosoft warns that threat actors are abusing external Microsoft Teams collaboration against enterprise users by posing as IT or helpdesk personnel, coaxing victims into granting Quick Assist remote access, then using Command Prompt, PowerShell, DLL side-loading, Windows Registry persistence, Windows Remote Management (WinRM), and Rclone to move laterally and stage sensitive files for exfiltration to external cloud storage. Microsoft also advises treating external Teams contacts as untrusted, restricting remote assistance tools, limiting WinRM to controlled systems, and watching for the Teams security warnings that flag outside communications and potential phishing attempts.
Show sources
- Microsoft: Teams increasingly abused in helpdesk impersonation attacks — www.bleepingcomputer.com — 20.04.2026 18:11
- Microsoft: Teams increasingly abused in helpdesk impersonation attacks — www.bleepingcomputer.com — 20.04.2026 18:11