Find notable cyber news and cases, enriched with sources, timelines, and signals.

External Microsoft Teams helpdesk-impersonation campaign

Campaign
First reported
Last updated
Happening score
H score 32
1 unique sources, 1 articles

Summary

Hide ▲

A campaign abusing external Microsoft Teams collaboration is letting attackers impersonate IT/helpdesk staff, gain remote access, and stage targeted data exfiltration across enterprise networks. The same attack chain has appeared in multiple intrusions, making the activity a repeatable enterprise intrusion risk. The operators rely on Quick Assist, WinRM, and Rclone to blend into normal support and administration. That legitimate-tool abuse makes follow-on malicious activity harder to detect.

Related Happenings

GigaWiper / BLUERABBIT destructive Windows backdoor activity

Malware Activity
H score31 First: 09.07.2026 21:08 Last: 09.07.2026 21:08 Sources 1

About this happening: The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...

Defensive guidance for splitting behavioral detections around AI coding agents on Windows endpoints

Defensive Guidance
First: 08.07.2026 20:02 Last: 08.07.2026 20:02 Sources 1

About this happening: AI coding agents on **Windows endpoints** are triggering attacker-style detections, forcing defenders to separate benign automation from real **credential theft** risk. A **June 2...

ClickFix mitigation guidance for Windows and macOS

Defensive Guidance
H score34 First: 30.06.2026 15:00 Last: 30.06.2026 15:00 Sources 1

About this happening: Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...

Mistic backdoor attack activity targeting enterprise sectors since April

Malware Activity
H score33 First: 24.06.2026 13:41 Last: 24.06.2026 13:41 Sources 1

About this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against **insurance, education, IT, and professional services** organizations, giving operators a stealt...

Backdoor.Turn Microsoft Teams TURN relay malware activity

Malware Activity
H score29 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...

Timeline

  1. 20.04.2026 18:11 2 articles · 2mo ago

    Microsoft warns of Teams helpdesk impersonation used for remote access and exfiltration

    Initial Disclosure

    Microsoft warns that threat actors are abusing external Microsoft Teams collaboration against enterprise users by posing as IT or helpdesk personnel, coaxing victims into granting Quick Assist remote access, then using Command Prompt, PowerShell, DLL side-loading, Windows Registry persistence, Windows Remote Management (WinRM), and Rclone to move laterally and stage sensitive files for exfiltration to external cloud storage. Microsoft also advises treating external Teams contacts as untrusted, restricting remote assistance tools, limiting WinRM to controlled systems, and watching for the Teams security warnings that flag outside communications and potential phishing attempts.

    Show sources