In a concerning development, cybercriminals are exploiting Microsoft Teams and Quick Assist to gain unauthorized access to enterprise systems.
According to Trend Micro researchers, attackers are employing sophisticated social engineering techniques to trick users into granting remote access, enabling them to infiltrate networks and deploy malicious payloads.
The attack begins with email flooding campaigns, followed by direct contact through Microsoft Teams.
Impersonating IT support personnel, attackers manipulate victims into using Microsoft’s built-in Quick Assist tool, a legitimate remote assistance feature.
This tool allows attackers to gain full control of the victim’s device under the guise of troubleshooting.
Microsoft has previously flagged this tactic as a growing threat, particularly in ransomware campaigns.
Abuse of Remote Tools and Cloud Infrastructure
Once initial access is secured, attackers exploit legitimate tools like OneDriveStandaloneUpdater.exe to sideload malicious DLLs.
This technique enables the deployment of malware such as BackConnect, a persistent backdoor that facilitates data exfiltration and remote command execution.
The malware, linked to the notorious QakBot loader dismantled in 2023’s Operation Duckhunt, underscores the evolving tactics of ransomware groups like Black Basta and Cactus.
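As an added defender-side example that is not part of Trend Micro's report, the routine below runs over constructed Sysmon-style image-load events and flags the OneDriveStandaloneUpdater.exe sideloading pattern described above: the updater running outside its install directory, loading a DLL from an untrusted directory, or loading a DLL without a Microsoft signature. The trusted OneDrive install paths and the Sysmon Event ID 7 field names are assumptions about a typical deployment.

```python
import re
from typing import Dict, Iterable, List

# Process the report names as the host for DLL sideloading.
TARGET_IMAGE = "onedrivestandaloneupdater.exe"

# Directories from which the updater legitimately runs and loads DLLs.
# Assumption: standard OneDrive per-user / per-machine install paths plus
# the Windows system directory; adjust to your deployment.
TRUSTED_DIRS = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\microsoft\\onedrive\\"),
    re.compile(r"^c:\\program files\\microsoft onedrive\\"),
    re.compile(r"^c:\\windows\\system32\\"),
]

def in_trusted_dir(path: str) -> bool:
    return any(p.match(path.lower()) for p in TRUSTED_DIRS)

def is_suspicious_load(event: Dict[str, str]) -> bool:
    """Flag an image-load event matching the sideloading pattern.
    Keys use Sysmon Event ID 7 names: Image, ImageLoaded, Signed, Signature.
    """
    image = event["Image"].lower()
    if image.rsplit("\\", 1)[-1] != TARGET_IMAGE:
        return False                     # other processes are out of scope here
    dll = event["ImageLoaded"]
    ms_signed = (event.get("Signed", "false").lower() == "true"
                 and "microsoft" in event.get("Signature", "").lower())
    # Any of: updater copied outside its install dir, DLL loaded from an
    # untrusted dir, or DLL lacking a Microsoft signature.
    return not in_trusted_dir(image) or not in_trusted_dir(dll) or not ms_signed

def find_sideload_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Reduce a stream of image-load events to the suspicious ones."""
    return [e for e in events if is_suspicious_load(e)]

# Constructed sample events (not taken from the report): a benign load from
# the OneDrive install directory and a sideload from a user-writable folder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\example_signed.dll",
     "Signed": "true", "Signature": "Microsoft Corporation"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\staging\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\staging\sideloaded_example.dll",
     "Signed": "false", "Signature": ""},
]
if __name__ == "__main__":
    for hit in find_sideload_events(SAMPLE_EVENTS):
        print("suspicious load:", hit["Image"], "->", hit["ImageLoaded"])
```

In a real pipeline the same function would be applied to Sysmon Event ID 7 records exported from the endpoint sensor, with the trusted-directory list tightened to the paths your OneDrive deployment actually uses.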

Trend Micro’s analysis reveals that attackers also leverage commercial cloud storage services to host and distribute malicious files.
By exploiting misconfigured or publicly accessible storage buckets, they blend their activities into normal enterprise workflows, making detection challenging.
Widespread Impact Across Regions and Industries
Since October 2024, North America has been the hardest hit by these attacks, with 21 breaches reported, 17 of which occurred in the United States. Europe follows with 18 incidents.
Industries such as manufacturing, financial services, and real estate have been primary targets due to their reliance on remote collaboration tools.
The attack chain often involves lateral movement within compromised networks via Windows Remote Management (WinRM) and Server Message Block (SMB) protocols.
In some cases, attackers have even compromised ESXi hosts by deploying proxy malware like SystemBC after disabling critical system protections.
Trend Micro researchers have observed overlaps in tactics between Black Basta and Cactus ransomware groups, suggesting a possible shift in affiliations among threat actors.

Notably, BackConnect malware has become a key component in both groups’ arsenals for maintaining control over compromised systems.
To mitigate these threats, organizations are advised to enforce strict controls on remote assistance tools, train employees on social engineering tactics, and implement robust security measures for Microsoft Teams.
Proactive monitoring and adherence to security best practices can significantly reduce exposure to such attacks.
As cybercriminals continue to exploit legitimate tools for malicious purposes, enterprises must remain vigilant and adopt advanced threat detection capabilities to safeguard their networks against evolving ransomware campaigns.