- Microsoft warns Teams users about scammers abusing tenant-to-tenant chat feature
- Attackers impersonate IT staff and trick victims into granting remote access via Quick Assist.
- Once inside, they use trusted tools to move laterally, install Rclone, and exfiltrate sensitive company data.
Microsoft has warned Teams users about fraudsters using the platform to access their corporate networks, deploy malicious code and steal sensitive data.
In a new in-depth security advisory released over the weekend, Microsoft said it has spotted fraudsters using the tenant-to-tenant feature to initiate a conversation even if they are not part of the victim’s organization.
They pose as IT or help desk staff and attempt to convince their victims to grant them remote access to their computers using legitimate tools such as Quick Assist.
Does not trigger alarms
Quick Assist is an integrated Windows remote desktop management application that allows users to provide or receive technical assistance remotely.
Once they gain access, fraudsters run legitimate, trusted programs but modify them to run malicious code. From there, they move across the corporate network using built-in tools such as Windows Remote Management to reach important systems, such as domain controllers.
“From this initial foothold, attackers can leverage trusted tools and native administrative protocols to move laterally throughout the enterprise and prepare for exfiltration of sensitive data, often blending in with routine IT support activities throughout the intrusion lifecycle,” the company said.
Microsoft also said it observed attackers installing common remote management tools and programs, such as Rclone, to collect and upload company data to cloud storage.
This technique apparently works well because it relies on real tools and normal computer processes. Victims see no red flags, and IT and support teams are not alerted to unusual or suspicious activity. Instead of phishing emails, attackers use Teams messages, which can look like legitimate internal communications.
Although Teams displays warnings when someone outside the company attempts to make contact, it appears that victims ignored the warnings and agreed to provide access anyway. Once access is gained, attackers can quickly spread across the network, install more tools, and collect sensitive data. The exact steps may vary, but the goal is generally to maintain access and steal valuable information.
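Because each tool in this chain is legitimate on its own, detection has to rest on the sequence rather than on any single program. The sketch below is an added example, not code from Microsoft's advisory or from this article: it flags hosts where a Quick Assist session is followed within a few hours by Windows Remote Management client use or Rclone. The event layout, host names, timestamps and the four-hour window are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed process-creation events: (host, time, image, command line).
# Layout and values are assumptions for this example, not real telemetry.
EVENTS = [
    ("WS-014", "2025-01-10T09:02:11", "QuickAssist.exe", "QuickAssist.exe"),
    ("WS-014", "2025-01-10T09:20:45", "winrs.exe", "winrs -r:dc01 hostname"),
    ("WS-014", "2025-01-10T09:41:03", "rclone.exe", "rclone copy C:\\Shares remote:bk"),
    ("WS-022", "2025-01-10T10:00:00", "QuickAssist.exe", "QuickAssist.exe"),
    ("WS-022", "2025-01-10T10:12:30", "excel.exe", "excel.exe report.xlsx"),
    # Rclone with no preceding remote-help session (e.g. a scheduled backup).
    ("SRV-03", "2025-01-10T11:00:00", "rclone.exe", "rclone sync D:\\backup remote:nightly"),
]

REMOTE_HELP = {"quickassist.exe"}
FOLLOW_UP = {
    "winrs.exe": "Windows Remote Management client",
    "rclone.exe": "bulk transfer tool (Rclone)",
}

def correlate(events, window=timedelta(hours=4)):
    """Return {host: [(time, image, reason), ...]} for hosts where a Quick
    Assist launch is followed, within `window`, by WinRM or Rclone activity."""
    findings = {}
    last_session = {}  # host -> time of the most recent Quick Assist launch
    # ISO 8601 timestamps sort correctly as plain strings.
    for host, ts, image, _cmd in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        name = image.lower()
        if name in REMOTE_HELP:
            last_session[host] = when
        elif name in FOLLOW_UP and host in last_session:
            if when - last_session[host] <= window:
                findings.setdefault(host, []).append((ts, image, FOLLOW_UP[name]))
    return findings

if __name__ == "__main__":
    for host, hits in correlate(EVENTS).items():
        print(host)
        for ts, image, reason in hits:
            print(f"  {ts}  {image}: {reason} after Quick Assist session")
```

On the constructed data only WS-014 is reported: the Quick Assist session on WS-022 has no follow-up activity, and the Rclone run on SRV-03 has no preceding session.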
Via BeepComputer




