Cybersecurity researchers have uncovered a sophisticated campaign in which threat actors are exploiting Microsoft Teams and Quick Assist to gain unauthorized remote access to enterprise systems.
The attacks, attributed to ransomware groups such as Black Basta and Cactus, demonstrate the growing trend of cybercriminals abusing legitimate tools to bypass security defenses and infiltrate corporate networks.
The attack chain begins with social engineering tactics, including email flooding, followed by direct contact via Microsoft Teams.
Impersonating IT support staff, attackers persuade victims to grant them access through Microsoft’s built-in Quick Assist tool, which allows remote troubleshooting capabilities.
This approach enables attackers to blend malicious activity into normal workflows, making detection challenging.
Once initial access is obtained, attackers deploy additional malware by abusing OneDriveStandaloneUpdater.exe, a legitimate Microsoft process responsible for updating OneDrive.
By sideloading malicious DLLs, such as “winhttp.dll,” attackers establish persistent control over compromised systems.
The malicious DLL decrypts a backdoor embedded in a file named “settingsbackup.dat,” granting attackers remote command execution capabilities.
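The sideloading step above is the most reliably detectable point in the chain: the genuine winhttp.dll lives in the Windows system directories, so a copy loaded by OneDriveStandaloneUpdater.exe from anywhere else (typically the updater's own folder) is a strong signal. The script below is an added example, not code from the article or from Trend Micro; it runs a simple rule over constructed Sysmon Event ID 7 (ImageLoad) style records, and the trusted-directory list and event field names are assumptions.

```python
from pathlib import PureWindowsPath

# Directories where a genuine winhttp.dll is expected to resolve from (assumption for this example).
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Host binary and DLL name described in the article.
TARGET_PROCESS = "onedrivestandaloneupdater.exe"
TARGET_DLL = "winhttp.dll"

# Constructed sample records in a Sysmon Event ID 7 (ImageLoad) style; not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 7,
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "image_loaded": r"C:\Windows\System32\winhttp.dll"},          # benign: system copy
    {"event_id": 7,
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\winhttp.dll"},  # sideload
    {"event_id": 7,
     "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\winhttp.dll"},          # benign: other process
    {"event_id": 7,
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\SomeOtherLib.dll"},  # not winhttp
]


def is_sideload_candidate(event):
    """Return a reason string if the image-load event matches the sideloading pattern, else None."""
    if event.get("event_id") != 7:
        return None
    image = PureWindowsPath(event["image"])
    loaded = PureWindowsPath(event["image_loaded"])
    if image.name.lower() != TARGET_PROCESS or loaded.name.lower() != TARGET_DLL:
        return None
    loaded_dir = str(loaded.parent).lower()
    if loaded_dir in TRUSTED_DLL_DIRS:
        return None
    reason = f"{TARGET_DLL} loaded from untrusted directory {loaded.parent}"
    if loaded_dir == str(image.parent).lower():
        reason += " (same directory as the host executable: classic search-order sideload)"
    return reason


def find_sideload_events(events):
    """Filter image-load events down to those matching the sideloading pattern, with a reason attached."""
    hits = []
    for ev in events:
        reason = is_sideload_candidate(ev)
        if reason:
            hits.append({**ev, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_sideload_events(SAMPLE_EVENTS):
        print(hit["image"], "->", hit["reason"])
```

Because the rule keys on a system DLL name resolving outside the system directories, the same function generalises to other sideload-prone DLLs by extending TARGET_DLL to a set.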
The campaign also involves the use of BackConnect malware, which facilitates command-and-control (C&C) communication with external servers.
Trend Micro researchers have linked this malware to the QakBot loader, previously dismantled in 2023 during “Operation Duckhunt.”
The resurgence of similar tactics highlights the adaptability of ransomware groups in adopting alternative methods post-takedown.
According to threat intelligence data, the majority of incidents since October 2024 have occurred in North America (21 breaches), with the United States being the hardest hit (17 organizations affected).
Europe follows with 18 breaches, while Canada and the UK each reported five incidents. Manufacturing industries have been particularly targeted, alongside financial services and real estate sectors.
The attackers also leveraged cloud storage services to host and distribute malicious files, taking advantage of their widespread adoption and potential misconfigurations.
Files downloaded during the attacks were manipulated into archives containing malicious payloads that facilitated lateral movement across networks.
In addition to exploiting Quick Assist and OneDrive processes, threat actors employed tools like WinSCP for file transfers and used Windows Remote Management (WinRM) for executing commands across compromised devices.
In some cases, ESXi hosts were targeted by deploying proxy malware like “socks.out,” enabling attackers to disable system protections and execute unauthorized binaries.
Both Black Basta and Cactus ransomware groups have been observed utilizing these techniques.
Notably, internal leaks from Black Basta revealed operational details about their tactics and frustrations with bypassing advanced security solutions like Trend Micro XDR.
These leaks suggest potential shifts in affiliations among group members, with some reportedly transitioning to the Cactus ransomware operation.
Organizations are urged to strengthen defenses against such attacks by restricting remote assistance tools like Quick Assist, implementing strict access controls, and training employees on social engineering tactics.
Additionally, applying security best practices for Microsoft Teams and monitoring third-party integrations can help mitigate risks associated with impersonation attacks.
As ransomware groups continue to evolve their methods, proactive threat intelligence and robust cybersecurity measures remain critical in defending against these sophisticated campaigns.