FlagThis

Cybersecurity researchers have revealed a sophisticated campaign where hackers are exploiting Microsoft Teams and Quick Assist for remote access. The attacks have been attributed to ransomware groups such as Black Basta and Cactus, highlighting a growing trend of cybercriminals abusing legitimate tools to bypass security defenses and infiltrate corporate networks. The attackers use social engineering tactics, including email flooding, followed by direct contact via Microsoft Teams, impersonating IT support staff to trick victims into granting access through Microsoft’s Quick Assist tool.

Once inside, attackers deploy additional malware by abusing OneDriveStandaloneUpdater.exe, a legitimate Microsoft process. By sideloading malicious DLLs, they establish persistent control and use BackConnect malware for command-and-control communication. This campaign has impacted various regions and industries, with a significant number of incidents occurring in North America, particularly the United States, and Europe. Manufacturing, financial services, and real estate sectors have been particularly targeted, as these threat actors are actively working around conventional security measures.

ImgSrc: blogger.googleu

References :

• gbhackers.com: Hackers Exploit Microsoft Teams & Quick Assist for Remote Access
• www.bleepingcomputer.com: Microsoft Teams tactics, malware connect Black Basta, Cactus ransomware
• www.cysecurity.news: Cybercriminals Abuse Microsoft Teams & Quick Assist for Remote Access

Classification:

• HashTags: #Malware #Cyberattack #Ransomware
• Company: Microsoft
• Target: Microsoft Teams Users
• Product: Microsoft Teams
• Feature: Remote Access
• Malware: Quick Assist
• Type: Malware
• Severity: Major