
Rapid7 Guidance on Observed Microsoft Teams Phishing Campaigns

Last updated on Mar 16, 2026

The Rapid7 MDR team is currently monitoring an increase in phishing campaigns where threat actors (TAs) impersonate internal IT departments via Microsoft Teams. The primary objective is to persuade users to launch Quick Assist, granting the TA remote access to deploy malware, exfiltrate data, or facilitate lateral movement across the network.

Social engineering via IT Support impersonation is not a new threat, but the recent surge in Teams-based delivery highlights a critical vulnerability in how organizations manage external access. Teams often allows any external user to message internal staff. This is the functional equivalent of operating an email server without a gateway filter. While a cautious user might notice an "External" tag on the chat, the inherent trust placed in collaboration tools often overrides standard security instincts, granting TAs a direct, high-trust channel to your end users.

Threat overview

The attack we’ve observed typically follows a specific sequence of events:

  1. Initial contact: The threat actor simultaneously sends spoofed Microsoft Teams chat requests to multiple users within an environment. These often appear to come from "IT Support," "System Admin," or other spoofed internal aliases.

  2. Engagement: Once a user accepts the chat request, the threat actor starts a conversation posing as IT support and offers help with the computer, such as "fixing a technical issue" or "performing a security update."

  3. Exploitation: The threat actor requests the user to launch Quick Assist. Once the connection is established, the TA gains remote access to the machine, allowing them to deploy malware, exfiltrate data, or move laterally through the network.

What you should do now

To protect your environment from this activity, Rapid7 recommends the following technical controls:

Harden Microsoft Teams settings

In the Teams Admin Center, limit external communications to "Only allowed domains." This prevents arbitrary external tenants from messaging your employees unless they are on an approved allowlist. In addition, Rapid7 recommends disabling communication with external Teams accounts that are not managed by an organization.

If your business doesn't require cold outreach from external vendors, toggle off "Allow External Users to Start Conversations" to ensure only your users can initiate outside chats. If your business does require this functionality more broadly, consider implementing Spoof Intelligence.

Implement automatic blocking of spoofed Teams messages

Enable Spoof Intelligence within your Microsoft 365 security settings. This feature automatically detects and blocks senders who are not who they claim to be, by identifying and managing senders that fail SPF/DKIM/DMARC. If you have known senders who don't have these configured, ensure you set the appropriate exceptions.
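The two preceding sections describe settings that are normally changed in the Teams Admin Center and the Microsoft 365 Defender portal. The script below is an added example, not Rapid7's tooling, that applies the same controls from PowerShell so they can be reviewed, version-controlled and re-applied. It assumes the MicrosoftTeams and ExchangeOnlineManagement modules and an account with Teams and Exchange admin rights; the cmdlets and parameters are real, but the allowed-domain list and the spoof exception values are placeholders, and the mapping of the admin-center toggle "Allow External Users to Start Conversations" to the consumer-inbound parameter is my reading of that setting.

```powershell
<#
  Added example (not from the original post). Snapshots the current tenant
  federation settings, then, only with -Apply, restricts Teams external access
  to an allowlist, blocks unmanaged (personal) Teams accounts, and turns on
  Spoof Intelligence in the default anti-phishing policy.
#>
param(
    # PLACEHOLDER: replace with the vetted partner tenants your business needs.
    [string[]] $AllowedDomains = @('partner.example.com'),
    [switch]   $Apply
)

Import-Module MicrosoftTeams
Import-Module ExchangeOnlineManagement
Connect-MicrosoftTeams | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

# 1. Record what is in place today so the change can be reviewed and reverted.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowedDomains,
                        AllowTeamsConsumer, AllowTeamsConsumerInbound | Format-List

$policy = Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default'
"Spoof Intelligence currently enabled: $($policy.EnableSpoofIntelligence)"

if (-not $Apply) {
    'Dry run only. Re-run with -Apply to change the tenant.'
    return
}

# 2. "Only allowed domains": federation stays on, but only for the listed tenants.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @{ Add = $AllowedDomains }

# 3. Accounts not managed by an organization: block them, and in particular
#    block them from starting conversations with your users (assumed mapping of
#    the admin-center toggle the post refers to).
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 4. Spoof Intelligence lives in the default anti-phishing policy.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' -EnableSpoofIntelligence $true

# 5. Exception for a known legitimate sender that lacks SPF/DKIM/DMARC.
#    PLACEHOLDER values: set the spoofed address and the infrastructure that
#    actually sends on its behalf, as seen in the spoof intelligence insight.
New-TenantAllowBlockListSpoofItems -Identity Default `
    -SpoofedUser 'notifications@vendor.example' `
    -SendingInfrastructure 'mail.vendor.example' `
    -SpoofType External -Action Allow

# 6. Show the result so the change is verifiable.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound | Format-List
```

Run it without `-Apply` first; the dry run prints the current federation state and the Spoof Intelligence flag, which is also a convenient way to audit a tenant before and after a change window. Adding domains with `-AllowedDomainsAsAList` is deliberate: it moves the tenant from "all external domains" to an explicit allowlist without wiping entries other administrators may already have approved.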

Disable/harden Quick Assist 

Rapid7 recommends removing or disabling Microsoft Quick Assist if it is not required within your environment. This can be achieved via a Group Policy Object (GPO) that blocks the application, by blocking network traffic to the Quick Assist domain, or by uninstalling the Quick Assist package.
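The uninstall route above depends on how Quick Assist was delivered to the host: on older Windows builds it is a Windows capability, on newer ones a Store app. The script below is an added example, not Rapid7's script, that reports which form is present and removes it only when asked. It assumes an elevated PowerShell session on the endpoint; the capability name `App.Support.QuickAssist` and the Store package name `MicrosoftCorporationII.QuickAssist` are the names I know Microsoft uses, and the `System32\QuickAssist.exe` path is an assumption about the legacy build. The GPO and network-block options are not shown, since the post does not name the domain.

```powershell
<#
  Added example (not from the original post). Audits Quick Assist on a Windows
  host and, with -Remove, uninstalls every form of it that is found. Run elevated.
#>
param([switch] $Remove)

function Get-QuickAssistState {
    # Check all delivery mechanisms so that "not installed" is not a false comfort:
    # a legacy capability, a per-user Store app, and the provisioned (future-user) copy.
    $capability  = Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' -ErrorAction SilentlyContinue
    $storeApp    = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
    $provisioned = Get-AppxProvisionedPackage -Online |
                   Where-Object DisplayName -eq 'MicrosoftCorporationII.QuickAssist'

    [pscustomobject]@{
        CapabilityState   = if ($capability) { $capability.State } else { 'NotPresent' }
        StoreAppInstalled = [bool]$storeApp
        Provisioned       = [bool]$provisioned
        # Assumed path for the legacy build; true means an executable is still on disk.
        LegacyExePresent  = Test-Path "$env:WINDIR\System32\QuickAssist.exe"
    }
}

function Remove-QuickAssist {
    # Legacy capability (Windows 10 builds that ship it as a Feature on Demand).
    Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' |
        Where-Object State -eq 'Installed' |
        ForEach-Object { Remove-WindowsCapability -Online -Name $_.Name | Out-Null }

    # Store app: remove for every existing user profile...
    Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' |
        Remove-AppxPackage -AllUsers

    # ...and de-provision it so it is not re-installed for new users.
    Get-AppxProvisionedPackage -Online |
        Where-Object DisplayName -eq 'MicrosoftCorporationII.QuickAssist' |
        Remove-AppxProvisionedPackage -Online | Out-Null
}

'Before:'
Get-QuickAssistState | Format-List

if ($Remove) {
    Remove-QuickAssist
    'After:'
    Get-QuickAssistState | Format-List
} else {
    'Audit only. Re-run with -Remove to uninstall.'
}
```

The "Provisioned" check matters in practice: removing the package for current users without de-provisioning it leaves it to reappear the next time a new profile is created on the machine, which is exactly the gap a later audit would miss.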

Watch for red flags

Train staff to recognize these specific "Teams spoofing" hallmarks:

  • The "external" tag: Remind users to look for the (external) tag next to a name. Real internal IT support will never have this tag.

  • Sense of urgency: Attackers often claim there is a "security breach" or "expired password" to rush the user into bypassing safety protocols.

  • Out-of-band verification: Establish a policy that IT will never initiate a support session via a cold-call Teams chat without a pre-existing ticket number. If a user is unsure, IT should have a pre-established process in place for a user to validate the requestor’s identity.

Rapid7 customers

We are continually monitoring your environment for related activity. Below is a non-exhaustive list of detections that are deployed:

  • Suspicious Chat Request - Potential Social Engineering Attempt

  • Suspicious Conversation - Potential Social Engineering Message Interaction

  • Initial Access - Potential Social Engineering Session Initiated Following Chat Request

  • Suspicious Chat Request - Multiple Users Contacted by Foreign Tenant via Default Tenant Domain

  • Initial Access - Microsoft Teams Remote Control Granted to Suspicious External Account
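To illustrate the kind of logic behind a detection such as "Multiple Users Contacted by Foreign Tenant via Default Tenant Domain", here is an added example written by me, not Rapid7's detection code. It runs over a small set of constructed chat-creation records (the field names are my own and are not a real Microsoft 365 audit schema) and flags any sender from another tenant's default `onmicrosoft.com` domain that reaches a threshold number of distinct internal users within a short window. The tenant domain list, threshold and window are assumptions to tune for your environment.

```powershell
<#
  Added example (not from the original post). Flags a burst of chat requests
  from a foreign tenant's default *.onmicrosoft.com domain to many internal users.
#>

function Find-SuspiciousChatBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,        # objects with Time, Sender, Recipient, Operation
        [Parameter(Mandatory)] [string[]] $TenantDomains, # your own domains, lower-case
        [int] $Threshold     = 3,                          # distinct recipients that count as a burst
        [int] $WindowMinutes = 10
    )
    $window = [TimeSpan]::FromMinutes($WindowMinutes)

    # Only new chats from senders outside the tenant whose domain is a default
    # tenant domain; attackers rarely bother to verify a custom domain.
    $external = $Events | Where-Object {
        $domain = ($_.Sender -split '@')[-1].ToLowerInvariant()
        $_.Operation -eq 'ChatCreated' -and
        $TenantDomains -notcontains $domain -and
        $domain.EndsWith('.onmicrosoft.com')
    }

    foreach ($group in ($external | Group-Object Sender)) {
        $sorted = @($group.Group | Sort-Object { [DateTimeOffset]::Parse($_.Time) })
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = [DateTimeOffset]::Parse($sorted[$i].Time)
            # Sliding window anchored on each request in turn.
            $inWindow = $sorted | Where-Object {
                $t = [DateTimeOffset]::Parse($_.Time)
                $t -ge $start -and ($t - $start) -le $window
            }
            $targets = @($inWindow | Select-Object -ExpandProperty Recipient -Unique)
            if ($targets.Count -ge $Threshold) {
                [pscustomobject]@{
                    Sender     = $group.Name
                    FirstSeen  = $start.UtcDateTime
                    Recipients = $targets.Count
                    Targets    = ($targets -join ', ')
                }
                break   # one alert per sender is enough for triage
            }
        }
    }
}

# Constructed sample records: one foreign default-domain sender fanning out to
# three users, a vetted partner talking to one user, and an internal admin who
# messages many colleagues (must not alert).
$sampleEvents = @'
[
 {"Time":"2026-03-10T09:00:05Z","Sender":"it-support@helpdesk123.onmicrosoft.com","Recipient":"alice@example.com","Operation":"ChatCreated"},
 {"Time":"2026-03-10T09:00:09Z","Sender":"it-support@helpdesk123.onmicrosoft.com","Recipient":"bob@example.com","Operation":"ChatCreated"},
 {"Time":"2026-03-10T09:01:30Z","Sender":"it-support@helpdesk123.onmicrosoft.com","Recipient":"carol@example.com","Operation":"ChatCreated"},
 {"Time":"2026-03-10T09:05:00Z","Sender":"pm@partner.example.com","Recipient":"alice@example.com","Operation":"ChatCreated"},
 {"Time":"2026-03-10T09:06:00Z","Sender":"admin@example.com","Recipient":"bob@example.com","Operation":"ChatCreated"},
 {"Time":"2026-03-10T09:06:01Z","Sender":"admin@example.com","Recipient":"carol@example.com","Operation":"ChatCreated"},
 {"Time":"2026-03-10T09:06:02Z","Sender":"admin@example.com","Recipient":"dave@example.com","Operation":"ChatCreated"}
]
'@ | ConvertFrom-Json

Find-SuspiciousChatBursts -Events $sampleEvents -TenantDomains @('example.com') |
    Format-Table -AutoSize
```

On the sample data only `it-support@helpdesk123.onmicrosoft.com` is reported, with three targets; the partner and the internal admin are not, because the domain filter is applied before any counting. Feeding real Teams audit exports into the function is a matter of mapping their fields onto `Time`, `Sender`, `Recipient` and `Operation`.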

Rapid7 MDR is here to support your team, strengthen your defenses, and help you stay ahead of adversaries attempting to use this tactic to gain access to your environment. Learn more about our service here.
