Microsoft Teams Abused in Helpdesk Impersonation Attacks

April 27, 2026
IANS News

Key Points

  • Threat actors are exploiting Microsoft Teams to impersonate IT helpdesks, using built-in remote assistance features to gain direct access to enterprise systems.
  • The attacks rely on “living off the land” techniques and user trust in collaboration platforms.
  • IANS Faculty emphasize the need to eliminate legacy remote access tools, enforce strict identity verification for support interactions, and harden Teams configurations to reduce exposure.

Microsoft warned that threat actors are exploiting Teams to impersonate IT helpdesks and gain remote access to enterprise systems. The campaign combines social engineering with built-in remote assistance features to bypass traditional defenses.

The attacks typically begin with an unsolicited Teams message posing as internal support. Victims are then prompted to approve remote access sessions -- often through legacy tools like Quick Assist -- granting attackers direct control of their devices.

Once inside, attackers can conduct reconnaissance, escalate privileges and move laterally with little detection.

Microsoft said misconfigured Teams environments and legacy features significantly increase exposure. Organizations that have not enforced tenant restrictions or hardened remote access workflows also face elevated risk.

“When attackers are constrained by modern controls, they shift to ‘living-off-the-land’ attacks. In this case, they abused a legacy Teams remote help component. They send a link, the user clicks it, and suddenly the attacker has a remote desktop.” -- Aaron Turner, IANS Faculty

Big Picture

As enterprises harden endpoints and block traditional malware delivery, threat actors are increasingly turning to trusted tools already embedded in daily workflows as a new attack vector.

“I’m not surprised by any of this. This is a classic social engineering attack with a tool in the mix. There’s a level of familiarity [with Teams] that the attackers are taking advantage of.” -- Dave Shackleford, IANS Faculty

That familiarity -- and implicit trust -- has made collaboration platforms like Teams a high-value target. Users are conditioned to respond quickly to messages, creating a situation where impersonation can succeed without raising suspicion.

These attacks do not rely on new vulnerabilities. Instead, they exploit legacy functionality and weak configuration hygiene that persist in many environments.

“This is another case where attackers are taking advantage of organizations that really aren’t following hygienic best practices. Well-configured defense tools and EDR should be able to catch a lot of this stuff.” -- Dave Shackleford, IANS Faculty

For enterprise security leaders, the risk lies in how trusted platforms, identity workflows, and configuration gaps are converging into a highly effective access pathway.

IANS Faculty Recommendations

  • Standardize remote support tooling: Restrict all remote assistance to Teams Remote Help and configure it to operate only between authorized users within the same Entra ID tenant.
  • Eliminate legacy remote access tools: Block Quick Assist outright across the environment; there are few legitimate use cases, and it lacks modern authentication controls.
  • Enforce helpdesk identity verification: Implement structured, multi-step user verification workflows for all IT support interactions, especially those involving remote access.
  • Require out-of-band validation: Train employees to confirm IT requests through secondary channels before granting access or taking action.
  • Monitor for living off the land activity: Tune EDR and XDR detections to flag unusual use of built-in administrative tools and rarely used executables.
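
The following is an added example, not code from Microsoft or IANS, of how the monitoring recommendation can be combined with the Quick Assist block: every Quick Assist launch is flagged as a policy violation, and it is escalated when the same user received a Teams chat from outside the home tenant shortly before. The event records, field names, tenant labels, file paths and the 30-minute window are constructed assumptions, not a real EDR or Teams audit schema.

```python
from datetime import datetime, timedelta

HOME_TENANT = "home-tenant"      # placeholder label for the organization's own tenant
WINDOW = timedelta(minutes=30)   # assumed correlation window, tune per environment

# Constructed sample telemetry; field names and paths are hypothetical.
EVENTS = [
    {"ts": "2026-01-05T08:00:00", "type": "teams_chat", "user": "carol", "sender_tenant": "other-tenant"},
    {"ts": "2026-01-05T09:00:00", "type": "teams_chat", "user": "alice", "sender_tenant": "home-tenant"},
    {"ts": "2026-01-05T09:05:00", "type": "process_start", "user": "alice", "image": r"C:\Windows\System32\quickassist.exe"},
    {"ts": "2026-01-05T10:00:00", "type": "teams_chat", "user": "bob", "sender_tenant": "other-tenant"},
    {"ts": "2026-01-05T10:12:00", "type": "process_start", "user": "bob", "image": r"C:\Program Files\WindowsApps\QuickAssist.exe"},
    {"ts": "2026-01-05T10:20:00", "type": "process_start", "user": "bob", "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": "2026-01-05T11:00:00", "type": "process_start", "user": "carol", "image": r"C:\Windows\System32\quickassist.exe"},
]


def is_quick_assist(image):
    """Match on the file name only, case-insensitively, whatever the install path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower() == "quickassist.exe"


def detect(events, home_tenant=HOME_TENANT, window=WINDOW):
    """Return one alert per Quick Assist launch.

    severity is "high" when the launching user received a chat from a tenant
    other than home_tenant within `window` before the launch, else "medium"
    (the tool is supposed to be blocked, so any launch is worth a look).
    """
    alerts = []
    last_external = {}  # user -> (time, sender tenant) of the latest external chat
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        when = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "teams_chat" and ev["sender_tenant"] != home_tenant:
            last_external[ev["user"]] = (when, ev["sender_tenant"])
        elif ev["type"] == "process_start" and is_quick_assist(ev["image"]):
            prior = last_external.get(ev["user"])
            correlated = prior is not None and when - prior[0] <= window
            alerts.append({
                "user": ev["user"],
                "ts": ev["ts"],
                "severity": "high" if correlated else "medium",
                "sender_tenant": prior[1] if correlated else None,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```
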

Authors & Contributors

Hayley Starshak, Author, IANS News

Dave Shackleford, IANS Faculty

Aaron Turner, IANS Faculty

 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our News & blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
