Defending Against Microsoft Teams Social Engineering and Quick Assist Phishing Campaigns

Introduction

Social engineering remains one of the most effective attack vectors for cybercriminals, primarily because it targets the human element rather than technical vulnerabilities. Recently, the Rapid7 Managed Detection and Response (MDR) team observed a significant surge in campaigns where threat actors leverage Microsoft Teams to impersonate internal IT departments.

Unlike traditional email-based phishing, these attacks exploit the inherent trust users place in internal collaboration platforms. The attackers' goal is to manipulate users into launching "Quick Assist," a legitimate Windows tool, which grants the attacker remote access to the device. From there, they can deploy malicious payloads, exfiltrate sensitive data, or move laterally across the network. For defenders, understanding this shift from email to chat-based phishing is critical to closing the security gaps in communication channels.

Technical Analysis

The attack chain begins with the abuse of default Microsoft Teams configurations. By default, Teams often permits external users to message internal staff provided they know the email address. This effectively creates a communication pathway that bypasses traditional email gateway filters.

Attack Vector:

1. Initial Contact: A threat actor, posing as an external user or a compromised internal account, initiates a chat with a target employee.
2. Impersonation: The attacker claims to be from the IT Support or Helpdesk department, often citing urgent issues such as password resets or software updates.
3. Manipulation: The victim is persuaded to open the built-in Windows Quick Assist application (previously known as Windows Remote Assistance).
4. Compromise: The victim provides a session code to the attacker, granting them remote control of the endpoint.

Affected Systems:

• Microsoft Teams: The delivery mechanism. The vulnerability lies in the configuration allowing unverified external communications.
• Microsoft Quick Assist: The exploitation tool. While legitimate, its abuse allows for full remote control.
• Windows Endpoints: The ultimate target for malware execution and data theft.

Severity: High. This attack bypasses standard email defenses (SPF/DKIM/DMARC) and exploits user trust in internal tools. It leads directly to initial access and potential hands-on-keyboard activity by the threat actor.

Defensive Monitoring

Detecting this threat requires monitoring for the execution of specific administrative tools combined with contextual awareness of Teams usage. Below are detection rules and hunts for SIGMA, Microsoft Sentinel, and Velociraptor.

SIGMA Detection Rules

---
title: Quick Assist Execution
id: 8d5504b2-1f2e-4c5e-9e1a-3d4c5e6f7a8b
status: experimental
description: Detects the execution of Microsoft Quick Assist. While legitimate, it is increasingly used by threat actors for remote access during social engineering campaigns.
references:
  - https://www.rapid7.com/blog/post/dr-guidance-on-observed-microsoft-teams-phishing-campaigns
author: Security Arsenal
date: 2026/03/29
tags:
  - attack.remote_services
  - attack.t1219
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains:
      - '\QuickAssist.exe'
      - '\ms-quick-assist.exe'
    OriginalFileName|contains:
      - 'QuickAssist.exe'
condition: selection
falsepositives:
  - Legitimate IT support activities
level: medium
---
title: Suspicious Child Process of Quick Assist
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects suspicious processes spawned by Quick Assist, such as PowerShell or CMD, which may indicate post-exploitation activity.
references:
  - https://attack.mitre.org/techniques/T1219/
author: Security Arsenal
date: 2026/03/29
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|contains:
      - '\QuickAssist.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\pwsh.exe'
condition: selection
falsepositives:
  - Rare; legitimate IT troubleshooting usually does not require Shells via Quick Assist
level: high

KQL (Microsoft Sentinel / Defender)

// Hunt for Quick Assist execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath contains @"QuickAssist" or FileName == "QuickAssist.exe"
| project Timestamp, DeviceName, AccountName, FolderPath, InitiatingProcessFileName
| order by Timestamp desc

// Correlate Teams Sign-in anomalies with Quick Assist usage (IdentityLogs + DeviceEvents)
// Note: Requires specific audit policies enabled for Teams logins
SigninLogs
| where AppDisplayName contains "Microsoft Teams"
| where ResultType == 0
| join kind=inner DeviceProcessEvents on $left.DeviceDetail.DeviceId == $left.DeviceId
| where FileName == "QuickAssist.exe"
| project Timestamp, UserPrincipalName, DeviceName, IPAddress, Location

Velociraptor VQL

-- Hunt for recent Quick Assist execution on endpoints
SELECT Pid, Name, Exe, CommandLine, Username, CreateTime
FROM process_history()
WHERE Exe =~ "QuickAssist"
  AND CreateTime > now() - 7d

-- Hunt for network connections established by Quick Assist
SELECT Name, Pid, RemoteAddr, RemotePort, State
FROM listen_sockets()
WHERE Name =~ "QuickAssist"

PowerShell Remediation Verification

<#
.SYNOPSIS
    Checks for the presence and recent execution of Quick Assist.
.DESCRIPTION
    This script queries the Appx package status and recent event logs for Quick Assist execution.
#>

# Check if Quick Assist is installed
Get-AppxPackage -Name *QuickAssist* | Select-Object Name, Version, InstallLocation, Status

# Check for recent Quick Assist execution events (Requires Admin)
Write-Host "Checking for recent Quick Assist executions in the last 24 hours..."
Get-WinEvent -LogName Microsoft-Windows-Kernel-Process/Analytic -FilterXPath "*[System[(EventID=1)]] and *[EventData[Data[@Name='ImageName'] and (contains(string(),'QuickAssist'))]]" -ErrorAction SilentlyContinue | 
Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-24) } | 
Select-Object TimeCreated, Id, ProcessId, Message | Format-List

Remediation

To protect your organization from these Teams-based social engineering attacks, Security Arsenal recommends the following defensive measures:

1. Restrict External Teams Access:

   • Navigate to the Teams Admin Center > Users > External access.
   • Configure the "External meeting settings" and "External chat settings" to block or restrict communications with unmanaged domains.
   • Consider requiring a federation whitelist, allowing only known partner domains to contact your users.

2. User Awareness and Training:

   • Immediately notify users of this specific campaign.
   • Reinforce the policy that IT support will never ask users to install remote access tools like Quick Assist via an unsolicited Teams chat.
   • Train users to verify the "External" tag in Teams and to contact IT via a known, separate channel (e.g., a ticket system or phone call) to verify requests.

3. **Application Control (AppLocker/WDAC):

   • If Quick Assist is not required for business operations, consider blocking the execution of quickassist.exe via Application Whitelisting policies.
   • Alternatively, use PowerShell to remove the application from corporate images: powershell

        Get-AppxPackage -Name *QuickAssist* | Remove-AppxPackage

4. Monitor for Remote Access Protocols:
   • Ensure logging is enabled for remote access tools. Implement alerts for the execution of Quick Assist, TeamViewer, or AnyDesk outside of approved maintenance windows.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub