Quick, You Need Assistance!
Essential information
- Published: 02/02/2026 10:52
- Modified: 02/02/2026 11:06
- Tags: 2026-02-02, amsi bypass, cybercrime, microsoft teams, netsupport manager, powershell, powershell web-socket remote access trojan, quick assist, remote access trojan, voice phishing
- Related entities: 13 observables, 2 malware, 9 others
Description
A Microsoft Teams voice-phishing campaign leveraging Quick Assist, a remote administration tool, was tracked in September 2025. The campaign uses help desk scams to gain initial access, followed by user group enumeration and the execution of a PowerShell script to download a command and control payload. The attack employs AMSI bypass, encrypted communications, and a web-socket remote access trojan. Multiple Microsoft 365 tenants with IT-related subdomains were used, along with various IPs and domains for C2 infrastructure. The campaign shows similarities to Storm-1811 and PhantomCaptcha activities, suggesting a complex cybercrime ecosystem. The attackers' ultimate goal may be ransomware deployment, although observed attempts were successfully blocked.