216.73.216.86

Teams Social Engineering Attack: Threat Actors Impersonate IT to Steal Credentials via Quick Assist

· Published 03/12/2025 09:29 · Modified 21/12/2025 18:18

Export JSON

Essential information

Published
03/12/2025 09:29
Modified
21/12/2025 18:18
Tags
2025-12-03 credential-theft infostealer microsoft teams phishing quick assist reconnaissance social engineering
Related entities
11 techniques (mitre), 1 others

Description

A sophisticated attack utilizing ' new 'Chat with Anyone' feature has been uncovered. Threat actors impersonated IT support to trick users into initiating sessions, ultimately leading to credential theft and potential data exfiltration. The attack involved multiple stages, including , malware deployment, and activities. An named 'updater.exe' was downloaded and executed during the process. The incident highlights the evolving tactics of cybercriminals exploiting legitimate collaboration platforms for malicious purposes. Organizations are advised to implement strict security measures, including disabling the feature through Teams Messaging Policies and adopting two-factor authentication and Zero Trust models.

External references