{
  "name": "Quick, You Need Assistance!",
  "slug": "quick-you-need-assistance",
  "description": "A Microsoft Teams voice-phishing campaign leveraging Quick Assist, a remote administration tool, was tracked in September 2025. The campaign uses help desk scams to gain initial access, followed by user group enumeration and the execution of a PowerShell script to download a command-and-control (C2) payload. The attack employs an AMSI bypass, encrypted communications, and a web-socket remote access trojan. Multiple Microsoft 365 tenants with IT-related subdomains were used, along with various IPs and domains for C2 infrastructure. The campaign shows similarities to Storm-1811 and PhantomCaptcha activities, suggesting a complex cybercrime ecosystem. The attackers' ultimate goal may be ransomware deployment, although observed attempts were successfully blocked.",
  "published": "2026-02-02T09:52:24+00:00",
  "created_at": "2026-02-02T09:52:24+00:00",
  "modified_at": "2026-02-02T10:06:43+00:00",
  "created_at_opencti": "2026-02-02T09:52:24+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-02-02",
    "amsi bypass",
    "cybercrime",
    "microsoft teams",
    "netsupport manager",
    "powershell",
    "powershell web-socket remote access trojan",
    "quick assist",
    "remote access trojan",
    "voice phishing"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "162.252.172.245"
      },
      {
        "id": "",
        "name": "162.252.172.74"
      },
      {
        "id": "",
        "name": "164.173.252.162"
      },
      {
        "id": "",
        "name": "162.252.172.102"
      },
      {
        "id": "",
        "name": "165.172.252.162"
      },
      {
        "id": "",
        "name": "162.252.172.83"
      },
      {
        "id": "",
        "name": "162.252.172.16"
      },
      {
        "id": "",
        "name": "162.252.172.21"
      },
      {
        "id": "",
        "name": "162.252.174.119"
      },
      {
        "id": "",
        "name": "162.252.173.45"
      },
      {
        "id": "",
        "name": "149.154.158.86"
      },
      {
        "id": "",
        "name": "https://prosearium.net/setting.pdf"
      },
      {
        "id": "",
        "name": "https://aerobionix.com/generation.pdf"
      }
    ],
    "malware": [
      {
        "id": "4fdaffac-927c-436b-a363-95145293f4f8",
        "name": "NetSupport Manager",
        "slug": "netsupport-manager"
      },
      {
        "id": "legacy:malware:2f57dec316db1089",
        "name": "PowerShell web-socket remote access trojan",
        "slug": "powershell-web-socket-remote-access-trojan"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "khanvas.com"
      },
      {
        "id": "",
        "name": "mdbelaluddin.com"
      },
      {
        "id": "",
        "name": "ibizers.com"
      },
      {
        "id": "",
        "name": "aerobionix.com"
      },
      {
        "id": "",
        "name": "j4jobspk.com"
      },
      {
        "id": "",
        "name": "aeobionix.com"
      },
      {
        "id": "",
        "name": "prosearium.net"
      },
      {
        "id": "",
        "name": "flyskyenterprise.com"
      },
      {
        "id": "",
        "name": "maxolutions243.com"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/698081e8c82411d000808025",
    "https://fieldeffect.com/blog/quick-you-need-assistance"
  ]
}