Teams Social Engineering Attack: Threat Actors Impersonate IT to Steal Credentials via Quick Assist
Essential information
- Published
- 03/12/2025 09:29
- Modified
- 21/12/2025 18:18
- Tags
- 2025-12-03 credential-theft infostealer microsoft teams phishing quick assist reconnaissance social engineering
- Related entities
- 11 techniques (mitre), 1 others
Description
A sophisticated social engineering attack utilizing Microsoft Teams' new 'Chat with Anyone' feature has been uncovered. Threat actors impersonated IT support to trick users into initiating Quick Assist sessions, ultimately leading to credential theft and potential data exfiltration. The attack involved multiple stages, including phishing, malware deployment, and reconnaissance activities. An infostealer named 'updater.exe' was downloaded and executed during the process. The incident highlights the evolving tactics of cybercriminals exploiting legitimate collaboration platforms for malicious purposes. Organizations are advised to implement strict security measures, including disabling the feature through Teams Messaging Policies and adopting two-factor authentication and Zero Trust models.