Microsoft's Detection and Response Team (DART) has detailed a sophisticated voice phishing (vishing) campaign that successfully compromised a corporate environment in November 2025. Unlike conventional intrusions that rely on software exploits, this attack weaponized trust, collaboration platforms, and built-in Windows tooling to gain initial access.
The threat actor initiated the campaign by impersonating IT support personnel through Microsoft Teams voice calls, a technique increasingly favored for its legitimacy and low technical barrier.
After two failed social engineering attempts against separate employees, the attacker succeeded on the third try, convincing a user to grant remote access through Quick Assist, Microsoft’s built-in remote assistance utility.
This persistence in targeting multiple individuals before success reflects a calculated, human-operated approach. The attacker leveraged the inherent trust employees place in internal IT communications, creating a false sense of urgency that bypassed the target’s caution.
Post-Compromise Execution Chain
Once remote interactive access was established via Quick Assist, the threat actor pivoted from social engineering to hands-on keyboard activity.
The compromised user was directed to a threat actor-controlled website that hosted a spoofed credential-harvesting form. Browser history and Quick Assist session artifacts confirmed that corporate credentials were entered into this fake portal, triggering a multi-stage payload delivery chain.
The initial payload was a disguised Microsoft Installer (MSI) package that sideloaded a malicious Dynamic Link Library (DLL) using trusted Windows mechanisms, a classic living-off-the-land technique that allows malicious code execution under the guise of legitimate software processes. This established outbound command-and-control (C2) connectivity.
Subsequent payloads expanded the attacker’s foothold significantly:
Encrypted loaders to evade detection and deliver secondary stages
Remote command execution via standard administrative tooling to blend with normal enterprise traffic
Proxy-based connectivity to obscure threat actor infrastructure and origin
Session hijacking capabilities enabling sustained, identity-level control over the environment
The attack was deliberately designed to mimic legitimate enterprise activity, minimizing the likelihood of triggering security alerts during the intrusion window.
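The chain above (Quick Assist session, then an MSI from a user-writable path, then a DLL sideloaded from a temp directory) is exactly the sequence that per-event alerting tends to miss, because each step on its own looks like routine support or software installation. The PowerShell below is an added example, not part of the DART write-up: it correlates process-creation records by host and time and flags an msiexec launch from a user-writable path that follows a Quick Assist session, raising severity when a child of msiexec loads a DLL from the same kind of location. The event records, host names, user names and file names are constructed for the example; the field layout (Time, Computer, User, Process, Parent, CommandLine) is an assumption you would map onto your own EDR or Sysmon export.

```powershell
# Added example (not from the Microsoft DART write-up): correlate process-creation
# telemetry to flag the Quick Assist -> MSI -> sideloaded DLL pattern described above.
# All records below are constructed sample data.
$events = @(
    [pscustomobject]@{ Time = [datetime]'2025-11-12T09:14:05'; Computer = 'WS-042'; User = 'corp\jdoe';
                       Process = 'QuickAssist.exe'; Parent = 'explorer.exe'; CommandLine = 'QuickAssist.exe' },
    [pscustomobject]@{ Time = [datetime]'2025-11-12T09:21:40'; Computer = 'WS-042'; User = 'corp\jdoe';
                       Process = 'msiexec.exe'; Parent = 'explorer.exe';
                       CommandLine = 'msiexec.exe /i C:\Users\jdoe\Downloads\SupportTool.msi /qn' },
    [pscustomobject]@{ Time = [datetime]'2025-11-12T09:21:52'; Computer = 'WS-042'; User = 'corp\jdoe';
                       Process = 'rundll32.exe'; Parent = 'msiexec.exe';
                       CommandLine = 'rundll32.exe C:\Users\jdoe\AppData\Local\Temp\helper.dll,Start' },
    # Benign control: a managed deployment from a system cache, no Quick Assist session
    [pscustomobject]@{ Time = [datetime]'2025-11-12T11:03:10'; Computer = 'WS-017'; User = 'NT AUTHORITY\SYSTEM';
                       Process = 'msiexec.exe'; Parent = 'services.exe';
                       CommandLine = 'msiexec.exe /i C:\Windows\ccmcache\a1\agent.msi /qn' }
)

function Find-QuickAssistInstallChain {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 60    # how long after the Quick Assist start an install still counts
    )
    # Locations an ordinary user can write to; an MSI or DLL here is far more suspicious
    # than one under Program Files or a software-distribution cache.
    $userWritable = '(?i)\\Users\\[^\\]+\\(Downloads|Desktop|Documents|AppData)\\|\\Temp\\'

    $sessions = $Events | Where-Object { $_.Process -ieq 'QuickAssist.exe' }
    $installs = $Events | Where-Object {
        $_.Process -ieq 'msiexec.exe' -and $_.CommandLine -match $userWritable
    }

    foreach ($msi in $installs) {
        # Was a Quick Assist session started on this host shortly before the install?
        $priorSession = $sessions | Where-Object {
            $_.Computer -eq $msi.Computer -and
            $_.Time -le $msi.Time -and
            ($msi.Time - $_.Time).TotalMinutes -le $WindowMinutes
        } | Select-Object -First 1
        if (-not $priorSession) { continue }

        # Children of msiexec that reference a DLL in a user-writable path (sideload pattern)
        $dllLoads = $Events | Where-Object {
            $_.Computer -eq $msi.Computer -and
            $_.Parent -ieq 'msiexec.exe' -and
            $_.Time -ge $msi.Time -and
            $_.CommandLine -match '(?i)\.dll\b' -and
            $_.CommandLine -match $userWritable
        }
        $severity = if ($dllLoads) { 'High' } else { 'Medium' }

        [pscustomobject]@{
            Computer         = $msi.Computer
            User             = $msi.User
            QuickAssistStart = $priorSession.Time
            MsiTime          = $msi.Time
            MsiCommandLine   = $msi.CommandLine
            DllSideload      = [bool]$dllLoads
            Severity         = $severity
        }
    }
}

# On the sample data this reports one High finding for WS-042 and nothing for WS-017.
Find-QuickAssistInstallChain -Events $events | Format-List
```

The benign WS-017 record is deliberately included: an msiexec launch on its own is not a signal, and the rule only fires when the install originates from a user-writable path on a host where a Quick Assist session was recently started. In production, feed the function from your EDR's process-creation table and tune `$WindowMinutes` to the length of a typical support session.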
Upon customer notification, Microsoft DART immediately confirmed the compromise originated from the Teams vishing interaction and prioritized preventing identity or directory-level escalation.
Investigation established that the intrusion was short-lived and limited in scope. The team executed targeted eviction procedures, applied tactical containment controls to restrict lateral movement, and validated the absence of persistence mechanisms before declaring the incident resolved.
DART issued several actionable recommendations for organizations to reduce exposure to similar identity-first attacks:
Restrict inbound Teams communications from unmanaged or unverified external accounts, implementing an allowlist of trusted external domains
Audit and inventory remote monitoring and management (RMM) tools, disabling utilities like Quick Assist where not operationally required
Conduct vishing awareness training that specifically addresses IT impersonation scenarios within collaboration platforms
Enable conditional access policies and session-based anomaly detection to flag unusual remote access activity
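Two of these recommendations can be applied directly from PowerShell. The script below is an added example, not DART's own guidance or tooling: part 1 runs locally on a Windows endpoint with administrative rights and inventories Quick Assist in both of the forms it has shipped in (a Windows capability on older builds, a Microsoft Store package on newer ones; the package names are those documented by Microsoft at the time of writing and should be verified in your environment), removing it where found. Part 2 assumes the MicrosoftTeams module is installed and a `Connect-MicrosoftTeams` session with Teams administrator rights is already open; the partner domains are constructed placeholders.

```powershell
# Added example (not from the DART write-up): implement the Quick Assist and Teams
# federation recommendations. Run with administrative rights.

# --- Part 1: inventory Quick Assist and remove it where it is not operationally required ---
# Older builds deliver Quick Assist as a Windows capability (Features on Demand).
# The wildcard covers the version suffix, which differs between builds.
$capabilities = Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'App.Support.QuickAssist*' }
foreach ($cap in $capabilities) {
    '{0}: {1}' -f $cap.Name, $cap.State
    if ($cap.State -eq 'Installed') {
        Remove-WindowsCapability -Online -Name $cap.Name | Out-Null
        'Removed capability {0}' -f $cap.Name
    }
}

# Newer builds deliver Quick Assist as a Store app; package name per Microsoft
# documentation (verify in your environment).
$storeApps = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist'
foreach ($app in $storeApps) {
    '{0} {1} installed for {2} user(s)' -f $app.Name, $app.Version, $app.PackageUserInformation.Count
    Remove-AppxPackage -Package $app.PackageFullName -AllUsers
    'Removed Store package {0}' -f $app.PackageFullName
}

# --- Part 2: restrict inbound Teams federation to an explicit allowlist ---
# Requires: Install-Module MicrosoftTeams; Connect-MicrosoftTeams (admin session)
$trusted = [System.Collections.Generic.List[string]]::new()
foreach ($domain in 'partner-one.example', 'partner-two.example') {   # constructed placeholders
    $trusted.Add($domain)
}

# Replace the federation setting with an allowlist: only these tenants can reach users.
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList $trusted

# Personal (consumer) Teams accounts need no tenant at all, so block them separately.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# Confirm the resulting configuration before closing the change.
Get-CsTenantFederationConfiguration |
    Select-Object AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound
```

Removing Quick Assist is the blunt option; if the helpdesk genuinely relies on it, the alternative is to keep it installed and instead alert on its process start (the detection logic earlier on this page starts from exactly that event) and on any MSI install that follows it. The federation change takes effect tenant-wide, so review the allowlist with the teams that collaborate with outside organizations before applying it.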
This incident underscores a critical shift in threat actor methodology: exploiting human trust rather than software flaws. As collaboration platforms become primary attack surfaces, defenders must evolve detection capabilities beyond endpoint telemetry to encompass identity behavior, communication patterns, and tool misuse.
The post Microsoft Teams Support Call Leads to Quick Assist Compromise in New Vishing Attack appeared first on Cyber Security News.