Microsoft Warns of Rising Helpdesk Impersonation Attacks via Teams
**Microsoft** is raising alarms about a surge in threat actors exploiting **Microsoft Teams** for helpdesk impersonation attacks. By leveraging cross-tenant chats and legitimate tools, attackers are tricking employees into granting remote access, leading to data theft and lateral movement within enterprise networks.

**Microsoft** is warning of a concerning trend: threat actors are increasingly abusing external **Microsoft Teams** collaboration features. They are impersonating IT or helpdesk staff and leveraging legitimate tools to gain access and move laterally within enterprise networks.
These attackers contact employees through cross-tenant chats, posing as support personnel. They then manipulate users into providing remote access, ultimately leading to data theft.
Microsoft has observed multiple intrusions following a similar attack chain. These attacks frequently involve commercial remote management software, such as Quick Assist, and the **Rclone** utility to transfer files to external cloud storage services.
The tech giant emphasizes that the subsequent malicious activity is often difficult to distinguish from normal operations due to the heavy reliance on legitimate applications and native administrative protocols.
"Threat actors are increasingly abusing external **Microsoft Teams** collaboration to impersonate IT or helpdesk personnel and convince users to grant remote assistance access," Microsoft stated.
"From this initial foothold, attackers can leverage trusted tools and native administrative protocols to move laterally across the enterprise and stage sensitive data for exfiltration, often blending into routine IT support activity throughout the intrusion lifecycle," the company added.
### Multi-stage Attack
In a recent report, **Microsoft** detailed a nine-stage attack chain. It begins with the threat actor contacting the target via an external **Teams** chat, impersonating a member of the company's IT staff and claiming the need to address an account issue or perform a security update.
The ultimate goal is to persuade the target to initiate a remote support session, typically through Quick Assist, granting the attacker direct control over the employee's machine.

From there, the attacker conducts rapid reconnaissance using Command Prompt and PowerShell, assessing privileges, domain membership, and network reachability to evaluate potential for lateral movement.
Next, they deploy a small payload bundle in user-writable locations such as ProgramData. They execute the malicious code through a trusted, signed application (e.g., **Autodesk**, **Adobe Acrobat/Reader**, Windows Error Reporting, data loss prevention software) via DLL side-loading.
The HTTPS-based communication to the command-and-control (C2) server, established in this manner, blends seamlessly into normal outbound traffic, making detection more challenging.
With the infection established and persistence secured through Windows Registry modifications, the attacker proceeds to abuse Windows Remote Management (WinRM) to move laterally across the network. This targets domain-joined systems and high-value assets such as domain controllers.
They then deploy additional remote management software tools onto reachable systems and utilize **Rclone** or similar tools to collect and exfiltrate sensitive data to external cloud storage points.

Microsoft notes that this exfiltration step is highly targeted, employing filters to focus exclusively on valuable information, reduce transfer volume, and enhance operational stealth.
Microsoft urges users to treat external **Teams** contacts as untrusted by default. The company also recommends that administrators restrict or closely monitor remote assistance tools and limit WinRM usage to controlled systems.
Furthermore, the company highlights the **Teams** security warnings that explicitly flag communications from individuals outside the organization and potential phishing attempts.
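Detection logic for the chain described above, added here as an example and not taken from Microsoft's report: it correlates constructed Sysmon-style process-creation events so that a Quick Assist session followed by reconnaissance, a signed binary run from ProgramData, Rclone writing to a cloud remote, or a WinRM-spawned process on another host raises a single alert, while routine Rclone use on its own does not. The event fields, the two-hour window and the two-stage threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

RECON = ("whoami", "nltest", "net group", "net user", "systeminfo")
WINDOW = timedelta(hours=2)  # assumed correlation window after a remote-assist session starts
REMOTE_RE = re.compile(r"(?<![\w\\])[A-Za-z0-9_-]{2,}:(?![\\/])")  # rclone "remote:" syntax, not C:\
# Constructed Sysmon-style process-creation events (not real telemetry).
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "ws01", "parent": "explorer.exe",
     "image": "QuickAssist.exe", "cmd": "QuickAssist.exe"},
    {"ts": "2024-05-01T10:04:00", "host": "ws01", "parent": "QuickAssist.exe",
     "image": "cmd.exe", "cmd": "cmd.exe /c whoami /groups & nltest /dclist:"},
    {"ts": "2024-05-01T10:20:00", "host": "ws01", "parent": "cmd.exe",
     "image": "AcroRd32.exe", "cmd": "C:\\ProgramData\\upd\\AcroRd32.exe"},
    {"ts": "2024-05-01T11:10:00", "host": "ws01", "parent": "cmd.exe",
     "image": "rclone.exe", "cmd": "rclone.exe copy C:\\Finance mega:dump --include *.xlsx"},
    {"ts": "2024-05-01T11:30:00", "host": "dc01", "parent": "wsmprovhost.exe",
     "image": "powershell.exe", "cmd": "powershell.exe -c Get-Service"},
    {"ts": "2024-05-02T09:00:00", "host": "ws02", "parent": "explorer.exe",  # routine backup job
     "image": "rclone.exe", "cmd": "rclone.exe sync C:\\Backups onedrive:backup"},
]

def _signals(ev):
    """Return the set of later-stage indicators one event matches (empty if none)."""
    cmd, img, parent = ev["cmd"].lower(), ev["image"].lower(), ev["parent"].lower()
    out = set()
    if any(r in cmd for r in RECON):
        out.add("recon")
    if "\\programdata\\" in cmd and img.endswith(".exe"):  # signed app run from user-writable dir
        out.add("exec_from_programdata")
    if img == "rclone.exe" and REMOTE_RE.search(ev["cmd"]):
        out.add("rclone_to_cloud_remote")
    if parent == "wsmprovhost.exe":  # host process for WinRM-launched commands on the target
        out.add("winrm_spawned_process")
    return out

def detect(events, window=WINDOW):
    """Alert when a Quick Assist start is followed, within `window`, by 2+ later stages on any host."""
    alerts = []
    for start in (e for e in events if e["image"].lower() == "quickassist.exe"):
        t0 = datetime.fromisoformat(start["ts"])
        stages, hosts = set(), set()
        for ev in events:
            if t0 < datetime.fromisoformat(ev["ts"]) <= t0 + window and (sig := _signals(ev)):
                stages |= sig
                hosts.add(ev["host"])
        if len(stages) >= 2:  # assumed threshold: two distinct stages after one session
            alerts.append({"origin": start["host"], "stages": sorted(stages), "hosts": sorted(hosts)})
    return alerts
```

Run against real Sysmon Event ID 1 data, the same correlation keyed on the remote-assistance tools an organisation permits is what turns the individually benign tools Microsoft lists into a single detectable sequence.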