The Microsoft Detection and Response Team (DART) has described a complex voice phishing (vishing) campaign that broke into a business environment in November 2025. Unlike most intrusions, which rely on software exploits, this attack used trust, collaboration tools, and built-in Windows tools to get in.

The threat actor started the campaign by posing as IT support staff over Microsoft Teams voice calls, a method that is becoming more popular because it is more believable than e-mail and easier to run. The attacker tried to trick two different employees into granting remote access through Quick Assist, Microsoft's built-in remote assistance tool. The third time was the charm.

Persisting against one person after another until someone gives in shows a deliberate, human-operated method rather than an automated one.

The attacker exploited the trust employees place in internal IT communications to create a false sense of urgency that made the target less careful.

Execution Chain After the Compromise

After gaining remote interactive access through Quick Assist, the threat actor switched from social engineering to hands-on-keyboard activity. The compromised user was directed to an attacker-controlled website hosting a fake credential-harvesting form.

Browser history and Quick Assist session artifacts showed that corporate credentials were entered into this fake portal, which set off a chain of events that delivered a multi-stage payload. The first payload was a fake Microsoft Installer (MSI) package that abused trusted Windows mechanisms to sideload a malicious Dynamic Link Library (DLL). This is a common living-off-the-land technique that lets malicious code run under the cover of legitimate processes.

This established outbound command-and-control (C2) connectivity. Later payloads gave the attacker a much larger foothold:

- Encrypted loaders to evade detection and deliver secondary stages
- Standard administrative tools used for remote command execution, so the activity blends in with regular business traffic
- Proxy-based connections to hide the threat actor's infrastructure and origin
- Session hijacking capabilities that allow long-term control of the environment at the identity level

The attack was staged to look like legitimate business activity, which made it less likely that security alerts would fire during the intrusion window. When the customer engaged Microsoft DART, the team quickly confirmed that the breach originated with the Teams vishing interaction and made preventing identity- or directory-level escalation its top priority.

The investigation showed that the intrusion was short-lived and not very widespread.

The team used targeted eviction procedures and tactical containment controls to block lateral movement, and verified that no persistence mechanisms remained before closing the incident.

DART made a number of recommendations that organizations can use to protect themselves from similar identity-first attacks:

- Restrict inbound Teams communication from unmanaged or unverified external accounts to an allow list of trusted external domains.
- Audit and inventory remote monitoring and management (RMM) tools, and disable utilities such as Quick Assist where they are not needed for work.
- Give IT-facing staff impersonation awareness training that is specific to collaboration platforms.
- Set up conditional access policies and session-based anomaly detection to flag unusual remote access activity.

This incident shows a significant change in how threat actors operate: they are now exploiting people's trust instead of software flaws.

As collaboration platforms become major targets, defenders need to improve their detection capabilities so that they can spot anomalous identity behavior, communication patterns, and tool misuse.
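One way to turn the "tool misuse" point into detection logic is to correlate a Quick Assist launch with the follow-on behaviour DART describes (an MSI run from a user-writable path, then a new binary executing from that path) on the same host within a time window. The script below is an added example, not code from DART or the article; the Sysmon-style events, hostnames, paths and the 60-minute window are all constructed assumptions.

```python
"""Correlate Quick Assist sessions with follow-on MSI / user-path execution."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
import re

# Constructed Sysmon-style process-creation events; hosts and paths are made up.
EVENTS = [
    {"ts": "2025-11-12T09:02:11", "host": "WS-104",
     "image": r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe",
     "cmdline": "QuickAssist.exe"},
    {"ts": "2025-11-12T09:14:40", "host": "WS-104",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\jdoe\Downloads\TeamsSupportTool.msi" /qn'},
    {"ts": "2025-11-12T09:15:02", "host": "WS-104",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\SupportTool\updater.exe",
     "cmdline": "updater.exe"},
    {"ts": "2025-11-12T10:30:00", "host": "WS-221",        # MSI but no Quick Assist
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\asmith\Downloads\7z.msi" /qn'},
    {"ts": "2025-11-12T11:00:00", "host": "WS-305",        # Quick Assist, benign follow-on
     "image": r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe",
     "cmdline": "QuickAssist.exe"},
    {"ts": "2025-11-12T11:05:00", "host": "WS-305",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

WINDOW = timedelta(minutes=60)  # assumed correlation window after a Quick Assist start
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)

def _t(ev): return datetime.fromisoformat(ev["ts"])
def _name(ev): return PureWindowsPath(ev["image"]).name.lower()

def classify(ev):
    """Label an event with the follow-on behaviour it shows, or None if benign."""
    if _name(ev) == "msiexec.exe" and USER_WRITABLE.search(ev["cmdline"]):
        return "msi_from_user_path"
    if USER_WRITABLE.search(ev["image"]):
        return "exec_from_user_path"
    return None

def detect(events, window=WINDOW):
    """One alert per Quick Assist launch followed by suspicious activity on that host."""
    events = sorted(events, key=_t)
    alerts = []
    for i, start in enumerate(events):
        if _name(start) != "quickassist.exe":
            continue
        deadline = _t(start) + window
        findings = [(ev["ts"], classify(ev)) for ev in events[i + 1:]
                    if ev["host"] == start["host"] and _t(ev) <= deadline and classify(ev)]
        if findings:
            alerts.append({"host": start["host"], "session_start": start["ts"],
                           "findings": findings})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Only WS-104 produces an alert; the lone MSI on WS-221 and the benign Quick Assist session on WS-305 do not, which keeps the rule focused on the chain rather than on any single tool.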