
Near Miss: External Teams Calls and Quick Assist Exploited in Phishing Attack
In a recent incident, an organization narrowly avoided a cyber attack after employees received external Teams calls from a domain associated with *.onmicrosoft.com. The attackers impersonated the IT department and convinced one employee to launch Quick Assist for a remote session. The organization responded swiftly: it disabled external access to Teams, blocked Quick Assist, and contacted its Managed Detection and Response (MDR) provider. Further analysis using Defender Timeline revealed an attempt to execute PowerShell scripts, which AppLocker blocked.

This incident underscores the continued threat of phishing and social engineering attacks, which remain effective because they rely on human psychology rather than technical vulnerabilities. The use of external Teams calls and Quick Assist highlights the importance of monitoring and restricting external access to communication and remote assistance tools. AppLocker's blocking of the PowerShell execution demonstrates the value of application whitelisting in preventing malicious activity.

Organizations should consider implementing multi-layered security measures, including endpoint protection, application whitelisting, and robust incident response plans. Regular employee training and awareness programs are crucial to mitigating the risk of social engineering attacks. Additionally, MDR services can provide continuous monitoring and rapid response capabilities, enhancing overall security posture.
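
The sequence in this incident (an external Teams call from an onmicrosoft.com tenant, then a Quick Assist launch, then a blocked PowerShell attempt) can be written as a correlation rule. The following is an added example, not part of the original write-up: the event schema, field names, domains, the trusted-tenant list and the 30-minute window are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed, normalized events (hypothetical schema, not a real Teams or Defender export).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "type": "teams_call", "caller_domain": "example-tenant.onmicrosoft.com"},
    {"ts": "2024-05-01T09:04:10", "user": "alice", "type": "process_start", "image": "QuickAssist.exe"},
    {"ts": "2024-05-01T09:07:30", "user": "alice", "type": "applocker_block", "image": "powershell.exe"},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "type": "teams_call", "caller_domain": "partner.example.com"},
    {"ts": "2024-05-01T10:02:00", "user": "bob", "type": "process_start", "image": "QuickAssist.exe"},
    {"ts": "2024-05-01T11:00:00", "user": "carol", "type": "teams_call", "caller_domain": "other-tenant.onmicrosoft.com"},
    {"ts": "2024-05-01T13:30:00", "user": "carol", "type": "process_start", "image": "QuickAssist.exe"},
]
WINDOW = timedelta(minutes=30)              # assumption: maximum gap between correlated steps
TRUSTED_DOMAINS = {"contoso.onmicrosoft.com"}  # assumption: the organization's own tenant

def is_suspect_caller(domain):
    # Match only a true onmicrosoft.com suffix, and skip the organization's own tenant.
    d = domain.lower().rstrip(".")
    return d.endswith(".onmicrosoft.com") and d not in TRUSTED_DOMAINS

def correlate(events, window=WINDOW):
    """Flag users who start Quick Assist shortly after a suspect external call."""
    last_call, pending = {}, {}   # per-user state: latest suspect call, open finding
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] == "teams_call" and is_suspect_caller(ev["caller_domain"]):
            last_call[user] = (ts, ev["caller_domain"])
        elif ev["type"] == "process_start" and ev["image"].lower() == "quickassist.exe":
            call = last_call.get(user)
            if call and ts - call[0] <= window:
                f = {"user": user, "caller_domain": call[1], "quick_assist_at": ev["ts"],
                     "severity": "medium", "blocked_powershell": False}
                findings.append(f)
                pending[user] = (ts, f)
        elif ev["type"] == "applocker_block" and ev["image"].lower() == "powershell.exe":
            hit = pending.get(user)
            if hit and ts - hit[0] <= window:
                # A blocked PowerShell attempt after the session raises the severity.
                hit[1].update(severity="high", blocked_powershell=True)
    return findings

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

A Quick Assist launch with no preceding suspect call, or one that falls outside the window, produces no finding, which keeps legitimate help-desk sessions out of the alert queue.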