
Introduction:
In a sophisticated evolution of social engineering tactics, threat actors are now abusing legitimate remote access tools to breach enterprise networks. Recent campaigns, notably those linked to the ransomware group Storm-1811, have demonstrated how attackers are combining voice phishing (vishing) with trusted applications like Microsoft Teams and Microsoft Quick Assist to deploy ransomware. By impersonating IT support, these criminals trick employees into granting them direct access to their machines, bypassing traditional security measures that focus on malicious files or external links. This article breaks down the attack chain and provides a technical, step-by-step guide on how to detect, mitigate, and harden your environment against these emerging threats.
Learning Objectives:
- Understand the attack chain of vishing-enabled ransomware using Microsoft Teams and Quick Assist.
- Learn how to identify malicious activity within legitimate remote access logs.
- Implement security configurations to block the misuse of collaboration and support tools.
You Should Know:
1. The Anatomy of the Storm-1811 Attack
The campaign begins with a simple phone call. The attacker, posing as a helpdesk technician from the victim’s company, contacts an employee. They claim there is a critical issue with the user’s computer, such as a network outage or security update, that requires immediate remote assistance to resolve.
To make the request seem legitimate, the attacker sends a Microsoft Teams chat request or an email calendar invite that contains a link to join a Quick Assist session. Quick Assist is a legitimate Windows application used by IT departments for troubleshooting. When the user enters the code provided by the attacker, they inadvertently grant the attacker full control over their desktop.
Step‑by‑step guide explaining what this does and how to use it (Defender Perspective):
To investigate whether this activity has occurred in your environment, analyze the Unified Audit Log and your endpoint telemetry; the queries below run in Advanced Hunting.
1. Access Microsoft 365 Defender: Navigate to Advanced Hunting.
2. Identify Quick Assist Usage: Run the following KQL query to list Quick Assist sessions launched under user accounts rather than SYSTEM; step 3 then correlates them with external contact:
DeviceProcessEvents
| where FileName =~ "QuickAssist.exe" // =~ is case-insensitive; the binary name varies in case across builds
| where InitiatingProcessAccountName != "SYSTEM" // Focus on user-initiated sessions
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine
3. Correlate with Teams Activity: Hunt for Teams messages containing the string “Quick Assist” or “support.microsoft.com” from external tenants.
TeamsUserActivity
| where Message contains "quickassist" or Message contains "quick assist" or Message contains "support.microsoft.com"
| where IsExternalUser == true
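Step 3 says to correlate the Teams hits with the Quick Assist launches from step 2, but the two queries above run independently. The following Python is an added example (not code from the original post or from Microsoft) that performs that join offline over constructed sample records: an external Teams message that pushes Quick Assist, followed within a time window by a QuickAssist.exe launch by the same user. Field names on the Teams side follow the post's query (Message, IsExternalUser); SenderDomain, the recipient User UPN, and the rule that the UPN's local part equals the Windows AccountName are assumptions made for this example.

```python
"""Join external Teams lures to Quick Assist launches (added example, constructed data)."""
from datetime import datetime, timedelta

# Terms the post hunts for; matching is case-insensitive like KQL `contains`.
LURE_TERMS = ("quick assist", "quickassist", "support.microsoft.com")

# Constructed Teams chat records. SenderDomain and User (recipient UPN) are assumed fields.
TEAMS_EVENTS = [
    {"Timestamp": "2024-05-20T13:58:02Z", "User": "jdoe@corp.example",
     "SenderDomain": "it-helpdesk-corp.example", "IsExternalUser": True,
     "Message": "Hi, this is IT. Please open Quick Assist and enter the code I read out."},
    {"Timestamp": "2024-05-20T10:02:00Z", "User": "asmith@corp.example",
     "SenderDomain": "partner.example", "IsExternalUser": True,
     "Message": "Agenda for the review is attached."},
    {"Timestamp": "2024-05-20T08:40:00Z", "User": "bwong@corp.example",
     "SenderDomain": "corp.example", "IsExternalUser": False,
     "Message": "Ticket 4821: start QuickAssist when ready."},  # genuine internal helpdesk
]

# Constructed process records in Advanced Hunting naming (DeviceProcessEvents style).
PROCESS_EVENTS = [
    {"Timestamp": "2024-05-20T14:02:11Z", "DeviceName": "WS-0142", "AccountName": "jdoe", "FileName": "QuickAssist.exe"},
    {"Timestamp": "2024-05-20T08:45:10Z", "DeviceName": "WS-0301", "AccountName": "bwong", "FileName": "QuickAssist.exe"},
    {"Timestamp": "2024-05-20T10:10:00Z", "DeviceName": "WS-0077", "AccountName": "asmith", "FileName": "notepad.exe"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_external_lure(msg):
    """True when an external sender's message pushes Quick Assist or the Microsoft support URL."""
    text = msg["Message"].lower()
    return bool(msg["IsExternalUser"]) and any(term in text for term in LURE_TERMS)


def correlate(teams_events, process_events, window_minutes=60):
    """Return Quick Assist launches that follow an external lure to the same user within the window.

    Assumption (for this example only): the UPN local part equals the Windows AccountName.
    """
    window = timedelta(minutes=window_minutes)
    lures = [m for m in teams_events if is_external_lure(m)]
    hits = []
    for proc in process_events:
        if proc["FileName"].lower() != "quickassist.exe":
            continue
        started = parse_ts(proc["Timestamp"])
        for lure in lures:
            if lure["User"].split("@")[0].lower() != proc["AccountName"].lower():
                continue
            sent = parse_ts(lure["Timestamp"])
            if sent <= started <= sent + window:
                hits.append({
                    "AccountName": proc["AccountName"],
                    "DeviceName": proc["DeviceName"],
                    "QuickAssistStart": proc["Timestamp"],
                    "LureSentBy": lure["SenderDomain"],
                    "LureSentAt": lure["Timestamp"],
                })
    return hits


if __name__ == "__main__":
    for hit in correlate(TEAMS_EVENTS, PROCESS_EVENTS):
        print(f"{hit['AccountName']} on {hit['DeviceName']} opened Quick Assist at "
              f"{hit['QuickAssistStart']} after external contact from {hit['LureSentBy']}")
```

The internal helpdesk ticket for bwong is deliberately left unflagged: the signal is not "Quick Assist was used" but "Quick Assist was used shortly after an outside party asked for it", which is the combination the Storm-1811 chain relies on.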
2. Post-Exploitation: The “Black Basta” Deployment
Once the attacker gains control via Quick Assist, they act quickly. They disable the victim’s antivirus software, often using simple PowerShell commands to bypass User Account Control (UAC). From there, they deploy Cobalt Strike beacons to establish persistence and finally execute the ransomware payload, often identified as “Black Basta.”
Step‑by‑step guide explaining what this does and how to use it (Detection):
Monitor for the immediate post-access behavior.
1. Check for AV Tampering: On a compromised machine, attackers often attempt to disable Windows Defender.
Windows Command (Attacker Simulation):
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
Detection (PowerShell – Defender): Look for Event ID 5001 (Real-time protection disabled).
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; ID=5001} -MaxEvents 10 | Format-List
2. Monitor for LOLBins (Living-off-the-Land Binaries): After access, attackers use tools like `rundll32.exe` or `regsvr32.exe` to download payloads.
Linux Command (Sifting through Sysmon logs via Splunk/ELK):
If you ship Windows logs to a Linux-based SIEM, you can grep for suspicious parent-child relationships:
grep "QuickAssist.exe" syslog.json | grep -E "rundll32|regsvr32|powershell"
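The grep above only matches when QuickAssist.exe and the LOLBin appear in the same record, i.e. as a direct parent and child. The Python below is an added example (not code from the original post) that covers both detection points of this section over constructed JSON-lines logs of the kind a Linux SIEM would hold: it rebuilds the process tree from Sysmon Event ID 1 records and flags rundll32/regsvr32/powershell whose ancestry leads back to QuickAssist.exe through any number of intermediate processes, and it pairs Defender Event ID 5001 (real-time protection disabled) with a Quick Assist session that started on the same host shortly before. Field names mirror Sysmon (Image, ProcessGuid, ParentProcessGuid) and the Defender Operational log; the records themselves are made up for this example.

```python
"""Hunt Quick Assist abuse in JSON-shipped Windows logs (added example, constructed data)."""
import json
from datetime import datetime, timedelta

# Binaries the post names as post-access download/execution tools.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "powershell.exe"}

# Constructed JSON-lines sample: a benign PowerShell launch under explorer on WS-0077,
# and on WS-0142 a Quick Assist session that spawns cmd -> rundll32 and is followed
# by Defender real-time protection being switched off (Event ID 5001).
SAMPLE_LOG = r'''
{"EventID":1,"UtcTime":"2024-05-20 14:02:11.000","Computer":"WS-0142","User":"CORP\\jdoe","ProcessGuid":"{A1}","ParentProcessGuid":"{A0}","Image":"C:\\Windows\\System32\\QuickAssist.exe"}
{"EventID":1,"UtcTime":"2024-05-20 14:05:40.000","Computer":"WS-0142","User":"CORP\\jdoe","ProcessGuid":"{A2}","ParentProcessGuid":"{A1}","Image":"C:\\Windows\\System32\\cmd.exe"}
{"EventID":1,"UtcTime":"2024-05-20 14:05:42.000","Computer":"WS-0142","User":"CORP\\jdoe","ProcessGuid":"{A3}","ParentProcessGuid":"{A2}","Image":"C:\\Windows\\System32\\rundll32.exe"}
{"EventID":5001,"UtcTime":"2024-05-20 14:06:05.000","Computer":"WS-0142","Provider":"Microsoft-Windows-Windows Defender","Message":"Real-time protection is disabled."}
{"EventID":1,"UtcTime":"2024-05-20 09:15:00.000","Computer":"WS-0077","User":"CORP\\asmith","ProcessGuid":"{B1}","ParentProcessGuid":"{B0}","Image":"C:\\Windows\\explorer.exe"}
{"EventID":1,"UtcTime":"2024-05-20 09:15:30.000","Computer":"WS-0077","User":"CORP\\asmith","ProcessGuid":"{B2}","ParentProcessGuid":"{B1}","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
'''


def load_events(text):
    """Parse JSON lines, skipping blanks."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_quick_assist_descendants(events, lolbins=LOLBINS):
    """Flag LOLBins whose ancestor chain (any depth) contains QuickAssist.exe."""
    procs = {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}
    hits = []
    for proc in procs.values():
        if basename(proc["Image"]) not in lolbins:
            continue
        chain = [basename(proc["Image"])]
        parent = procs.get(proc.get("ParentProcessGuid"))
        seen = set()  # guard against GUID reuse producing a cycle
        while parent is not None and parent["ProcessGuid"] not in seen:
            seen.add(parent["ProcessGuid"])
            chain.append(basename(parent["Image"]))
            if chain[-1] == "quickassist.exe":
                hits.append({"Computer": proc["Computer"], "User": proc["User"],
                             "UtcTime": proc["UtcTime"], "Image": chain[0],
                             "Chain": " <- ".join(chain)})
                break
            parent = procs.get(parent.get("ParentProcessGuid"))
    return hits


def find_defender_tamper_after_quick_assist(events, window_minutes=30):
    """Flag Defender Event ID 5001 on a host within the window after a Quick Assist start there."""
    window = timedelta(minutes=window_minutes)
    starts = [(e["Computer"], parse_time(e["UtcTime"])) for e in events
              if e.get("EventID") == 1 and basename(e["Image"]) == "quickassist.exe"]
    hits = []
    for ev in events:
        if ev.get("EventID") != 5001:
            continue
        when = parse_time(ev["UtcTime"])
        for computer, started in starts:
            if computer == ev["Computer"] and started <= when <= started + window:
                hits.append({"Computer": computer, "QuickAssistStart": started.isoformat(),
                             "DefenderEvent": ev["UtcTime"]})
    return hits


if __name__ == "__main__":
    evts = load_events(SAMPLE_LOG)
    for h in find_quick_assist_descendants(evts):
        print(f"[LOLBIN] {h['Computer']} {h['User']} {h['UtcTime']} {h['Chain']}")
    for h in find_defender_tamper_after_quick_assist(evts):
        print(f"[DEFENDER OFF] {h['Computer']} session {h['QuickAssistStart']} -> 5001 at {h['DefenderEvent']}")
```

Walking the full ancestry matters because the attacker's first child of Quick Assist is usually an interactive shell, and the download or execution happens one or more hops below it, which is exactly the case the single-record grep misses.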
3. Hardening Microsoft Teams Against External Invasions
The primary attack vector relies on the attacker’s ability to contact the victim from an external tenant. Organizations must restrict this capability to only trusted domains.
Step‑by‑step guide explaining what this does and how to use it (Hardening):
1. Open Teams Admin Center: Go to `Users` > External access.
2. Manage External Access: Change the setting from “Allow all external domains” to “Block all external domains” OR “Allow only specific external domains” (add your partner companies’ domains here).
3. Enable Safe Links: In Microsoft Defender for Office 365, configure Safe Links policies to block known malicious links. Ensure that URLs pointing to `quickassist.support.microsoft.com` are specifically monitored for unusual activity, though blocking them outright would hinder legitimate IT support.
Note: As a defender, you cannot block the Quick Assist URL entirely, but you can scan it for malicious intent.
4. Blocking Unauthorized Remote Access
While Quick Assist is a Windows feature, its execution can be controlled via AppLocker or Windows Defender Application Control (WDAC) for high-security environments.
Step‑by‑step guide explaining what this does and how to use it (Hardening):
To prevent non-IT staff from using Quick Assist, create an AppLocker rule.
1. Open `Local Security Policy` (`secpol.msc`).
2. Navigate to `Application Control Policies` > `AppLocker` > `Executable Rules`.
3. Create a new rule with the following parameters:
– Action: Deny
– User: Everyone
– Path: `%WINDIR%\System32\QuickAssist.exe`
4. Caution: Ensure your IT helpdesk users are in a separate group that is excluded from this rule, or they will be unable to use the tool for legitimate support.
5. API Security and Cloud Hardening (Contextual)
In this specific attack chain, after compromising a machine via Quick Assist, the attackers look for stored credentials in browsers or the Windows Credential Manager to pivot to cloud resources. They specifically target tokens that can interact with Graph API to read email or access SharePoint.
Step‑by‑step guide explaining what this does and how to use it (Mitigation):
1. Implement Conditional Access Policies: In Azure AD, create a policy that requires re-authentication for high-risk sessions, especially if an IP address changes rapidly (indicating a Cobalt Strike proxy).
– Go to Azure AD > Security > Conditional Access.
– Create a policy targeting “All users.”
– Under Conditions > “Sign-in risk,” set to “High.”
– Under Access Controls > Grant, select “Require multifactor authentication.”
2. Revoke Sessions: If a compromise is suspected, immediately revoke all refresh tokens for the user using PowerShell:
Connect-AzureAD
# -ObjectId accepts the UPN and resolves exactly one account. Revoke-AzureADUserAllRefreshToken acts on the
# piped user; Revoke-AzureADSignedInUserAllRefreshToken would instead revoke the tokens of your own admin session.
Get-AzureADUser -ObjectId "<user@yourdomain.com>" | Revoke-AzureADUserAllRefreshToken
What Undercode Say:
- Trust is the New Attack Vector: Firewalls and antivirus are ineffective against an attack where the user voluntarily invites the attacker inside. Security awareness training must evolve to teach users that not every “helpful” IT call is genuine, even if it uses trusted tools.
- Zero Trust for Collaboration: Organizations must treat internal communication tools as internet-facing services. Strict controls on external communications, combined with rigorous logging and monitoring of tools like Quick Assist, are no longer optional but a core part of a robust security posture. The abuse of legitimate tools highlights the need to monitor behavior, not just binaries.
Prediction:
As Microsoft and other vendors tighten security around email phishing, attackers will continue to pivot to collaboration platforms (Slack, Teams, Zoom) and remote management tools. We predict a rise in “helpdesk impersonation” attacks where AI-generated deepfake audio is used during the vishing call to further lower the victim’s guard. Consequently, the industry will see a push toward “phishing-resistant” authentication methods, where even if an attacker controls the desktop, they cannot perform privileged actions without hardware-bound keys.
Reported By: Philipp Kozin – Hackers Feeds