
Microsoft Uncovers Hackers Posing as IT Helpdesk Staff

By Sean Parker
Microsoft issued a report warning users about a popular attack method that involves a "human-operated" attack playbook, in which hackers impersonate IT helpdesk staff using Microsoft Teams to gain access to company systems and steal data.

The hackers' modus operandi, according to the report, "Cross‑tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook," surprisingly doesn't involve phishing; instead, they pose as internal IT or support staff and initiate contact via cross-tenant Microsoft Teams chats.

The hackers' attack chain relies on convincing users to bypass several security warnings and voluntarily grant remote access through legitimate support tools.

"In observed intrusions, risk is introduced not by external messaging alone, but when a user approves follow‑on actions -- such as launching a remote assistance session -- that result in interactive system access," the report says.

The intruders convince users to start remote support sessions using tools such as Quick Assist. Crucially, access is user-approved rather than obtained by technical exploitation.

Once the door was opened, Microsoft found that hackers ran trusted applications and used standard admin protocols, such as WinRM, to blend in with normal IT operations. The result is that there's little malware and the attack hides inside normal system activity.

The attackers move swiftly and pivot from one system to another, targeting high-value assets like domain controllers. They expand access quickly after initial entry, and Microsoft found that a single compromised user can lead to wider network access.

The hackers are intent on stealing data without leaving obvious signs of intrusion, focusing on gathering sensitive business data, which is then moved to external cloud storage.

The Redmond-based company said, "Actors used the file‑synchronization tool Rclone to transfer data from internal network locations to an external cloud storage service. Filetype exclusions in the transfer parameters suggest a targeted effort to exfiltrate business‑relevant documents while minimizing transfer size and detection risk."
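The chain the report describes (a user-approved remote assistance session, WinRM activity, then an Rclone transfer with file-type exclusions) is the kind of sequence a detection engineer would correlate rather than alert on piece by piece. The following is an added example, not code from the article or from Microsoft's report: it runs a small correlation rule over constructed, simplified process-creation log lines. The log format, the host and user names, and the choice of binary names to watch (QuickAssist.exe, wsmprovhost.exe, rclone.exe) are assumptions for illustration; a real deployment would map the stages to its own telemetry.

```python
"""Added example: correlate the helpdesk-impersonation chain in process logs.

Not from the article or the Microsoft report. Log format, sample values and
the binary names watched per stage are assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log lines (assumed format), in time order:
#   <timestamp> host=<host> user=<user> image=<exe> cmd=<command line>
SAMPLE_LOGS = [
    "2024-01-01T09:00:01 host=WS01 user=alice image=ms-teams.exe cmd=ms-teams.exe",
    "2024-01-01T09:05:10 host=WS01 user=alice image=QuickAssist.exe cmd=QuickAssist.exe",
    "2024-01-01T09:20:30 host=WS01 user=alice image=wsmprovhost.exe cmd=wsmprovhost.exe -Embedding",
    "2024-01-01T09:45:00 host=WS01 user=alice image=rclone.exe "
    "cmd=rclone.exe copy C:\\Finance remote:bucket --exclude *.exe --exclude *.dll",
    "2024-01-01T10:00:00 host=WS02 user=bob image=excel.exe cmd=excel.exe report.xlsx",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)

# One indicator set per stage of the chain. These are the binaries a defender
# would watch for each step; the lists are a starting point, not an inventory.
STAGES = {
    "remote_assist": {"quickassist.exe"},   # user-approved remote support session
    "winrm": {"wsmprovhost.exe"},           # host process for remote WinRM sessions
    "rclone": {"rclone.exe"},               # file-synchronization tool used to exfiltrate
}


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def stage_for(image):
    """Map an image name (optionally with a path) to a stage name, or None."""
    name = image.lower().rsplit("\\", 1)[-1]
    for stage, names in STAGES.items():
        if name in names:
            return stage
    return None


def rclone_exclusions(cmd):
    """Return the --exclude patterns on an rclone command line (analyst context)."""
    return re.findall(r"--exclude[= ]+(\S+)", cmd)


def correlate(lines):
    """Map each host to the ordered list of stages first seen there."""
    seen = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        stage = stage_for(ev["image"])
        if stage and stage not in seen[ev["host"]]:
            seen[ev["host"]].append(stage)
    return dict(seen)


def flag_hosts(lines):
    """Hosts where a remote assistance session was later followed by rclone.

    WinRM in between strengthens the case but is not required, since the
    exfiltration step alone after a remote session is worth an alert.
    """
    flagged = []
    for host, stages in correlate(lines).items():
        if "remote_assist" in stages and "rclone" in stages:
            if stages.index("remote_assist") < stages.index("rclone"):
                flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOGS).items():
        print(host, "->", " > ".join(stages))
    print("flagged:", flag_hosts(SAMPLE_LOGS))
```

The rule keys on ordering rather than on any single process, which is the point of the report's "little malware" observation: each binary on its own is legitimate, and the signal is the sequence on one host after a user-approved session.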

Once again, it is evident that humans are the weakest link, as this attack relies on human behavior and not technical security flaws. Microsoft noted that the risk began when users approved follow-on actions, and that multiple security warnings were bypassed along the way.

Ultimately, attacks like these are no longer about breaking systems -- they are about manipulating people into opening the door themselves.

"Attackers use social engineering to convince users to grant access."
