IT Support Scam
Nirav Paleja  

The Microsoft Teams IT Support Scam Targeting Businesses Right Now 

What if an employee got a Teams message from “IT Support” asking for remote access to fix an urgent issue? Most would comply without a second thought. That’s exactly what attackers are counting on. 

A confirmed attack campaign is actively targeting businesses through Microsoft Teams, impersonating IT helpdesk staff to steal credentials, deploy ransomware, and exfiltrate data, all without triggering a single traditional security alert.

How the Attack Works 

It follows a simple but devastatingly effective pattern: 

  1. Fake IT contact: Attackers create an external Microsoft 365 tenant named “IT Support” and message your employee directly in Teams
  2. Inbox flood: They spam the employee’s email with thousands of messages, creating panic and making the “helpdesk call” feel like a relief
  3. Remote access: They ask the employee to open Quick Assist (a legitimate Windows tool) and approve a remote session. No malware, no suspicious links
  4. Credential theft & lateral movement: Once inside, they harvest login credentials, move across the network, and exfiltrate data using everyday tools like PowerShell and cloud sync utilities

Over 15 confirmed incidents have been linked to ransomware-connected threat groups using this exact method. 
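
Each step in that chain looks normal in isolation, but the sequence is distinctive. The following is an added example, not code from this article or from Periscope Technologies: it correlates an inbox flood, a "helpdesk"-named chat from an untrusted tenant, and a Quick Assist launch for the same user. The event schema, thresholds, tenant names and sample events are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed event schema and thresholds (hypothetical); map to your own telemetry.
TRUSTED_TENANTS = {"contoso.example"}    # constructed allow-list of partner tenants
HELPDESK_NAME = re.compile(r"\b(it|help\s*desk|service\s*desk|support)\b", re.I)
FLOOD_THRESHOLD = 100                    # inbound mails ...
FLOOD_WINDOW = timedelta(minutes=30)     # ... in this window before the chat
SESSION_WINDOW = timedelta(minutes=60)   # Quick Assist launch after the chat

def find_helpdesk_lures(events):
    """Alert on an untrusted-tenant 'helpdesk' chat followed by Quick Assist."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        mails = [e["ts"] for e in evs if e["type"] == "email_received"]
        launches = [e["ts"] for e in evs if e["type"] == "process_start"
                    and e["image"].lower().endswith("quickassist.exe")]
        for chat in evs:
            if chat["type"] != "teams_chat" or chat["sender_tenant"] in TRUSTED_TENANTS:
                continue
            if not HELPDESK_NAME.search(chat["sender_name"]):
                continue
            t = chat["ts"]
            # Count mail that arrived shortly before the chat (the "inbox flood" step).
            flooded = sum(t - FLOOD_WINDOW <= m <= t for m in mails) >= FLOOD_THRESHOLD
            if any(t <= p <= t + SESSION_WINDOW for p in launches):
                alerts.append({"user": user, "sender_tenant": chat["sender_tenant"],
                               "inbox_flood": flooded,
                               "severity": "high" if flooded else "medium"})
    return alerts

def constructed_events():
    """Constructed sample telemetry, not real logs."""
    t0, qa = datetime(2025, 1, 6, 9, 0), r"C:\Windows\System32\quickassist.exe"
    at = lambda n: t0 + timedelta(minutes=n)
    evs = [{"ts": t0 + timedelta(seconds=10 * i), "user": "alice",
            "type": "email_received"} for i in range(150)]
    return evs + [
        {"ts": at(26), "user": "alice", "type": "teams_chat",
         "sender_tenant": "helpdesk-it.example", "sender_name": "IT Support"},
        {"ts": at(31), "user": "alice", "type": "process_start", "image": qa},
        {"ts": at(5), "user": "bob", "type": "teams_chat",
         "sender_tenant": "contoso.example", "sender_name": "IT Support"},
        {"ts": at(9), "user": "bob", "type": "process_start", "image": qa},
    ]
```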

Why It’s So Hard to Stop 

Every tool used in this attack (Teams, Quick Assist, Windows Remote Management) is legitimate. There’s nothing for basic antivirus to flag. The only real defence is an architecture that assumes no one gets automatic trust, regardless of how they appear.

Not sure if your business is exposed? 
Book a free security assessment with Periscope Technologies → 

How Periscope Technologies Protects You 

We build Zero Trust security environments that stop attacks like this at every layer: 

  • EDR/EPDR: Continuous endpoint monitoring flags unusual behaviour even when attackers use legitimate tools
  • Advanced Threat Protection: Behaviour-based detection catches threats signatures alone would miss
  • Firewall & DNS Controls: Blocks outbound connections to attacker infrastructure before data leaves
  • Zero Trust Network Access: Limits lateral movement so a compromised endpoint can’t become a full breach

Three Actions to Take Today 

  • Restrict external Teams messaging in your admin centre: unknown external contacts shouldn’t be able to reach your employees uninvited
  • Disable Quick Assist via Group Policy if your IT team doesn’t actively use it
  • Brief your team in 10 minutes: Real IT support never cold-contacts you on Teams asking for remote access without a prior ticket. If it happens, call IT directly

Don’t Wait for an Incident to Find Out 

Book a free, no-obligation security assessment with Periscope Technologies. We’ll give you a picture of where your business stands and what needs fixing. 

→ Request Your Free Assessment at periscope-tech.com 
