Attack chain | Image: Microsoft
A new investigative report from the Microsoft Defender Security Research Team has unmasked a sophisticated intrusion chain that leverages the very tools meant for IT collaboration to facilitate silent, widespread data exfiltration.
The campaign represents a tactical shift in social engineering, moving away from traditional phishing emails toward direct, cross-tenant communication on platforms like Microsoft Teams.
The attack begins with a high-stakes psychological play. “Threat actors are initiating cross-tenant Microsoft Teams communications while impersonating IT or helpdesk personnel to socially engineer users into granting remote desktop access,” the report states.
Once a user is convinced they are speaking with a legitimate support agent, the actor guides them through a remote assistance session using tools like Quick Assist. After establishing this initial foothold, the attackers often execute trusted, vendor-signed applications alongside their own malicious modules, allowing them to run code while appearing as authorized activity on the endpoint.
With a single workstation compromised, the attackers quickly shift their focus to the heart of the corporate network: identity-centric infrastructure.
Researchers observed the use of native administrative protocols—specifically Windows Remote Management (WinRM) over port 5985—to perform credential-backed lateral movement. This allows the threat actor to pivot toward high-value assets, such as domain controllers, without the need for sophisticated malware.
As the analysis highlights, “Targeting identity-centric infrastructure at this stage reflects a shift from initial foothold to broader enterprise control and persistence”.
To ensure they maintain a permanent seat at the table, the attackers deploy secondary management platforms. In recent intrusions, researchers identified the remote installation of Level RMM, a commercial remote management software, using the standard Windows Installer (msiexec.exe).
This move introduces an alternate control channel that remains independent of the initial intrusion components. By using standard administrative mechanisms, attackers can maintain persistent remote control even if their earlier payloads are identified and removed by security software.
The campaign culminates in a targeted effort to strip the organization of its most valuable data. Using the file-synchronization tool Rclone, the actors transfer business-relevant documents from internal network locations to external cloud storage.
Notably, the attackers use specific file-type exclusions in their transfer parameters, a calculated move intended to “minimize transfer size and detection risk” while ensuring they capture the most sensitive corporate information.
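As an added illustration (not code from the Microsoft report), the following Python script hunts constructed endpoint events for the stages described above: Quick Assist execution, WinRM connections to port 5985, msiexec installs of packages outside an approved list, and Rclone copy jobs. The event format, host names, installer file name and approved-package list are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry: (host, event_type, detail). Not real data.
EVENTS = [
    ("WS01", "process", "quickassist.exe"),
    ("WS01", "network", "dst=10.0.0.5:5985 proto=tcp"),
    ("DC01", "process", r"msiexec.exe /i C:\Temp\level-agent.msi /qn"),  # hypothetical RMM installer name
    ("DC01", "process", r"rclone.exe copy \\fs01\finance remote:bucket --exclude *.exe --exclude *.dll"),
    ("WS02", "process", r"msiexec.exe /i C:\Installers\7zip.msi /qn"),  # routine, approved package
]

# MSI packages IT is expected to push (assumed list); any other msiexec install is flagged.
APPROVED_MSI = {r"c:\installers\7zip.msi"}

STAGE_PATTERNS = {
    "remote_assist": re.compile(r"\bquickassist\.exe\b", re.I),
    "winrm_lateral": re.compile(r"\bdst=\S+:5985\b", re.I),
    "rclone_exfil": re.compile(r"\brclone\.exe\s+(copy|sync|move)\b", re.I),
}
MSI_INSTALL = re.compile(r"\bmsiexec\.exe\s+/i\s+(\S+\.msi)", re.I)


def classify(detail):
    """Map one event's command line or connection string to a chain stage, or None."""
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.search(detail):
            return stage
    m = MSI_INSTALL.search(detail)
    if m and m.group(1).lower() not in APPROVED_MSI:
        return "rmm_install"  # unexpected package deployed through the standard installer
    return None


def hunt(events):
    """Return {host: set of chain stages observed on that host}."""
    seen = defaultdict(set)
    for host, _kind, detail in events:
        stage = classify(detail)
        if stage:
            seen[host].add(stage)
    return dict(seen)


def suspicious_hosts(events, min_stages=2):
    """Hosts where two or more stages co-occur: each stage alone looks like routine IT work."""
    return sorted(h for h, stages in hunt(events).items() if len(stages) >= min_stages)
```

The per-host correlation is the point: a single WinRM session or msiexec run is normal enterprise activity, and only the combination of stages separates this chain from legitimate helpdesk workflows.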
The greatest challenge for modern defenders is that this entire operation is designed to mimic routine IT workflows. “This intrusion chain relies heavily on legitimate applications and administrative protocols, allowing threat actors to blend into expected enterprise activity during multiple intrusion phases,” the Microsoft team concludes.