Attackers Pose as IT Support on Microsoft Teams to Launch Human‑Operated Intrusions

Attackers are exploiting trust in Microsoft Teams and legitimate support tools to gain access and steal sensitive corporate data.


Key Takeaways:

  • Attackers impersonate IT support on Microsoft Teams to gain employee trust.
  • Legitimate tools are being abused to bypass traditional security alerts.
  • Microsoft urges organizations to tighten controls and improve monitoring.

Microsoft has warned of a growing attack technique that relies on a “human‑operated” intrusion playbook, in which threat actors pose as IT helpdesk staff over Microsoft Teams. Attackers exploit user trust and legitimate support tools to gain user‑authorized access to corporate systems and quietly exfiltrate sensitive data.

According to the report, attackers begin by contacting employees through external Microsoft Teams chats in which they pretend to be internal IT or helpdesk staff. Because Microsoft Teams is widely used for legitimate support interactions, this approach appears normal and sidesteps traditional email phishing defenses.

Legitimate remote support tools help attackers avoid detection

Attackers rely on persuasion to convince users to start remote support sessions using legitimate tools such as Quick Assist. This makes the access explicitly user‑authorized, which significantly reduces security alerts. Once access is granted, threat actors avoid obvious malware. They run trusted, vendor‑signed applications and pair them with malicious components, which allows harmful activity to blend into routine IT behavior.

Attackers validate access and then move through the environment using built‑in administrative tools such as Windows Remote Management (WinRM). This enables them to reach high‑value systems like domain controllers without triggering strong detections. In the final stage, attackers gather business‑critical data and use utilities such as Rclone to transfer information to external cloud storage. The activity is selective and optimized to minimize noise and detection.

“Actors used the file‑synchronization tool Rclone to transfer data from internal network locations to an external cloud storage service. Filetype exclusions in the transfer parameters suggest a targeted effort to exfiltrate business‑relevant documents while minimizing transfer size and detection risk,” Microsoft explained.

How can organizations defend against human-operated intrusions?

Organizations should focus first on reducing the risk of user‑approved misuse of trusted tools, since this attack chain depends on social engineering rather than software exploits. Microsoft recommends tightening controls around external Microsoft Teams interactions, such as limiting cross‑tenant chat, clearly labeling external users, and training employees to independently verify IT support requests before granting remote access. Moreover, IT admins must restrict or monitor the use of remote assistance tools (like Quick Assist) and require additional approval or authentication for support sessions to break the intrusion early, before attackers gain interactive control of a system.

Additionally, organizations should strengthen post‑access visibility and detection by closely monitoring the use of legitimate administrative tools and remote management software. Attackers rely on native protocols and trusted applications to move laterally and exfiltrate data, so defenders should watch for abnormal behavior such as unusual WinRM activity, unexpected deployment of RMM tools, or bulk data transfers to external cloud services.
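As an added illustration (not code from Microsoft's report), the following Python snippet correlates the sequence the article describes over constructed process-creation events: a Quick Assist launch followed within a time window by WinRM remote-session activity or an rclone run on the same host. The log fields, process image names and sample events are assumptions constructed for the example.

```python
"""Toy detection over constructed process-creation events.

Flags hosts where a Quick Assist session is followed, within a time
window, by WinRM remote-session activity or an rclone run.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Each record mirrors a
# typical process-creation log: time, host, user, image name, command line.
EVENTS = [
    ("2024-01-10T09:02:00", "WS-042", "alice", "quickassist.exe", "quickassist.exe"),
    ("2024-01-10T09:15:30", "WS-042", "alice", "wsmprovhost.exe", "wsmprovhost.exe -Embedding"),
    ("2024-01-10T09:40:10", "WS-042", "alice", "rclone.exe",
     'rclone.exe copy C:\\Shares\\Finance remote:bucket --exclude "*.exe"'),
    ("2024-01-10T11:00:00", "WS-077", "bob", "quickassist.exe", "quickassist.exe"),
    ("2024-01-11T08:00:00", "WS-077", "bob", "rclone.exe", "rclone.exe copy ..."),   # outside window
    ("2024-01-10T12:00:00", "WS-099", "carol", "rclone.exe", "rclone.exe copy ..."), # no Quick Assist first
]

WINDOW = timedelta(hours=2)  # assumed correlation window
FOLLOW_ON = {"wsmprovhost.exe": "WinRM remote session", "rclone.exe": "rclone transfer"}

def parse(ev):
    ts, host, user, image, cmd = ev
    return datetime.fromisoformat(ts), host, user, image.lower(), cmd

def detect(events, window=WINDOW):
    """Return (host, user, description, minutes_after_quick_assist) findings."""
    findings = []
    # Remember the most recent Quick Assist launch per host so that each
    # follow-on event is matched against the session start on that machine.
    qa_by_host = {}
    for ts, host, user, image, cmd in sorted(map(parse, events)):
        if image == "quickassist.exe":
            qa_by_host[host] = ts
            continue
        if image in FOLLOW_ON and host in qa_by_host:
            delta = ts - qa_by_host[host]
            if timedelta(0) <= delta <= window:
                findings.append((host, user, FOLLOW_ON[image],
                                 int(delta.total_seconds() // 60)))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print("ALERT", finding)
```

In production the same correlation would be expressed over EDR or Sysmon process-creation telemetry, and the rclone command line can additionally be inspected for external remotes and filetype exclusions like the ones Microsoft observed.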