Mar 26, 2026 · 6 min read
That Teams Call From IT Support Was a Hacker Who Took Over the Whole PC in 10 Minutes
Microsoft's own incident response team documented a campaign where attackers impersonate IT support on Teams voice calls, convince employees to open Quick Assist, and deploy fileless malware that runs entirely in memory.
The Call Looks Completely Normal
Microsoft's Detection and Response Team (DART) published details of a campaign where threat actors place voice calls through Microsoft Teams, impersonating senior IT staff. The attackers spoof their display names to match legitimate IT personnel, so the incoming call notification looks identical to a real support request. There is no malicious link. No suspicious attachment. Just a phone call from someone who sounds like they work at your company.
The social engineering is precise. In the documented incident, the attacker tried two employees first and failed. On the third attempt, they succeeded. All it takes is one person who does not question why IT is calling to ask them to open a remote support tool.
Quick Assist: The Trusted Tool That Becomes the Weapon
The key to this attack is Microsoft Quick Assist, a built-in Windows remote assistance tool that is installed by default on every Windows machine. Because it is a Microsoft-signed native application, it bypasses the suspicion that a third-party remote access tool like TeamViewer or AnyDesk would trigger. Security teams rarely block it because it is part of Windows itself.
Once the victim opens Quick Assist and shares the access code, the attacker has full interactive control of the desktop. From there, the clock starts ticking. In the DART-documented case, the attacker moved from initial access to malware deployment in approximately 10 minutes.
Fileless Malware That Hides in Memory
With remote access established, the attacker steered the victim to a malicious website that delivered a trojanized executable disguised as a system updater. The payload was a .NET Core 8.0 wrapper that contacted a command-and-control (C2) server to retrieve encryption keys, then executed fileless malware directly in memory without ever writing to disk.
This technique is specifically designed to evade traditional endpoint detection. Most antivirus products scan files written to disk. Malware that executes only in memory leaves no file for these tools to inspect. The attacker also used the access to redirect the victim to a spoofed corporate login page where credentials were harvested through a web form that looked identical to the real thing.
The combination is devastating: the attacker gets both persistent remote access through the malware and stolen credentials that can be used independently for lateral movement across the network.
Why This Attack Works So Well
Voice phishing (vishing) is harder to detect than email phishing because there is no link to scan, no attachment to sandbox, and no digital artifact to flag. The attack exploits three layers of trust simultaneously:
- Platform trust: The call comes through Microsoft Teams, a tool employees use every day
- Identity trust: The caller's display name matches a known IT staff member
- Tool trust: Quick Assist is a Microsoft-signed native Windows application
Traditional security training teaches people to look for suspicious emails and links. It rarely covers what to do when someone calls you on Teams and politely asks you to open a Windows tool that is already on your computer. This is a blind spot that attackers are increasingly exploiting. Vishing attacks have been linked to some of the highest profile breaches in recent years, including the compromise that led to the Aura identity protection breach.
How to Protect Your Organization
- Restrict external Teams calls. Configure Microsoft Teams to block inbound communications from unmanaged accounts. Use an allowlist model that only permits contact from trusted external domains.
- Disable or restrict Quick Assist. If your organization does not use Quick Assist for legitimate support, remove or disable it through Group Policy. If you do use it, require a ticket number before any session begins.
- Establish a verification protocol. Train employees to verify any remote support request by hanging up and calling the IT help desk through an official, published phone number. Never accept inbound support calls at face value.
- Monitor for indicators of compromise. Block the known malicious domains associated with this campaign and ingest the published SHA256 hashes into your endpoint detection tools.
- Train for vishing specifically. Most security awareness programs focus on email phishing. Add voice phishing scenarios to your training program, including simulated Teams calls that test whether employees will grant remote access.
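One way to carry out the Quick Assist step of the list above on a single host, as an added PowerShell example that is not part of the DART report or of Microsoft's own guidance: it inventories both forms in which Quick Assist can be present (the inbox Windows capability and the Store app; the capability name `App.Support.QuickAssist*` and package name `MicrosoftCorporationII.QuickAssist` are assumptions matched by wildcard), removes them, and refuses to act while a session is live. For fleet-wide enforcement the same removal belongs in Group Policy, Intune or an AppLocker rule rather than an ad hoc script.

```powershell
#Requires -RunAsAdministrator
# Inventory and removal of Microsoft Quick Assist on one Windows host.
# Added example, not code from the DART write-up. The capability name
# 'App.Support.QuickAssist*' and the Store package name
# 'MicrosoftCorporationII.QuickAssist' are assumptions; the wildcard keeps
# the script working if the version suffix of the capability changes.

function Get-QuickAssistInventory {
    # Returns one object per install form found (inbox capability or Store app).
    $found = @()
    Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' |
        Where-Object State -eq 'Installed' |
        ForEach-Object {
            $found += [pscustomobject]@{ Kind = 'Capability'; Id = $_.Name }
        }
    Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' |
        ForEach-Object {
            $found += [pscustomobject]@{ Kind = 'AppxPackage'; Id = $_.PackageFullName }
        }
    return $found
}

function Disable-QuickAssist {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # A running QuickAssist.exe means a session may be live right now; that is
    # the case an admin wants to inspect first, not silently tear down.
    if (Get-Process -Name QuickAssist -ErrorAction SilentlyContinue) {
        Write-Warning 'QuickAssist.exe is running; investigate the session before removal.'
        return
    }
    foreach ($item in Get-QuickAssistInventory) {
        if ($PSCmdlet.ShouldProcess($item.Id, "Remove $($item.Kind)")) {
            switch ($item.Kind) {
                'Capability'  { Remove-WindowsCapability -Online -Name $item.Id | Out-Null }
                'AppxPackage' { Remove-AppxPackage -AllUsers -Package $item.Id }
            }
        }
    }
}

# Dry run first, then remove, then re-inventory to confirm nothing is left.
Disable-QuickAssist -WhatIf
Disable-QuickAssist
Get-QuickAssistInventory
```

Removal alone does not stop a user from reinstalling the Store version, so pair it with a policy that blocks the package from being installed and, where your support process allows, with a network block on the Quick Assist service.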
The Shift From Email to Voice
This campaign is part of a broader trend where attackers are moving away from email as the primary entry point. As email security tools have improved with better spam filtering, link scanning, and attachment sandboxing, threat actors are shifting to channels that have fewer automated defenses. Voice calls, SMS messages, and collaboration platform messages all bypass the email security stack entirely.
The lesson from DART's investigation is straightforward: if someone calls you on Teams and asks you to open any remote access tool, treat it exactly like you would a suspicious email. Verify before you trust. The 10 minutes it takes to confirm the request with your real IT team could save your organization from a full compromise.