Cyber: Microsoft: Teams increasingly abused in helpdesk impersonation attacks

Microsoft is warning that threat actors are increasingly abusing external Microsoft Teams collaboration and relying on legitimate tools for access and lateral movement on enterprise networks. The attackers impersonate IT or helpdesk staff, contact employees through cross-tenant chats, and trick them into granting remote access in order to steal data. Microsoft has observed multiple intrusions with a similar attack chain that used commercial remote management software, such as Quick Assist, and the Rclone utility to transfer files to an external cloud storage service. The company notes that the follow-on malicious activity is hard to distinguish from normal operations because of the heavy use of legitimate applications and native administrative protocols.

“Threat actors are increasingly abusing external Microsoft Teams collaboration to impersonate IT or helpdesk personnel and convince users to grant remote assistance access,” Microsoft says. “From this initial foothold, attackers can leverage trusted tools and native administrative protocols to move laterally across the enterprise and stage sensitive data for exfiltration—often blending into routine IT support activity throughout the intrusion lifecycle,” the company added.

In a recent report, Microsoft describes a nine-stage attack chain that begins with the threat actor contacting the target via an external Teams chat, posing as a member of the company's IT staff and claiming they need to address an account issue or perform a security update. The goal is to convince the target to start a remote support session, usually via Quick Assist, which gives the attacker direct control of the employee's machine.
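Because each step of this chain uses a legitimate tool, the defender's signal is the sequence rather than any single process. The following is an added example, not code from Microsoft or BleepingComputer, that correlates a Quick Assist session start with a later Rclone execution on the same host over constructed process-creation events; the log format, host names and file paths are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample process-creation events (not a real product schema).
# cmd= is always the last field because the command line contains spaces.
SAMPLE_EVENTS = [
    "2024-05-01T10:02:13Z host=WS-017 user=jdoe image=QuickAssist.exe cmd=QuickAssist.exe",
    "2024-05-01T10:19:40Z host=WS-017 user=jdoe image=rclone.exe cmd=rclone copy C:\\Finance remote:staging",
    "2024-05-01T11:00:00Z host=WS-022 user=asmith image=rclone.exe cmd=rclone sync D:\\Backups backup:nightly",
    "2024-05-02T09:00:00Z host=WS-017 user=jdoe image=QuickAssist.exe cmd=QuickAssist.exe",
]

REMOTE_ASSIST_TOOLS = {"quickassist.exe"}   # remote support session start
TRANSFER_TOOLS = {"rclone.exe"}             # bulk copy to cloud storage

@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    image: str
    cmd: str

def parse_event(line: str) -> Event:
    """Parse one constructed 'ts key=value ... cmd=...' line into an Event."""
    head, _, cmd = line.partition(" cmd=")
    ts_str, *pairs = head.split()
    kv = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, kv["host"], kv["user"], kv["image"].lower(), cmd)

def find_assist_then_transfer(lines, window=timedelta(hours=1)):
    """Return (host, user, delay, cmd) for every transfer-tool launch that
    follows a remote-assist session start on the same host within `window`.
    A transfer with no preceding remote-assist session is not reported, which
    keeps routine backup jobs (WS-022 above) out of the alert set."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e.ts)
    last_assist = {}  # host -> timestamp of the most recent remote-assist start
    hits = []
    for ev in events:
        if ev.image in REMOTE_ASSIST_TOOLS:
            last_assist[ev.host] = ev.ts
        elif ev.image in TRANSFER_TOOLS:
            start = last_assist.get(ev.host)
            if start is not None and ev.ts - start <= window:
                hits.append((ev.host, ev.user, ev.ts - start, ev.cmd))
    return hits

if __name__ == "__main__":
    for host, user, delay, cmd in find_assist_then_transfer(SAMPLE_EVENTS):
        print(f"ALERT {host} {user}: transfer {delay} after remote assist: {cmd}")
```

In production the same correlation would run over the EDR's process events, with the window and tool lists tuned to the organisation's own support workflow.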

Source: BleepingComputer