Teams calls from fake IT support — how one call compromises an entire company
Microsoft DART reveals how attackers use Teams voice calls and Quick Assist to deploy backdoors. Here is how to protect your organization.
Microsoft DART published a detailed report last week about an attack that starts with a Teams voice call. The attacker posed as IT support, called three employees, and eventually convinced one to launch Quick Assist and share their screen.
From there, things moved fast. The attacker directed the victim to a spoofed login page, captured credentials, and downloaded a trojanized MSI package that established a backdoor through DLL sideloading — all using legitimate Windows mechanisms that do not trigger standard antivirus.
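The sequence described above (a Quick Assist session followed shortly by an MSI install) can be hunted for in process-creation logs. The sketch below is an added example, not taken from Microsoft's report or from this article; the log layout, the 30-minute window and the user-writable path heuristic are assumptions, and the events are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed events, timestamp|host|image|command line (layout is an assumption).
SAMPLE_EVENTS = r"""
2025-03-10T09:02:11|WS-014|C:\Windows\System32\quickassist.exe|quickassist.exe
2025-03-10T09:09:40|WS-014|C:\Windows\System32\msiexec.exe|msiexec.exe /i "C:\Users\anna\Downloads\update.msi" /qn
2025-03-10T09:15:03|WS-022|C:\Windows\System32\msiexec.exe|msiexec.exe /i "C:\Users\ben\Downloads\viewer.msi"
2025-03-10T11:30:00|WS-031|C:\Windows\System32\quickassist.exe|quickassist.exe
2025-03-10T11:41:27|WS-031|C:\Windows\System32\msiexec.exe|msiexec.exe /i "\\deploy01\packages\office.msi" /qn
2025-03-10T14:00:00|WS-040|C:\Windows\System32\quickassist.exe|quickassist.exe
2025-03-10T16:20:00|WS-040|C:\Windows\System32\msiexec.exe|msiexec.exe /i "C:\Users\cara\AppData\Local\Temp\tool.msi"
"""

# Assumption: a package started from a user profile or Temp directory was
# downloaded by the user rather than pushed by software deployment.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData)\\|\\Temp\\", re.I)
MSI_PATH = re.compile(r'"([^"]+\.msi)"|(\S+\.msi)', re.I)


def parse_events(text):
    """Turn pipe-delimited lines into dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, host, image, cmd = line.split("|", 3)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "exe": image.rsplit("\\", 1)[-1].lower(), "cmd": cmd})
    return sorted(events, key=lambda e: e["time"])


def find_chains(events, window_minutes=30):
    """Flag user-path MSI installs soon after Quick Assist on the same host."""
    window = timedelta(minutes=window_minutes)
    last_qa = {}  # host -> time of the most recent Quick Assist start
    hits = []
    for ev in events:
        if ev["exe"] == "quickassist.exe":
            last_qa[ev["host"]] = ev["time"]
        elif ev["exe"] == "msiexec.exe" and ev["host"] in last_qa:
            match = MSI_PATH.search(ev["cmd"])
            package = (match.group(1) or match.group(2)) if match else None
            recent = ev["time"] - last_qa[ev["host"]] <= window
            if package and recent and USER_WRITABLE.search(package):
                hits.append((ev["host"], package, ev["time"].isoformat()))
    return hits


if __name__ == "__main__":
    print(find_chains(parse_events(SAMPLE_EVENTS)))
```

Only WS-014 is flagged in the sample: WS-022 had no Quick Assist session, WS-031 installed from a deployment share, and WS-040 installed outside the window.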
Who is behind it?
Microsoft links the activity to Storm-1811, a threat actor cluster affiliated with Black Basta ransomware operations. This is not a targeted attack against large enterprises — it is a scalable playbook that works just as well against a 20-person company.
Why this hits SMBs hard
Teams is the default communication platform for most M365 Business Premium customers. Quick Assist ships built into Windows and is enabled by default. The combination makes it trivial for an attacker to establish a foothold without sending a single phishing email.
Unlike email-based attacks, voice calls bypass Defender for Office 365, Safe Links, and all email filtering. There is no automated protection against a convincing voice on the phone.
What you should do now
1. Disable Quick Assist for standard users
Use Intune Device Configuration to block quickassist.exe. If your IT team needs remote support, use Remote Help in Intune instead — it requires authentication and provides an audit trail.
2. Restrict external calls in Teams
Go to Teams Admin Center → External Access and limit which domains can call your users. Consider blocking external voice calls entirely if your business does not require it.
3. Deploy phishing-resistant MFA
If the attacker captures passwords through a fake login page, SMS-based MFA will not save you. Passkeys or FIDO2 keys in Entra ID stop credential phishing completely.
4. Run a vishing exercise
Most security awareness training focuses on email. Add a Teams voice call scenario to your next training session.
How we can help
We offer a Teams Security Quick Check (1-2h) where we review Quick Assist status, external access settings, and call restrictions in your tenant. Want us to check your environment? Get in touch.