By Bill Toulas
Publication Date: 2026-04-20 15:11:00
Microsoft is warning of threat actors increasingly abusing external Microsoft Teams collaboration and relying on legitimate tools for access and lateral movement on enterprise networks.
The hackers impersonate IT or helpdesk staff to contact employees through cross-tenant chats and trick them into providing remote access for data theft purposes.
Microsoft has observed multiple intrusions with a similar attack chain that used commercial remote management software, such as Quick Assist, and the Rclone utility to transfer files to an external cloud storage service.
The tech giant notes that follow-on malicious activity is hard to discern from normal operations because of the heavy use of legitimate applications and native administrative protocolos.
“Threat actors are increasingly abusing external Microsoft Teams collaboration to impersonate IT or helpdesk personnel and convince users to grant remote assistance access,” Microsoft says.
“From this initial…
