{
	"id": "01ab3da4-533f-4d2e-a097-cbe01ffb0041",
	"created_at": "2026-04-06T00:09:52.72451Z",
	"updated_at": "2026-04-10T03:35:13.805107Z",
	"deleted_at": null,
	"sha1_hash": "83efe89d63ff5169b758b5787202fe20a31feb95",
	"title": "Threat actors misusing Quick Assist in social engineering attacks leading to ransomware | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 259331,
	"plain_text": "Threat actors misusing Quick Assist in social engineering attacks\r\nleading to ransomware | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2024-05-15 · Archived: 2026-04-05 12:59:57 UTC\r\nJune 2024 update: At the end of May 2024, Microsoft Threat Intelligence observed Storm-1811 using Microsoft\r\nTeams as another vector to contact target users. Microsoft assesses that the threat actor uses Teams to send\r\nmessages and initiate calls in an attempt to impersonate IT or help desk personnel. This activity leads to Quick\r\nAssist misuse, followed by credential theft using EvilProxy, execution of batch scripts, and use of SystemBC for\r\npersistence and command and control.\r\nSince mid-April 2024, Microsoft Threat Intelligence has observed the threat actor Storm-1811 misusing the client\r\nmanagement tool Quick Assist to target users in social engineering attacks. Storm-1811 is a financially motivated\r\ncybercriminal group known to deploy Black Basta ransomware. The observed activity begins with impersonation\r\nthrough voice phishing (vishing), followed by delivery of malicious tools, including remote monitoring and\r\nmanagement (RMM) tools like ScreenConnect and NetSupport Manager, malware like Qakbot, Cobalt Strike, and\r\nultimately Black Basta ransomware.\r\nQuick Assist is an application that enables a user to share their Windows or macOS device with another person\r\nover a remote connection. This enables the connecting user to remotely connect to the receiving user’s device and\r\nview its display, make annotations, or take full control, typically for troubleshooting. 
Threat actors misuse Quick\r\nAssist features to perform social engineering attacks by pretending, for example, to be a trusted contact like\r\nMicrosoft technical support or an IT professional from the target user’s company to gain initial access to a target\r\ndevice.\r\nIn addition to protecting customers from observed malicious activity, Microsoft is investigating the use of Quick\r\nAssist in these attacks and is working on improving the transparency and trust between helpers and sharers, and\r\nincorporating warning messages in Quick Assist to alert users about possible tech support scams. Microsoft\r\nDefender for Endpoint detects components of activity originating from Quick Assist sessions as well as follow-on\r\nactivity, and Microsoft Defender Antivirus detects the malware components associated with this activity.\r\nOrganizations can also reduce the risk of attacks by blocking or uninstalling Quick Assist and other remote\r\nmanagement tools if the tools are not in use in their environment. Quick Assist is installed by default on devices\r\nrunning Windows 11. Additionally, tech support scams are an industry-wide issue where scammers use scare\r\ntactics to trick users into unnecessary technical support services. Educating users on how to recognize such scams\r\ncan significantly reduce the impact of social engineering attacks. \r\nhttps://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware\r\nPage 1 of 9\n\nOne of the social engineering techniques used by threat actors to obtain initial access to target devices using Quick\r\nAssist is through vishing attacks. 
Vishing attacks are a form of social engineering that involves callers luring\r\ntargets into revealing sensitive information under false pretenses or tricking targets into carrying out actions on\r\nbehalf of the caller.\r\nFor example, threat actors might attempt to impersonate IT or help desk personnel, pretending to conduct generic\r\nfixes on a device. In other cases, threat actors initiate link listing attacks – a type of email bombing attack, where\r\nthreat actors sign up targeted emails to multiple email subscription services to flood email addresses indirectly\r\nwith subscribed content. Following the email flood, the threat actor impersonates IT support through phone calls\r\nto the target user, claiming to offer assistance in remediating the spam issue.\r\nAt the end of May 2024, Microsoft observed Storm-1811 using Microsoft Teams to send messages to and call\r\ntarget users. Tenants created by the threat actor are used to impersonate help desk personnel with names displayed\r\nas “Help Desk”, “Help Desk IT”, “Help Desk Support”, and “IT Support”. Microsoft has taken action to mitigate\r\nthis by suspending identified accounts and tenants associated with inauthentic behavior. Apply security best\r\npractices for Microsoft Teams to safeguard Teams users.\r\nDuring the call, the threat actor persuades the user to grant them access to their device through Quick Assist. The\r\ntarget user only needs to press CTRL + Windows + Q and enter the security code provided by the threat actor, as\r\nshown in the figure below.\r\nFigure 1. Quick Assist prompt to enter security code\r\nAfter the target enters the security code, they receive a dialog box asking for permission to allow screen sharing.\r\nSelecting Allow shares the user’s screen with the actor.\r\nFigure 2. 
Quick Assist dialog box asking permission to allow screen sharing\r\nOnce in the session, the threat actor can select Request Control, which if approved by the target, grants the actor\r\nfull control of the target’s device.\r\nFigure 3. Quick Assist dialog box asking permission to allow control\r\nFollow-on activity leading to Black Basta ransomware\r\nOnce the user allows access and control, the threat actor runs a scripted cURL command to download a series of\r\nbatch files or ZIP files used to deliver malicious payloads. Some of the batch scripts observed reference installing\r\nfake spam filter updates requiring the targets to provide sign-in credentials. In several cases, Microsoft Threat\r\nIntelligence identified such activity leading to the download of Qakbot, RMM tools like ScreenConnect and\r\nNetSupport Manager, and Cobalt Strike.\r\nFigure 4. Examples of cURL commands to download batch files and ZIP files\r\nQakbot has been used over the years as a remote access vector to deliver additional malicious payloads that led to\r\nransomware deployment. In this recent activity, Qakbot was used to deliver a Cobalt Strike Beacon attributed to\r\nStorm-1811.\r\nScreenConnect was used to establish persistence and conduct lateral movement within the compromised\r\nenvironment. NetSupport Manager is a remote access tool used by multiple threat actors to maintain control over\r\ncompromised devices. An attacker might use this tool to remotely access the device, download and install\r\nadditional malware, and launch arbitrary commands.\r\nThe mentioned RMM tools are commonly used by threat actors because of their extensive capabilities and ability\r\nto blend in with the environment. In some cases, the actors leveraged the OpenSSH tunneling tool to establish a\r\nsecure shell (SSH) tunnel for persistence. 
\r\nAfter the threat actor installs the initial tooling and the phone call is concluded, Storm-1811 leverages their access\r\nand performs further hands-on-keyboard activities such as domain enumeration and lateral movement.\r\nIn cases where Storm-1811 relies on Teams messages followed by phone calls and remote access through Quick\r\nAssist, the threat actor uses BITSAdmin to download batch files and ZIP files from a malicious site, for example\r\nantispam3[.]com. Storm-1811 also provides the target user with malicious links that redirect the user to an\r\nEvilProxy phishing site to input credentials. EvilProxy is an adversary-in-the-middle (AiTM) phishing kit used to\r\ncapture passwords, hijack a user’s sign-in session, and skip the authentication process. Storm-1811 was also\r\nobserved deploying SystemBC, a post-compromise commodity remote access trojan (RAT) and proxy\r\ntool typically used to establish command-and-control communication, establish persistence in a compromised\r\nenvironment, and deploy follow-on malware, notably ransomware.\r\nIn several cases, Storm-1811 uses PsExec to deploy Black Basta ransomware throughout the network. Black Basta\r\nis a closed ransomware offering (exclusive and not openly marketed like ransomware as a service) distributed by a\r\nsmall number of threat actors who typically rely on other threat actors for initial access, malicious infrastructure,\r\nand malware development. Since Black Basta first appeared in April 2022, Black Basta attackers have deployed\r\nthe ransomware after receiving access from Qakbot and other malware distributors, highlighting the need for\r\norganizations to focus on attack stages prior to ransomware deployment to reduce the threat. 
In the next sections,\r\nwe share recommendations for improving defenses against this threat, including best practices when using Quick\r\nAssist and mitigations for reducing the impact of Black Basta and other ransomware.\r\nRecommendations\r\nMicrosoft recommends the following best practices to protect users and organizations from attacks and threat\r\nactors that misuse Quick Assist:\r\nConsider blocking or uninstalling Quick Assist and other remote monitoring and management tools if these\r\ntools are not in use in your environment. If your organization utilizes another remote support tool such as\r\nRemote Help, block or remove Quick Assist as a best practice. Remote Help is part of the Microsoft Intune\r\nSuite and provides authentication and security controls for helpdesk connections.\r\nEducate users about protecting themselves from tech support scams. Tech support scams are an industry-wide issue where scammers use scare tactics to trick users into unnecessary technical support services.\r\nOnly allow a helper to connect to your device using Quick Assist if you initiated the interaction by\r\ncontacting Microsoft Support or your IT support staff directly. 
Don’t provide access to anyone claiming to\r\nhave an urgent need to access your device.\r\nIf you suspect that the person connecting to your device is conducting malicious activity, disconnect from\r\nthe session immediately and report to your local authorities and/or any relevant IT members within your\r\norganization.\r\nUsers who have been affected by a tech support scam can also use the Microsoft technical support scam\r\nform to report it.\r\nMicrosoft recommends the following mitigations to reduce the impact of this threat:\r\nEducate users about protecting personal and business information in social media, filtering unsolicited\r\ncommunication, identifying lure links in phishing emails, and reporting reconnaissance attempts and other\r\nsuspicious activity.\r\nEducate users about preventing malware infections, such as ignoring or deleting unsolicited and\r\nunexpected emails or attachments sent through instant messaging applications or social networks as well as\r\nsuspicious phone calls.\r\nInvest in advanced anti-phishing solutions that monitor incoming emails and visited websites. 
Microsoft\r\nDefender for Office 365 brings together incident and alert management across email, devices, and\r\nidentities, centralizing investigations for email-based threats.\r\nEducate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external\r\nentities, be cautious about what they share, and never share their account information or authorize sign-in\r\nrequests over chat.\r\nImplement Conditional Access authentication strength to require phishing-resistant authentication for\r\nemployees and external users for critical apps.\r\nApply Microsoft’s security best practices for Microsoft Teams to safeguard Teams users.\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus\r\nproduct to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections\r\nblock a huge majority of new and unknown variants.\r\nEnable network protection to prevent applications or users from accessing malicious domains and other\r\nmalicious content on the internet.\r\nTurn on tamper protection features to prevent attackers from stopping security services.\r\nEnable investigation and remediation in full automated mode to allow Defender for Endpoint to take\r\nimmediate action on alerts to resolve breaches, significantly reducing alert volume.\r\nRefer to Microsoft’s human-operated ransomware overview for general hardening recommendations\r\nagainst ransomware attacks.\r\nMicrosoft Defender XDR customers can turn on attack surface reduction rules to prevent common attack\r\ntechniques:\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nBlock execution of potentially obfuscated scripts\r\nBlock process creations originating from PSExec and WMI commands\r\nUse advanced protection against ransomware\r\nDetection 
details\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects Qakbot downloaders, implants, and behavior as the following malware:\r\nTrojanDownloader:O97M/Qakbot\r\nTrojan:Win32/QBot\r\nTrojan:Win32/Qakbot\r\nTrojanSpy:Win32/Qakbot\r\nBehavior:Win32/Qakbot\r\nBlack Basta threat components are detected as the following:\r\nBehavior:Win32/Basta\r\nRansom:Win32/Basta\r\nTrojan:Win32/Basta\r\nMicrosoft Defender Antivirus detects Beacon running on a victim process as the following:\r\nBehavior:Win32/CobaltStrike\r\nBackdoor:Win64/CobaltStrike\r\nHackTool:Win64/CobaltStrike\r\nAdditional Cobalt Strike components are detected as the following:\r\nTrojanDropper:PowerShell/Cobacis\r\nTrojan:Win64/TurtleLoader.CS\r\nExploit:Win32/ShellCode.BN\r\nSystemBC components are detected as:\r\nBehavior:Win32/SystemBC\r\nTrojan:Win32/SystemBC\r\nMicrosoft Defender for Endpoint\r\nAlerts with the following title in the security center can indicate threat activity on your network:\r\nSuspicious activity using Quick Assist\r\nThe following alerts might also indicate activity related to this threat. 
Note, however, that these alerts can also be\r\ntriggered by unrelated threat activity.\r\nSuspicious curl behavior\r\nSuspicious bitsadmin activity\r\nSuspicious file creation by BITSAdmin tool\r\nA file or network connection related to a ransomware-linked emerging threat activity group detected —\r\nThis alert captures Storm-1811 activity\r\nRansomware-linked emerging threat activity group Storm-0303 detected — This alert captures some\r\nQakbot distributor activity\r\nPossible Qakbot activity\r\nPossible NetSupport Manager activity\r\nPossibly malicious use of proxy or tunneling tool\r\nSuspicious usage of remote management software\r\nOngoing hands-on-keyboard attacker activity detected (Cobalt Strike)\r\nHuman-operated attack using Cobalt Strike\r\nHuman-operated attack implant tool detected\r\nRansomware behavior detected in the file system\r\nIndicators of compromise\r\nDomain names:\r\nupd7a[.]com\r\nupd7[.]com\r\nupd9[.]com\r\nupd5[.]pro\r\nantispam3[.]com\r\nantispam2[.]com\r\nScreenConnect relay:\r\ninstance-olqdnn-relay.screenconnect[.]com\r\nNetSupport C2:\r\ngreekpool[.]com\r\nCobalt Strike Beacon C2:\r\nzziveastnews[.]com\r\nrealsepnews[.]com\r\nAdvanced hunting\r\nMicrosoft Defender XDR\r\nTo locate possible malicious activity, run the following query in the Microsoft Defender 
portal:\r\nThis query looks for possible email bombing activity:\r\nEmailEvents\r\n| where EmailDirection == \"Inbound\"\r\n| make-series Emailcount = count()\r\non Timestamp step 1h by RecipientObjectId\r\n| extend (Anomalies, AnomalyScore, ExpectedEmails) = series_decompose_anomalies(Emailcount)\r\n| mv-expand Emailcount, Anomalies, AnomalyScore, ExpectedEmails to typeof(double), Timestamp\r\n| where Anomalies != 0\r\n| where AnomalyScore \u003e= 10\r\nThis query looks for possible Teams phishing activity.\r\nlet suspiciousUpns = DeviceProcessEvents\r\n| where DeviceId == \"alertedMachine\"\r\n| where isnotempty(InitiatingProcessAccountUpn)\r\n| project InitiatingProcessAccountUpn;\r\nCloudAppEvents\r\n| where Application == \"Microsoft Teams\"\r\n| where ActionType == \"ChatCreated\"\r\n| where isempty(AccountObjectId)\r\n| where RawEventData.ParticipantInfo.HasForeignTenantUsers == true\r\n| where RawEventData.CommunicationType == \"OneonOne\"\r\n| where RawEventData.ParticipantInfo.HasGuestUsers == false\r\n| where RawEventData.ParticipantInfo.HasOtherGuestUsers == false\r\n| where RawEventData.Members[0].DisplayName in (\"Microsoft Security\", \"Help Desk\", \"Help Desk Team\",\r\n\"Help Desk IT\", \"Microsoft Security\", \"office\")\r\n| where AccountId has \"@\"\r\n| extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN))\r\n| where TargetUPN in (suspiciousUpns)\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. 
If\r\nthe TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the\r\nMicrosoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.\r\nMicrosoft Sentinel also has a range of hunting queries available in the Sentinel GitHub repo or as part of Sentinel\r\nsolutions that customers can use to detect the activity detailed in this blog in addition to Microsoft Defender\r\ndetections. These hunting queries include the following:\r\nQakbot:\r\nQakbot hunting queries\r\nCobalt Strike:\r\nCobalt Strike DNS Beaconing\r\nPotential ransomware activity related to Cobalt Strike\r\nSuspicious named pipes\r\nCobalt Strike Invocation using WMI\r\nReferences\r\nDefense and Mitigations from E-mail Bombing. U.S. Department of Health and Human Services, Health\r\nSector Cybersecurity Coordination Center\r\nLearn more\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn at\r\nhttps://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter)\r\nat https://twitter.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat\r\nlandscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\nSource: https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware"
	],
	"report_names": [
		"threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware"
	],
	"threat_actors": [
		{
			"id": "908cf62e-45cd-492b-bf12-d0902e12fece",
			"created_at": "2024-08-20T02:00:04.543947Z",
			"updated_at": "2026-04-10T02:00:03.68848Z",
			"deleted_at": null,
			"main_name": "UNC4393",
			"aliases": [
				"Storm-1811",
				"CURLY SPIDER",
				"STAC5777"
			],
			"source_name": "MISPGALAXY:UNC4393",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bc98fce-5e1c-46d8-9d1a-64b5cb5febc3",
			"created_at": "2025-04-23T02:00:55.20526Z",
			"updated_at": "2026-04-10T02:00:05.307504Z",
			"deleted_at": null,
			"main_name": "Storm-1811",
			"aliases": [
				"Storm-1811"
			],
			"source_name": "MITRE:Storm-1811",
			"tools": [
				"Black Basta",
				"Cobalt Strike",
				"Quick Assist",
				"BITSAdmin",
				"PsExec",
				"Impacket",
				"QakBot"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434192,
	"ts_updated_at": 1775792113,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/83efe89d63ff5169b758b5787202fe20a31feb95.pdf",
		"text": "https://archive.orkl.eu/83efe89d63ff5169b758b5787202fe20a31feb95.txt",
		"img": "https://archive.orkl.eu/83efe89d63ff5169b758b5787202fe20a31feb95.jpg"
	}
}