Cross‑tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook
Microsoft Defender Security Research Team and Microsoft Defender Experts · 2026-04-18
ATT&CK techniques detected
22 predictions
T1021.006 Windows Remote Management
99%
"actor used native Windows remote execution to pivot from the initially compromised endpoint toward high-value infrastructure assets, including identity and domain management systems such as domain controllers. Use of WinRM from a non-administrative application suggests creden…"
T1021.006 Windows Remote Management
95%
"were directed toward dynamically hosted cloud-backed endpoints and unknown external domains. This behavior indicates remote attacker-controlled infrastructure rather than legitimate update mechanisms. Establishing outbound encrypted communications in this manner enables compr…"
T1021.006 Windows Remote Management
86%
"on actions — such as launching a remote assistance session — that result in interactive system access. In observed intrusions, risk is introduced not by external messaging alone, but when a user approves follow-on actions — such as launching a remote assistance session — that r…"
T1059.001 PowerShell
76%
"…name; _armordevice | join kind=inner _hostrun on DeviceName | where run between (first .. (first + (_timeframe))) | summarize first=min(first), run=min(run), files=make_set(FileName, 10) by DeviceName, host | order by run desc d. PowerShell → high-…"
T1219 Remote Access Tools
62%
"Immediately after establishing control through Quick Assist, the attacker typically spends the first 30–120 seconds assessing their level of access and understanding the compromised environment. This is often reflected by a brief surge of cmd.exe activity, used to verify user…"
T1219 Remote Access Tools
56%
"Cross-tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook. Threat actors are initiating cross-tenant Microsoft Teams communications while impersonating IT or helpdesk personnel to socially engineer users into granting remote desktop acces…"
T1074.001 Local Data Staging
52%
"…reconproc = FileName; // suspect staging writes (zip/exe/dll) let _staging = DeviceFileEvents | where Timestamp > ago(14d) | where ActionType in ("FileCreated", "FileRenamed") | where FileName matches regex @"(?i).*\.(zip|exe|dll)$" | project De…"
T1566.004 Spearphishing Voice
51%
"…access. From this initial foothold, attackers can leverage trusted tools and native administrative protocols to move laterally across the enterprise and stage sensitive data for exfiltration — often blending into routine IT support activity throughout the intrusion lifecycle. Mic…"
T1566.002 Spearphishing Link
49%
"…isnull(atime) or atime between (ttime .. ttime + _timeframe) | extend matchtype = "chatthreadid"; // // add branch 4 for host events // // merge all match paths and collapse multiple alert hits per Teams event into one row union _matches_oid, _matches_upn, _mat…"
T1219 Remote Access Tools
48%
"…, they will navigate to it while on the endpoint during a remote management session. Therefore, the best security is user education on understanding the importance of not ignoring external flags for new helpdesk contacts. See "User education" in the "Defend, harden, and educat…"
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
47%
"…were disrupted or removed. Stage 9: Data exfiltration. Actors used the file-synchronization tool rclone to transfer data from internal network locations to an external cloud storage service. File-type exclusions in the transfer parameters suggest a targeted effort to exfiltra…"
T1566.002 Spearphishing Link
47%
"…see a "ChatCreated" event to indicate a first contact situation, followed by suspicious chats or vishing, remote management, and other events that commonly produce alerts to include mailbombing or URL click alerts. All of these can be correlated by account and chat thread infor…"
T1566.004 Spearphishing Voice
46%
"Cross-tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook. Threat actors are initiating cross-tenant Microsoft Teams communications while impersonating IT or helpdesk personnel to socially engineer users into granting remote desktop acces…"
T1566.004 Spearphishing Voice
45%
"…ating internal support personnel as a means to social engineer the user. This activity does not stem from a weakness in Microsoft Teams or its built-in security protections. Instead, attackers abuse legitimate collaboration features by persuading users to override multiple, c…"
T1074.002 Remote Data Staging
41%
"…were disrupted or removed. Stage 9: Data exfiltration. Actors used the file-synchronization tool rclone to transfer data from internal network locations to an external cloud storage service. File-type exclusions in the transfer parameters suggest a targeted effort to exfiltra…"
T1071.001 Web Protocols
35%
"…. In this stage, a sideloaded module acting as an intermediary loader decrypts staged registry data in memory to reconstruct execution and C2 configuration without writing files to disk. This behavior aligns with intrusion frameworks such as Havoc, which externalize encrypted con…"
T1219 Remote Access Tools
33%
"…(2d) | where FileName =~ "rclone.exe" or ProcessVersionInfoOriginalFileName =~ "rclone.exe" | where ProcessCommandLine has_all ("copy", "--config rclone_uploader.conf", "--transfers 16", "--checkers 16", "--buffer-size 64M", "--max-age=3…"
T1055.001 Dynamic-link Library Injection
33%
"…m; let _armordevice = DeviceFileEvents | where Timestamp > ago(14d) | where FolderPath has_any ("C:\\ProgramData\\Adobe\\ARM\\", "C:\\ProgramData\\Microsoft\\DeviceSync\\", "D:\\ProgramData\\Adobe\\ARM\\", "D:\\ProgramData…"
T1036.005 Match Legitimate Resource Name or Location
33%
"…m; let _armordevice = DeviceFileEvents | where Timestamp > ago(14d) | where FolderPath has_any ("C:\\ProgramData\\Adobe\\ARM\\", "C:\\ProgramData\\Microsoft\\DeviceSync\\", "D:\\ProgramData\\Adobe\\ARM\\", "D:\\ProgramData…"
T1537 Transfer Data to Cloud Account
32%
"…were disrupted or removed. Stage 9: Data exfiltration. Actors used the file-synchronization tool rclone to transfer data from internal network locations to an external cloud storage service. File-type exclusions in the transfer parameters suggest a targeted effort to exfiltra…"
T1070.003 Clear Command History
30%
"…_net2 on DeviceName, proc | where intime between (outtime .. (outtime + (_timeframe))) | project DeviceName, proc, outtime, RemoteUrl, intime, RemotePort | order by intime desc g. PowerShell history deletion DeviceFileEvents | where Timestamp > ago(14d) | where FileName…"
Summary
Threat actors are abusing external Microsoft Teams collaboration to impersonate IT helpdesk staff and convince users to grant remote access. Once inside, attackers can abuse legitimate tools and standard admin protocols to move laterally and exfiltrate data while appearing as routine IT support—activity Microsoft Defender helps detect across Teams, endpoint, and identity telemetry.