{"id":60502,"date":"2026-04-18T12:55:45","date_gmt":"2026-04-18T12:55:45","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=146657"},"modified":"2026-04-18T12:55:45","modified_gmt":"2026-04-18T12:55:45","slug":"cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\/","title":{"rendered":"Cross\u2011tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook"},"content":{"rendered":"<aside class=\"table-of-contents-block accordion wp-block-bloginabox-theme-table-of-contents\" id=\"accordion-e9f70be9-39a3-4792-835a-50873c36dd87\" data-bi-aN=\"table-of-contents\"> <button class=\"btn btn-collapse\" type=\"button\" aria-expanded=\"true\" aria-controls=\"accordion-collapse-e9f70be9-39a3-4792-835a-50873c36dd87\"> <span class=\"table-of-contents-block__label\">In this article<\/span> <span class=\"table-of-contents-block__current\" aria-hidden=\"true\"><\/span> <svg class=\"table-of-contents-block__arrow\" aria-label=\"Toggle arrow\" width=\"18\" height=\"11\" viewBox=\"0 0 18 11\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\"> <path d=\"M15.7761 11L18 8.82043L9 0L0 8.82043L2.22394 11L9 4.35913L15.7761 11Z\" fill=\"currentColor\" \/> <\/svg> <\/button> <\/p>\n<div id=\"accordion-collapse-e9f70be9-39a3-4792-835a-50873c36dd87\" class=\"table-of-contents-block__collapse-wrapper collapse show\" data-parent=\"#accordion-e9f70be9-39a3-4792-835a-50873c36dd87\">\n<div class=\"table-of-contents-block__content\">\n<ol class=\"table-of-contents-block__list\">\n<li class=\"table-of-contents-block__list-item\"><a class=\"table-of-contents-block__list-item-link\" href=\"#risk-to-enterprise-environments\">Risk to enterprise environments<\/a><\/li>\n<li class=\"table-of-contents-block__list-item\"><a 
class=\"table-of-contents-block__list-item-link\" href=\"#attack-chain-overview\">Attack chain overview<\/a>\n<ol class=\"table-of-contents-block__list\">\n<li class=\"table-of-contents-block__list-item\"><a class=\"table-of-contents-block__list-item-link\" href=\"#stage-1-initial-contact-via-teams-t1566-003-spearphishing-via-service\">Stage 1: Initial contact via Teams (T1566.003 Spearphishing via Service)<\/a><\/li>\n<li class=\"table-of-contents-block__list-item\"><a class=\"table-of-contents-block__list-item-link\" href=\"#stage-2-remote-assistance-foothold\">Stage 2: Remote assistance foothold<\/a><\/li>\n<li class=\"table-of-contents-block__list-item\"><a class=\"table-of-contents-block__list-item-link\" href=\"#stage-3-interactive-reconnaissance-and-access-validation\">Stage 3: Interactive reconnaissance and access validation<\/a><\/li>\n<li class=\"table-of-contents-block__list-item\"><a class=\"table-of-contents-block__list-item-link\" href=\"#stage-4-payload-placement-and-trusted-application-invocation\">Stage 4: Payload placement and trusted application invocation<\/a><\/li>\n<li class=\"table-of-contents-block__list-item\"><a class=\"table-of-contents-block__list-item-link\" href=\"#stage-5-execution-context-validation-and-registry-backed-loader-state\">Stage 5: Execution context validation and registry backed loader state<\/a><\/li>\n<li class=\"table-of-contents-block__list-item\"><a class=\"table-of-contents-block__list-item-link\" href=\"#stage-6-command-and-control\">Stage 6: Command and control<\/a><\/li>\n<li class=\"table-of-contents-block__list-item\"><a class=\"table-of-contents-block__list-item-link\" href=\"#stage-7-internal-discovery-and-lateral-movement-toward-high-value-assets\">Stage 7: Internal discovery and lateral movement toward high value assets<\/a><\/li>\n<li class=\"table-of-contents-block__list-item\"><a class=\"table-of-contents-block__list-item-link\" 
href=\"#stage-8-remote-deployment-of-auxiliary-access-tooling-level-rmm\">Stage 8: Remote deployment of auxiliary access tooling (Level RMM)<\/a><\/li>\n<li class=\"table-of-contents-block__list-item\"><a class=\"table-of-contents-block__list-item-link\" href=\"#stage-9-data-exfiltration\">Stage 9: Data exfiltration<\/a><\/li>\n<\/ol>\n<\/li>\n<li class=\"table-of-contents-block__list-item\"><a class=\"table-of-contents-block__list-item-link\" href=\"#mitigation-and-protection-guidance\">Mitigation and protection guidance<\/a>\n<ol class=\"table-of-contents-block__list\">\n<li class=\"table-of-contents-block__list-item\"><a class=\"table-of-contents-block__list-item-link\" href=\"#microsoft-protection-outcomes\">Microsoft protection outcomes<\/a><\/li>\n<li class=\"table-of-contents-block__list-item\"><a class=\"table-of-contents-block__list-item-link\" href=\"#microsoft-defender-xdr-detections\">Microsoft Defender XDR detections<\/a><\/li>\n<li class=\"table-of-contents-block__list-item\"><a class=\"table-of-contents-block__list-item-link\" href=\"#hunting-queries\">Hunting queries<\/a><\/li>\n<\/ol>\n<\/li>\n<li class=\"table-of-contents-block__list-item\"><a class=\"table-of-contents-block__list-item-link\" href=\"#references\">References<\/a><\/li>\n<li class=\"table-of-contents-block__list-item\"><a class=\"table-of-contents-block__list-item-link\" href=\"#learn-more\">Learn More<\/a><\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<p> <span class=\"table-of-contents-block__progress-bar\"><\/span><br \/>\n<\/aside>\n<p class=\"wp-block-paragraph\">Threat actors are initiating cross-tenant Microsoft Teams communications\u00a0while impersonating IT or helpdesk personnel to socially engineer users into granting remote desktop access. After access is established through Quick Assist or similar remote support tools, attackers often execute trusted vendor-signed applications alongside attacker-supplied modules to enable malicious code execution. 
<\/p>\n<p class=\"wp-block-paragraph\">This access pathway might be used to perform credential-backed lateral movement using native administrative protocols such as Windows Remote Management (WinRM), allowing threat actors to pivot toward high-value assets including domain controllers. In observed intrusions, follow-on commercial remote management software and data transfer utilities such as Rclone were used to expand access across the enterprise environment and stage business-relevant information for transfer to external cloud storage. This intrusion chain relies heavily on legitimate applications and administrative protocols, allowing threat actors to blend into expected enterprise activity during multiple intrusion phases.<\/p>\n<p class=\"wp-block-paragraph\">Threat actors are increasingly abusing external Microsoft Teams collaboration to impersonate IT or helpdesk personnel and convince users to grant remote assistance access. From this initial foothold, attackers can leverage trusted tools and native administrative protocols to move laterally across the enterprise and stage sensitive data for exfiltration\u2014often blending into routine IT support activity throughout the intrusion lifecycle. Microsoft Defender provides correlated visibility across identity, endpoint, and collaboration telemetry to help detect and disrupt this user\u2011initiated access pathway before it escalates into broader compromise.<\/p>\n<h2 class=\"wp-block-heading\" id=\"risk-to-enterprise-environments\">Risk to enterprise environments<\/h2>\n<p class=\"wp-block-paragraph\">By abusing enterprise collaboration workflows instead of traditional email\u2011based phishing channels, attackers may initiate contact through applications such as Microsoft Teams in a way that appears consistent with routine IT support interactions. 
While Teams includes built\u2011in security features such as external\u2011sender labeling and Accept\/Block prompts, this attack chain relies on convincing users to bypass those warnings and voluntarily grant remote access through legitimate support tools. <\/p>\n<p class=\"wp-block-paragraph\">In observed intrusions, risk is introduced not by external messaging alone, but when a user approves follow\u2011on actions \u2014 such as launching a remote assistance session \u2014 that result in interactive system access.<\/p>\n<p class=\"wp-block-paragraph\">An approved external Teams interaction might enable threat actors to:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Establish credential-backed interactive system access\u00a0<\/li>\n<li class=\"wp-block-list-item\">Deploy trusted applications to execute attacker-controlled code\u00a0<\/li>\n<li class=\"wp-block-list-item\">Pivot toward identity and domain infrastructure using WinRM\u00a0<\/li>\n<li class=\"wp-block-list-item\">Deploy commercially available remote management tooling\u00a0<\/li>\n<li class=\"wp-block-list-item\">Stage sensitive business-relevant data for transfer to external cloud infrastructure\u00a0<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">In the campaign, lateral movement and follow-on tooling installation occurred shortly after initial access, increasing the risk of enterprise-wide persistence and targeted data exfiltration. 
As each environment is different and with potential handoff to different threat actors, stages might differ if not outright bypassed.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-38.webp\" alt=\"\" class=\"wp-image-146658 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-38.webp\"><figcaption class=\"wp-element-caption\">Figure 1: Attack chain.<\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\" id=\"attack-chain-overview\">Attack chain overview<a id=\"_msocom_1\"><\/a><\/h2>\n<h3 class=\"wp-block-heading\" id=\"stage-1-initial-contact-via-teams-t1566-003-spearphishing-via-service\">Stage 1: Initial contact via Teams (T1566.003 Spearphishing via Service)<\/h3>\n<p class=\"wp-block-paragraph\">The intrusion begins with abuse of external collaboration features in Microsoft Teams, where an attacker operating from a separate tenant initiates contact while impersonating internal support personnel as a means to social engineer the user. Because interaction occurs within an enterprise collaboration platform rather than through traditional email\u2011based phishing vectors, it might bypass initial user skepticism associated with unsolicited external communication. Security features protecting Teams users are detailed <a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoftteams\/teams-security-guide\">here<\/a>, for reference. It\u2019s important to note that this attack relies on users willfully ignoring or overlooking security notices and other protection features.\u00a0 The lure varies and might include \u201cMicrosoft Security Update\u201d, \u201cSpam Filter Update\u201d, \u201cAccount Verification\u201d but the objective is constant: convince the user to ignore warnings and external contact flags, launch a remote management session, and accept elevation. 
Voice phishing (vishing) is sometimes layered in to increase trust or compliance, if it does not replace the messaging altogether.<\/p>\n<p class=\"wp-block-paragraph\">Timing matters. We regularly see a \u201cChatCreated\u201d event indicating a first-contact situation, followed by suspicious chats or vishing, remote management, and other events that commonly produce alerts, including mailbombing or URL-click alerts.\u00a0 \u00a0All of these can be correlated by account and chat thread information in your Defender hunting environment.<\/p>\n<p class=\"wp-block-paragraph\">Teams security warnings:<\/p>\n<p class=\"wp-block-paragraph\">External Accept\/Block screens provide notice to users about First Contact events, which prompt the user to inspect the sender\u2019s identity before accepting:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-39.webp\" alt=\"\" class=\"wp-image-146659 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-39.webp\"><figcaption class=\"wp-element-caption\">Figure 2: External Accept\/Block screens.<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">Higher-confidence warnings alert the user to spam or phishing attempts on first contact:<a id=\"_msocom_1\"><\/a><\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-40.webp\" alt=\"\" class=\"wp-image-146660 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-40.webp\"><figcaption class=\"wp-element-caption\">Figure 3: Spam or phishing alert.<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">External warnings notify users that they are communicating with a tenant\/organization other than 
their own and should be treated with scrutiny:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-41.webp\" alt=\"\" class=\"wp-image-146661 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-41.webp\"><figcaption class=\"wp-element-caption\">Figure 4: External warnings.<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">Message warnings alert the user on the risk in clicking the URL:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-43.webp\" alt=\"\" class=\"wp-image-146663 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-43.webp\"><figcaption class=\"wp-element-caption\">Figure 5: URL click warning.<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">Safe Links for time-of-click protection warns users when URLs from Teams chat messages are malicious:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-44.webp\" alt=\"\" class=\"wp-image-146664 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-44.webp\"><figcaption class=\"wp-element-caption\">Figure 6: time-of-click protection warning.<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">Zero-hour Auto Purge (ZAP) can remove messages that were flagged as malicious after they have been sent:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-45.webp\" alt=\"\" class=\"wp-image-146665 webp-format\" 
srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-45.webp\"><figcaption class=\"wp-element-caption\">Figure 7: Malicious message removed by ZAP.<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">It\u2019s important to note that the attacker often does not send the URL over a Teams message. Instead, they navigate to it themselves on the endpoint during the remote management session, so message-based protections such as Safe Links and ZAP never get a chance to act on it. Therefore, the most effective defense is user education on the importance of not ignoring external-contact flags for new helpdesk contacts. See \u201cUser education\u201d in the \u201cDefend, harden, and educate (Controls to deploy\u00a0now)\u201d section for further advice.<\/p>\n<h3 class=\"wp-block-heading\" id=\"stage-2-remote-assistance-foothold\">Stage 2: Remote assistance foothold<a id=\"_msocom_1\"><\/a><\/h3>\n<p class=\"wp-block-paragraph\">With user consent obtained through social engineering, the attacker gains interactive control of the device using remote support tools such as Quick Assist. 
This access typically results in the launch of QuickAssist.exe, followed by the display of standard Windows elevation prompts through Consent.exe as the user is talked through the approval steps by the attacker.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-46.webp\" alt=\"\" class=\"wp-image-146666 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-46.webp\"><figcaption class=\"wp-element-caption\">Figure 8: Quick Assist Key Logs.<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">From the user\u2019s perspective, the attacker convinces them to open Quick Assist, enter a short key, then follow all prompts and approvals to grant access.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-47.webp\" alt=\"\" class=\"wp-image-146667 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-47.webp\"><figcaption class=\"wp-element-caption\">Figure 9: Quick Assist Launch.<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">This step is often completed in under a minute. The urgency and interactivity are the signal: a remote\u2011assist process tree followed immediately by \u201ccmd.exe\u201d or PowerShell on the same desktop.<\/p>\n<h3 class=\"wp-block-heading\" id=\"stage-3-interactive-reconnaissance-and-access-validation\">Stage 3: Interactive reconnaissance and access validation<\/h3>\n<p class=\"wp-block-paragraph\">Immediately after establishing control through Quick Assist, the attacker typically spends the first 30\u2013120 seconds assessing their level of access and understanding the compromised environment. 
This is often reflected by a brief surge of <em>cmd.exe<\/em> activity, used to verify user context and privilege levels, gather basic system information such as host identity and operating system details, and confirm domain affiliation. In parallel, the attacker might query registry values to determine OS build and edition, while also performing quick network reconnaissance to evaluate connectivity, reachability, and potential opportunities for lateral movement.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-48.webp\" alt=\"\" class=\"wp-image-146668 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-48.webp\"><figcaption class=\"wp-element-caption\">Figure 10: Enumeration.<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">On systems with limited privileges\u2014such as kiosks, VDI, or non-corp-joined devices\u2014actors might pause without deploying payloads, leaving only brief reconnaissance activity. They often return later when access improves or pivot to other targets within the same tenant.<\/p>\n<h3 class=\"wp-block-heading\" id=\"stage-4-payload-placement-and-trusted-application-invocation\">Stage 4: Payload placement and trusted application invocation<\/h3>\n<p class=\"wp-block-paragraph\">Once remote access is established, the intrusion transitions from user\u2011assisted interaction to preparing the environment for persistent execution. At this point, attackers introduce a small staging bundle onto disk using either archive\u2011based deployment or short\u2011lived scripting activity.<\/p>\n<p class=\"wp-block-paragraph\">After access is established, attackers stage payloads in locations such as ProgramData and execute them using DLL side\u2011loading through trusted signed applications. 
Observed host\/module pairings include: <\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">AcroServicesUpdater2_x64.exe loading a staged msi.dll<\/li>\n<li class=\"wp-block-list-item\">ADNotificationManager.exe loading vcruntime140_1.dll<\/li>\n<li class=\"wp-block-list-item\">DlpUserAgent.exe loading mpclient.dll<\/li>\n<li class=\"wp-block-list-item\">werfault.exe loading Faultrep.dll<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">This allows attacker\u2011supplied modules to run under a trusted, signed execution context from non\u2011standard paths. Because the module file names match legitimate DLLs, the anomaly to detect is the load path and the host process, not the file name.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-49.webp\" alt=\"\" class=\"wp-image-146669 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-49.webp\"><figcaption class=\"wp-element-caption\">Figure 11: Sample Payload.<\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"stage-5-execution-context-validation-and-registry-backed-loader-state\">Stage 5: Execution context validation and registry backed loader state<a id=\"_msocom_1\"><\/a><\/h3>\n<p class=\"wp-block-paragraph\">Following payload delivery, the attacker performs runtime checks to validate host conditions before execution. 
A large encoded value is then written to a user\u2011context registry location, serving as a staging container for encrypted configuration data to be retrieved later at runtime.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-50.webp\" alt=\"\" class=\"wp-image-146670 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-50.webp\"><figcaption class=\"wp-element-caption\">Figure 12: Representative commands \/ actions (sanitized).<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">In this stage, a sideloaded module acting as an intermediary loader decrypts staged registry data in memory to reconstruct execution and C2 configuration without writing files to disk. This behavior aligns with intrusion frameworks such as Havoc, which externalize encrypted configuration to registry storage, allowing trusted sideloaded components to dynamically recover execution context and maintain operational continuity across restarts or remediation events.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft Defender for Endpoint may detect this activity as:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Unexpected DLL load by trusted application<\/li>\n<li class=\"wp-block-list-item\">Service\u2011path execution outside vendor installation directory<\/li>\n<li class=\"wp-block-list-item\">Execution from user\u2011writable directories such as ProgramData<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Attack surface reduction rules and Windows Defender Application Control policies can be used to restrict execution pathways commonly leveraged for sideloaded module activation.<a id=\"_msocom_3\"><\/a><\/p>\n<h3 class=\"wp-block-heading\" id=\"stage-6-command-and-control\">Stage 6: Command and control<\/h3>\n<p class=\"wp-block-paragraph\">Following successful execution of 
the sideloaded component, the updater\u2011themed process <em>AcroServicesUpdater2_x64.exe<\/em> began initiating outbound HTTPS connections over TCP port\u202f443 to externally hosted infrastructure.<\/p>\n<p class=\"wp-block-paragraph\">Unlike expected application update workflows which are typically restricted to known vendor services these connections were directed toward dynamically hosted cloud\u2011backed endpoints and unknown external domains. This behavior indicates remote attacker\u2011controlled infrastructure rather than legitimate update mechanisms.<\/p>\n<p class=\"wp-block-paragraph\">Establishing outbound encrypted communications in this manner enables compromised processes to operate as beaconing implants, allowing adversaries to remotely retrieve instructions and maintain control within the affected environment while blending command traffic into routine HTTPS activity. The use of cloud\u2011hosted hosting layers further reduces infrastructure visibility and improves the attacker\u2019s ability to modify or rotate communication endpoints without altering the deployed payload.<\/p>\n<p class=\"wp-block-paragraph\">This activity marks the transition from local execution to externally directed command\u2011and\u2011control \u2014 enabling subsequent stages of discovery and movement inside the enterprise network.<\/p>\n<h3 class=\"wp-block-heading\" id=\"stage-7-internal-discovery-and-lateral-movement-toward-high-value-assets\">Stage 7: Internal discovery and lateral movement toward high value assets<\/h3>\n<p class=\"wp-block-paragraph\">Shortly after external communications were established, the compromised process began initiating internal remote management connections over WinRM (TCP&nbsp;5985) toward additional domain\u2011joined systems within the enterprise environment.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft Defender may surface these activities as multi\u2011device incidents reflecting credential\u2011backed lateral movement initiated 
from a user\u2011context remote session.<\/p>\n<p class=\"wp-block-paragraph\">Analysis of WinRM activity indicates that the threat actor used native Windows remote execution to pivot from the initially compromised endpoint toward high\u2011value infrastructure assets, including identity and domain management systems such as domain controllers. Use of WinRM from a non\u2011administrative application suggests credential\u2011backed lateral movement directed by an external operator, enabling remote command execution, interaction with domain infrastructure, and deployment of additional tooling onto targeted hosts.<\/p>\n<p class=\"wp-block-paragraph\">Targeting identity\u2011centric infrastructure at this stage reflects a shift from initial foothold to broader enterprise control and persistence. Notably, this internal pivot preceded the remote deployment of additional access tooling in later stages, indicating that attacker\u2011controlled WinRM sessions were subsequently leveraged to extend sustained access across<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td>Protocol: &#8220;HTTP&#8221; <br \/>Entity Type: &#8220;IP&#8221; <br \/>Ip: &lt;IP Address> <br \/>Target: &#8220;http:\/\/host.domain.local:5985\/wsman&#8221; <br \/>RequestUserAgent: &#8220;Microsoft WinRM Client&#8221;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n<h3 class=\"wp-block-heading\" id=\"stage-8-remote-deployment-of-auxiliary-access-tooling-level-rmm\">Stage 8: Remote deployment of auxiliary access tooling (Level RMM)<a id=\"_msocom_1\"><\/a><\/h3>\n<p class=\"wp-block-paragraph\">Subsequent activity revealed the remote installation of an additional management platform across compromised hosts using Windows Installer (msiexec.exe). 
This introduced an alternate control channel independent of the original intrusion components, reducing reliance on the initial implant and enabling sustained access through standard administrative mechanisms. As a result, attackers could maintain persistent remote control even if earlier payloads were disrupted or removed.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-51.webp\" alt=\"\" class=\"wp-image-146672 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-51.webp\"><\/figure>\n<h3 class=\"wp-block-heading\" id=\"stage-9-data-exfiltration\">Stage 9: Data exfiltration<\/h3>\n<p class=\"wp-block-paragraph\">Actors used the file\u2011synchronization tool Rclone to transfer data from internal network locations to an external cloud storage service. File\u2011type exclusions in the transfer parameters suggest a targeted effort to exfiltrate business\u2011relevant documents while minimizing transfer size and detection risk.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-52.webp\" alt=\"\" class=\"wp-image-146673 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-52.webp\"><\/figure>\n<p class=\"wp-block-paragraph\">Microsoft Defender might detect this activity as possible data exfiltration involving uncommon synchronization tooling.<\/p>\n<h2 class=\"wp-block-heading\" id=\"mitigation-and-protection-guidance\">Mitigation and protection guidance<\/h2>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Family \/ Product<\/strong><\/td>\n<td><strong>Protection<\/strong><\/td>\n<td><strong>Reference 
documents<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Microsoft Teams<\/td>\n<td>Review external collaboration policies and ensure users receive clear external sender notifications when interacting with cross\u2011tenant contacts. Consider device\u2011 or identity\u2011based access requirements prior to granting remote support sessions.<\/td>\n<td><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoftteams\/trusted-organizations-external-meetings-chat\">https:\/\/learn.microsoft.com\/en-us\/microsoftteams\/trusted-organizations-external-meetings-chat<\/a> and <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-office-365\/mdo-support-teams-about\">https:\/\/learn.microsoft.com\/en-us\/defender-office-365\/mdo-support-teams-about<\/a><\/td>\n<\/tr>\n<tr>\n<td>Microsoft Defender for Office 365<\/td>\n<td>Enable Safe Links for Teams conversations with time-of-click verification, and ensure zero-hour auto purge (ZAP) is active to retroactively quarantine weaponized messages.<\/td>\n<td><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-office-365\/safe-links-about\">https:\/\/learn.microsoft.com\/en-us\/defender-office-365\/safe-links-about<\/a><\/td>\n<\/tr>\n<tr>\n<td>Microsoft Defender for Endpoint<\/td>\n<td>Disable or restrict remote management tools to authorized roles, enable standard ASR rules in block mode, and apply WDAC to prevent DLL sideloading from ProgramData and AppData paths used by these actors.<\/td>\n<td><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/attack-surface-reduction-rules-reference\">https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/attack-surface-reduction-rules-reference<\/a><\/td>\n<\/tr>\n<tr>\n<td>Microsoft Entra ID<\/td>\n<td>Enforce Conditional Access requiring MFA and compliant devices for administrative roles, restrict WinRM to authorized management workstations, and monitor for Rclone or similar synchronization utilities used for data exfiltration via hunting or custom alerts tuned to your 
environment.<\/td>\n<td><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/overview\">https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/overview<\/a> and <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/advanced-hunting-overview\">https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/advanced-hunting-overview<\/a> and <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/custom-detections-overview\">https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/custom-detections-overview<\/a><\/td>\n<\/tr>\n<tr>\n<td>Network Controls<\/td>\n<td>Enable network protection to block implant C2 beaconing to poor-reputation and newly registered domains, and alert on registry modifications to ASEP locations by non-installer processes.&nbsp; Hunting and custom detections tuned to your environment will assist in detecting network threats.<\/td>\n<td><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/network-protection\">https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/network-protection<\/a><\/td>\n<\/tr>\n<tr>\n<td>Education<\/td>\n<td>The attackers will often initiate Teams calls with their targets to talk them through completing actions that result in machine compromise. It may be useful to establish a verbal authentication code between IT Helpdesk and employees: a key phrase that an attacker is unlikely to know. Inform employees how IT Helpdesk would normally reach out to them: which medium(s) of communication? Email, Teams, Phone calls, etc. What identifiers would those IT Helpdesk contacts have? Domain names, aliases, phone numbers, etc. Show example images of your Helpdesk vs. an attacker impersonating them over your communication medium. &nbsp;Show examples of how to identify external versus internal Teams communications, block screens, message and call reporting, as well as how to identify a display name vs. 
the real caller\u2019s name and domain.&nbsp; Inform employees that URLs shared by an external Helpdesk account leading to Safe Links warnings about malicious websites are extremely suspicious. They should report the message as phish and contact your security team. &nbsp; If they receive any URLs from IT Helpdesk that involve going to a webpage for security updates or spam mailbox cleanings, then they should report that to your security team. &nbsp;Treat unsolicited and unexpected external contact from IT Helpdesk as inherently suspicious.<\/td>\n<td><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/10\/07\/disrupting-threats-targeting-microsoft-teams\/\">Disrupting threats targeting Microsoft Teams | Microsoft Security Blog<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n<h3 class=\"wp-block-heading\" id=\"microsoft-protection-outcomes\">Microsoft protection outcomes<a id=\"_msocom_1\"><\/a><\/h3>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Family \/ Product<\/strong><\/td>\n<td><strong>Protection in addition to detections.<\/strong><\/td>\n<td><strong>Reference Documents<\/strong><\/td>\n<\/tr>\n<tr>\n<td>AI driven detection &amp; attack disruption<\/td>\n<td>When Defender detects credential\u2011backed WinRM lateral movement following a Quick Assist session, Automatic Attack Disruption can suspend the originating user session and contain the users prior to domain\u2011controller interaction &nbsp;\u2014 limiting lateral movement before your SOC engages. 
Look for incidents tagged \u201cAttack Disruption\u201d in your queue.<\/td>\n<td><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/automatic-attack-disruption\">https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/automatic-attack-disruption<\/a> and <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/configure-attack-disruption\">https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/configure-attack-disruption<\/a><\/td>\n<\/tr>\n<tr>\n<td>Cross-family \/ product incident correlation<\/td>\n<td>Teams\/MDO, Entra ID, and MDE signals are automatically correlated into unified incidents. This entire attack chain surfaces as one multi-stage incident \u2014 not dozens of disconnected alerts. Review \u201cMulti-stage\u201d incidents for the full story.<\/td>\n<td><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/incident-queue\">https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/incident-queue<\/a><\/td>\n<\/tr>\n<tr>\n<td>Threat analytics and continuous tuning<\/td>\n<td>Threat analytics reports for these TTPs include exposure assessments and mitigations for your environment. Detection logic is continuously updated to reflect evolving tradecraft. 
Check your Threat Analytics dashboard for reports tagged to these Storm actors.<\/td>\n<td><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/threat-analytics\">https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/threat-analytics<\/a><\/td>\n<\/tr>\n<tr>\n<td>Teams external message accept\/block controls<\/td>\n<td>When an external user initiates contact, Teams presents the recipient with a message preview and an explicit Accept or Block prompt before any conversation begins.&nbsp; Blocking prevents future messages and hides your presence status from that sender.<\/td>\n<td><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoftteams\/teams-security-best-practices-for-safer-messaging\">https:\/\/learn.microsoft.com\/en-us\/microsoftteams\/teams-security-best-practices-for-safer-messaging<\/a><\/td>\n<\/tr>\n<tr>\n<td>Security recommendations<\/td>\n<td>Following security recommendations can help improve the security posture of the org: Apply UAC restrictions to local accounts on network logons; Safe DLL Search Mode; Enable Network Protection; Disable &#8216;Allow Basic authentication&#8217; for WinRM Client\/Service.<\/td>\n<td><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-vulnerability-management\/tvm-security-recommendation\">https:\/\/learn.microsoft.com\/en-us\/defender-vulnerability-management\/tvm-security-recommendation<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-xdr-detections\">Microsoft Defender XDR detections<a id=\"_msocom_1\"><\/a><\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender provides pre-breach and post-breach coverage for this campaign, supported by the generic and specific alerts listed below.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Tactic<\/strong><\/td>\n<td><strong>Observed 
activity<\/strong><\/td>\n<td><strong>Microsoft Defender coverage<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Initial Access<\/td>\n<td>The actor&nbsp;initiates&nbsp;a cross\u2011tenant Teams chat or&nbsp;call from an often newly created&nbsp;tenant using an IT\/Help\u2011Desk persona<\/td>\n<td><strong>Microsoft Defender for Office 365<\/strong> &#8211; Microsoft Teams chat initiated by a suspicious external user &#8211; IT Support Teams Voice phishing following mail bombing activity &#8211; A user clicked through to a potentially malicious URL. &#8211; A potentially malicious URL click was detected. <strong>\u00a0<\/strong> <\/p>\n<p><strong>Microsoft Defender for Endpoint<\/strong> &#8211; Possible initial access from an emerging threat<\/td>\n<\/tr>\n<tr>\n<td>Execution&nbsp;<\/td>\n<td>The attacker gains interactive control via&nbsp;remote management tools&nbsp;to include&nbsp;Quick Assist.<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong><br \/>&#8211; Suspicious activity using Quick Assist &#8211; Uncommon remote access software &#8211; Remote monitoring and management software suspicious activity<\/p>\n<p><strong>Microsoft Defender Antivirus<\/strong><br \/>&#8211; Trojan:Win64\/DllHijack.VGA!MTB &#8211; Trojan:Win64\/DllHijack.VGB!MTB &#8211; Trojan:Win64\/Tedy!MTB\u00a0 &#8211; Trojan.Win64.Malgent\u00a0 &#8211; Trojan:Win64\/Zusy!MTB<\/td>\n<\/tr>\n<tr>\n<td>Lateral Movement<\/td>\n<td>Attacker pivots via WinRM to target high\u2011value assets (e.g., domain controllers).<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong><br \/>&#8211; Suspicious sign-in activity &#8211; Potential human-operated malicious activity &#8211; Hands-on-keyboard attack involving multiple devices<\/td>\n<\/tr>\n<tr>\n<td>Persistence<\/td>\n<td>Runtime environment validated and encoded loader state stored within user registry.<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong><br \/>&#8211; Suspicious registry modification<\/td>\n<\/tr>\n<tr>\n<td>Defense 
Evasion &amp; Privilege Escalation<\/td>\n<td>DLL Side-Loading (e.g., AcroServicesUpdater2_x64.exe, ADNotificationManager.exe,&nbsp;or DlpUserAgent.exe)<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong><br \/>&#8211; An executable file loaded an unexpected DLL file <\/p>\n<p><strong>Microsoft Defender Antivirus<\/strong><br \/>&#8211; Trojan:Win64\/DllHijack.VGA!MTB &#8211; Trojan:Win64\/DllHijack.VGB!MTB &#8211; Trojan:Win64\/Tedy!MTB\u00a0 &#8211; Trojan.Win64.Malgent\u00a0 &#8211; Trojan:Win64\/Zusy!MTB<\/td>\n<\/tr>\n<tr>\n<td>Command &amp; Control<\/td>\n<td>The implant or sideloaded host typically beacons over HTTPS<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong><br \/>&#8211; Connection to a custom network indicator &#8211; A file or network connection related to a ransomware-linked emerging threat activity group detected<\/td>\n<\/tr>\n<tr>\n<td>Data Exfiltration<\/td>\n<td>Widely available&nbsp;file\u2011synchronization&nbsp;utility Rclone to systematically transfer data<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong><br \/>&#8211; Possible data exfiltration<\/td>\n<\/tr>\n<tr>\n<td>Multi-tactic<\/td>\n<td>Many alerts span across multiple tactics or stages of an attack and cover many platforms.<\/td>\n<td><strong>Microsoft Defender (All)<\/strong> &#8211; Multi-stage incident involving Execution &#8211; Remote management event after suspected Microsoft Teams IT support phishing &#8211; An Office application ran suspicious commands<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3 class=\"wp-block-heading\" id=\"hunting-queries\">Hunting queries<\/h3>\n<p class=\"wp-block-paragraph\">Security teams can use the advanced hunting capabilities in Microsoft Defender XDR to proactively look for indicators of exploitation.<a id=\"_msocom_1\"><\/a><\/p>\n<p class=\"wp-block-paragraph\"><strong>A. 
Teams \u2192 RMM correlation<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\">\nlet _timeFrame = 30m;\n\/\/ Teams message signal\nlet _teams = MessageEvents | where Timestamp > ago(14d)\n\/\/| where SenderDisplayName contains \"add keyword\"\n\/\/ or SenderDisplayName contains \"add keyword\"\n| extend Recipient = parse_json(RecipientDetails) | mv-expand Recipient | extend VictimAccountObjectId = tostring(Recipient.RecipientObjectId), VictimRecipientDisplayName = tostring(Recipient.RecipientUserDisplayName) | project TTime = Timestamp, SenderEmailAddress, SenderDisplayName, VictimRecipientDisplayName, VictimAccountObjectId;\n\/\/ RMM launches on endpoint side\nlet _rmm = DeviceProcessEvents | where Timestamp > ago(14d) | where FileName in~ (\"QuickAssist.exe\", \"AnyDesk.exe\", \"TeamViewer.exe\") | extend VictimAccountObjectId = tostring(InitiatingProcessAccountObjectId) | project DeviceName, QTime = Timestamp, RmmTool = FileName, VictimAccountObjectId;\n_teams\n| where isnotempty(VictimAccountObjectId)\n| join kind=inner _rmm on VictimAccountObjectId\n| where isnotempty(DeviceName)\n| where QTime between ((TTime) .. (TTime +(_timeFrame)))\n| project DeviceName, SenderEmailAddress, SenderDisplayName, VictimRecipientDisplayName, VictimAccountObjectId, TTime, QTime, RmmTool\n| order by QTime desc\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>B. Execution<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\">\nDeviceProcessEvents\n| where Timestamp > ago(7d)\n| where InitiatingProcessFileName =~ \"cmd.exe\"\n| where FileName =~ \"cmd.exe\"\n| where ProcessCommandLine has_all (\"\/S \/D \/c\", \"\\\" set \/p=\\\"PK\\\"\", \"1>\")\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>C. 
ZIP \u2192 ProgramData service path \u2192 signed host sideload<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\">\nlet _timeFrame = 10m;\nlet _armOrDevice = DeviceFileEvents | where Timestamp > ago(14d) | where FolderPath has_any ( \"C:\\\\ProgramData\\\\Adobe\\\\ARM\\\\\", \"C:\\\\ProgramData\\\\Microsoft\\\\DeviceSync\\\\\", \"D:\\\\ProgramData\\\\Adobe\\\\ARM\\\\\", \"D:\\\\ProgramData\\\\Microsoft\\\\DeviceSync\\\\\") and ActionType in (\"FileCreated\",\"FileRenamed\") | project DeviceName, First=Timestamp, FileName;\nlet _hostRun = DeviceProcessEvents | where Timestamp > ago(14d) | where FileName in~ (\"AcroServicesUpdater2_x64.exe\",\"DlpUserAgent.exe\",\"ADNotificationManager.exe\") | project DeviceName, Run=Timestamp, Host=FileName;\n_armOrDevice\n| join kind=inner _hostRun on DeviceName\n| where Run between (First .. (First+(_timeFrame)))\n| summarize First=min(First), Run=min(Run), Files=make_set(FileName, 10) by DeviceName, Host\n| order by Run desc\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>D. PowerShell \u2192 high\u2011risk TLD \u2192 writes %AppData%\/Roaming EXE<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\">\nlet _timeFrame = 5m;\nlet _psNet = DeviceNetworkEvents\n| where Timestamp > ago(14d)\n| where InitiatingProcessFileName in~ (\"powershell.exe\",\"pwsh.exe\")\n| where RemoteUrl matches regex @\"(?i)\\.(top|xyz|zip|click)$\"\n| project DeviceName, NetTime=Timestamp, RemoteUrl, RemoteIP;\nlet _exeWrite = DeviceFileEvents\n| where Timestamp > ago(14d)\n| where FolderPath has @\"\\AppData\\Roaming\\\" and FileName endswith \".exe\"\n| project DeviceName, WTime=Timestamp, FileName, FolderPath, SHA256;\n_psNet\n| join kind=inner _exeWrite on DeviceName\n| where WTime between (NetTime .. 
(NetTime+(_timeFrame)))\n| project DeviceName, NetTime, RemoteUrl, RemoteIP, WTime, FileName, FolderPath, SHA256\n| order by WTime desc\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>E. Registry breadcrumbs \/ ASEP anomalies<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\">\nDeviceRegistryEvents\n| where Timestamp > ago(30d)\n| where RegistryKey has @\"\\SOFTWARE\\Classes\\Local Settings\\Software\\Microsoft\"\n| where RegistryValueName in~ (\"UCID\",\"UFID\",\"XJ01\",\"XJ02\",\"UXMP\")\n| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, PreviousRegistryValueData, InitiatingProcessFileName\n| order by Timestamp desc\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>F. Non\u2011browser process \u2192 API\u2011Gateway \u2192 internal AD protocols<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\">\nlet _timeFrame = 10m;\nlet _net1 = DeviceNetworkEvents | where Timestamp > ago(14d) | where RemoteUrl has \".execute-api.\" | where InitiatingProcessFileName !in~ (\"chrome.exe\",\"msedge.exe\",\"firefox.exe\") | project DeviceName, Proc=InitiatingProcessFileName, OutTime=Timestamp, RemoteUrl, RemoteIP;\nlet _net2 = DeviceNetworkEvents | where Timestamp > ago(14d) | where RemotePort in (135,389,445,636) | project DeviceName, Proc=InitiatingProcessFileName, InTime=Timestamp, RemoteIP, RemotePort;\n_net1\n| join kind=inner _net2 on DeviceName, Proc\n| where InTime between (OutTime .. (OutTime+(_timeFrame)))\n| project DeviceName, Proc, OutTime, RemoteUrl, InTime, RemotePort\n| order by InTime desc\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>G. 
PowerShell history deletion<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\">\nDeviceFileEvents\n| where Timestamp > ago(14d)\n| where FileName =~ \"ConsoleHost_history.txt\" and ActionType == \"FileDeleted\"\n| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath\n| order by Timestamp desc\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>H. Reconnaissance burst (cmd \/ PowerShell)<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\">\nDeviceProcessEvents\n| where Timestamp > ago(14d)\n| where FileName in~ (\"cmd.exe\",\"powershell.exe\",\"pwsh.exe\")\n| where ProcessCommandLine has_any ( \"whoami\", \"whoami \/all\", \"whoami \/groups\", \"whoami \/priv\", \"hostname\", \"systeminfo\", \"ver\", \"wmic os get\", \"reg query HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\", \"query user\", \"net user\", \"nltest\", \"ipconfig \/all\", \"arp -a\", \"route print\", \"dir\", \"icacls\"\n)\n| project Timestamp, DeviceName, FileName, InitiatingProcessFileName, ProcessCommandLine\n| summarize eventCount = count(), FileNames = make_set(FileName), InitiatingProcessFileNames = make_set(InitiatingProcessFileName), ProcessCommandLines = make_set(ProcessCommandLine, 5) by DeviceName\n| where eventCount > 2\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>I. Data Exfil<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\">\nDeviceProcessEvents\n| where Timestamp > ago(2d)\n| where FileName =~ \"rclone.exe\" or ProcessVersionInfoOriginalFileName =~ \"rclone.exe\"\n| where ProcessCommandLine has_all (\"copy \", \"--config rclone_uploader.conf\", \"--transfers 16\", \"--checkers 16\", \"--buffer-size 64M\", \"--max-age=3y\", \"--exclude *.mdf\")\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>J. 
Quick Assist\u2013anchored recon (no staging writes within 10 minutes)<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\">\nlet _reconWindow = 10m; \/\/ common within 1-5 minutes\nlet _stageWindow = 15m; \/\/ common 1-2 minutes after recon, or less\n\/\/ Anchor on RMM\nlet _rmm = DeviceProcessEvents | where Timestamp > ago(14d) | where FileName in~ (\"QuickAssist.exe\", \"AnyDesk.exe\", \"TeamViewer.exe\") | project DeviceName, RMMTime=Timestamp;\n\/\/ Recon commands within X minutes of RMM start (targeted list)\nlet _recon = DeviceProcessEvents | where Timestamp > ago(14d) | where FileName in~ (\"cmd.exe\",\"powershell.exe\",\"pwsh.exe\") | where ProcessCommandLine has_any ( \"whoami\", \"hostname\", \"systeminfo\", \"ver\", \"wmic os get\", \"reg query HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\", \"query user\", \"net user\", \"nltest\", \"ipconfig \/all\", \"arp -a\", \"route print\", \"dir\", \"icacls\" ) | project DeviceName, ReconTime=Timestamp, ReconCmd=ProcessCommandLine, ReconProc=FileName;\n\/\/ Suspect staging writes (ZIP\/EXE\/DLL)\nlet _staging = DeviceFileEvents | where Timestamp > ago(14d) | where ActionType in (\"FileCreated\",\"FileRenamed\") | where FileName matches regex @\"(?i).*\\\\.(zip|exe|dll)$\" | project DeviceName, STime=Timestamp, StageFile=FileName, StagePath=FolderPath;\n\/\/ Correlate RMM + recon, then exclude cases with staging writes in the next X minutes\nlet _rmmRecon = _rmm | join kind=inner _recon on DeviceName | where ReconTime between (RMMTime .. (RMMTime+(_reconWindow))) | project DeviceName, RMMTime, ReconTime, ReconProc, ReconCmd;\n_rmmRecon\n| join kind=leftouter _staging on DeviceName\n| extend HasStagingInWindow = iff(STime between (RMMTime .. 
(RMMTime+(_stageWindow))), 1, 0)\n| summarize HasStagingInWindow=max(HasStagingInWindow) by DeviceName, RMMTime, ReconTime, ReconProc, ReconCmd\n| where HasStagingInWindow == 0\n| project DeviceName, RMMTime, ReconTime, ReconProc, ReconCmd\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>K. Sample Correlation Query Between Chat, First Contact, and Alerts<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\">\n\/\/ Note. Please modify or tune for your specific environment.\nlet _timeFrame = 30m; \/\/ Tune: how long after the Teams event to look for matching alerts\nlet _huntingWindow = 4d; \/\/ Tune: broader lookback increases coverage but also cost\n\/\/ Seed Teams message activity and normalize the victim\/join fields you want to carry forward\nlet _teams = materialize ( MessageEvents | where Timestamp > ago(_huntingWindow) | extend Recipient = parse_json(RecipientDetails)\n\/\/ Optional tuning: add sender\/name\/content filters here first to reduce volume early\n\/\/| where SenderDisplayName contains \"add keyword\"\n\/\/ or SenderDisplayName contains \"add keyword\"\n\/\/ add other hunting terms\n| mv-expand Recipient | extend VictimAccountObjectId = tostring(Recipient.RecipientObjectId), VictimUPN = tostring(Recipient.RecipientSmtpAddress) | project TTime = Timestamp, SenderUPN = SenderEmailAddress, SenderDisplayName, VictimUPN, VictimAccountObjectId, ChatThreadId = ThreadId\n);\n\/\/ Distinct key sets used to prefilter downstream tables before joining\nlet _VictimAccountObjectId = materialize( _teams | where isnotempty(VictimAccountObjectId) | distinct VictimAccountObjectId\n);\nlet _VictimUPN = materialize( _teams | where isnotempty(VictimUPN) | distinct VictimUPN\n);\nlet _ChatThreadId = materialize( _teams | where isnotempty(ChatThreadId) | distinct ChatThreadId\n);\n\/\/ Find first-seen chat creation events for the chat threads already present in _teams\n\/\/ Tune: add more CloudAppEvents filters 
here if you want to narrow to external \/ one-on-one \/ specific chat types\nlet _firstContact = materialize( CloudAppEvents | where Timestamp > ago(_huntingWindow) | where Application has \"Teams\" | where ActionType == \"ChatCreated\" | extend Raw = todynamic(RawEventData) | extend ChatThreadId = tostring(Raw.ChatThreadId) | where isnotempty(ChatThreadId) | join kind=innerunique (_ChatThreadId) on ChatThreadId | summarize FCTime = min(Timestamp) by ChatThreadId\n);\n\/\/ Alert branch 1: match by victim object ID\n\/\/ Usually the cleanest identity join if the field is populated consistently\nlet _alerts_by_oid = materialize( AlertEvidence | where Timestamp > ago(_huntingWindow) | where AccountObjectId in (_VictimAccountObjectId) | project ATime = Timestamp, AlertId, Title, AccountName, AccountObjectId, AccountUpn = \"\", SourceId = \"\", ChatThreadId = \"\"\n);\n\/\/ Alert branch 2: match by victim UPN\n\/\/ Useful when ObjectId is missing or alert evidence is only populated with UPN\nlet _alerts_by_upn = materialize( AlertEvidence | where Timestamp > ago(_huntingWindow) | where AccountUpn in (_VictimUPN) | project ATime = Timestamp, AlertId, Title, AccountName, AccountObjectId, AccountUpn, SourceId = \"\", ChatThreadId = \"\"\n);\n\/\/ Alert branch 3: match by chat thread ID\n\/\/ Tune: this is typically the most expensive branch because it inspects AdditionalFields\nlet _alerts_by_thread = materialize( AlertEvidence | where Timestamp > ago(_huntingWindow) | where AdditionalFields has_any (_ChatThreadId) | extend AdditionalFields = todynamic(AdditionalFields) | extend SourceId = tostring(AdditionalFields.SourceId), ChatThreadIdRaw = tostring(AdditionalFields.ChatThreadId) | extend ChatThreadId = coalesce( ChatThreadIdRaw, extract(@\"\/(?:chats|channels|conversations|spaces)\/([^\/]+)\/\", 1, SourceId) ) | where isnotempty(ChatThreadId) | join kind=innerunique (_ChatThreadId) on ChatThreadId | project ATime = Timestamp, AlertId, Title, AccountName, 
AccountObjectId, AccountUpn = \"\", SourceId, ChatThreadId\n);\n\/\/\n\/\/ add branch 4 to correlate with host events\n\/\/\n\/\/ Add first-contact context back onto the Teams seed set\nlet _teams_fc = materialize( _teams | join kind=leftouter _firstContact on ChatThreadId | extend FirstContact = isnotnull(FCTime)\n);\n\/\/ Join path 1: Teams victim object ID -> alert AccountObjectId\nlet _matches_oid = _teams_fc | where isnotempty(VictimAccountObjectId) | join hint.strategy=broadcast kind=leftouter ( _alerts_by_oid ) on $left.VictimAccountObjectId == $right.AccountObjectId\n\/\/ Time bound keeps only alerts near the Teams activity; widen\/narrow _timeFrame to tune sensitivity\n| where isnull(ATime) or ATime between (TTime .. TTime + _timeFrame) | extend MatchType = \"ObjectId\";\n\/\/ Join path 2: Teams victim UPN -> alert AccountUpn\nlet _matches_upn = _teams_fc | where isnotempty(VictimUPN) | join hint.strategy=broadcast kind=leftouter ( _alerts_by_upn ) on $left.VictimUPN == $right.AccountUpn | where isnull(ATime) or ATime between (TTime .. TTime + _timeFrame) | extend MatchType = \"VictimUPN\";\n\/\/ Join path 3: Teams chat thread -> alert chat thread\nlet _matches_thread = _teams_fc | where isnotempty(ChatThreadId) | join hint.strategy=broadcast kind=leftouter ( _alerts_by_thread ) on ChatThreadId | where isnull(ATime) or ATime between (TTime .. 
TTime + _timeFrame) | extend MatchType = \"ChatThreadId\";\n\/\/\n\/\/ add branch 4 for host events\n\/\/\n\/\/ Merge all match paths and collapse multiple alert hits per Teams event into one row\nunion _matches_oid, _matches_upn, _matches_thread\n| summarize AlertTitles = make_set(Title, 50), AlertIds = make_set(AlertId, 50), MatchTypes = make_set(MatchType, 10), FirstAlertTime = min(ATime) by TTime, SenderUPN, SenderDisplayName, VictimUPN, VictimAccountObjectId, ChatThreadId,\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\">Protecting your organization from collaboration\u2011based impersonation attacks: As demonstrated throughout this intrusion chain, cross\u2011tenant helpdesk impersonation campaigns rely less on platform exploitation and more on persuading users to initiate trusted remote access workflows within legitimate enterprise collaboration tools such as Microsoft Teams. <\/p>\n<p class=\"wp-block-paragraph\">Organizations should treat any unsolicited external support contact as inherently suspicious and implement layered defenses that limit credential\u2011backed remote sessions, enforce Conditional Access with MFA and compliant device requirements, and restrict the use of administrative protocols such as WinRM to authorized management workstations. At the endpoint and identity layers, enabling Attack Surface Reduction (ASR) rules, Zero\u2011hour Auto Purge (ZAP), Safe Links for Teams messages, and network protection can reduce opportunities for sideloaded execution and outbound command\u2011and\u2011control activity that blend into routine HTTPS traffic. 
<\/p>\n<p class=\"wp-block-paragraph\">Finally, organizations should reinforce user education\u2014such as establishing internal helpdesk authentication phrases and training employees to verify external tenant indicators\u2014to prevent adversaries from converting legitimate collaboration workflows into attacker\u2011guided remote access and staged data exfiltration pathways.<\/p>\n<h2 class=\"wp-block-heading\" id=\"references\">References<\/h2>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/techcommunity.microsoft.com\/blog\/MicrosoftDefenderforOffice365Blog\/protection-against-email-bombs-with-microsoft-defender-for-office-365\/4418048\" target=\"_blank\" rel=\"noreferrer noopener\">Protection Against Email Bombs with Microsoft Defender for Office 365 | Microsoft Community Hub<\/a><\/li>\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/techcommunity.microsoft.com\/blog\/microsoftdefenderforoffice365blog\/protection-against-multi-modal-attacks-with-microsoft-defender\/4438786\" target=\"_blank\" rel=\"noreferrer noopener\">Protection against multi-modal attacks with Microsoft Defender | Microsoft Community Hub<\/a><\/li>\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/03\/16\/help-on-the-line-how-a-microsoft-teams-support-call-led-to-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">Help on the line: How a Microsoft Teams support call led to compromise | Microsoft Security Blog<\/a><\/li>\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/10\/07\/disrupting-threats-targeting-microsoft-teams\/\" target=\"_blank\" rel=\"noreferrer noopener\">Disrupting threats targeting Microsoft Teams | Microsoft Security Blog<\/a><\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\"><em>This research is provided by Microsoft Defender Security Research with contributions from\u202fJesse Birch, Sagar Patil, Balaji Venkatesh S (DEX), 
Eric Hopper, Charu Puhazholi<\/em>,\u00a0<em>and other members of Microsoft Threat Intelligence.<\/em><\/p>\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn More<\/h2>\n<p class=\"wp-block-paragraph\">Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Learn more about <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-cloud-apps\/ai-agent-protection\" target=\"_blank\" rel=\"noreferrer noopener\">securing Copilot Studio agents with Microsoft Defender<\/a><a id=\"_msocom_1\"><\/a><\/li>\n<li class=\"wp-block-list-item\">Evaluate your AI readiness with our latest\u00a0<a href=\"https:\/\/microsoft.github.io\/zerotrustassessment\/\" target=\"_blank\" rel=\"noreferrer noopener\">Zero Trust for AI workshop<\/a>.<\/li>\n<li class=\"wp-block-list-item\">Learn more about <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-cloud-apps\/real-time-agent-protection-during-runtime\" target=\"_blank\" rel=\"noreferrer noopener\">Protect your agents in real-time during runtime (Preview)<\/a><\/li>\n<li class=\"wp-block-list-item\">Explore <a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365-copilot\/extensibility\/copilot-studio-agent-builder\" target=\"_blank\" rel=\"noreferrer noopener\">how to build and customize agents with Copilot Studio Agent Builder<\/a>\u00a0<\/li>\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/copilot\/microsoft-365\/microsoft-365-copilot-ai-security\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft 365 Copilot AI security documentation<\/a>\u00a0<\/li>\n<li class=\"wp-block-list-item\"><a 
href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/04\/11\/how-microsoft-discovers-and-mitigates-evolving-attacks-against-ai-guardrails\/\" target=\"_blank\" rel=\"noreferrer noopener\">How Microsoft discovers and mitigates evolving attacks against AI guardrails<\/a>\u00a0<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">\n<p>The post <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/04\/18\/crosstenant-helpdesk-impersonation-data-exfiltration-human-operated-intrusion-playbook\/\">Cross\u2011tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n<p> READ MORE <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/04\/18\/crosstenant-helpdesk-impersonation-data-exfiltration-human-operated-intrusion-playbook\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Threat actors are abusing external Microsoft Teams collaboration to impersonate IT helpdesk staff and convince users to grant remote access. Once inside, attackers can abuse legitimate tools and standard admin protocols to move laterally and exfiltrate data while appearing as routine IT support\u2014activity Microsoft Defender helps detect across Teams, endpoint, and identity telemetry.<br \/>\nThe post Cross\u2011tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook appeared first on Microsoft Security Blog. 
READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[],"class_list":["post-60502","post","type-post","status-publish","format-standard","hentry","category-microsoft-secure"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Cross\u2011tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/cross\u2011tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cross\u2011tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/cross\u2011tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-18T12:55:45+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"432\" \/>\n\t<meta property=\"og:image:height\" content=\"435\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"24 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Cross\u2011tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook\",\"datePublished\":\"2026-04-18T12:55:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\\\/\"},\"wordCount\":3515,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/image-38.webp\",\"articleSection\":[\"Microsoft Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\\\/\",\"name\":\"Cross\u2011tenant helpdesk impersonation to data exfiltration: A human-operated 
intrusion playbook 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/image-38.webp\",\"datePublished\":\"2026-04-18T12:55:45+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/image-38.webp\",\"contentUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/image-38.webp\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\\\/#breadcr
umb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cross\u2011tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Cross\u2011tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/cross\u2011tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\/","og_locale":"en_US","og_type":"article","og_title":"Cross\u2011tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/cross\u2011tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2026-04-18T12:55:45+00:00","og_image":[{"width":432,"height":435,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"24 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Cross\u2011tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook","datePublished":"2026-04-18T12:55:45+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\/"},"wordCount":3515,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-38.webp","articleSection":["Microsoft Secure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\/","url":"https:\/\/www.threatshub.org\/blog\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\/","name":"Cross\u2011tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-38.webp","datePublished":"2026-04-18T12:55:45+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-38.webp","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-38.webp"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/cross%e2%80%91tenant-helpdesk-impersonation-to-data-exfiltration-a-human-operated-intrusion-playbook\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Cross\u2011tenant helpdesk impersonation to data exfiltration: A human-operated intrusion 
playbook"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a86
71ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60502"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60502\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}