Cross-tenant helpdesk impersonation is described as a multi-stage intrusion in which threat actors begin by leveraging cross-tenant Microsoft Teams communications, impersonating IT or helpdesk staff to socially engineer users into granting remote access. With consent secured, attackers gain a foothold through remote support tools such as Quick Assist, then perform interactive reconnaissance to confirm their privileges and map the environment.
The campaign proceeds through payload placement and trusted-application invocation, including DLL sideloading and the use of native administrative protocols to pivot, with WinRM-based lateral movement targeting domain controllers and other high-value assets. Data exfiltration is carried out with the file-synchronisation tool Rclone, which transfers business-relevant documents to external cloud storage while the attackers attempt to blend their activity into normal enterprise operations.
Defences are outlined to reduce risk, such as enforcing MFA, restricting remote management tooling to authorised roles, and enabling Defender ASR rules, ZAP, Safe Links, and network protection. This analysis, from the Microsoft Defender Security Research Team, highlights how attackers rely on legitimate tools and collaboration workflows to extend access and exfiltrate data.
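Because every stage of the chain above uses a legitimate tool, each event on its own (a Quick Assist session, a process spawned by the WinRM host, an Rclone run) is weak evidence; the detection value comes from correlating them on the same host or user within a short window. The following is an added example, not code from the Microsoft write-up or from any Defender product: it tags constructed process-creation events with per-stage rules and raises an alert only when a Quick Assist session is followed, within a correlation window, by WinRM remote execution or an Rclone transfer to a cloud remote. The log schema, the sample events and the two-hour window are assumptions; the executable names quickassist.exe, wsmprovhost.exe and rclone.exe are the real binaries for Quick Assist, the WinRM host process and Rclone.

```python
"""Correlate the helpdesk-impersonation chain over process-creation events.

Added example, not the Microsoft write-up's code. The event tuples below are
constructed: (timestamp, host, user, process, parent process, command line).
"""
from datetime import datetime, timedelta
import re

WINDOW = timedelta(hours=2)  # assumed correlation window; tune per environment

# Constructed sample telemetry: alice's session is the intrusion pattern,
# bob's rclone use has no cloud remote, carol's Quick Assist session is benign.
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", "WS01", "alice", "teams.exe", "explorer.exe", "teams.exe"),
    ("2024-01-01T09:05:00", "WS01", "alice", "quickassist.exe", "explorer.exe", "quickassist.exe"),
    ("2024-01-01T09:20:00", "WS01", "alice", "whoami.exe", "cmd.exe", "whoami /priv"),
    ("2024-01-01T09:40:00", "DC01", "alice", "powershell.exe", "wsmprovhost.exe", "powershell -nop -c ..."),
    ("2024-01-01T10:10:00", "WS01", "alice", "rclone.exe", "cmd.exe", "rclone copy C:\\Finance remote:backup"),
    ("2024-01-01T11:00:00", "WS02", "bob", "rclone.exe", "cmd.exe", "rclone ls C:\\tmp"),
    ("2024-01-02T09:00:00", "WS03", "carol", "quickassist.exe", "explorer.exe", "quickassist.exe"),
]

# Rclone remote spec "name:path": two or more name characters before the colon,
# so a Windows drive letter such as C:\ is not mistaken for a remote.
RCLONE_REMOTE = re.compile(r"(?<![\w\\])[A-Za-z][\w-]+:(?!\\)")
RCLONE_TRANSFER_VERB = re.compile(r"\b(copy|sync|move|copyto)\b")


def parse_event(row):
    """Turn one constructed tuple into a dict with a real datetime."""
    ts, host, user, process, parent, cmdline = row
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "process": process.lower(), "parent": parent.lower(), "cmdline": cmdline}


def classify(ev):
    """Per-event stage rule; returns the rule name or None for unremarkable events."""
    if ev["process"] == "quickassist.exe":
        return "remote_support_session"
    if ev["parent"] == "wsmprovhost.exe":          # child of the WinRM host process
        return "winrm_remote_exec"
    if (ev["process"] == "rclone.exe"
            and RCLONE_TRANSFER_VERB.search(ev["cmdline"])
            and RCLONE_REMOTE.search(ev["cmdline"])):
        return "rclone_cloud_transfer"
    return None


def correlate(rows):
    """Alert when a Quick Assist session is followed within WINDOW, on the same
    host or by the same user, by WinRM remote execution or an Rclone transfer."""
    events = sorted((parse_event(r) for r in rows), key=lambda e: e["ts"])
    tagged = [(classify(e), e) for e in events]
    alerts = []
    for rule, start in tagged:
        if rule != "remote_support_session":
            continue
        follow_on = []
        for later_rule, later in tagged:
            if (later_rule in ("winrm_remote_exec", "rclone_cloud_transfer")
                    and start["ts"] < later["ts"] <= start["ts"] + WINDOW
                    and (later["host"] == start["host"] or later["user"] == start["user"])):
                follow_on.append({"rule": later_rule, "host": later["host"],
                                  "ts": later["ts"].isoformat()})
        if follow_on:  # a lone Quick Assist session is not alerted on
            alerts.append({"user": start["user"], "host": start["host"],
                           "quick_assist_at": start["ts"].isoformat(),
                           "follow_on": follow_on})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only alice's session is raised, with both the WinRM execution on DC01 (matched by user) and the Rclone transfer on WS01 (matched by host) attached as follow-on stages; bob's `rclone ls` and carol's unaccompanied Quick Assist session stay silent. In production the same logic would run over Sysmon event ID 1 or Defender `DeviceProcessEvents` rather than the constructed tuples, and the Quick Assist rule would be tightened to users outside the authorised helpdesk roles.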