According to Microsoft Incident Response's eighth Cyberattack Series report, the Detection and Response Team (DART) investigated an identity-first, human-operated intrusion that relied on deception and legitimate tools rather than software exploits. After a customer reached out for assistance in November 2025, DART uncovered a campaign built on Microsoft Teams voice phishing (vishing), in which a threat actor impersonated IT support and targeted multiple employees.
Following two failed attempts, the threat actor ultimately convinced a third user to grant remote access through Quick Assist, enabling the initial compromise of a corporate device. Once remote interactive access was established, the attacker steered the user to a malicious website under the attacker's control, where the user was prompted to enter credentials into a spoofed web form and the download of multiple payloads was triggered, including a disguised MSI package that sideloaded a DLL to establish outbound command-and-control.
The campaign expanded over time with encrypted loaders and proxy-based connectivity, enabling credential harvesting and session hijacking while blending in with normal enterprise activity. The post highlights how defenders must detect and disrupt collaboration-based social engineering before it escalates.