CSIRT-CAN – Centro de Respuesta a Incidentes de Seguridad de Canarias

Microsoft Teams Suffers a Surge in Social Engineering Campaign


A social engineering campaign abusing Microsoft Teams and Windows Quick Assist is in full swing.

BlueVoyant warns that attackers are deploying a newly identified malware family, called A0Backdoor, after convincing employees to grant them remote access.

This activity overlaps with tactics previously linked to Blitz Brigantine, also identified as Storm-1811, a financial cluster that Microsoft has linked to the Black Basta ransomware operations.

According to BlueVoyant, the attacks typically begin with an email bombardment, in which the target receives a large number of spam messages and is then contacted by someone impersonating internal technical support via Microsoft Teams.

The attacker offers help to troubleshoot the email issue and convinces the employee to launch Quick Assist, a legitimate Microsoft remote support tool that allows screen sharing and device control.

BlueVoyant discovered that installers placed files in user AppData paths that mimicked legitimate Microsoft software locations and then used DLL installation to execute malicious code.

The campaign is significant because it shows that the same playbook defenders have followed since 2014 still works, but with updated tools and more covert command and control.

For defenders, the lesson is clear: treat Microsoft Teams as an initial access channel, not just a collaboration application.

Organizations should restrict or remove Quick Assist where it is not needed, monitor unsolicited external Teams chats, and investigate signed MSI installers or Microsoft binaries that appear in unusual, user-writable directories.
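One way to turn the last two recommendations into detection logic, as an added example that is not from the article or from BlueVoyant: it runs over constructed process-creation events, flags executions from user-writable AppData paths that mimic Microsoft locations or install MSIs, and raises severity when Quick Assist was launched on the same host shortly before. The event layout, sample paths, time window and allowlist are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (hypothetical, not real telemetry):
# (host, timestamp, image path, command line)
EVENTS = [
    ("ws01", "2024-05-01T09:05:00", r"C:\Windows\System32\quickassist.exe", "quickassist.exe"),
    ("ws01", "2024-05-01T09:12:00", r"C:\Windows\System32\msiexec.exe",
     r'msiexec.exe /i "C:\Users\alice\AppData\Local\Microsoft\Windows Security\update.msi" /qn'),
    ("ws01", "2024-05-01T09:13:00", r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\helper.exe", "helper.exe"),
    ("ws02", "2024-05-01T10:00:00", r"C:\Users\bob\AppData\Local\Microsoft\Teams\current\Teams.exe", "Teams.exe"),
    ("ws03", "2024-05-01T11:00:00", r"C:\Windows\System32\msiexec.exe", r'msiexec.exe /i "C:\Users\carol\Downloads\tool.msi"'),
    ("ws04", "2024-05-01T12:00:00", r"C:\Users\dan\AppData\Local\Microsoft\Windows\setup.exe", "setup.exe"),
]

# User-writable AppData locations, and the subset that imitates a Microsoft path.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local|Roaming)\\", re.I)
MIMIC = re.compile(r"\\AppData\\(?:Local|Roaming)\\Microsoft\\", re.I)
# Example allowlist: some Microsoft software legitimately lives under AppData (assumption; tune per estate).
ALLOWLIST = ("\\AppData\\Local\\Microsoft\\Teams\\", "\\AppData\\Local\\Microsoft\\OneDrive\\")


def appdata_targets(image, cmdline):
    """Return the image path plus any quoted command-line path that sits under AppData."""
    candidates = [image, *re.findall(r'"([^"]+)"', cmdline)]
    return [p for p in candidates if USER_WRITABLE.search(p)]


def is_allowlisted(path):
    return any(a.lower() in path.lower() for a in ALLOWLIST)


def find_suspicious(events, window=timedelta(minutes=30)):
    """Flag MSI installs or Microsoft-lookalike binaries run from AppData.

    Severity is 'high' when Quick Assist started on the same host within `window`
    beforehand (the remote-access step of the campaign), otherwise 'medium'."""
    qa_launches = {}  # host -> Quick Assist launch times
    for host, ts, image, _ in events:
        if image.lower().endswith("\\quickassist.exe"):
            qa_launches.setdefault(host, []).append(datetime.fromisoformat(ts))
    findings = []
    for host, ts, image, cmdline in events:
        t = datetime.fromisoformat(ts)
        for path in appdata_targets(image, cmdline):
            if is_allowlisted(path) or not (MIMIC.search(path) or path.lower().endswith(".msi")):
                continue
            recent_qa = any(timedelta(0) <= t - q <= window for q in qa_launches.get(host, []))
            findings.append((host, path, "high" if recent_qa else "medium"))
    return findings
```

The allowlist is deliberately narrow: a finding from a user-writable path should be confirmed by checking the binary's signature and its expected install location, not dismissed because the path contains "Microsoft".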