A0Backdoor abuses Quick Assist

- ReliaQuest said a March 2025 intrusion chain used Microsoft Teams helpdesk impersonation and Quick Assist to land a newly identified PowerShell backdoor on victims.
- The standout twist was stealth after access: TypeLib COM hijacking for persistence, plus delayed execution and covert traffic that made early containment harder.
- It matters because this is the same trusted-tools playbook Microsoft and Rapid7 say is spreading fast across enterprise Teams environments.

Windows Quick Assist is supposed to be the safe, built-in way for IT to help a user. That is exactly why attackers keep reaching for it. The new wrinkle here is what happened after the victim clicked yes: ReliaQuest says a March 2025 campaign used fake IT support over Microsoft Teams to get remote access, then dropped a previously unseen PowerShell backdoor and a new persistence trick that hides in ordinary Windows plumbing. (reliaquest.com)

### What actually got abused?

Quick Assist is a legitimate remote-support tool built into Windows. A user shares their screen and can then hand full control to the helper. Microsoft has been warning since May 2024 that financially motivated crews were abusing it in social-engineering attacks that led to malware, remote-management tools, and in some cases ransomware. The point is simple: the attacker does not need an exploit if the victim grants access themselves. (microsoft.com)

### How did this campaign start?

ReliaQuest says the attacker came in through Microsoft Teams, posing as "Technical Support" from a fraudulent Microsoft 365 tenant. That fits a broader pattern Microsoft and Rapid7 both described this spring: external Teams chats or calls that look like internal IT outreach, followed by a request to launch Quick Assist. Once the user accepts, the attacker has an interactive foothold on a real corporate machine. (reliaquest.com)

### Why is Teams such a good lure?

Because it feels normal. Email still triggers suspicion. A Teams message from "IT Support" feels like routine work, especially during a noisy day, an outage, or a flood of alerts. Rapid7's blunt comparison is useful here: letting any external Teams user message staff is a lot like running email without a gateway filter. The attacker is borrowing trust from the collaboration tool itself. (rapid7.com)

### What was new after the initial access?

ReliaQuest's interesting find was not just the lure but the follow-on tradecraft. The company says the intrusion moved beyond the older Storm-1811 pattern and introduced two fresh pieces: a previously unreported TypeLib COM hijacking method for persistence and a new PowerShell backdoor. That suggests either the crew evolved its toolkit or the activity splintered from earlier Black Basta-linked playbooks into something more customized. (reliaquest.com)

### What is TypeLib hijacking in plain English?

It is registry tampering that tricks Windows into loading the attacker's code when a legitimate component asks for a COM type library. Think of it like changing the forwarding address in a building directory: the app thinks it is calling a trusted object, but Windows quietly redirects the request to the malicious payload. Because the trigger is an ordinary COM lookup rather than a Run key or scheduled task, there is no obvious startup item for a defender to spot. (reliaquest.com)

### Why is this harder to catch?

Because almost every step rides on trusted software and normal admin behavior. Microsoft's April 18 intrusion write-up described the same broad playbook: Quick Assist or similar remote help, then signed tools, native protocols like WinRM, lateral movement, and data staging that can look like routine support work. Defenders are not hunting one loud exploit chain here. They are trying to separate fake helpdesk activity from real helpdesk activity. (microsoft.com)

### What should defenders change first?

Start with Teams, not malware signatures. Restrict which external domains can message employees, disable outside conversation starts where possible, and tighten spoof protections. Microsoft also says organizations should consider blocking or uninstalling Quick Assist if they do not truly need it. (microsoft.com) Then correlate telemetry across tools, because viewed in isolation the Teams chat, the remote session, and the later backdoor all look unrelated. (rapid7.com)

### Bottom line

This story is not really about one backdoor. It is about how enterprise trust gets turned inside out. If a fake helpdesk call can open the door, the most dangerous malware is the kind that arrives looking like support.
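A practical follow-up to the TypeLib hijacking section above is a registry hunt. The script below is an added example written for this article; it is not ReliaQuest's, Microsoft's or Rapid7's tooling and does not reproduce the specific indicators from the campaign. It relies only on the documented COM layout (the `(Default)` value under `HKCR\TypeLib\{LIBID}\<version>\0\win32` or `\win64` names the file that `LoadTypeLib` will load) and on the widely documented abuse pattern of replacing that value with a `script:` moniker so that `scrobj.dll` executes a scriptlet when the library is resolved. The function names, the "suspicious" heuristics and the Sysmon event ID 13 filter are this example's own choices.

```powershell
# Added example: hunt for hijacked TypeLib registrations (persistence via COM type
# library redirection). Not vendor code; heuristics and names are this example's own.
# Documented layout being inspected:
#   HKCR\TypeLib\{LIBID}\<major.minor>\0\win32   (Default) = path to .tlb/.dll/.exe/.ocx
#   HKCR\TypeLib\{LIBID}\<major.minor>\0\win64   (Default) = optional 64-bit path
# A hijack rewrites that default value; a known abuse pattern is a "script:" moniker
# pointing at a scriptlet (.sct), which scrobj.dll runs when the type library loads.

function Test-TypeLibPath {
    param([Parameter(Mandatory)][string]$Value)

    # A type library path should never be a moniker of any kind.
    if ($Value -match '^\s*(script|file|https?|ftp):') {
        return "moniker '$($Matches[1]):' used as TypeLib path"
    }

    # Drop a trailing resource id ("...\foo.dll\1") and expand %SystemRoot%-style strings.
    $path = [Environment]::ExpandEnvironmentVariables(($Value.Trim('"') -replace '\\\d+$', ''))

    if ($path -match '\.(sct|js|vbs|wsf|hta|ps1|xml)$') {
        return "script-like file extension"
    }
    if (-not (Test-Path -LiteralPath $path)) {
        return "target does not exist: $path"   # often a stale uninstall, but list it
    }
    if ($path -match '(?i)^[A-Z]:\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\') {
        return "type library in a user-writable location"
    }
    return $null
}

function Find-SuspiciousTypeLib {
    [CmdletBinding()]
    param(
        # HKCR is a merged view of these two; check both so a per-user override is not missed.
        [string[]]$Hives = @('HKLM:\SOFTWARE\Classes\TypeLib', 'HKCU:\SOFTWARE\Classes\TypeLib')
    )
    foreach ($hive in $Hives) {
        if (-not (Test-Path $hive)) { continue }
        foreach ($lib in Get-ChildItem -Path $hive -ErrorAction SilentlyContinue) {
            foreach ($ver in Get-ChildItem -Path $lib.PSPath -ErrorAction SilentlyContinue) {
                foreach ($arch in 'win32', 'win64') {
                    $key = Join-Path $ver.PSPath "0\$arch"
                    if (-not (Test-Path $key)) { continue }
                    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
                    if ([string]::IsNullOrWhiteSpace($value)) { continue }
                    $reason = Test-TypeLibPath -Value $value
                    if ($reason) {
                        [pscustomobject]@{
                            Hive    = $hive
                            LibId   = $lib.PSChildName
                            Version = $ver.PSChildName
                            Arch    = $arch
                            Value   = $value
                            Reason  = $reason
                        }
                    }
                }
            }
        }
    }
}

# Where Sysmon is deployed, the write itself is also visible: Event ID 13 (registry
# value set) with a TargetObject under ...\TypeLib\...\win32 or \win64.
function Get-TypeLibRegistryWrites {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 13
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'TargetObject:.*\\TypeLib\\.*\\win(32|64)' } |
        Select-Object TimeCreated, Message
}

Find-SuspiciousTypeLib | Sort-Object Reason | Format-Table -AutoSize
```

Run it in an elevated session so HKLM keys that deny non-admin reads are not silently skipped. Expect noise: "target does not exist" entries are usually leftovers from uninstalled software, so triage the moniker and script-extension findings first, and treat any `script:` value under a TypeLib key as an incident until proven otherwise. Baseline a clean build once and diff against it rather than reading the raw list every time.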
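The "What should defenders change first?" section above lists the controls; the script below turns them into commands. It is an added example for this article, not a Microsoft or Rapid7 script. Part 1 assumes the MicrosoftTeams PowerShell module and Teams administrator rights, and the domain names in the allow-list are placeholders. Part 2 assumes a local elevated session and covers both packaging forms Quick Assist has shipped in (a Windows capability on older builds, a Store app on newer ones). Verify the federation parameter names against `Get-Help Set-CsTenantFederationConfiguration` for the module version you run.

```powershell
# Added example: close the two entry points the article names. Not vendor code.
# Assumes: MicrosoftTeams module + Teams admin role (part 1), elevated local session (part 2).

# --- 1. Teams external access: from "anyone can message us" to an explicit allow-list ---
Connect-MicrosoftTeams

# Record the current state first so the change is reviewable and reversible.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer,
                  AllowTeamsConsumerInbound, ExternalAccessWithTrialTenants |
    Format-List

$trustedDomains = @('partner-a.example', 'msp-helpdesk.example')   # placeholder allow-list

$federation = @{
    AllowFederatedUsers            = $true
    AllowedDomainsAsAList          = $trustedDomains   # only these tenants may chat or call in
    AllowTeamsConsumer             = $false            # no personal (consumer) Teams accounts
    AllowTeamsConsumerInbound      = $false
    ExternalAccessWithTrialTenants = 'Blocked'         # throwaway trial tenants are cheap lures
}
Set-CsTenantFederationConfiguration @federation

# --- 2. Quick Assist: remove it where IT does not actually use it ---
# Older builds ship it as a Windows capability.
Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' } |
    ForEach-Object { Remove-WindowsCapability -Online -Name $_.Name }

# Newer builds ship it as a Store app; remove the installed and the provisioned copy
# so it does not return for the next user profile created on the machine.
Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' |
    Remove-AppxPackage -AllUsers
Get-AppxProvisionedPackage -Online |
    Where-Object DisplayName -eq 'MicrosoftCorporationII.QuickAssist' |
    Remove-AppxProvisionedPackage -Online
```

Where the helpdesk genuinely uses Quick Assist, keep it but make its use accountable: log process creation (Security 4688 or Sysmon event ID 1) for `quickassist.exe`, and pair every session with a helpdesk ticket. A session with no ticket, or one that is followed within minutes by PowerShell or registry changes under `TypeLib`, is the sequence worth chasing. Blocking trial tenants narrows the lure pool but does not close it; a paid attacker tenant still reaches you unless it is absent from the allow-list, which is why the allow-list, not the trial-tenant switch, is the control that matters.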
