The Initial Flood and the Fake Call
Attackers are initiating intrusions by sending thousands of spam emails to a single employee, a tactic known as email bombing. The deluge overwhelms the target and creates confusion and a sense of urgency. Immediately afterwards, a contact impersonating internal IT support messages the victim through Microsoft Teams. These accounts, created with realistic names like michaelturner@ and professional display names such as Windows Security Help Desk, appear official. The combination of panic and a seemingly helpful colleague reaching out over a trusted platform makes for a highly effective trap.
Gaining Access and Exfiltrating Data
Once the victim accepts help, the attacker asks them to install a remote access tool such as Quick Assist or AnyDesk, which grants full control of the computer. In several cases, once inside, the attackers used legitimate software to steal data: they downloaded portable versions of WinSCP, a standard file transfer tool, to quietly move files off the compromised device. In another incident they delivered a malicious ZIP file named Email-Deployment-Process-System.zip through Quick Assist; it contained a Java binary used to execute code and steal information. Because the tools are legitimate and the names look routine, the threat actors bypass many standard security controls.
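The two sections above describe one chain: a mailbox flood, an unsolicited "help desk" contact over Teams, then a remote-access tool followed by a portable file-transfer tool on the victim's machine. The detection logic below is an added example written for this page, not code from the article or from any vendor; it correlates those three stages per user over constructed sample telemetry. The event schema, the keyword and tool lists, the thresholds (50 messages in 10 minutes, a two-hour grace period) and every name, path and timestamp in the sample data are assumptions chosen for the illustration.

```python
"""Added detection example (not from the article): correlate the three
stages described above per user, using constructed sample events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Keyword, tool and path lists are assumptions chosen for this illustration.
HELPDESK_WORDS = ("help desk", "helpdesk", "it support", "security", "service desk")
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}
TRANSFER_TOOLS = {"winscp.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def email_bomb_victims(events, threshold=50, window=timedelta(minutes=10)):
    """Return {recipient: time the count first reached `threshold` inside a
    sliding `window`} for mailboxes that look email-bombed."""
    per_rcpt = defaultdict(list)
    for e in events:
        if e["type"] == "mail":
            per_rcpt[e["recipient"]].append(_ts(e))
    hits = {}
    for rcpt, times in per_rcpt.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # drop messages older than the window
                start += 1
            if end - start + 1 >= threshold:
                hits[rcpt] = t
                break
    return hits


def suspicious_helpdesk_contacts(events, bomb_hits, grace=timedelta(hours=2)):
    """External Teams senders whose display name reads like a help desk and who
    message a user within `grace` of that user's mailbox being flooded."""
    out = []
    for e in events:
        if e["type"] != "teams_msg" or not e["external"]:
            continue
        if not any(w in e["sender_display"].lower() for w in HELPDESK_WORDS):
            continue
        flooded_at = bomb_hits.get(e["recipient"])
        if flooded_at and flooded_at <= _ts(e) <= flooded_at + grace:
            out.append((e["recipient"], e["sender_display"], e["ts"]))
    return out


def remote_then_transfer(events):
    """(host, user) pairs where a remote-access tool ran and a file-transfer
    tool was later started from a user-writable path, i.e. a portable copy."""
    first_remote, findings = {}, []
    for e in sorted((e for e in events if e["type"] == "process"), key=_ts):
        image = e["image"].lower()
        exe = image.rsplit("\\", 1)[-1]
        key = (e["host"], e["user"])
        if exe in REMOTE_TOOLS:
            first_remote.setdefault(key, e["ts"])
        elif exe in TRANSFER_TOOLS and key in first_remote \
                and any(p in image for p in USER_WRITABLE):
            findings.append({"host": e["host"], "user": e["user"],
                             "remote_at": first_remote[key], "image": e["image"]})
    return findings


def correlate(events):
    """Map each user to the sorted list of chain stages observed for them."""
    bombs = email_bomb_victims(events)
    report = defaultdict(set)
    for user in bombs:
        report[user].add("email_bomb")
    for user, _, _ in suspicious_helpdesk_contacts(events, bombs):
        report[user].add("fake_helpdesk_contact")
    for f in remote_then_transfer(events):
        report[f["user"]].add("remote_tool_then_portable_transfer")
    return {u: sorted(s) for u, s in report.items()}


def build_sample_events():
    """Constructed sample telemetry; names, paths and times are placeholders."""
    base = datetime(2025, 1, 15, 9, 0, 0)
    ev = []
    for i in range(80):   # 80 messages to alice in eight minutes
        ev.append({"type": "mail", "ts": (base + timedelta(seconds=6 * i)).isoformat(),
                   "recipient": "alice@example.com", "sender": f"list{i}@newsletter.example"})
    for i in range(5):    # bob's mailbox sees normal volume
        ev.append({"type": "mail", "ts": (base + timedelta(minutes=3 * i)).isoformat(),
                   "recipient": "bob@example.com", "sender": "team@example.com"})
    ev += [
        {"type": "teams_msg", "ts": (base + timedelta(minutes=20)).isoformat(), "external": True,
         "recipient": "alice@example.com", "sender_display": "Windows Security Help Desk"},
        {"type": "teams_msg", "ts": (base + timedelta(minutes=25)).isoformat(), "external": True,
         "recipient": "bob@example.com", "sender_display": "Partner Help Desk"},  # no flood: ignored
        {"type": "process", "ts": (base + timedelta(minutes=35)).isoformat(), "host": "WS-ALICE",
         "user": "alice@example.com", "image": "C:\\Placeholder\\quickassist.exe"},
        {"type": "process", "ts": (base + timedelta(minutes=50)).isoformat(), "host": "WS-ALICE",
         "user": "alice@example.com", "image": "C:\\Users\\alice\\Downloads\\WinSCP-Portable\\WinSCP.exe"},
        {"type": "process", "ts": (base + timedelta(minutes=50)).isoformat(), "host": "WS-BOB",
         "user": "bob@example.com", "image": "C:\\Program Files\\WinSCP\\WinSCP.exe"},  # installed copy
    ]
    return ev


if __name__ == "__main__":
    for user, stages in correlate(build_sample_events()).items():
        print(user, "->", ", ".join(stages))
```

Each stage on its own is noisy (newsletters arrive in bursts, WinSCP is common, external Teams contacts are routine), which is why the report keys on the sequence per user: a flood, then a help-desk-styled stranger, then a remote tool followed by a transfer tool run from a user-writable folder. Only alice trips all three in the sample; bob's installed WinSCP and unsolicited Teams message produce nothing.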
Source: Cybersecuritynews