Old social engineering attackers never die; they just evolve and get better. Here’s a story of an attack group audacious enough to keep compromising infrastructure in plain sight, and advice on what to do about it.
In late May 2024, Microsoft watched a financially motivated cybercriminal group it tracks as Storm-1811 do something that traditional perimeter controls were not built to see: it logged into Teams, said hello, and asked for help.
The cloud and software giant’s threat intelligence team had already documented the same operators abusing the Quick Assist remote support tool since mid-April that year, but the pivot to Teams gave them a new front door. Storm-1811, Microsoft’s analysts wrote, “is a financially motivated cybercriminal group known to deploy BlackBasta ransomware”, and the tenants they registered for the operation carried display names so generic that they passed unnoticed: ‘Help Desk’, ‘Help Desk IT’, ‘Help Desk Support’, ‘IT Support’.
Since then, the pattern has continued. On 4 November last year, an external user signed into a customer environment under the display name “IT Support”, using the account mostafa.s@dhic.edu.eg. Within twenty-eight minutes they had opened a Quick Assist screen-share session against a target who believed he was speaking to colleagues.
Five months later in March this year, BlueVoyant published the forensics on a related campaign that drops a previously undocumented payload called A0Backdoor and judged it “an evolution of tactics, techniques and procedures associated with the BlackBasta ransomware gang, which has dissolved after the internal chat logs of the operation were leaked”. The crew has changed; the playbook has not.
This is an ongoing problem. Teams has a four-year history of letting impersonators bend the trust model from the inside. Check Point Research, in a disclosure that ran from March 2024 until the final patch landed at the end of October 2025, documented that attackers could silently overwrite chats by reusing a clientmessageid, spoof notification senders, alter display names in private chats, and forge caller identities in audio and video calls.
Legitimate Tools In Criminal Hands
The reason this works at scale is architectural, not behavioral. Almost every component is sanctioned. Quick Assist ships by default on Windows 11 and is activated by a six-digit code; the MSI installers are digitally signed and hosted in personal Microsoft cloud storage; the malicious hostfxr.dll sideloads itself into a legitimate process and decrypts A0Backdoor only once it is resident in memory, where most endpoint inspection has already finished its work.
Even command-and-control hides in plain sight: rather than the TXT-record DNS tunnels that mature security operations centers have learned to flag, A0Backdoor encodes its instructions in DNS MX queries.
Time For Joined-Up Governance
So, what does governance look like when attackers weaponize your own workflows against you, using features turned on by default?
Higher scrutiny of these features is the starting point, along with disabling those that are enabled by default but not actually needed. Security teams might deny B2B chat invitations by flipping the default in Set-CsTeamsMessagingPolicy. They could baseline Quick Assist to a known support workflow, while treating Teams ChatCreated events as a first-class signal alongside endpoint and identity telemetry.
But these aren’t decisions that should be made independently. These attacks work precisely because no single owner sees enough to act. The identity team has no signal in a ChatCreated event it does not consume, while the SOC has no rule for an MX query it never scoped. A unified governance approach therefore needs a unified, end-to-end view of the company workflows that use these features.
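As an added illustration of what “joined-up” detection looks like in practice (example code written for this article, not tooling from Microsoft, BlueVoyant or Check Point), the snippet below correlates the two signals the text names: a ChatCreated audit event from an external tenant whose display name mimics a help desk, followed by a burst of DNS MX queries from the same workstation. The telemetry is constructed, and it assumes the chat event has already been enriched with the recipient’s workstation name from identity or endpoint data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article): two Teams ChatCreated
# audit events and DNS query log lines from the same workstations.
TEAMS_EVENTS = [
    {"op": "ChatCreated", "time": "2025-11-04T09:02:00", "external": True,
     "display": "IT Support", "user": "helpdesk@external.invalid", "host": "WS-0142"},
    {"op": "ChatCreated", "time": "2025-11-04T10:15:00", "external": False,
     "display": "Alice Example", "user": "alice@corp.invalid", "host": "WS-0077"},
]
DNS_EVENTS = [
    {"time": f"2025-11-04T09:{25 + i:02d}:00", "host": "WS-0142", "qtype": "MX",
     "qname": f"{i:04x}.update.c2.invalid"} for i in range(6)
] + [
    {"time": "2025-11-04T10:20:00", "host": "WS-0077", "qtype": "A", "qname": "teams.microsoft.com"},
]

# Generic support-desk names seen in the Storm-1811 tenants; extend to taste.
HELPDESK_NAMES = re.compile(r"\b(help\s*desk|it\s*support)\b", re.I)

def ts(s):
    return datetime.fromisoformat(s)

def impersonation_chats(events):
    """External-tenant chats whose display name mimics an internal support role."""
    return [e for e in events if e["op"] == "ChatCreated" and e["external"]
            and HELPDESK_NAMES.search(e["display"])]

def mx_bursts(dns_events, threshold=5, window=timedelta(minutes=10)):
    """Hosts issuing >= threshold MX queries inside `window`. Workstations rarely
    resolve MX records; mail relays should be allow-listed by the caller."""
    bursts, per_host = {}, {}
    for e in sorted(dns_events, key=lambda e: e["time"]):
        if e["qtype"] != "MX":
            continue
        q = per_host.setdefault(e["host"], [])
        q.append(ts(e["time"]))
        q[:] = [t for t in q if q[-1] - t <= window]  # drop queries older than window
        if len(q) >= threshold:
            bursts.setdefault(e["host"], q[0])  # remember when the burst began
    return bursts

def correlate(teams_events, dns_events, lag=timedelta(minutes=60)):
    """Raise a high-severity alert when an MX burst follows an impersonation chat
    on the same host within `lag` (the article's intrusion took 28 minutes)."""
    bursts, alerts = mx_bursts(dns_events), []
    for chat in impersonation_chats(teams_events):
        start = bursts.get(chat["host"])
        if start is not None and timedelta(0) <= start - ts(chat["time"]) <= lag:
            alerts.append({"host": chat["host"], "user": chat["user"], "severity": "high"})
    return alerts
```

Either rule alone is noisy (support tenants exist, mail relays query MX); the join is what turns two weak signals owned by two teams into one actionable alert.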
An integrated management system (IMS) is the organizing principle for an end-to-end governance workflow. Under ISO 27001, for example, security and governance teams can review external chat policy under the A.5.15 access rules. Organizations can shine a light on the DNS MX channel by deciding to monitor MX rather than just TXT under A.8.16 (monitoring activities). That kind of joined-up thinking can land ChatCreated and MX telemetry on the same analyst’s screen.
Similarly, the Quick Assist screen-share belongs to desktop engineering under A.8.2 (privileged access rights, including remote desktop tools). The MFA prompt it sidesteps falls under A.5.15 (IAM), while the MSI installations can be monitored systematically under A.8.19 (software installation).
A joined-up understanding of these risks also paves the way for better incident response. If you’ve baked this kind of risk into your control framework, it’s easier to treat a compromise via collaboration software as a recognized scenario and produce a playbook for this under section A.5.24 (incident management planning and preparation).
ISO 27001 is the logical home for work like this because it forces identity, access and incident response to sit inside one continuously audited system rather than three sets of disconnected control owners. That’s exactly the gap that Storm-1811 and its successors keep walking through.