Anyone else seeing fake helpdesk calls through Microsoft Teams? Attacker showed up as "Help Desk"
Posted by seatoskyns@reddit | sysadmin | 67 comments
Different clients this week reported getting Microsoft Teams calls from accounts labeled: Tag: External — “Help Desk”
If the user picks up, the goal is to walk them through installing a remote access tool.
Worth flagging if you manage M365 environments. Any unsolicited Teams call marked External should be treated as suspicious, no matter what the display name says.
Anyone else seeing this lately?
it4brown@reddit
This attack path has been ongoing for over a year. It has been in the news cycle heavily for the past month. MS has released direct guidance on how to combat these attacks because they're increasing in frequency.
How have you NOT been seeing this?
seatoskyns@reddit (OP)
Yeah, we’ve been aware of it and even sent out a communication around it.
Just hadn’t seen it hit this close, so was curious how widespread it’s been lately.
BillSull73@reddit
Aware of it but didn't act on it by locking down the path?
seatoskyns@reddit (OP)
A lot of environments still need external communication, so it ends up being more about awareness and controls than just blocking it outright.
BillSull73@reddit
Domain allow list though?
godspeedfx@reddit
How many domains do you have in your allow list?
BillSull73@reddit
I work with multiple clients and because of the recent help desk scam using teams, all of them have gone to domain allow. I think the largest one is about 30ish. There's no reason to leave it wide open to the world at this point. It does take an extra process or workflow to get other domains added to the list as people need it. It's really not that big a deal and it's at its security so nobody can really complain about that.
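As an added example that is not from any commenter in this thread, here is what the closed-federation setup described above looks like in the MicrosoftTeams PowerShell module. The cmdlets and parameters (Get-/Set-CsTenantFederationConfiguration, -AllowFederatedUsers, -AllowedDomainsAsAList, -AllowTeamsConsumer, -AllowTeamsConsumerInbound) are the module's own; the domain names are constructed placeholders, and the account is assumed to hold the Teams Administrator role.

```powershell
# Added example, not code from the thread. Assumes the MicrosoftTeams module is
# installed and the signed-in account has Teams Administrator rights.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Capture the current state first so the change can be reverted if a real partner breaks.
$before = Get-CsTenantFederationConfiguration
$before | Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains,
                      AllowTeamsConsumer, AllowTeamsConsumerInbound

# Constructed placeholder list: build the real one from the external-domain report
# and your vendor inventory, not from this file.
$approved = New-Object 'System.Collections.Generic.List[string]'
'partner-a.example', 'msp-b.example', 'vendor-c.example' | ForEach-Object { $approved.Add($_) }

# Keep federation enabled so approved partners keep working, but restrict it to the list.
# Passing a list to -AllowedDomainsAsAList replaces the current allow list outright.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList $approved

# Personal (consumer) Teams accounts belong to no tenant domain, so the allow list cannot
# vet them; close that path, inbound at minimum.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# The "extra workflow" from the comment above: once a request is approved, add a single
# domain without re-sending the whole list.
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{ Add = 'new-partner.example' }

# Verify. AllowedDomains should now list the approved domains instead of AllowAllKnownDomains.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound
```

The setting is tenant-wide and takes effect as soon as it is written, so the comms and the review of domains people already talk to have to come first; the flood of tickets others describe in this thread is the cost of skipping that step. Note also that this governs federated chat and calls between tenants only: guests already invited into your tenant and PSTN calls through Teams Phone are controlled by other settings.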
it4brown@reddit
My org got hit heavily last year around this time. We locked down immediately and haven't heard a peep yet. Going by the news cycle and posts around here seems like a new wave is hitting.
seatoskyns@reddit (OP)
Yeah, feels like that
bgdz2020@reddit
Everyone knows this is fake because our HD is too lazy to ever contact anyone.
Glum-Literature-8837@reddit
Greetings coworker.
bgdz2020@reddit
Did you leave me any coffee?
vppencilsharpening@reddit
We just got rolled into the larger parent company outsourcing of Tier 1 and their SOP has them making a teams call to the user.
This should be fun.
seatoskyns@reddit (OP)
😂 jokes aside, that’s probably why this works… people don’t expect IT to call out of nowhere
Inquisitive_idiot@reddit
Dude 💀
_haha_oh_wow_@reddit
No, but you should mess with them: Boot up a VM and let good old Lenny take care of the conversation.
FlyingStarShip@reddit
Just block communication in teams with any domain you don’t need and that’s it.
en-rob-deraj@reddit
Thought that was standard practice.
Witty_Formal7305@reddit
Should be, but it was also a pain in the ass to implement after the fact. Only recently did MS give you a report of domains people are already chatting with that you can pre-whitelist if you approve them; before, it was just send out comms (which would be ignored), then flip the switch and wait for the flood of tickets when people's external chats stop working.
SolidKnight@reddit
And then nobody ever adds anyone to the list and they just shadow IT their comms.
Arudinne@reddit
Ah, the classic scream test.
FlyingStarShip@reddit
After years of reading stuff here I know it is not lol
sryan2k1@reddit
The problem is that most people want unlimited comms with any domain. You don't know when someone will try and reach out to a new person, and there is no current feedback of "Hey, this could work but your IT people need to add this domain"; it simply acts like the email you gave it doesn't exist or they don't use M365. Which is really awful UX.
There aren't even any approval workflows.
FlyingStarShip@reddit
I see no valid reasons for most companies to have communication outside of their own domain, let alone a couple of them at most.
sryan2k1@reddit
I talk to vendors and clients all the time via teams chat. Being able to IM my CDW people directly is a huge value add.
man__i__love__frogs@reddit
But you can whitelist the tenants you're allowed to communicate externally with. Tenant IDs are also public.
sryan2k1@reddit
How do you know when Susie in HR wants to chat with a partner at another firm? She tries it, it doesn't work, and she figures that's how it goes, and you never know you're blocking collaboration.
Tr1pline@reddit
I think the Teams setting in the cloud can block unsolicited comms from outside in but allow inside out, so users can start the chat if they initiate it. It's part of CISA SCuBA best practice.
man__i__love__frogs@reddit
Because you have a process to onboard a vendor, inventory of vendor contracts, risk registry, etc...
sryan2k1@reddit
All of your own policies apply to external B2B chats including DLP and retention
man__i__love__frogs@reddit
On that note you should block cross tenant synchronization access by default. Don't know what malicious tenants your users are getting invited to as guests.
FlyingStarShip@reddit
I said most don’t need it.
Splask@reddit
It never even occurred to me that an org would allow Teams messages to come from outside of their domain. Why? Ours is completely locked down.
PrincipleExciting457@reddit
At my last org we had constant comms outside of our org for vendors, projects, clients, etc. Our entire call center and phone system was built on Teams.
sryan2k1@reddit
Talking with vendors, partners, clients. Directly seeing status and easily communicating just as you would internally.
accidentlife@reddit
A number of my vendors use teams for sales discovery calls.
FlyingStarShip@reddit
I said most don’t need it, I am aware of reasons why someone wants it
ZedGama3@reddit
The approval workflow is to create a ticket.
Oh wait... Yeah, I see your point.... 🤦♂️
Frothyleet@reddit
This definitely needs fixing (hopefully they won't add that for free, I'd love for it to be part of a new Teams Ultra Premium Copilot for Approval SKU that we could add on).
reol7x@reddit
My org just mandated direct dial numbers for everyone AND has them in our email signatures. ☠️☠️☠️
espeequeueare@reddit
We had an email bomb come through last Friday at 4PM to a few bigwigs. While we were dealing with that, someone posing as help desk set up a screen share session over Teams with one of them. They tried to use quick assist but fortunately our manager black holed quick assist traffic a while back. Arctic Wolf quarantined the device as well.
Needless to say, we’re looking into locking down external Teams users. But it’s complicated by the fact that we communicate with a lot of vendors through Teams, so it will still be possible, just with some restrictions.
seatoskyns@reddit (OP)
Wow, that was close. Totally get the external comms challenge, tough to lock down completely. A quick company-wide heads up might help while you work through the restrictions.
espeequeueare@reddit
Yeah, after that happened we sent out a communication to all associates that we will not contact employees in that manner and to exercise caution if approached like that. Attempting at the end of the workday on Friday was almost certainly intentional, lol.
seatoskyns@reddit (OP)
End of workday on FRIDAY? That’s evil lol
tgambill87@reddit
I started with my company last year. When I was getting started I noticed we allowed all communication with external domains in Teams. I immediately said we should turn that off and was told no because we work with a lot of contractors. A few months pass and we started to get these spam Teams calls. Most people knew it wasn't legit, but one guy let them take control of his PC and they started to run some PowerShell scripts. We were able to catch it and contain it so nothing happened. It was really easy to convince them to let me block all domains in Teams after that.
seatoskyns@reddit (OP)
Totally get why it was left open for contractors, but once something like that happens it changes the conversation real quick.
Gormless_Shrimp_635@reddit
https://thehackernews.com/2026/04/unc6692-impersonates-it-helpdesk-via.html?m=1
Secret_Account07@reddit
I’ve been getting a ton of scam calls through MS teams lately. Okay not a ton but like 4 in last month. Got 0 in previous 7 years
Shad0wguy@reddit
We had this happen once. After that we moved to an approved domain only policy in teams admin to prevent this.
TheButlr@reddit
Use an Intune policy to block quick assist from being used if you don’t use it in your env
Kuipyr@reddit
You can deploy an MS Store Intune app to uninstall it.
TheButlr@reddit
Doesn’t prevent the app from opening though. Users can easily go to apps.microsoft.com to reinstall it without admin. Should be the following
clybstr02@reddit
We block via our proxy and enable user accounts as needed if helpdesk has to fall back to it
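The uninstall approach Kuipyr mentions, and the limitation TheButlr raises, as an added example that is not from any commenter in the thread. This is an Intune-style detection/remediation script (run as SYSTEM in 64-bit PowerShell, since the DISM cmdlets need it) that reports whether Quick Assist is present and removes it. The package name MicrosoftCorporationII.QuickAssist and the legacy capability name App.Support.QuickAssist~~~~0.0.1.0 are the real identifiers; the function names and exit-code handling are illustrative.

```powershell
# Added example, not code from the thread. Detects and removes Quick Assist on a
# Windows endpoint. Intended for an Intune remediation or platform script running
# as SYSTEM in 64-bit PowerShell.
$StorePackage    = 'MicrosoftCorporationII.QuickAssist'   # current Store app
$InboxCapability = 'App.Support.QuickAssist~~~~0.0.1.0'   # legacy inbox version on older builds

function Get-QuickAssistState {
    # Three places it can live: per-user installs, the provisioned copy that seeds
    # new profiles, and the old Windows capability.
    [pscustomobject]@{
        Installed   = @(Get-AppxPackage -AllUsers -Name $StorePackage)
        Provisioned = @(Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq $StorePackage)
        Capability  = Get-WindowsCapability -Online -Name $InboxCapability -ErrorAction SilentlyContinue
    }
}

function Remove-QuickAssist {
    $state = Get-QuickAssistState
    # Remove for every user profile first, then the provisioned copy so new profiles do not get it.
    $state.Installed   | ForEach-Object { Remove-AppxPackage -Package $_.PackageFullName -AllUsers }
    $state.Provisioned | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null }
    if ($state.Capability -and $state.Capability.State -eq 'Installed') {
        Remove-WindowsCapability -Online -Name $InboxCapability | Out-Null
    }
}

# Intune remediation semantics: exit 1 = non-compliant (present), exit 0 = compliant.
$state = Get-QuickAssistState
if ($state.Installed.Count -or $state.Provisioned.Count -or ($state.Capability.State -eq 'Installed')) {
    Write-Output "Quick Assist present: $($state.Installed.Count) user install(s), $($state.Provisioned.Count) provisioned"
    Remove-QuickAssist
    exit 1
}
Write-Output 'Quick Assist not present'
exit 0
```

As the thread points out, this only removes the app; a user can still reinstall it from the Store without admin rights, so the uninstall is a cleanup step and not the control. The control is whatever stops the binary from running or connecting, such as an AppLocker/WDAC deny rule on the publisher, or the proxy block described above, with the remediation script catching drift and giving you a compliance report on where it keeps reappearing.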
Some_Team9618@reddit
There's a report in Teams where you can see the domains you have communication with. See what's most frequent, then create an approval process for curation of the list of approved domains. If one doesn't work, you need to follow your change/approval process to add it.
sryan2k1@reddit
Yep, and it finally got us to switch to closed federation with whitelisted domains only, sadly.
seatoskyns@reddit (OP)
Yeah, I get that, kind of forces your hand at that point. It’s either fully open or fully locked down with not much in between.
Wabbyyyyy@reddit
This is a common phishing tactic nowadays. Lately attackers have been sending a ton of phishing emails to our users (5 every minute, often in languages that were not English). After a few minutes, users would get a call on Teams from a "help desk" caller ID stating they were from our company's help desk offering help. The users clearly knew it was fake and hung up, providing no other info.
We blocked any external domains from calling on teams as they have a different phone system.
KStieers@reddit
Yes. We saw a stack of these as part of a BlackBasta attack.
We now block direct Teams connections except for whitelisted domains...
YSFKJDGS@reddit
This has been a tactic used for a while now. I have seen it for more than a year, but it's not nearly as common as regular phishing. The users will get a bunch of spam first, and Microsoft has added some detections for this, but I wouldn't rely on it.
To defend against it make sure you are blocking non-sanctioned remote access tools like quickassist and others, because if you are blocking those you will severely slow down the attacker.
And the people saying 'just block all external domains'... you might as well say 'I work for a small shop' because for larger enterprises that is not a valid option.
no_your_other_right@reddit
We found that these calls almost always follow an email bomb.
seatoskyns@reddit (OP)
That’s interesting, we haven’t come across that yet, just the Teams calls.
IdleWanderlust@reddit
BleepingComputer posted an article about this trend on 4/20.
https://www.bleepingcomputer.com/news/security/microsoft-teams-increasingly-abused-in-helpdesk-impersonation-attacks/
SkyrakerBeyond@reddit
Yes, intermittently over the past six months.
dcg1k@reddit
if it actually sounds helpful and answers on the first try ... 100% not your Help Desk
xSchizogenie@reddit
Maybe speak for your useless admins. Some admins around the globe see an error and know what to do.
vermyx@reddit
This has happened a few times over the last couple of years. I argued with an end user who "didn't click on anything" who allowed a QuickSupport session. CrowdStrike locked down the PC. They weren't happy when I said "bring in the PC, and your account is locked until I know what happened." CrowdStrike let me know what happened. I wiped the PC and gave them a clean one and sent out a company-wide email about this, as employees should know how and what we are going to ask for. In our case the attacker tried to impersonate a former IT person, so I use this as information training for phishing and impersonation.
seatoskyns@reddit (OP)
The former IT impersonation is a great (and scary) example of how convincing these are. Good call using it for training.