Cybercriminals misusing Quick Assist to perform social engineering attacks, Microsoft warns
Microsoft has issued a warning that cybercriminals are using a legitimate client management tool called Quick Assist to trick people into giving them remote access to their devices, ultimately deploying nasty ransomware.
Quick Assist is a Microsoft application that enables a user to share their Windows or macOS device with another person over a remote connection. The tool is installed by default on devices running Windows 11.
Microsoft Threat Intelligence researchers have been tracking Storm-1811 - a financially motivated cybercriminal group known to deploy Black Basta ransomware - since mid-April. The threat group was caught misusing Quick Assist to target users in social engineering attacks.
The attack sequence begins with impersonation through voice phishing (called vishing) - a form of social engineering that involves callers luring targets into revealing sensitive information under false pretenses or tricking targets into carrying out actions on behalf of the caller. For example, threat actors might impersonate IT or help desk personnel, pretending to conduct generic fixes on a device.
Once the target is deceived, the cybercriminals deliver malicious tools, including remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, malware like Qakbot, Cobalt Strike, and ultimately Black Basta ransomware.
In response to the observed malicious activity, Microsoft is investigating the use of the Quick Assist application in these attacks and is working on improving the transparency and trust between helpers and sharers, and incorporating warning messages in the application to alert users about possible tech support scams.
Microsoft recommends investing in advanced anti-phishing solutions such as Microsoft Defender Antivirus and Microsoft Defender for Endpoint, which detect components of activity originating from Quick Assist sessions and the follow-on activity.
To minimize the risk of such attacks, Microsoft recommends blocking or uninstalling Quick Assist and other remote management tools when they are not in use. If you suspect the person connecting to your device is engaging in malicious activity, disconnect immediately and report it to your local authorities or to the relevant IT staff within your organization.
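One way to carry out the "uninstall when not in use" recommendation on a fleet of Windows hosts, as an added example that is not from the article or from Microsoft: the script inventories and removes both forms Quick Assist ships in (the older Feature-on-Demand capability and the newer Store app), then reports whether anything remains. The capability name App.Support.QuickAssist~~~~0.0.1.0 and the app package name MicrosoftCorporationII.QuickAssist are assumptions based on known Windows package names and should be verified on your build.

```powershell
# Added example (not from the article): remove Quick Assist from a Windows host
# where it is not needed. Package names below are assumptions; verify on your build.
# Run in an elevated PowerShell session.
#Requires -RunAsAdministrator

$capabilityName = 'App.Support.QuickAssist~~~~0.0.1.0'   # Feature-on-Demand variant
$storePackage   = 'MicrosoftCorporationII.QuickAssist'   # Microsoft Store variant

# 1. Feature-on-Demand variant (older Windows 10 / Windows 11 builds)
$cap = Get-WindowsCapability -Online | Where-Object { $_.Name -eq $capabilityName }
if ($cap -and $cap.State -eq 'Installed') {
    Write-Host "Removing Quick Assist capability: $capabilityName"
    Remove-WindowsCapability -Online -Name $capabilityName | Out-Null
} else {
    Write-Host 'Quick Assist capability is not installed.'
}

# 2. Store-app variant: remove for every existing user profile ...
Get-AppxPackage -AllUsers -Name $storePackage | ForEach-Object {
    Write-Host "Removing Quick Assist app package for all users: $($_.PackageFullName)"
    Remove-AppxPackage -Package $_.PackageFullName -AllUsers
}
# ... and deprovision it so new user profiles do not get it installed again
Get-AppxProvisionedPackage -Online |
    Where-Object { $_.DisplayName -eq $storePackage } |
    ForEach-Object {
        Write-Host "Deprovisioning Quick Assist: $($_.PackageName)"
        Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
    }

# 3. Verify the result so a compliance check can consume it
$remaining  = @(Get-AppxPackage -AllUsers -Name $storePackage).Count
$remaining += @(Get-WindowsCapability -Online |
                Where-Object { $_.Name -eq $capabilityName -and $_.State -eq 'Installed' }).Count
if ($remaining -eq 0) {
    Write-Host 'Quick Assist is not present on this host.'
} else {
    Write-Warning "Quick Assist is still present ($remaining component(s) found)."
}
```

On managed fleets the same removal is usually pushed through Intune or Group Policy rather than run by hand; this script is the per-host equivalent and also serves as a quick audit of whether the tool is installed.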