CSIRT warns: New wave of cyberattacks via Teams fake support

Author
Asger Deleuran Strunk
Published
01. September 2025
The international incident response community is raising the alarm: in recent months, attackers have increasingly used email bombing to put victims under pressure and then deceived them by posing as support staff via Microsoft Teams. The following chronology and analysis show the dynamics of this trend.

This is what happened: at one organization, a user's mailbox was flooded with over 2,000 emails from a wide variety of sources within a short time. An attacker had subscribed the affected person to hundreds of newsletters, paralyzing the mailbox in no time at all. A case for InfoGuard's Computer Security Incident Response Team (CSIRT). But first things first.

In this tense situation, an unknown caller contacted the user via Microsoft Teams and pretended to be a support employee. With detailed knowledge of the problem and a professional demeanor, the caller gained the trust of the person concerned in no time at all.

Feeling that he was in good hands, the user expected his problem to be solved quickly. Under the pressure of the situation, he was persuaded to open a remote access tool (RAT), without realizing that he was handing a cybercriminal control of his computer.

The attacker then tried to install a permanent backdoor on the system disguised as a spam filter. Fortunately, however, the restricted user rights thwarted this attempt.

When the user noticed that the supposed support employee was unable to install any software despite repeated attempts, he became suspicious. He hung up and contacted the internal IT department, which immediately took the necessary measures to contain the attack.

Forensic search for clues in the Microsoft 365 cosmos

As a result of this incident, InfoGuard's CSIRT experts were tasked with searching for further traces of a compromise and conducting a professional, in-depth analysis of the incident.

Immediate measure: reading the unified audit logs (UAL)

One of the CSIRT's immediate measures was to read and analyze the UAL logs in the customer's Microsoft 365 tenant. UAL logs are the central source for user activities in the Microsoft environment and are often the first port of call in forensic investigations.

Particularly problematic: although the default for Microsoft 365 UAL logging has been "Enabled" for new tenants for years, the InfoGuard CSIRT repeatedly finds tenants in which these logs are not activated, even though activating them involves no additional effort. Without activated logs, investigating incidents in Microsoft 365 is difficult: usually only the Entra audit and sign-in logs are then available, while most of the activities attackers perform after an account takeover are recorded in the UAL.

On the attacker's trail with audit data

The first step of the forensic analysis was to determine the start time of the Teams chat activity, as this was the first action by the attacker that was detected on the customer network. This was achieved by analyzing the UAL log history for the "ChatCreated" operation.

Figure 1: UAL audit data

As Figure 1 shows, the UAL documents an externally initiated chat with several revealing details, such as the "ChatThreadId", which clearly proves the origin of the chat. The "ChatThreadId" has the structure "19:user-1-id_user-2-id:@unq.gbl.spaces". Here, "user-1-id" is the ID of the attacker's account in the Microsoft tenant under his control (highlighted in red in Figure 1), and "user-2-id" is the ID of the user in the customer's tenant who received the chat.
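As an added example (not code from the original post or from InfoGuard), the following Python triage script applies the two pivots described above to a constructed UAL "ChatCreated" record: it splits the thread ID into its two object IDs and flags chat members whose UPN domain is not one of the customer's own domains. The record shape, the GUIDs, UPNs and the `HOME_TENANT_DOMAINS` set are assumptions.

```python
import json

HOME_TENANT_DOMAINS = {"customer.example"}  # assumption: the customer's own UPN domains

# Constructed UAL "ChatCreated" record (illustrative GUIDs/UPNs, not from the real case).
SAMPLE_UAL_RECORDS = [{
    "CreationTime": "2025-07-15T09:12:44",
    "Operation": "ChatCreated",
    "AuditData": json.dumps({
        "ChatThreadId": "19:aaaaaaaa-1111-2222-3333-444444444444"
                        "_bbbbbbbb-5555-6666-7777-888888888888@unq.gbl.spaces",
        "Members": [
            {"UPN": "helpdesk@attacker-tenant.example", "DisplayName": "Help Desk Manager"},
            {"UPN": "j.doe@customer.example", "DisplayName": "Jane Doe"},
        ],
    }),
}]


def parse_thread_id(thread_id):
    """Split '19:<user-1-id>_<user-2-id>@unq.gbl.spaces' into its two object IDs."""
    body = thread_id.split(":", 1)[1].split("@", 1)[0].rstrip(":")
    first_id, second_id = body.split("_", 1)
    return first_id, second_id


def external_chats(records, home_domains=HOME_TENANT_DOMAINS):
    """Return ChatCreated events that involve a participant from a foreign tenant."""
    findings = []
    for rec in records:
        if rec.get("Operation") != "ChatCreated":
            continue
        data = json.loads(rec["AuditData"])
        external = [m for m in data.get("Members", [])
                    if m.get("UPN", "").rsplit("@", 1)[-1].lower() not in home_domains]
        if not external:
            continue
        # In the case described, the first ID in the thread ID was the attacker's
        # account in the tenant he controlled; that ID is the pivot for the tenant lookup.
        first_id, _ = parse_thread_id(data["ChatThreadId"])
        findings.append({
            "time": rec["CreationTime"],
            "first_id": first_id,
            "external_members": [(m["UPN"], m.get("DisplayName", "")) for m in external],
        })
    return findings
```

The first ID of each finding can then be looked up with the tenant-identification tools the next paragraph mentions.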

With the attacker's user ID, the tenant used could easily be identified, either by querying the Azure and Office 365 APIs or simply with the Open Source Intelligence (OSINT) functions of AADInternals by Dr. Nestori Syynimaa (@DrAzureAD) - see Figure 2.


Figure 2: Screenshot of AADInternals for the attacker's Microsoft tenant.

Even more efficient was the targeted analysis of the section of the UAL audit data that lists the chat participants, including the attacker's UPN, domain name and display name (marked in red).


Figure 3: Member area of the UAL audit data (attacker's data marked in red).

In Figure 3, it is noticeable that the attacker chose the display name "Help Desk Manager", which made it difficult for the user to recognize and identify the call as external.

RAT forensics: Searching for traces in the end device

After InfoGuard's CSIRT confirmed malicious Teams activity in the Microsoft 365 UAL, the investigation shifted to analyzing the endpoint that the attacker had compromised with a RAT.

Since the exact timing of the Teams chat was now known, the starting point for the forensic investigation on the endpoint could be determined precisely. The user reported that the attacker had taken control during the Teams call, so InfoGuard's specialists began the forensic analysis of artifacts with the aim of finding evidence of the use of known RAT tools.

"UserAssist" is a function of Microsoft Windows that records which programs users start via the Windows user interface. Introduced with Windows 2000, it still exists in Windows 10/11. The collected data is stored in the Windows registry and is used by Windows to optimize the user experience, e.g. for the "Frequently used programs" display in the Start menu. The entries also provide the application path, the number of launches and the time of the last execution, which is valuable for reconstructing user behavior.

Figure 4 shows the UserAssist data from the customer's end device. It reveals that Microsoft's built-in remote assistance tool "Quick Assist" was started around three minutes after the start of the call. It is also striking that Quick Assist had been run only once, meaning it was not otherwise part of everyday use on this device.


Figure 4: UserAssist from the customer's end device.

Danger in the proxy: Quick Assist as a gateway

The customer was also using a proxy that filtered all web traffic and blocked all connections categorized as remote access tools. However, as Quick Assist is part of the Microsoft suite, the application communicates via the central server "remoteassistance[.]support[.]services[.]microsoft[.]com", which was covered by a general rule allowing all traffic to Microsoft services - a rule that was necessary because of the customer's Microsoft 365 setup.

Figure 5: Proxy log

Figure 5 shows that the proxy allowed the connection to the backend of Microsoft Quick Assist. The attacker then opened a browser, entered a Bit.ly short URL and downloaded a "backdoor" disguised as a spam filter. The Bit.ly URL redirected to a SharePoint page of an Indonesian school, where a student's user account had presumably been compromised and abused. Although the proxy log did not reveal the complete SharePoint URL, the full address could be reconstructed from artifacts in the end device's browser.

Figure 6: Favicon cache on the victim's end device.

Figure 6 shows that the full URL of the SharePoint page controlled by the attacker could be reconstructed by analyzing the favicon cache in the browser. The area marked in red shows that the Bit.ly URL referred to a ZIP file called "spamfilter.zip". At the time of the analysis, the file was neither available on the end device nor on SharePoint.

UserAssist and AmCache: Key to tool analysis

By re-evaluating UserAssist (Figure 4), InfoGuard's experts were able to determine that "spamfilter.zip" contained at least two binaries named "SecureSensor.exe" and "ScreenConnect.ClientSetup.exe", which the attacker had attempted to execute.
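The UserAssist analysis behind Figure 4 and the re-evaluation above can be reproduced offline. The following Python decoder is an added example (not the original post's or InfoGuard's code): it ROT13-decodes UserAssist value names, reads the run count and last-execution FILETIME from the binary value, and lists every program last launched within the call window. The 72-byte value layout (run count at offset 4, FILETIME at offset 60) is the Windows 7 and later format as documented by the DFIR community and is an assumption here; the sample registry names, call start time and counts are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Assumed value layout (72 bytes, Windows 7 and later, as documented by the DFIR
# community): run count at offset 4, last-execution FILETIME at offset 60.
RUN_COUNT_OFFSET = 4
LAST_RUN_OFFSET = 60
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_userassist(name, value):
    """Decode one UserAssist entry: ROT13 value name, run count and last run time."""
    run_count = struct.unpack_from("<I", value, RUN_COUNT_OFFSET)[0]
    ft = struct.unpack_from("<Q", value, LAST_RUN_OFFSET)[0]  # 100 ns ticks since 1601
    last_run = FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None
    return {"path": codecs.decode(name, "rot_13"), "run_count": run_count, "last_run": last_run}


def launches_in_window(entries, start, window=timedelta(minutes=40)):
    """Entries last executed between start and start + window, oldest first."""
    hits = []
    for name, value in entries.items():
        entry = decode_userassist(name, value)
        if entry["last_run"] and start <= entry["last_run"] <= start + window:
            delta = entry["last_run"] - start
            entry["minutes_after_start"] = round(delta.total_seconds() / 60, 1)
            hits.append(entry)
    return sorted(hits, key=lambda e: e["last_run"])


def make_value(run_count, last_run):
    """Build a constructed 72-byte value for the sample data below."""
    ft = ((last_run - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    buf = bytearray(72)
    struct.pack_into("<I", buf, RUN_COUNT_OFFSET, run_count)
    struct.pack_into("<Q", buf, LAST_RUN_OFFSET, ft)
    return bytes(buf)


# Constructed sample (call start, paths and counts are illustrative, not case data).
# Known-folder GUIDs stand in for System32 and Downloads as Windows writes them.
CALL_START = datetime(2025, 7, 15, 9, 12, 44, tzinfo=timezone.utc)
SAMPLE_ENTRIES = {
    codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\quickassist.exe", "rot_13"):
        make_value(1, CALL_START + timedelta(minutes=3)),
    codecs.encode(r"{374DE290-123F-4565-9164-39C4925E467B}\spamfilter\SecureSensor.exe", "rot_13"):
        make_value(1, CALL_START + timedelta(minutes=20)),
    codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe", "rot_13"):
        make_value(57, CALL_START - timedelta(days=1)),
}
```

On a real image, feed the decoder the value names and data exported from NTUSER.DAT under the UserAssist Count subkeys instead of the constructed dictionary.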

The SHA1 hash of "SecureSensor.exe" could be traced via the "AmCache" of the end device, which revealed it to be a keylogger. "ScreenConnect.ClientSetup.exe" is the installer of the well-known RAT ScreenConnect, which would have given the attacker persistent access had it been installed. Fortunately, however, user rights in the network were set so that normal users could not install any software.

Since the attacker was unable to gain permanent access to the victim device, he began to collect information about the user's VPN access. He downloaded the VPN profile XML file from the end device to obtain the complete configuration and saved the file as "verification.zip", presumably to gain access to the internal network after the ScreenConnect installation failed.

Figure 7: VPN profile of the victim copied by the attacker.

Exfiltration slowed down: Proxy log as a protective shield

Once the attacker had collected the VPN profile, he initiated the exfiltration of the ZIP file via various file-sharing sites. However, as the victim device was protected by a proxy solution, all file-sharing sites were blocked. This was also evident in the proxy log, where several requests to different sites were registered.

Figure 8: Proxy log shows attempts to exfiltrate files.
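As an added example (not code from the original post or from InfoGuard), the following Python detection logic correlates the two proxy observations above: an allowed connection to the Quick Assist backend (Figure 5) followed, for the same user, by a URL-shortener hit and by blocked file-sharing requests (Figure 8). The log format, host names and category labels are constructed assumptions.

```python
from datetime import datetime, timedelta

QUICK_ASSIST_BACKEND = "remoteassistance.support.services.microsoft.com"
EXFIL_CATEGORIES = {"File-Sharing"}
SHORTENER_CATEGORIES = {"URL-Shortener"}

# Constructed proxy log (time, user, destination host, category, action); not case data.
SAMPLE_PROXY_LOG = """\
2025-07-15T09:15:50 j.doe remoteassistance.support.services.microsoft.com Microsoft ALLOW
2025-07-15T09:17:02 j.doe bit.ly URL-Shortener ALLOW
2025-07-15T09:17:03 j.doe school-tenant.sharepoint.example Microsoft ALLOW
2025-07-15T09:40:11 j.doe transfer.example File-Sharing DENY
2025-07-15T09:41:30 j.doe upload.example File-Sharing DENY
2025-07-15T09:42:05 j.doe share.example File-Sharing DENY
2025-07-15T11:00:00 k.roe remoteassistance.support.services.microsoft.com Microsoft ALLOW
2025-07-15T11:05:00 k.roe www.example.com Business ALLOW
"""


def parse_proxy_log(text):
    """Parse the whitespace-separated sample format into dictionaries."""
    rows = []
    for line in text.splitlines():
        ts, user, host, category, action = line.split()
        rows.append({"time": datetime.fromisoformat(ts), "user": user,
                     "host": host, "category": category, "action": action})
    return rows


def quick_assist_sessions(rows, window=timedelta(minutes=45)):
    """For each allowed Quick Assist backend connection, summarise what the same user
    did in the following window: URL-shortener hits and blocked file-sharing requests."""
    alerts = []
    starts = [r for r in rows if r["host"] == QUICK_ASSIST_BACKEND and r["action"] == "ALLOW"]
    for start in starts:
        later = [r for r in rows if r["user"] == start["user"]
                 and start["time"] < r["time"] <= start["time"] + window]
        shortener_hits = sum(r["category"] in SHORTENER_CATEGORIES for r in later)
        blocked_exfil = [r["host"] for r in later
                         if r["category"] in EXFIL_CATEGORIES and r["action"] == "DENY"]
        alerts.append({"user": start["user"], "session_start": start["time"],
                       "shortener_hits": shortener_hits, "blocked_exfil": blocked_exfil,
                       "severity": "high" if blocked_exfil else "info"})
    return alerts
```

A Quick Assist session on its own is only informational; the combination with denied upload attempts in the same window is what should page the SOC.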

After several attempts to exfiltrate data, the victim became suspicious and ended the conversation with the attacker and the session. He then contacted the internal IT team, who immediately changed the password and isolated the device.

The call lasted around 40 minutes. Immediately after it ended, the attacker began brute-force login attempts against the victim's Office 365 account.

Figure 9: Attempts to log in to the victim's Office 365 account.

4 concrete security recommendations from incident response practice

By default, Microsoft Teams is set so that all external tenants can contact users. However, our experience shows that this is not a secure solution for companies.

To prevent such attacks, we recommend four effective measures:

  • Restrict the permission to contact users to approved external tenants (whitelist approach). This effectively prevents such attack patterns.
  • Tools such as Maester.dev and PingCastle should be used regularly. This allows Microsoft 365 and Active Directory setups to be checked and audited for vulnerabilities and misconfigurations.
  • Clearly define authorized remote access tools and consistently block all others to prevent unwanted access.
  • Ensure that the Unified Audit Logs (UAL) are activated in the Microsoft 365 tenant so that all security-relevant activities can be tracked.

Ultimately, the security level of an organization determines whether an attack is successfully thwarted or becomes a serious case.

Calm in the cyber storm thanks to real-time response

Complex chains of fraud, as seen in this example, can be reliably fended off with holistic defense strategies. With a proactively managed SOC and incident response service (CSIRT), organizations can keep a cool head even in the face of complex waves of attacks.

The ISO 27001-certified Cyber Defense Center combines continuous expert monitoring, state-of-the-art attack detection and clear escalation paths - around the clock.

This allows you to take responsibility for your company's cyber security and effectively stop any cyber threat before it becomes a security-critical incident. You also create lasting resilience for your company.

Act today before cyber criminals do! With proactive managed SOC and incident response services, you and your organization are one step ahead of cyber criminals. Our team of experts will be happy to advise you and accompany you in partnership and with proven expertise in the evaluation and implementation of the most secure and suitable solution for your company.
