security: Cross‑tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook
Microsoft Security Blog
2026-04-18
Microsoft describes a human-operated intrusion pattern that uses external Microsoft Teams collaboration to impersonate IT helpdesk staff, persuade users to grant remote access, then abuse legitimate tools and admin protocols for lateral movement and data exfiltration. Microsoft Defender can detect related activity across Teams, endpoint, and identity telemetry.