For a while now, Microsoft Quick Assist has been abused in several social engineering attacks. In most cases, the attackers impersonate someone through voice phishing (vishing), e.g., they try to trick the user by telling them that they are a Microsoft support employee.
Spoiler
Microsoft will not actively call users and ask them to use remote support tools!
And by the way: Microsoft support will never, I mean never, ask users to pay with crypto or gift cards.
Microsoft published an interesting post in the Security blog:
Since mid-April 2024, Microsoft Threat Intelligence has observed the threat actor Storm-1811 misusing the client management tool Quick Assist to target users in social engineering attacks. Storm-1811 is a financially motivated cybercriminal group known to deploy Black Basta ransomware. The observed activity begins with impersonation through voice phishing (vishing), followed by delivery of malicious tools, including remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, malware like Qakbot, Cobalt Strike, and ultimately Black Basta ransomware.
Quick Assist is an application that enables a user to share their Windows or macOS device with another person over a remote connection. This enables the connecting user to remotely connect to the receiving user’s device and view its display, make annotations, or take full control, typically for troubleshooting. Threat actors misuse Quick Assist features to perform social engineering attacks by pretending, for example, to be a trusted contact like Microsoft technical support or an IT professional from the target user’s company to gain initial access to a target device.
If you are not using Quick Assist in your organization, I would recommend disabling it.
The procedure is relatively simple:
# Remove Quick Assist
Get-AppxPackage -Name MicrosoftCorporationII.QuickAssist -AllUsers -ErrorAction Continue | Remove-AppxPackage -AllUsers -Confirm:$false -Verbose -ErrorAction Continue
I saw Quick Assist come back after updates or a repair of Windows. Therefore, I would recommend running this as an Intune proactive remediation.
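As an added example (not code from the original post), here is a detection/remediation pair for the package removal itself, in the same style as the NRPT pair further down. It goes one step further than the one-liner above: besides removing the package for every existing user profile, it also removes the provisioned copy, which is what Windows uses to re-add the app to new profiles and after feature updates. The assumption is that Quick Assist is present on your image as a provisioned Store package with the DisplayName MicrosoftCorporationII.QuickAssist; if it is not, the provisioned lookup simply returns nothing and the scripts still work.

```powershell
# Save the part above the marker as the Intune detection script and the part
# below it as the remediation script; both need the Test-QuickAssistPresent helper.
function Test-QuickAssistPresent
{
    $pkgName = 'MicrosoftCorporationII.QuickAssist'

    # Installed for any user profile on the device
    $installed = Get-AppxPackage -Name $pkgName -AllUsers -ErrorAction SilentlyContinue

    # Provisioned for new user profiles (assumption: shipped as a provisioned Store package).
    # Note that Get-AppxProvisionedPackage matches on DisplayName, not Name.
    $provisioned = Get-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue |
        Where-Object -FilterScript { $_.DisplayName -eq $pkgName }

    return [PSCustomObject]@{
        Installed   = [bool]$installed
        Provisioned = [bool]$provisioned
        Present     = [bool]($installed -or $provisioned)
        ProvisionedPackages = @($provisioned)
    }
}

# ---------------- Detection script (exit 1 = remediation required) ----------------
$state = Test-QuickAssistPresent
if ($state.Present)
{
    Write-Host -Object "Quick Assist present (installed: $($state.Installed), provisioned: $($state.Provisioned))"
    exit 1
}
else
{
    Write-Host -Object 'Quick Assist not present'
    exit 0
}

# ---------------- Remediation script (runs as SYSTEM, so -AllUsers works) ----------------
$pkgName = 'MicrosoftCorporationII.QuickAssist'

# 1. Remove the app from every existing user profile
Get-AppxPackage -Name $pkgName -AllUsers -ErrorAction SilentlyContinue |
    Remove-AppxPackage -AllUsers -Confirm:$false -ErrorAction Continue

# 2. Deprovision it so it is not added to new profiles or after an update
(Test-QuickAssistPresent).ProvisionedPackages | ForEach-Object -Process {
    Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName -ErrorAction Continue | Out-Null
}

# 3. Re-check and report the real outcome to the Intune console
$state = Test-QuickAssistPresent
if ($state.Present)
{
    Write-Host -Object "Quick Assist could not be fully removed (installed: $($state.Installed), provisioned: $($state.Provisioned))"
    exit 1
}
Write-Host -Object 'Quick Assist removed and deprovisioned'
exit 0
```

Because the remediation re-runs the detection logic at the end and exits non-zero on failure, the Intune remediation report shows devices where the removal did not stick (for example, a running Quick Assist session holding the package in use) instead of silently marking them as remediated.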
And I also recommend blocking traffic to the https://remoteassistance.support.services.microsoft.com endpoint:
# Break the domain name
if (!(Get-DnsClientNrptRule -ErrorAction SilentlyContinue | Where-Object -FilterScript {
($_.Namespace -eq 'remoteassistance.support.services.microsoft.com')
}))
{
Add-DnsClientNrptRule -Namespace 'remoteassistance.support.services.microsoft.com' -NameServers '0.0.0.0' -Verbose -ErrorAction Continue -Confirm:$false
}
This sets the nameserver 0.0.0.0 for the host/domain remoteassistance.support.services.microsoft.com, and 0.0.0.0 will never deliver an answer, right?
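One check I would run before rolling the NRPT rule out, as an added example that is not part of the original post: confirm that the rule is not only configured but also part of the effective policy (local rules are merged with any Group Policy NRPT rules), and that a lookup through the Windows DNS client really fails. The script assumes that Resolve-DnsName honours NRPT rules on the client, which is how it behaves on current Windows builds.

```powershell
# Verify the NRPT block for the Quick Assist relay endpoint (added example).
$ns = 'remoteassistance.support.services.microsoft.com'

# 1. The rule is configured on this client
$rule = Get-DnsClientNrptRule -ErrorAction SilentlyContinue |
    Where-Object -FilterScript { $_.Namespace -eq $ns }
if (-not $rule)
{
    Write-Warning -Message "No NRPT rule configured for $ns"
    exit 1
}

# 2. The rule survives the merge with Group Policy and is actually effective
$effective = Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue |
    Where-Object -FilterScript { $_.Namespace -eq $ns }
if (-not $effective)
{
    Write-Warning -Message "NRPT rule for $ns exists but is not in the effective policy"
    exit 1
}

# 3. A real lookup must fail: 0.0.0.0 never answers, so the query times out
try
{
    $answer = Resolve-DnsName -Name $ns -Type A -DnsOnly -ErrorAction Stop
    Write-Warning -Message ("$ns still resolves to: " + ($answer.IPAddress -join ', '))
    exit 1
}
catch
{
    Write-Host -Object "Lookup for $ns failed as intended: $($_.Exception.Message)"
    exit 0
}
```

Keep in mind what this rule does and does not cover: it breaks name resolution through the Windows DNS client only. Resolution done by other means (a browser's own DNS-over-HTTPS setting, or a tool that already knows the IP address) is not affected, which is why I would pair the DNS block with the package removal above rather than rely on it alone.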
And if you would like to have this as an Intune remediation:
# Intune Detection
if (!(Get-DnsClientNrptRule -ErrorAction SilentlyContinue | Where-Object -FilterScript {
($_.Namespace -eq 'remoteassistance.support.services.microsoft.com')
}))
{
Write-Host -Object 'Namespace entry was not found'
exit 1
}
else
{
Write-Host -Object 'Namespace entry was found'
exit 0
}
# Intune Remediation
if (!(Get-DnsClientNrptRule -ErrorAction SilentlyContinue | Where-Object -FilterScript {
($_.Namespace -eq 'remoteassistance.support.services.microsoft.com')
}))
{
Add-DnsClientNrptRule -Namespace 'remoteassistance.support.services.microsoft.com' -NameServers '0.0.0.0' -Verbose -ErrorAction Stop -Confirm:$false
}
That can mitigate the possible abuse of Quick Assist.
And you should inform your users: I recommend sending an IT awareness advisory message to them.
You can use the Protect yourself from tech support scams support article from Microsoft as a source. This article contains a lot of useful information and an end-user-friendly video. And you can grab it in many different languages!