ENKVA #002 — Threat actors impersonate IT support via Teams external access, use Quick Assist to install RMM tools and exfiltrate data — restrict Quick Assist now
If your end users receive a Teams message from someone claiming to be IT support, they have no reliable way to distinguish your real helpdesk from an attacker. Microsoft's Threat Intelligence team documented a nine-stage attack chain this week where threat actors exploit that gap. They send Teams messages from external tenants, impersonate IT support, convince users to open Quick Assist, and use that foothold to deploy remote monitoring and management software, pivot to domain controllers, and exfiltrate data via Rclone. The full playbook is in the Microsoft Security Blog post from April 18.
The attack works because Teams allows external organizations to initiate conversations with your users by default. The attacker tenant can be freshly registered and look entirely legitimate in the chat UI — the user sees a name and a title, not a domain they can easily verify. Once the user accepts the remote session via Quick Assist, the attacker moves fast: Microsoft's analysis shows reconnaissance typically completes within 30–120 seconds of getting access.
After reconnaissance, the chain continues: DLL side-loading through trusted executables (observed using names like AcroServicesUpdater2, ADNotificationManager, and DlpUserAgent), encoded configuration written to user-context registry locations for persistence, outbound HTTPS to command-and-control infrastructure, WinRM lateral movement toward domain controllers and identity infrastructure, installation of commercial RMM software for a persistent back channel, and finally Rclone to transfer data to external cloud storage.
What to do this week:
- Restrict Quick Assist to authorized roles only. For most end users, Quick Assist has no legitimate purpose. Remove it via Intune app configuration or group policy, or at minimum restrict it to your internal IT staff and document which accounts are allowed to receive remote sessions.
- Enable Attack Surface Reduction (ASR) rules in block mode. Several rules directly cover this chain: "Block process creations originating from PSExec and WMI commands," "Block executable files from running unless they meet a prevalence, age, or trusted list criterion," and "Block untrusted and unsigned processes that run from USB." Set them to block, not audit.
- Implement Windows Defender Application Control (WDAC). The DLL side-loading stage specifically targets trusted executables in ProgramData and AppData paths. A WDAC policy is allow-list only: a DLL dropped beside a trusted executable in those user-writable directories will not load unless a publisher, hash, or path rule explicitly permits it. Note that WDAC does not honor path allow-rules for user-writable locations at runtime by default, so do not plan on carving out exceptions under ProgramData or AppData with path rules.
- Add a detection rule: an external Teams message to a user followed by RMM tool or Quick Assist execution on that user's device within 30 minutes. This correlation query surfaces the pattern before exfiltration begins. Your SIEM vendor likely has a starting template; the blog post includes the KQL structure.
- Review your Teams external access policy. By default, external users from any federated tenant can message your users. Locking external access to a specific allowlist of known partner tenants significantly reduces the attack surface. On April 17, Microsoft also shipped a feature that lets users report suspicious external contacts directly inside Teams — enable the reporting option so your SOC gets visibility even if the attacker gets through.
The reason this matters specifically to MSPs: your clients expect Teams messages from you. If an attacker spoofs your company name in their external tenant, your client's users have no banner telling them the message came from outside your domain. The attack chain documented by Microsoft is built around exactly this trust asymmetry. Get Quick Assist off the endpoints you don't control before someone else gets on them.
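The fourth item in the list above names the correlation rule but not its logic. As an added example (not the KQL in the Microsoft post and not the newsletter's own code), here is the same rule in PowerShell over two constructed event sets, so the join conditions can be checked before porting to a SIEM. The field names, the RMM process list and the sample domains are assumptions; in Defender XDR the equivalent sources would typically be CloudAppEvents for Teams messages and DeviceProcessEvents for process starts.

```powershell
# Added example (not the Microsoft blog's KQL): correlate an external Teams
# message to a user with RMM or remote-assistance process starts by that same
# user within the next 30 minutes. Event shapes, field names and the RMM list
# are assumptions; extend the list with the tools your clients actually run.

# Process names that should not start on an end-user device right after an
# external chat. Patterns use -like semantics (case-insensitive wildcards).
$RmmProcessNames = @(
    'quickassist.exe', 'anydesk.exe', 'teamviewer*.exe', 'screenconnect*.exe',
    'atera*.exe', 'splashtop*.exe', 'ltsvc.exe', 'rclone.exe'
)

function Test-RmmProcess([string]$Name) {
    foreach ($pattern in $RmmProcessNames) {
        if ($Name -like $pattern) { return $true }
    }
    return $false
}

function Find-TeamsToRmmSequence {
    param(
        [Parameter(Mandatory)] [object[]]$TeamsEvents,    # Time, User, SenderDomain
        [Parameter(Mandatory)] [object[]]$ProcessEvents,  # Time, User, Process, Device
        [Parameter(Mandatory)] [string]$HomeDomain,
        [int]$WindowMinutes = 30
    )
    # Only messages from outside the tenant count; an internal helpdesk chat
    # followed by Quick Assist is the normal case this rule must not fire on.
    foreach ($msg in ($TeamsEvents | Where-Object { $_.SenderDomain -ne $HomeDomain })) {
        $deadline = $msg.Time.AddMinutes($WindowMinutes)
        $hits = @($ProcessEvents | Where-Object {
            $_.User -eq $msg.User -and
            $_.Time -ge $msg.Time -and $_.Time -le $deadline -and
            (Test-RmmProcess $_.Process)
        })
        foreach ($h in $hits) {
            [pscustomobject]@{
                User         = $msg.User
                SenderDomain = $msg.SenderDomain
                MessageTime  = $msg.Time
                Process      = $h.Process
                Device       = $h.Device
                MinutesAfter = [math]::Round(($h.Time - $msg.Time).TotalMinutes, 1)
            }
        }
    }
}

# Constructed sample data (not real telemetry).
$t0 = Get-Date '2026-04-20T09:00:00'
$teams = @(
    [pscustomobject]@{ Time = $t0;               User = 'alice@contoso.example'; SenderDomain = 'helpdesk-support.example' }
    [pscustomobject]@{ Time = $t0.AddMinutes(5); User = 'bob@contoso.example';   SenderDomain = 'contoso.example' }  # internal sender
)
$procs = @(
    [pscustomobject]@{ Time = $t0.AddMinutes(4);  User = 'alice@contoso.example'; Process = 'QuickAssist.exe';                  Device = 'WS-ALICE' }
    [pscustomobject]@{ Time = $t0.AddMinutes(12); User = 'alice@contoso.example'; Process = 'ScreenConnect.ClientService.exe'; Device = 'WS-ALICE' }
    [pscustomobject]@{ Time = $t0.AddMinutes(7);  User = 'bob@contoso.example';   Process = 'anydesk.exe';                     Device = 'WS-BOB' }    # filtered by HomeDomain
    [pscustomobject]@{ Time = $t0.AddMinutes(45); User = 'alice@contoso.example'; Process = 'rclone.exe';                      Device = 'WS-ALICE' }  # past the window
)

Find-TeamsToRmmSequence -TeamsEvents $teams -ProcessEvents $procs -HomeDomain 'contoso.example' |
    Format-Table -AutoSize
```

The join key is the user, not the device, because the Teams audit record carries a UPN while the process record carries a device name; resolve the device owner in your SIEM before porting this. The Rclone start at 45 minutes falls outside the window by design: it is the exfiltration stage and deserves its own rule rather than a wider window that would inflate false positives from legitimate helpdesk sessions.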
Advisories
Brief 1 — CISA KEV adds 8 CVEs on April 20; two with known ransomware campaign use
The CISA Known Exploited Vulnerabilities catalog added 8 CVEs on April 20 in a single batch — all with the same dateAdded value. Two carry the knownRansomwareCampaignUse: Known flag.
The standout: CVE-2025-32975 (CVSS 10.0) in Quest KACE Systems Management Appliance. Authentication bypass via the SSO mechanism allows unauthenticated attackers to impersonate any user, including administrators. Affected versions are 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341, and 14.1.x before 14.1.101. CISA due date: May 4, 2026. NVD entry.
The two ransomware-tagged entries: CVE-2023-27351 (CVSS 7.5) in PaperCut NG/MF — authentication bypass in SecurityRequestFilter affecting versions 15.0.0 to 20.1.6, 21.0.0 to 21.2.10, and 22.0.0 to 22.0.8 — and CVE-2024-27199 (CVSS 7.3) in JetBrains TeamCity — path traversal allowing limited admin function access without credentials, versions before 2023.11.4. If you manage print environments or CI/CD pipelines for clients, these two are same-week patches. PaperCut NVD. TeamCity NVD.
Three Cisco Catalyst SD-WAN Manager CVEs (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) are in the same April 20 batch, alongside the Zimbra and Kentico entries covered in Briefs 3 and 9. CVE-2026-20122 carries a CISA compliance deadline of April 23. If you manage SD-WAN Manager deployments, that deadline is today.
Action: Run your vulnerability scanner against the full April 20 KEV batch and flag anything unpatched. Quest KACE's May 4 deadline and the Cisco SD-WAN April 23 deadline are the near-term pressures.
Brief 2 — Fortinet FortiSandbox: two CVSS 9.8 CVEs published April 14
Fortinet published two critical advisories for FortiSandbox on April 14. Both are unauthenticated network-exploitable vulnerabilities.
CVE-2026-39808 (CVSS 9.8): OS command injection via an API endpoint in FortiSandbox 4.4.0 through 4.4.8. Unauthenticated attackers can execute arbitrary commands on the host. NVD entry.
CVE-2026-39813 (CVSS 9.8): Path traversal in the JRPC API enabling unauthenticated privilege escalation. Affects FortiSandbox 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5. NVD entry.
Action: If you run FortiSandbox in your environment or for clients, check your version against the affected ranges. On the 4.4.x branch, both CVEs apply. On the 5.0.x branch, CVE-2026-39813 applies. Patch to the fixed versions per the Fortinet PSIRT advisories. Until patched, ensure the management interface is not internet-reachable.
Brief 3 — Zimbra Collaboration Suite XSS added to KEV (CVE-2025-48700)
CISA added CVE-2025-48700 (CVSS 6.1) in Zimbra Collaboration Suite to KEV on April 20. The vulnerability is a cross-site scripting flaw in Zimbra's Classic UI that triggers when a user views a crafted email — no further user interaction required. Affected versions: 8.8.15, 9.0, 10.0, and 10.1. NVD entry.
Action: If you manage Zimbra deployments on behalf of clients, patch to the fixed release or disable the Classic UI if your users can operate with the modern UI. CISA has confirmed active exploitation.
Product changes
Brief 4 — Entra passkeys reach GA; Backup and Recovery enters public preview
Two significant Entra identity changes landed in the last two weeks.
Synced passkeys are now generally available in Microsoft Entra ID. Synced passkeys are FIDO2-based credentials stored in built-in or third-party passkey providers and synced across a user's devices. Admins manage synced passkeys alongside device-bound passkeys through passkey profiles in the authentication methods policy. Entra What's New.
Microsoft Entra Backup and Recovery is in public preview. It automatically snapshots critical directory objects — users, groups, applications, service principals, managed identities, Conditional Access policies, named locations, and agent IDs — so they can be restored to a known good state. With Entra ID P1 or P2 licenses, one backup is taken daily and retained for five days. Admins can view available snapshots, generate difference reports, and run recovery jobs. This closes a long-standing gap for tenants recovering from accidental bulk deletes or compromised admin accounts.
Action: If you manage tenants on P1 or P2, verify Entra Backup and Recovery is enabled and test the restore process before you need it. For passkeys, update your authentication methods policy to include passkey profiles if you're planning a phishing-resistant MFA rollout.
Brief 5 — Intune Data Warehouse beta connector retirement starts April 20
The Intune Data Warehouse (beta) connector v1 in Power BI is being retired. The transition begins gradually over two weeks starting April 20, 2026. Power BI reports created after November 2025 already use connector v2 and are unaffected. Reports created before November 2025 may still use the beta connector and will lose data access when the transition completes. Intune What's New.
Action: Audit all Power BI reports that pull from Intune Data Warehouse. Reports using the beta connector need to be migrated to the Intune connector v2 or the OData Feed connector before the two-week transition window closes. The transition is gradual, so there is still time if you move this week.
Brief 6 — Teams adds user-facing reporting for suspicious external contacts
Microsoft shipped a Teams change on April 17: users can now report suspicious external users directly inside Teams, alongside the existing block action. The report surfaces in your security operations or admin tooling, giving you visibility when a user encounters what looks like a social engineering attempt. M365 release communications.
Action: Verify the reporting option is enabled in your Teams admin center. Document the reporting workflow for end users — a one-line addition to your security awareness training covers it. The signal is most valuable when the SOC is set up to triage the reports.
Brief 7 — Entra tenant governance relationships enter public preview
Microsoft's new tenant governance relationships feature is in public preview. It allows admins to request and accept tenant governance relationships, which grant the governing tenant admin access and administrative control over the governed tenant. Entra tenant governance overview.
Action: If you manage client tenants today via per-tenant break-glass accounts or legacy DAP, review whether tenant governance relationships in preview fit your access model. The feature provides scoped GDAP-style access with an audit trail in the governed tenant's logs — relevant if clients ask about access control documentation.
Field notes
Brief 8 — North Korean threat actor using fake job candidates to infiltrate organizations
Microsoft's Threat Intelligence team published guidance on April 21 covering a North Korean state-aligned actor they track as Jasper Sleet. The actor scans external-facing career sites and Workday APIs for job postings, fabricates or steals candidate identities, conducts job interviews via email and Teams, signs offer documents through DocuSign, and gains legitimate account access after hire. Post-hire, accounts are operated from known threat-actor infrastructure.
The detection signals: impossible travel alerts on new-hire accounts in the first weeks, Workday hrrecruiting API access from external accounts, and payroll or account modifications from unfamiliar IP addresses. Microsoft Defender for Cloud Apps can be connected to Workday, DocuSign, Zoom, and Cisco Webex to centralize these signals. Microsoft Security Blog, April 21.
Action: If you handle hiring for IT roles at your MSP or for clients, enable Defender for Cloud Apps connectors on your HR SaaS platforms and configure impossible-travel alerting for new-hire accounts in their first 90 days. The detection guidance in the blog post includes specific queries for Workday API access patterns.
Brief 9 — Kentico Xperience path traversal added to KEV (CVE-2025-2749, CVSS 7.2)
CISA added CVE-2025-2749 (CVSS 7.2) in Kentico Xperience to KEV on April 20. The vulnerability allows authenticated users with Staging Sync Server access to upload arbitrary files to path-relative locations, enabling server-side code execution. Affected versions: through 13.0.178. CISA due date: May 4, 2026. NVD entry.
Action: If you host Kentico Xperience CMS for clients, verify the installed version against the affected range and apply the vendor patch.
Brief 10 — Conditional Access Optimization Agent adds phased policy rollout in public preview
The Conditional Access Optimization Agent — part of Microsoft Security Copilot — now supports phased rollout of any report-only Conditional Access policy in public preview. When you initiate a rollout, the agent analyzes sign-in data, recommends a staged deployment plan starting with smaller user groups, and expands automatically as the rollout proceeds. Entra What's New.
Action: If you manage tenants with report-only CA policies that have been sitting unactivated because you're worried about user impact, this feature is the structured path to turning them on. Review your report-only policy list and queue the highest-priority ones for a phased rollout.