Tags: Threat Intelligence, Ransomware, Social Engineering. Published June 2026.

Storm-1811 + Black Basta: When Your IT Help Desk Becomes a Backdoor

Email bomb. Teams call. Quick Assist screen share. Black Basta ransomware. The Storm-1811 playbook turns the most trusted interaction in your business (a help-desk call) into the kill chain. Here is the attack in detail and what to disable in your tenant today.

Corey White
CEO & Founder, Cyvatar

In May 2024, Microsoft Threat Intelligence published an advisory on an actor they track as Storm-1811. The group runs a social-engineering chain that ends in Black Basta ransomware. Two years later the playbook is still landing, because most organizations have not closed the two doors it walks through: Microsoft Teams external chat, and the Quick Assist remote-help tool that ships with every modern Windows install.

This one is worth understanding because it does not look like a ransomware attack until the encryption starts. Until that moment it looks like a customer-service problem.

The Attack in 90 Seconds

Storm-1811 starts by flooding the target user's inbox with thousands of legitimate subscription confirmations. The target sees their inbox melt. Within minutes, "IT support" calls (or messages on Microsoft Teams) offering to help with the email problem. The user accepts. The attacker walks them through opening Quick Assist (or installing AnyDesk, ScreenConnect, or TeamViewer), gets remote control, and within hours drops Black Basta ransomware across the network.

From the user's perspective, this is an ordinary "IT helped me with a problem" interaction. From a security tool's perspective, the activity is legitimate Microsoft Teams traffic, legitimate Quick Assist usage, and legitimate PsExec execution. The attacker never sends a phishing email. They never deliver a malicious attachment. The malicious payload arrives over a screen-share session the user consented to.

Why this matters

Every step until the ransomware payload uses Microsoft-supported features for their intended purpose. There is no malware to block, no link to flag, no anomalous network flow to alert on. Detection has to happen at the policy and configuration layer, not the runtime layer.

The Full Kill Chain

The Storm-1811 attack has six stages. Each one is observable in retrospect, but only stage 6 trips a traditional alert.

Stage 1: Email Bombing

The attacker signs the target's email address up for thousands of newsletters and account-confirmation emails using public sign-up forms. Within 20 to 30 minutes, the user's inbox is unusable. The intent is not delivery (none of those messages are malicious). The intent is creating panic and a plausible reason to call IT.

Stage 2: First Contact

While the bombing is in progress, the attacker contacts the user. By phone, by Microsoft Teams external chat, or both. Microsoft observed Storm-1811 specifically using Teams to call target users from rogue Entra ID tenants designed to look like internal IT (display names like "IT Support" or "Help Desk Admin"). External federation in M365 is on by default, so this works against most organizations without any prior access.

Stage 3: The Cover Story

The attacker tells the user there is an email problem they can help with. They offer to remote in and clean it up. They sound technical, they sound calm, and they reference the user's actual symptoms (the spam flood). The user is in pain. The attacker is offering to fix it. Most people accept.

Stage 4: Remote-Access Tool

The attacker walks the user through opening Quick Assist (built into Windows since version 1607) or downloading a "support tool" that is actually AnyDesk, ScreenConnect, or NetSupport Manager. None of these are malware. They are legitimate remote-management products. They will not be blocked by EDR. They will not trigger a SmartScreen warning. The user grants access voluntarily.

Stage 5: Hands on Keyboard

Now the attacker has interactive control of the user's workstation. They typically run a few rapid commands: enumerate the local network, check for domain credentials, download a second-stage loader. Microsoft has observed Storm-1811 pulling down Qakbot, Cobalt Strike, and other loaders at this stage. None of them are launched as standalone files; they are run inside the legitimate remote-control session.

Stage 6: Ransomware Deployment

From there, Storm-1811 typically pivots to PsExec to push Black Basta across the domain. This is the first stage that produces traditional indicators (Cobalt Strike beacons, PsExec executions, file-encryption activity). By the time these light up your SIEM, the dwell time has already been long enough to map the environment, find domain admins, disable backups, and prepare extortion.

Why Defenses Miss It

Walk this through the standard control stack:

The gap is structural. Storm-1811 exploits the trust your users place in IT, and the configuration defaults Microsoft ships for Teams external collaboration and Quick Assist availability.

What to Disable in Your Tenant Today

The highest-leverage controls, ranked:

  1. Restrict Microsoft Teams external communication. In Teams Admin Center, set external access to either Block-by-default or Allow-by-domain-allowlist. Do not leave external chat and calls open to any Microsoft tenant. Most organizations only need to federate with a known handful of partners.
  2. Remove Quick Assist by policy on workstations that do not need it. Use Intune or Group Policy to uninstall or block it. For workstations where your real help desk uses Quick Assist, restrict it to authenticated sessions initiated by named admin accounts only.
  3. Block uncommon RMM tools at the proxy. If your organization does not use AnyDesk, ScreenConnect, NetSupport, TeamViewer, or LogMeIn, block their installer domains and executable signatures. Allowlist the one tool your real IT team uses.
  4. Tier your administrative accounts. A normal user account should not be a path to PsExec across the domain. Implement tiered admin, Local Administrator Password Solution (LAPS), and Privileged Identity Management. Even if Stage 5 succeeds, Stage 6 should not.
  5. Alert on Quick Assist sessions involving privileged users. Microsoft has added Defender for Endpoint detections for suspicious Quick Assist usage patterns. Make sure those rules are enabled and routed to your SOC, not buried in the dashboard.
  6. Hunt for ScreenConnect and AnyDesk processes on every workstation weekly. If your IT team does not deploy them, any installation is by definition suspicious.
  7. Internal IT call-back protocol. Your real help desk should have a known callback number. Train every employee: if "IT" calls you out of the blue and asks for remote access, hang up, call IT yourself using the number on your intranet. Make this a written, drilled procedure.
  8. Defend against email bombing. Make sure your inbound mail gateway can rate-limit or quarantine sudden bulk-subscription floods to the same recipient. Several vendors now offer specific anti-bombing rules. The bomb is the precursor to the call.
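The PowerShell below is an added illustration of items 1, 2, 5 and 6 in the list above; it is not code from the original post or from Cyvatar. It assumes the MicrosoftTeams module and a Teams administrator role for the tenant step, local administrator rights on the workstation for the endpoint steps, the RSAT ActiveDirectory module and "Audit Process Creation" (Security event 4688) enabled for the privileged-user check. The partner domain names, the privileged-group name and the list of RMM executable names are placeholders and assumptions to adapt to your own environment.

```powershell
# Added example: tenant and endpoint hardening for items 1, 2, 5 and 6 of the list above.
# Not code from the original post or from Cyvatar. Domain names, the group name and the
# RMM process names below are placeholders / assumptions to adapt to your environment.

# --- Item 1: Teams external access by domain allowlist (MicrosoftTeams module) ---
function Set-TeamsExternalAccessAllowlist {
    param([Parameter(Mandatory)][string[]]$PartnerDomains)
    Import-Module MicrosoftTeams
    Connect-MicrosoftTeams | Out-Null
    # Only the listed tenants may chat with or call our users; consumer Teams and Skype
    # accounts are cut off entirely. A rogue "IT Support" tenant falls outside this list.
    $patterns  = $PartnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
    Set-CsTenantFederationConfiguration -AllowedDomains $allowList `
        -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false -AllowPublicUsers $false
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowPublicUsers
}

# --- Item 2: remove Quick Assist from a workstation that does not need it ---
function Remove-QuickAssist {
    # Store-delivered build (Windows 11 and current Windows 10): remove it for every
    # profile and stop it being provisioned into new profiles.
    Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' |
        Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue
    Get-AppxProvisionedPackage -Online |
        Where-Object DisplayName -eq 'MicrosoftCorporationII.QuickAssist' |
        Remove-AppxProvisionedPackage -Online
    # Feature-on-Demand build (the version built in since 1607).
    Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' |
        Where-Object State -eq 'Installed' |
        Remove-WindowsCapability -Online
}

# --- Item 6: hunt for RMM client processes your IT team did not deploy ---
function Find-UnexpectedRmmProcesses {
    param([string[]]$ApprovedTools = @())   # e.g. 'TeamViewer' if that is your sanctioned tool
    # Executable names commonly used by the products named in the post (assumption: confirm
    # against your own software inventory, since vendors rename binaries between versions).
    $rmmNames = 'AnyDesk', 'ScreenConnect.ClientService', 'ScreenConnect.WindowsClient',
                'client32', 'TeamViewer', 'TeamViewer_Service', 'LogMeIn'
    $watch = $rmmNames | Where-Object { $ApprovedTools -notcontains $_ }
    Get-Process -IncludeUserName -ErrorAction SilentlyContinue |
        Where-Object { $watch -contains $_.ProcessName } |
        Select-Object ProcessName, Id, UserName, Path, StartTime
}

# --- Item 5: Quick Assist launched under a privileged account (Security event 4688) ---
function Get-PrivilegedQuickAssistLaunches {
    param([string]$PrivilegedGroup = 'Domain Admins', [int]$Days = 7)
    # Needs the RSAT ActiveDirectory module and "Audit Process Creation" enabled on the host.
    $privileged = Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
                  Select-Object -ExpandProperty SamAccountName
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a name/value table.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.NewProcessName -match '\\QuickAssist\.exe$' -and
            $privileged -contains $data.SubjectUserName) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $data.SubjectUserName
                Process = $data.NewProcessName
                Parent  = $data.ParentProcessName
            }
        }
    }
}

# Usage (tenant step from an admin workstation, the other three on the endpoint):
# Set-TeamsExternalAccessAllowlist -PartnerDomains 'partner-a.example', 'partner-b.example'
# Remove-QuickAssist
# Find-UnexpectedRmmProcesses -ApprovedTools 'TeamViewer'
# Get-PrivilegedQuickAssistLaunches -PrivilegedGroup 'Domain Admins' -Days 7
```

The allowlist function is the "Allow-by-domain-allowlist" option from item 1; for the "Block-by-default" option, run `Set-CsTenantFederationConfiguration -AllowFederatedUsers $false` instead. The two hunting functions are meant to be scheduled (item 6 suggests weekly) and their output routed to the SOC rather than reviewed ad hoc; any hit from Find-UnexpectedRmmProcesses on a host where IT does not use that tool is, as the post says, suspicious by definition.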

Key Point

You cannot block Storm-1811 at the endpoint without breaking legitimate tools your IT team needs. The defense has to be configuration: who can call your users on Teams, which RMM products are allowed, who can elevate to admin, and what your real IT help-desk process looks like in writing.

What Cyvatar's Free Scan Tells You

Run Am I Exposed? against your domain. The exposure scan will tell you, from the outside, two of the precondition signals Storm-1811 looks for:

The scan cannot read inside your tenant, so it cannot tell you Quick Assist is enabled or which RMM tools you allow. That part requires authenticated access. But the external signals are enough to know whether an attacker would put your organization on the target list.

The Pattern, Two Years On

Storm-1811 was the first widely publicized attack chain that fully weaponized Microsoft's default-permissive collaboration features. It will not be the last. Microsoft disclosed Storm-2949 in May 2026, using a similar pattern (vishing plus a native Microsoft feature, in that case Self-Service Password Reset) to take over privileged cloud identities without dropping any malware.

The defensive lesson is the same in both cases. The endpoint is no longer where the attack lives. The control plane is. Your tenant configuration, your federation policy, your privileged-role model, and your written help-desk process are now front-line security controls. They used to be IT hygiene. In 2026, they are the difference between a quiet Tuesday and a ransomware press release.

See What an Attacker Sees

Cyvatar's free external scan checks Teams federation discoverability, email security posture, and 18 other signals an attacker uses to decide whether your organization is a soft target. Takes about 30 seconds.

