A new wave of cyberattacks leveraging browser extensions and trusted system tools has emerged as a critical threat to enterprise security. Over the past six months, threat actors have refined techniques to deliver malware through deceptive browser add-ons and to abuse built-in Microsoft utilities such as Quick Assist. These attacks bypass traditional security controls by exploiting user behavior and legitimate software functionality, creating persistent backdoors that survive even system remediation efforts.

The malware campaign employs malicious browser extensions, often distributed through compromised Chrome Web Store listings or malvertising redirects. Once installed, these extensions embed themselves within user profiles, enabling threat actors to steal credentials, session cookies, and sensitive data. Crucially, the extensions survive system reimaging, because victims frequently reintroduce infected browser profiles during device recovery. Ontinue analysts identified that attackers pair these extensions with social engineering tactics to execute malicious PowerShell commands. In one prevalent malvertising scheme, users are redirected to fake verification pages instructing them to press Windows + R and paste obfuscated PowerShell code. Post-compromise, adversaries frequently install browser extensions to maintain access or exfiltrate data.

A notable aspect of these attacks is the abuse of Microsoft’s Quick Assist tool to establish covert remote access. Quick Assist is a preinstalled Windows application designed for remote troubleshooting; in these attacks, victims are persuaded to share a six-digit verification code with attackers posing as IT support personnel. Ontinue researchers noted that adversaries combine this tactic with “spam bomb” campaigns, in which victims receive hundreds of phishing emails that bury legitimate communications. Overwhelmed users are then coerced into contacting fake support hotlines, where attackers guide them through enabling Quick Assist sessions. Once granted access, threat actors disable security tools, manipulate registry keys for persistence, and deploy malware.

Unlike third-party tools, Quick Assist bypasses endpoint detection rules due to its Microsoft-signed origin. This grants attackers an operational advantage, as security teams often prioritize monitoring of less common remote access software. The misuse of Quick Assist highlights a broader trend of weaponizing trusted applications.

Mitigation strategies include disabling Quick Assist via Group Policy in enterprise environments and auditing browser extensions for unauthorized or suspicious permissions. As attackers evolve their abuse of legitimate tools, continuous monitoring and user education remain vital to countering these threats.
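The extension audit recommended above, as an added PowerShell example that is not from the article or from Ontinue: it reads every Chromium manifest.json under each local user profile and flags the permissions an extension needs for the cookie and credential theft described, then checks whether the Quick Assist package is still present. The risky-permission list, the profile paths and the Quick Assist package name are assumptions.

```powershell
# Added example, not the article's or Ontinue's code. Run from an elevated prompt
# so that every profile under C:\Users is readable. The permissions and host
# patterns treated as high-risk are an assumption: they are what an extension
# needs to read cookies, credentials and page content across sites.
$RiskyPermissions = @('cookies', 'webRequest', 'webRequestBlocking', 'nativeMessaging',
                      'history', 'tabs', 'clipboardRead', 'debugger', 'management', 'proxy')
$RiskyHosts = @('<all_urls>', '*://*/*', 'http://*/*', 'https://*/*')

# Chromium browsers keep extensions at <profile>\Extensions\<id>\<version>\manifest.json
$ExtensionGlobs = @(
    'AppData\Local\Google\Chrome\User Data\*\Extensions\*\*\manifest.json',
    'AppData\Local\Microsoft\Edge\User Data\*\Extensions\*\*\manifest.json'
)

$Findings = foreach ($UserDir in Get-ChildItem 'C:\Users' -Directory) {
    foreach ($Glob in $ExtensionGlobs) {
        $Browser = if ($Glob -like '*Chrome*') { 'Chrome' } else { 'Edge' }
        $Manifests = Get-ChildItem -Path (Join-Path $UserDir.FullName $Glob) -ErrorAction SilentlyContinue
        foreach ($Manifest in $Manifests) {
            try   { $Json = Get-Content -Path $Manifest.FullName -Raw | ConvertFrom-Json }
            catch { continue }   # skip a malformed manifest instead of aborting the audit
            # Manifest V2 lists host patterns under "permissions"; V3 moves them to
            # "host_permissions". Content scripts declare their own "matches".
            $Declared = @($Json.permissions) + @($Json.host_permissions) +
                        @($Json.content_scripts | ForEach-Object { $_.matches })
            $Hits = $Declared | Where-Object { $_ -is [string] } |
                    Where-Object { $_ -in $RiskyPermissions -or $_ -in $RiskyHosts } |
                    Sort-Object -Unique
            if ($Hits) {
                [pscustomobject]@{
                    User        = $UserDir.Name
                    Browser     = $Browser
                    ExtensionId = $Manifest.Directory.Parent.Name
                    Name        = $Json.name
                    Version     = $Json.version
                    RiskyPerms  = $Hits -join ', '
                }
            }
        }
    }
}

# Compare the flagged extensions against the organization's extension allow-list.
$Findings | Sort-Object User, Browser, Name | Format-Table -AutoSize

# Inventory check (assumed Store package name) to verify on each host that the
# policy removing or blocking Quick Assist has actually taken effect.
Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' |
    Select-Object Name, Version, PackageFullName
```

Extensions flagged here are candidates for review, not confirmed malicious; a password manager legitimately needs many of the same permissions, which is why the output should be reconciled with an allow-list rather than acted on blindly.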
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 25 Mar 2025 15:30:09 +0000