Why Patching the Human Firewall Still Matters in 2025
In “Patching the Human Firewall (Volume 1)” we introduced the Combat Hunter Mindset—a disciplined approach that trains employees to spot danger early and react fast on the digital battlefield. The lesson was clear: well‑trained, threat‑aware, and vigilant users often make the difference between a near miss and a full‑blown breach. Like software firewalls, people also need regular “patches.” In practice, a patch is new knowledge: understanding the latest attack techniques and knowing how to recognize them on sight. Every update sharpens vigilance and shortens an attacker’s window of opportunity. In this second volume we focus on two social‑engineering threats that still slip past the strongest technical controls:
- Business Email Compromise (BEC) / Vendor Email Compromise (VEC)
- Microsoft Teams Phishing and Vishing
Threat #1: Business Email Compromise (BEC) and Vendor Email Compromise (VEC)
It often takes a painful, high-impact event to fully appreciate just how damaging a Business Email Compromise (BEC) or Vendor Email Compromise (VEC) attack can be. Earlier this year, a U.S.-based minerals company experienced this firsthand. On Valentine’s Day, cybercriminals successfully infiltrated their systems and diverted a $500,000 vendor payment—a transaction the company only caught after the fact. From a threat intelligence standpoint, this was a textbook BEC/VEC attack. It didn’t involve advanced malware or complex exploits—just careful reconnaissance, credible impersonation, and a lapse in verification. The attack was effective, fast, and alarmingly easy to execute. That’s the true danger of BEC/VEC: they bypass technology by targeting people and processes. Even organizations with world-class email security can fall victim if procedural safeguards aren’t in place. These attacks exploit trust, familiarity, and routine—areas where technical defenses alone aren’t enough.
The Real Solution Isn’t Technical—It’s Procedural
While the instinct might be to layer on more email filters or advanced threat detection, those measures alone won’t solve the problem. Preventing BEC/VEC requires simple, consistent operational discipline backed by user awareness and training. Ask yourself:
- Do we have clear verification procedures in place for vendor account or payment detail changes?
- Do our teams call the vendor to confirm changes before updating payment instructions?
- Are employees trained to spot lookalike domains and typo-squatted URLs?
- Do they know how to identify legitimate business email addresses versus spoofed ones from services like Gmail or Yahoo?
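As an added example (not code from the original article), a small Python triage check for the sender domain of a payment-detail change request, separating exact allowlist matches from free-mail senders and lookalike or typo-squatted domains; the vendor domains, free-mail list and substitution table are constructed assumptions:

```python
# Added example (not from the original article): triage the sender of a vendor
# payment-change request against a constructed vendor allowlist, separating exact
# matches from free-mail senders and lookalike or typo-squatted domains.

# Constructed sample values, not real vendors.
KNOWN_VENDOR_DOMAINS = {"acme-minerals.com", "northwind-logistics.com"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Substitutions commonly used to build lookalike domains: digits for letters,
# "rn" for "m", "vv" for "w". Both sides are normalised, so equality after
# normalisation means "reads the same to a hurried eye".
DIGIT_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalize(domain: str) -> str:
    return domain.lower().translate(DIGIT_MAP).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values catch typo-squats such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str) -> str:
    """Return 'trusted', 'freemail', 'lookalike' or 'unknown' for a sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in KNOWN_VENDOR_DOMAINS:
        return "trusted"
    if domain in FREEMAIL_DOMAINS:
        return "freemail"
    for vendor in KNOWN_VENDOR_DOMAINS:
        if normalize(domain) == normalize(vendor) or edit_distance(domain, vendor) <= 2:
            return "lookalike"
    return "unknown"
```

A “trusted” result only means the domain matches the allowlist; the call-back to a known vendor phone number still decides whether the change is applied.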
Threat #2: Microsoft Teams Phishing and Vishing Attacks
As organizations continue to rely on collaboration platforms like Microsoft Teams, threat actors are shifting their tactics accordingly. Recent intelligence from Trustwave’s Black Basta Leak Logs reveals a significant uptick in the abuse of Microsoft Teams—particularly by the threat group known as Storm‑1811 (also known as Curly Spider, G1046 or STAC5777). These attacks aren’t theoretical—they’re active, scalable, and increasingly effective.
Mapping and Verification of Targets
Storm-1811 begins by using publicly available tools like TeamsEnum to scan for and identify Microsoft Teams users. The goal: verify which email addresses are tied to active Microsoft 365 tenants. This process allows attackers to:
- Validate stolen credentials against real, active Teams accounts
- Build tailored target lists for phishing campaigns
- Increase their chances of a successful takeover by matching known email/password pairs with legitimate corporate environments
Establishing Initial Access
Next, the threat actors acquire access by creating fresh Microsoft 365 tenants or buying compromised accounts from Initial Access Brokers on Dark‑Web “access‑as‑a‑service” markets. With a pool of valid identities in hand, they move to the phishing phase.
Launching the Phish
Storm-1811 then leverages publicly available tools like TeamsPhisher—an open‑source script that sends messages (and file attachments) to external tenants while sidestepping standard security controls. The tool exploits a default Teams feature that allows external messaging with attachments, making it easy to deliver malicious payloads directly into a user’s chat window. This tactic allows attackers to:
- Bypass traditional email security controls
- Land malware or payloads directly into a chat window
- Impersonate internal IT or support personnel using deceptive display names like “Help Desk” or “Support Team”
Why It Works—and Why It’s Dangerous
This attack chain requires only one valid Microsoft Teams account, basic reconnaissance, and freely available tools. Here’s how it works.
- Email Bombing (Spam Bomb) – Attackers flood the victim’s inbox with dozens of newsletters and junk emails. This will undoubtedly get the targeted user’s attention.
- Initial Contact (Impersonated Support) – Shortly after, the user gets a phone call or Microsoft Teams chat from an external account labeled “Help Desk,” “Support Team,” or even the name of an internal colleague.
- Social Engineering (Fake Tech‑Support) – During the call or chat, the attacker claims a technical issue needs urgent attention and instructs the user either to open Microsoft Quick Assist and enter a remote‑access code, or to install Remote Monitoring & Management (RMM) software such as AnyDesk, ScreenConnect, or Zoho Assist.
- Remote Access Established – Once connected, the attacker runs scripts that link the machine to their command‑and‑control (C2) server and quietly downloads malware camouflaged as legitimate software.
- Persistence and Lateral Movement – With a backdoor in place, the intruder harvests credentials, explores the network, and deploys post‑exploitation tools like Cobalt Strike.
- Payload Delivery (Ransomware) – Finally, the attacker launches Black Basta or Cactus ransomware, encrypting systems and demanding payment.
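The chain above is a correlation opportunity for the SOC: a mail bomb, then an external Teams chat from a “support”-style display name, then a Quick Assist or RMM launch on the same user’s machine. The Python below is an added example, not code from the original article or from any vendor; the event schema, thresholds and sample telemetry are constructed assumptions.

```python
# Added example (not from the original article): correlate the Storm-1811 chain above
# (mail bomb -> external "support" chat -> Quick Assist/RMM) over constructed telemetry.
from collections import defaultdict
from datetime import datetime, timedelta

SUPPORT_NAMES = ("help desk", "helpdesk", "support team", "it support")
REMOTE_TOOLS = ("quickassist.exe", "anydesk.exe", "screenconnect", "zohoassist")
MAIL_BURST_COUNT, MAIL_BURST_WINDOW = 20, timedelta(minutes=10)  # assumed thresholds
FOLLOW_WINDOW = timedelta(minutes=60)  # assumed max gap between consecutive stages

def build_sample_events():
    """Constructed telemetry: 40 junk mails in 4 min, an external "Help Desk" chat, then Quick Assist."""
    base = datetime.fromisoformat("2025-03-03T09:00:00")
    ev = [{"t": base + timedelta(seconds=6 * i), "user": "jdoe", "type": "mail_in"}
          for i in range(40)]
    ev.append({"t": base + timedelta(minutes=12), "user": "jdoe", "type": "teams_msg",
               "external": True, "display_name": "Help Desk"})
    ev.append({"t": base + timedelta(minutes=20), "user": "jdoe", "type": "process_start",
               "image": r"C:\Windows\System32\quickassist.exe"})
    return ev

def mail_burst_end(times):
    """Time at which MAIL_BURST_COUNT mails have landed inside MAIL_BURST_WINDOW, else None."""
    for i in range(len(times) - MAIL_BURST_COUNT + 1):
        if times[i + MAIL_BURST_COUNT - 1] - times[i] <= MAIL_BURST_WINDOW:
            return times[i + MAIL_BURST_COUNT - 1]
    return None

def correlate(events):
    """Map user -> furthest stage: 1 mail bomb, 2 impersonated-support chat, 3 remote tool."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        burst = mail_burst_end([e["t"] for e in evs if e["type"] == "mail_in"])
        if burst is None:
            continue  # no mail bomb, so the chain described above has not started
        findings[user] = 1
        chat = next((e["t"] for e in evs if e["type"] == "teams_msg" and e.get("external")
                     and any(k in e["display_name"].lower() for k in SUPPORT_NAMES)
                     and burst <= e["t"] <= burst + FOLLOW_WINDOW), None)
        if chat is None:
            continue
        findings[user] = 2
        if any(e["type"] == "process_start" and chat <= e["t"] <= chat + FOLLOW_WINDOW
               and any(k in e["image"].lower() for k in REMOTE_TOOLS) for e in evs):
            findings[user] = 3
    return findings
```

Stage 1 alone is worth a low-priority ticket; stage 2 within the follow window is the moment to call the user on a known number, before any remote-access code is typed.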
Strengthening the Human Firewall: User Guidelines and Proactive Defense
In high-velocity attacks like those executed by Storm-1811, breakout time matters. Once an attacker makes live contact, they can pivot deeper into the network in as little as four minutes, according to the 2025 CrowdStrike Global Threat Report. That means your users—your Human Firewall—must be trained and prepared to respond instantly.
- No third‑party phone support. If someone calls claiming to be IT, hang up and call your internal help desk.
- Ignore unsolicited Teams “support” chats. External offers of technical help are a red flag.
- Never grant Quick Assist or RMM access to anyone outside the organization’s security team.
- Report suspicious contact immediately. Storm‑1811 and similar crews rarely target just one person; early reporting protects everyone.
Proactive Defenses: How to Shrink the Attack Window
These preventive controls don’t just slow attackers down—they break their playbook. By removing their shortcuts and limiting their ability to escalate, you give your SOC, security team, and tooling time to detect, respond, and contain the threat.
- Disable Microsoft Quick Assist (If Not Business-Critical): If your organization doesn’t rely on Quick Assist, turn it off tenant‑wide. Removing this built‑in remote‑access tool forces attackers to jump through extra hoops, buying your security team valuable time.
- Harden the Microsoft Security Stack: To get the most from Microsoft’s security stack, start by enabling Attack Surface Reduction (ASR) rules in Microsoft Defender for Endpoint (MDE) to block process creation by commonly abused tools. Add custom MDE rules that explicitly deny execution of unused remote‑monitoring binaries such as splashtop.exe or anydesk.exe.
- Leverage Intune and Defender for Cloud Apps: Utilize Intune to restrict software installation to pre‑approved applications, and use Defender for Cloud Apps to block access to websites that host unauthorized remote‑management software. Together, these controls shut down the most popular RMM pathways attackers rely on.
- Lock Down Microsoft Teams: Limit external chats and file sharing to trusted domains, apply Microsoft’s recommended security settings for meetings, guests, and external access, and routinely review Teams policies so new features don’t reopen old gaps. For detailed guidance, consult Microsoft’s best‑practice documentation on securing external meetings and chats.