
Threat actor using vishing, MS QuickAssist and Teams can potentially drop ransomware


A threat actor using a combination of AI-powered vishing, the more conventional remote access tool Microsoft Quick Assist, and living-off-the-land techniques has demonstrated how a simple vishing attack can escalate into a full compromise.

In an April 1 blog post, researchers from Ontinue reported that the techniques observed in this recent campaign align with those previously attributed to Storm-1811, a threat actor tracked by Microsoft and known for leveraging vishing, MS Quick Assist, and social engineering via MS Teams to gain network access.

SC Media first reported on this group last May, when the group was observed abusing Quick Assist to deploy the Black Basta ransomware.

The Ontinue researchers said that while they cannot confirm the Storm-1811 connection with high confidence, several tactics, techniques and procedures (TTPs) suggest “possible” tradecraft similarities to Storm-1811, including:

  • Abuse of a legitimate remote support tool such as Quick Assist.
  • Initial access via Microsoft Teams social engineering.
  • Deployment of signed binaries for DLL sideloading.
  • Use of living-off-the-land binaries and BITS jobs for stealth and persistence.

“This multi-stage attack still poses a risk to organizations,” said Rhys Downing, a threat researcher at Ontinue. “The techniques used, like signed binary, sideloading and living-off-the-land tools are stealthy and can bypass traditional defenses if not properly monitored. A successful attack could lead to data theft, persistent access, or deployment of ransomware. This multi-stage attack is particularly dangerous because it blends into legitimate activity, making detection harder.”
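As an added illustration of how the tradecraft listed above can be monitored for (example code, not from Ontinue or the article): a small Python correlation over constructed sample telemetry that flags BITS tooling launched on a host shortly after a Quick Assist session, and a signed binary loading a DLL from a user-writable path. The event schema, process names, paths and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for illustration only; the field names are an
# assumed normalised schema, not any vendor's real log format.
SAMPLE_EVENTS = [
    {"ts": "2025-04-01T09:00:00", "host": "WS01", "kind": "process_start",
     "image": "QuickAssist.exe", "parent": "explorer.exe"},
    {"ts": "2025-04-01T09:12:00", "host": "WS01", "kind": "process_start",
     "image": "bitsadmin.exe", "parent": "cmd.exe"},
    {"ts": "2025-04-01T09:15:00", "host": "WS01", "kind": "image_load",
     "image": "SignedVendorTool.exe", "signed": True,
     "module": r"C:\Users\alice\AppData\Local\Temp\helper.dll"},
    # WS02: BITS activity with no preceding remote-support session (benign here)
    {"ts": "2025-04-01T14:00:00", "host": "WS02", "kind": "process_start",
     "image": "bitsadmin.exe", "parent": "svchost.exe"},
    {"ts": "2025-04-01T14:05:00", "host": "WS02", "kind": "image_load",
     "image": "notepad.exe", "signed": True,
     "module": r"C:\Windows\System32\comctl32.dll"},
]

# Assumed indicators: path fragments a standard user can write to, the BITS
# command-line tool, and the Quick Assist process name.
USER_WRITABLE = ("\\users\\", "\\temp\\")
BITS_TOOLS = {"bitsadmin.exe"}
REMOTE_SUPPORT = {"quickassist.exe"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_suspicious(events, window=timedelta(minutes=30)):
    """Return (host, rule, detail) tuples for the two patterns above."""
    events = sorted(events, key=_ts)
    hits = []
    # Rule 1: BITS tooling started within `window` after a Quick Assist
    # session on the same host (remote support followed by persistence setup).
    for e in events:
        if e["kind"] != "process_start" or e["image"].lower() not in BITS_TOOLS:
            continue
        for prior in events:
            if (prior["host"] == e["host"] and prior["kind"] == "process_start"
                    and prior["image"].lower() in REMOTE_SUPPORT
                    and timedelta(0) <= _ts(e) - _ts(prior) <= window):
                hits.append((e["host"], "bits_after_remote_support", e["image"]))
                break
    # Rule 2: a signed binary loading a DLL from a user-writable location,
    # the shape a DLL sideload typically takes.
    for e in events:
        if e["kind"] == "image_load" and e.get("signed"):
            if any(seg in e["module"].lower() for seg in USER_WRITABLE):
                hits.append((e["host"], "dll_sideload_candidate", e["module"]))
    return hits
```

Both rules are heuristics and will need tuning against an environment's own baseline of legitimate Quick Assist and BITS use.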

J. Stephen Kowski, Field CTO at SlashNext Email Security, explained that the Ontinue research once again demonstrates how threat actors are getting more creative with AI-powered voice cloning to trick users. Kowski said real-time scanning across all communication channels, not just email, is essential because these attacks often start with social engineering before deploying malicious tools, such as sideloaded DLLs.

“Advanced protection that combines computer vision, natural language processing, and behavioral analysis can identify these sophisticated attacks even when they use legitimate-looking tools or QR codes,” said Kowski. “Organizations need tools that can detect suspicious patterns in messages, voice communications, and links with extreme accuracy to stop these threats before users get tricked into granting remote access.”

T. Frank Downs, senior director of proactive services at BlueVoyant, pointed out that the recent attack allegedly connected to Storm-1811 underscores the reality that AI efficiencies and coordination can be as beneficial to online attackers as they are to businesses.

“The Storm-1811 attack involved leveraging legitimate remote support tools like Quick Assist and using social engineering to gain initial access,” said Downs. “AI can help detect unusual usage patterns of such tools, providing early alerts that could prevent unauthorized access. By implementing AI-driven monitoring, organizations can identify suspicious activities that deviate from normal operations and act swiftly to mitigate risks.”
