Kill Chain at a Glance
Microsoft's May 2024 advisory on Storm-1811 described a chain that begins outside email entirely and ends in a Black Basta payload:
1. Email flooding. The target's inbox is filled with thousands of legitimate-but-unwanted newsletter and confirmation emails over a short window.
2. Vishing. A phone call arrives shortly after, with the caller posing as the target's IT help desk offering to "fix" the email storm.
3. Microsoft Teams external chat. The caller sends a Teams chat invitation from an external tenant configured to look like a help-desk persona.
4. Quick Assist remote control. The caller walks the target through accepting a Quick Assist remote-control session.
5. Credential and token harvesting. Once in control, the operator collects credentials, browser session cookies, and any reachable identity-provider sessions.
6. Black Basta deployment. Per Microsoft's reporting and corroborating Sophos and Rapid7 writeups, the chain has consistently terminated in Black Basta ransomware deployment.
Step-by-Step Walkthrough
**Email flooding** is the social pretext. The target wakes up to an inbox full of legitimate confirmation emails — list signups, password resets, marketing newsletters — generated by submitting their address to thousands of public mailing lists. The emails themselves are real and pass DMARC, so a secure email gateway sees nothing wrong.
**The vishing call** arrives within minutes. The caller already knows the target's name, organization, and the fact that they are looking at an inbox storm. The caller's pretext is help-desk recovery: "I see we're getting reports about email issues; let me help you contain it." The caller does not need to convince the target that something is wrong — the inbox storm has done that.
**The Teams chat** is the delivery vector for the remote-control invitation. Microsoft Teams external chat, when enabled with default settings, allows any external Microsoft 365 tenant to message any user in the organization. Storm-1811 used this to deliver the next-step instructions from a tenant configured with a help-desk display name and avatar.
**Quick Assist** is built into Windows. When invited, it opens a remote-control session keyed to a six-digit code shared by the caller. From the target's point of view, they have called IT and IT is helping them. The session grants the operator full interactive control of the desktop.
**Credential and token harvesting** uses the live session. The operator opens the browser, exports cookies, dumps credentials cached in browser-managed password stores, and takes anything else within reach. Where Outlook or Teams are signed in, the operator pivots to those identities directly.
**Black Basta deployment** has been the documented terminal step in the chain across Microsoft, Sophos, and Rapid7 writeups. The deployment occurs from the same Quick Assist session.
Telemetry Per Step
The email flood is visible at the gateway and mail-transport layer as an unusual rate of inbound messages to a single user from heterogeneous senders. Most secure email gateways do not alert on this pattern by default.
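The rate pattern described above can be checked against a message-trace export. The following is an added example, not code from Microsoft, any gateway vendor or the advisory; the pipe-separated trace format, the window length and both thresholds are assumptions, and the sample trace is constructed.

```python
"""Email-flood detector over message-trace style records.

Flags a recipient that receives an unusual burst of inbound mail from many
unrelated sender domains inside a short window, the "heterogeneous senders"
pattern that a gateway sees but rarely alerts on by default.
Log format, field names and thresholds are assumptions, not a vendor schema.
"""
from collections import deque, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)      # sliding window length (assumption)
MIN_MESSAGES = 50                   # burst size abnormal for one user (assumption)
MIN_DISTINCT_DOMAINS = 30           # many unrelated sender domains (assumption)


def parse_trace_line(line):
    """Parse 'ISO-timestamp|recipient|sender|subject' (constructed format)."""
    ts, rcpt, sender, subject = line.rstrip("\n").split("|", 3)
    return {
        "ts": datetime.fromisoformat(ts),
        "rcpt": rcpt.lower(),
        "domain": sender.rsplit("@", 1)[-1].lower(),
        "subject": subject,
    }


def detect_email_flood(lines, window=WINDOW, min_messages=MIN_MESSAGES,
                       min_domains=MIN_DISTINCT_DOMAINS):
    """Return {recipient: (msg_count, distinct_domains, window_start, window_end)}
    for every recipient whose sliding window exceeds both thresholds.
    Lines must be in timestamp order, as a trace export is."""
    windows = defaultdict(deque)   # recipient -> deque of (ts, domain) in window
    alerts = {}
    for rec in map(parse_trace_line, lines):
        q = windows[rec["rcpt"]]
        q.append((rec["ts"], rec["domain"]))
        # evict events that have fallen out of the window
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        domains = {d for _, d in q}
        if len(q) >= min_messages and len(domains) >= min_domains:
            prev = alerts.get(rec["rcpt"])
            # keep the largest burst observed for this recipient
            if prev is None or len(q) > prev[0]:
                alerts[rec["rcpt"]] = (len(q), len(domains), q[0][0], rec["ts"])
    return alerts


def build_sample_trace():
    """Constructed sample: a 60-message flood to one user in under six minutes
    from 50 distinct list domains, plus ordinary mail to a second user."""
    start = datetime(2024, 5, 15, 8, 0, 0)
    lines = []
    for i in range(60):
        ts = start + timedelta(seconds=6 * i)
        lines.append(f"{ts.isoformat()}|alice@example.test|"
                     f"noreply@list{i % 50}.example|Confirm your subscription")
    for i in range(5):
        ts = start + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()}|bob@example.test|colleague@example.test|Re: budget")
    # order by timestamp, as a real export would be
    lines.sort(key=lambda l: l.split("|", 1)[0])
    return lines


if __name__ == "__main__":
    for rcpt, (n, d, t0, t1) in detect_email_flood(build_sample_trace()).items():
        print(f"FLOOD {rcpt}: {n} msgs from {d} domains "
              f"between {t0:%H:%M:%S} and {t1:%H:%M:%S}")
```

The distinct-domain threshold is what separates a flood from a legitimate burst (a ticketing system or a mailing list sending many messages from one domain), which is why the count alone is not used.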
The vishing call leaves no IT telemetry. It exists only in the target's recollection.
Teams external chat invitations are visible in Entra audit logs as new-chat operations from external tenants. Microsoft's recommended hardening — restricting external chat to allow-listed domains — directly removes this signal source by removing the capability.
Quick Assist sessions launch quickassist.exe and establish outbound TLS connections to Microsoft endpoints. EDR products with Defender for Endpoint integration log the process; the value of the signal depends on whether Quick Assist is normally used in the environment. In environments where it is not, the launch is high-fidelity.
What Made the Path Succeed
The chain succeeded because every step used a legitimate tool. The emails were real. The phone call exploited a relationship the user has with an IT function. Teams external chat was a sanctioned feature. Quick Assist was a Microsoft-shipped product. No single step looked malicious in isolation. The defender heuristic of "did the user click on a phishing link" did not apply because the user never clicked a phishing link.
Choke Points
Microsoft's advisory and follow-on Rapid7 reporting converge on three controls that broke the chain in real incidents:
- Restrict Microsoft Teams external chat to allow-listed domains, or disable it entirely. This removes step three from the chain.
- Remove or restrict Quick Assist on managed endpoints, either by uninstalling it or by configuring policy to block unsolicited remote-control sessions. This removes step four.
- Help-desk identity-verification standards that require call-back verification on a known internal number remove the vishing pretext.
Any one of the three is sufficient to break the chain. All three together reduce the social-engineering attack surface broadly, not just for this campaign.
Detection and Response Notes
When the chain has already begun, response priorities are:
- end the Quick Assist session;
- revoke any identity-provider sessions and refresh tokens for the affected user;
- audit Entra and Teams for any new external grants or chat invitations created in the prior twenty-four hours;
- isolate the endpoint pending forensic review.
Microsoft's advisory provides detailed indicators where they were available at publication time; defenders should pair those indicators with the tenant-level Teams external chat audit data, which is the highest-fidelity preceding signal in environments where the feature is enabled.
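The two signals from the telemetry section (external-tenant chat creation in the audit log, and a quickassist.exe launch in EDR) and the twenty-four-hour lookback from the response steps above can be expressed as one correlation rule. The following is an added example, not code from Microsoft or any EDR vendor; the event field names, the "ChatCreated" operation label, the thirty-minute correlation window and the sample events are all constructed assumptions rather than a real audit-log schema.

```python
"""Correlate external Teams chat invitations with Quick Assist launches.

Two constructed event streams stand in for the tenant audit log and EDR
process telemetry. Field names, the 'ChatCreated' label and the windows are
assumptions, not Microsoft's schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

CORRELATION_WINDOW = timedelta(minutes=30)   # chat -> remote-control gap (assumption)
RESPONSE_LOOKBACK = timedelta(hours=24)      # lookback used during response
INTERNAL_DOMAIN = "example.test"             # the organisation's own tenant (constructed)


@dataclass
class AuditEvent:
    ts: datetime
    user: str          # internal user targeted by the operation
    operation: str     # e.g. "ChatCreated" (label assumed)
    actor_domain: str  # domain of the tenant that initiated the operation


@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    image: str         # process image name as the EDR records it


def external_chat_events(audit: List[AuditEvent], user: str,
                         since: datetime, until: datetime) -> List[AuditEvent]:
    """Chat-creation events against `user` from tenants other than our own,
    inside [since, until]."""
    return [e for e in audit
            if e.user == user and e.operation == "ChatCreated"
            and e.actor_domain != INTERNAL_DOMAIN
            and since <= e.ts <= until]


def response_lookback(audit: List[AuditEvent], user: str, now: datetime):
    """External chat invitations to `user` in the 24 hours before `now`:
    the audit step a responder runs once a session is confirmed."""
    return external_chat_events(audit, user, now - RESPONSE_LOOKBACK, now)


def correlate_quick_assist(audit: List[AuditEvent], procs: List[ProcessEvent],
                           window: timedelta = CORRELATION_WINDOW) -> List[dict]:
    """For each quickassist.exe launch, look for an external chat invitation
    to the same user in the preceding `window`. Launches with such a chat are
    'high'; the rest are 'info', so a site where Quick Assist is never used can
    still treat every launch as notable."""
    findings = []
    for p in procs:
        if p.image.lower() != "quickassist.exe":
            continue
        preceding = external_chat_events(audit, p.user, p.ts - window, p.ts)
        findings.append({
            "host": p.host,
            "user": p.user,
            "launched": p.ts,
            "severity": "high" if preceding else "info",
            "external_tenants": sorted({e.actor_domain for e in preceding}),
        })
    return findings


def build_sample_events():
    """Constructed telemetry: one user receives an external chat and launches
    Quick Assist 12 minutes later; another launches it with no such chat."""
    t0 = datetime(2024, 5, 15, 8, 30)
    audit = [
        AuditEvent(t0, "alice@example.test", "ChatCreated", "helpdesk-support.example"),
        AuditEvent(t0 + timedelta(hours=1), "bob@example.test", "ChatCreated", INTERNAL_DOMAIN),
    ]
    procs = [
        ProcessEvent(t0 + timedelta(minutes=12), "WS-ALICE", "alice@example.test", "QuickAssist.exe"),
        ProcessEvent(t0 + timedelta(hours=2), "WS-BOB", "bob@example.test", "quickassist.exe"),
        ProcessEvent(t0 + timedelta(hours=2), "WS-BOB", "bob@example.test", "outlook.exe"),
    ]
    return audit, procs


if __name__ == "__main__":
    audit, procs = build_sample_events()
    for f in correlate_quick_assist(audit, procs):
        print(f"[{f['severity']}] {f['user']} launched Quick Assist on {f['host']} "
              f"at {f['launched']:%H:%M}; preceding external tenants: {f['external_tenants']}")
    for e in response_lookback(audit, "alice@example.test", procs[1].ts):
        print(f"external chat from {e.actor_domain} at {e.ts:%Y-%m-%d %H:%M}")
```

Restricting external chat to an allow-list, as the choke-point section recommends, makes `external_chat_events` return nothing for unlisted tenants, which is the point: the rule is worth running only while the capability is still open.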