Share via

Securing Quick Assist

Waddsy 1 Reputation point
2021-11-18T08:58:57.41+00:00

I'm concerned about the risk of social engineering attacks on our users with Quick Assist.

Scenario: An attacker calls someone they know works for their target company, says they are from the help desk and asks them to input the access code. It's very simple and a surprising number of users will fall for it.

Question: Is there some way to ensure that only genuine help desk personnel can connect via Quick Assist? For example, locking incoming support calls to a known public IP, or by mutually authenticating the users?

Windows for business | Windows Client for IT Pros | Devices and deployment | Configure application groups
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2024-03-28T14:45:04.6333333+00:00

    I disagree with this argument against taking action regarding "Quick Assist": - "In case of social engineering attack, they could just ask user to install alternative remote assistance tools."Not if the user doesn't have Administrator privileges on the endpoint to be able to download and install other remote assistance tools. And even if the attacker directed the user to a malicious site to download a remote assistance tool, that is additional activity that can be detected and shutdown by firewalls and endpoint protection. It also will often make the user more suspicious in many cases.

    There is still a risk that an attacker might be able to trick the user to download something from a fake site and get past your firewalls and endpoint protection and might work. But, it makes it much more difficult than simply calling someone up and tricking them to think you are "Microsoft Support" and instruct them on launching and using "Quick Assist" which the user might not even realize does.

    Your general (non-Admin) personnel shouldn't have Administrator privileges. And they should seek desktop support from your company IT Support Desk, not from the vendors directly. I would recommend disabling, removing, or blocking it and using a different one that requires Administrator access (on the connector side) to use it. Administrators may still need it on their endpoints in order to get support from Microsoft in some cases. So, you might leave it on theirs if they get support from Microsoft through it.

    A smaller risk elsewhere does not justify ignoring the larger risk right in front of you.

  2. Jack Senesap 0 Reputation points
    2023-12-26T21:30:01.9233333+00:00

    Block remoteassistanceprodacs.communication.azure.com if you can.

    0 comments
  3. Reza-Ameri 45,776 Reputation points Volunteer Moderator
    2021-11-18T15:42:42.707+00:00

    In case of social engineering attack, they could just ask user to install alternative remote assistance tools. You may disable the Quick Assist using AppLocker in case there is a concern. However, in case of legitimate access and only authenticate with trusted party, you should train them that let say only communicate with the support using trusted communication portal, for example they only share request using internal Microsoft Teams' channel and if there was any request from phone or email , then consider it as a scam.
    You may consider using other remote administration tools for example Remote Control in Configuration Manager would only initiate with administration. Take a look at:
    https://learn.microsoft.com/en-us/mem/intune/remote-actions/remote-assist-mobile-devices

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.