Forensic Analysis of: Quick Assist
Here is what I found
Quick Assist uses Microsoft’s infrastructure to broker communications between the user ‘Giving Assistance’ (our attacker) and the user ‘Getting Assistance’ (our victim). This means neither the attacker’s IP address nor the attacker’s Microsoft account email address is ever exposed to the victim. The only clue to the attacker’s identity is the account name shown in the final prompt presented to the victim before access is granted, and that name can easily be chosen to match the attacker’s pretext.
Whilst the application uses Microsoft infrastructure, the domains it communicates with still give defenders something to key firewall rules and alerts on. During our experiment we observed DNS requests for the following domains, which can serve as an indicator that a Quick Assist screen share has been established:
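As an added example (not code from the original post), the check below flags DNS query records, in the shape of Sysmon Event ID 22 fields, whose QueryName matches a watchlist of Quick Assist domains, so that a hit can be raised as a "screen share established" alert. The watchlist entries, process path and log records are constructed placeholders, since the observed domains are not reproduced here; a defender would substitute the real ones.

```python
"""Flag DNS queries that hit a Quick Assist indicator watchlist (added example)."""
from dataclasses import dataclass

# PLACEHOLDER indicator domains; substitute the domains observed in the post.
QUICK_ASSIST_WATCHLIST = (
    "quickassist.example.invalid",
    "remoteassistance.example.invalid",
)


@dataclass(frozen=True)
class DnsEvent:
    time: str        # UtcTime from Sysmon Event ID 22 (DnsQuery)
    host: str        # Computer that issued the query
    image: str       # Process that issued the query
    query_name: str  # QueryName field


def matches_watchlist(query_name: str, watchlist=QUICK_ASSIST_WATCHLIST) -> bool:
    """True when the query is an indicator domain or any subdomain of one.

    Matching respects DNS label boundaries and a trailing dot, so
    "notquickassist.example.invalid" does not match "quickassist.example.invalid".
    """
    name = query_name.rstrip(".").lower()
    for indicator in watchlist:
        indicator = indicator.rstrip(".").lower()
        if name == indicator or name.endswith("." + indicator):
            return True
    return False


def find_quick_assist_sessions(events):
    """Return the events whose QueryName hits the watchlist, oldest first."""
    hits = [e for e in events if matches_watchlist(e.query_name)]
    return sorted(hits, key=lambda e: e.time)


# Constructed sample records, not real telemetry; the process path is a placeholder.
SAMPLE_EVENTS = [
    DnsEvent("2022-01-10 09:00:01", "WS01", "C:\\Windows\\explorer.exe", "www.bing.com"),
    DnsEvent("2022-01-10 09:02:17", "WS01", "C:\\Placeholder\\QuickAssist.exe",
             "relay.quickassist.example.invalid"),
    DnsEvent("2022-01-10 09:02:18", "WS01", "C:\\Placeholder\\QuickAssist.exe",
             "remoteassistance.example.invalid."),
    DnsEvent("2022-01-10 09:03:00", "WS01", "C:\\Placeholder\\browser.exe",
             "notquickassist.example.invalid"),
]

if __name__ == "__main__":
    for hit in find_quick_assist_sessions(SAMPLE_EVENTS):
        print(f"{hit.time} {hit.host} {hit.image} -> {hit.query_name}")
```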
Research conducted in January 2022