The attacker impersonated an IT team member from a previously compromised organization (Org A) and used Microsoft Teams to send spearphishing messages to four employees at the targeted organization (Org C). The messages requested access to the employees’ devices via the Quick Assist remote utility tool.