Security pulse: Teams scams, PLC threats, IC3 losses

April 30, 2026 at 12:00 AM

Recent security advisories point to three linked problems: helpdesk impersonation on collaboration tools, exposed industrial controllers, and record fraud losses. The thread that connects them is not a single exploit but the way attackers hijack trust that already exists.

This article unpacks the mechanics, shows where controls break, and offers practical moves that reduce risk without stalling the business.

Helpdesk impersonation in collaboration platforms is a trust hijack problem

How the scam works

Attackers invite employees to external chats in a corporate collaboration app, pose as support staff, then request a quick screen share or remote control to fix a fake issue. The ploy succeeds because external federation blurs identity cues, default settings permit contact from outside tenants, and authority appears to transfer to whoever claims to be support. Once remote control is granted, the attacker installs a remote management tool or captures a session token to bypass multifactor prompts later.

Consider a scenario: an employee receives a chat labeled as IT support, is asked to accept a remote session to resolve a stalled update, and sees the corporate logo in the attacker’s profile picture. The employee grants control for two minutes, long enough for the attacker to register a device that conditional access will then treat as trusted and return later without raising prompts. A mail security tool does nothing here, because the entry point is chat, not email.

Controls that change the math

  • Restrict external collaboration to allow-lists for high risk roles, and tag verified internal helpdesk accounts with a visible badge in chat. This works when external partners are known and stable, and fails if collaboration is highly ad hoc.
  • Disable remote control for external sessions, and route support through an internal portal that asserts device and user posture before any assistive access. This reduces social engineering windows but can slow real support if the portal is unavailable.
  • Require step-up verification for any session that requests screen sharing or elevation, for example a hardware key challenge. This blocks quick takeovers, yet will not help if the user shares a session after completing the challenge.
  • Log and alert on newly installed remote-access tools from collaboration sessions. Detection helps after an error, but prevention still matters most.
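The detection in the last bullet, written out as an added example for this article (not vendor code): it correlates a collaboration-app audit log with an endpoint process-creation log and raises an alert when a user who granted screen sharing or remote control to an external party launches a known remote management tool shortly afterwards. The two event feeds, field names, user names and timestamps are constructed for illustration and do not follow any product's real schema; the list of tool image names is illustrative and should be extended per estate.

```python
"""Correlate external collaboration sessions with later remote-access tool
launches on the same user's endpoint. Added example for this article, not
vendor or project code. Event shapes are constructed, not a real schema."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Process image names of common remote management tools (illustrative list).
RMM_IMAGES = {
    "anydesk.exe", "teamviewer.exe", "rustdesk.exe",
    "screenconnect.clientservice.exe", "ltsvc.exe",
}
# Chat actions that hand the peer a view of, or control over, the endpoint.
SENSITIVE_ACTIONS = {"remote_control_granted", "screen_share_started"}

# Constructed collaboration-app audit events (ISO 8601 timestamps, UTC).
CHAT_EVENTS = [
    {"ts": "2026-04-28T09:02:10", "user": "alice", "peer_tenant": "external",
     "peer": "it-support@contoso-help.example", "action": "remote_control_granted"},
    {"ts": "2026-04-28T10:15:00", "user": "bob", "peer_tenant": "internal",
     "peer": "helpdesk@corp.example", "action": "screen_share_started"},
    {"ts": "2026-04-28T11:40:00", "user": "carol", "peer_tenant": "external",
     "peer": "partner@vendor.example", "action": "message"},
]

# Constructed EDR process-creation events.
PROCESS_EVENTS = [
    {"ts": "2026-04-28T09:05:42", "user": "alice", "host": "LT-0142",
     "image": r"C:\Users\alice\AppData\Local\Temp\AnyDesk.exe"},
    {"ts": "2026-04-28T10:20:00", "user": "bob", "host": "LT-0077",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"ts": "2026-04-28T18:00:00", "user": "alice", "host": "LT-0142",
     "image": r"C:\Windows\System32\notepad.exe"},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def correlate(chat_events, process_events, window=timedelta(minutes=30)):
    """Return one alert per (external sensitive chat action, RMM launch by the
    same user within `window` after it). Internal helpdesk sessions are not
    alerted here; that is a policy choice, see the note below."""
    sensitive = [e for e in chat_events
                 if e["peer_tenant"] == "external" and e["action"] in SENSITIVE_ACTIONS]
    alerts = []
    for chat in sensitive:
        t0 = _ts(chat["ts"])
        for proc in process_events:
            if proc["user"] != chat["user"]:
                continue
            # PureWindowsPath parses backslash paths on any host OS.
            image_name = PureWindowsPath(proc["image"]).name.lower()
            if image_name not in RMM_IMAGES:
                continue
            delta = _ts(proc["ts"]) - t0
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "user": chat["user"], "host": proc["host"], "peer": chat["peer"],
                    "image": proc["image"], "minutes_after": delta.total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(CHAT_EVENTS, PROCESS_EVENTS):
        print(f"ALERT {alert['user']}@{alert['host']}: {alert['image']} "
              f"{alert['minutes_after']:.1f} min after session with {alert['peer']}")
```

Only alice's AnyDesk launch, three and a half minutes after granting control to an external "support" account, produces an alert; bob's TeamViewer after an internal helpdesk session does not, because the correlation keys on `peer_tenant`. If the estate has disabled external remote control as the second bullet recommends, any hit from this rule is also evidence that the setting has been bypassed, which is worth a separate, higher severity.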

Anti-pattern: Ticket by chat

Avoid resolving identity proofing inside the same chat where the request began, because the attacker controls the channel and can pass any challenge that depends on chat. Require a case number issued from an authenticated helpdesk portal before support begins, then match that case number in the chat. This adds a second trust anchor outside the attacker’s control.

Industrial controllers are being found, not just targeted

Why PLCs are exposed

Warnings about attacks on programmable logic controllers have focused on one vendor, but the root issue is broader: controllers reachable from the internet due to misconfigured remote access, default credentials, and flat networks that bridge office and plant. Search engines index services left open by integrators, remote support portals punch through firewalls, and some legacy devices lack modern authentication. The result is a pathway for external discovery and command, even if the plant believes it is offline.

Representative scenario: a small utility enables port forwarding on a router so an engineer can service a controller from home. Months later, an attacker finds the open service, queries basic device info, and downloads the ladder logic without authentication. A plant historian sees strange setpoint changes, but the alert fires only after a threshold is passed, giving the adversary time to map the process.

Mitigations that remove the path

  • Eliminate direct internet reachability to operational technology, and terminate remote access on a dedicated jump host in a demilitarized zone. This works when maintenance can be scheduled, and fails if third parties insist on permanent inbound reach.
  • Segment office and plant networks with policy firewalls that understand industrial protocols, and enforce read-only mode for routine monitoring. This reduces blast radius, though it requires tuning to avoid blocking legitimate commands.
  • Replace blanket virtual private network access with per-session brokered access that requires multifactor authentication and time-bound approvals. Friction increases slightly, but access becomes auditable.
  • Inventory exposed services regularly, using both internal scans and an external perspective. Close anything not required for the next maintenance window.

Anti-pattern: Flat OT remote access

Avoid site-to-site tunnels that drop a vendor laptop into the same subnet as controllers, because any compromise of that laptop becomes process control. Use an access broker that proxies commands, logs actions, and enforces least privilege per device.
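The read-only monitoring mode from the segmentation bullet and the command-proxying broker from the anti-pattern above share one core: the broker has to understand the industrial protocol well enough to tell a read from a write. The following is an added example for this article, not any vendor's product, showing that decision for Modbus/TCP. It parses the MBAP header and function code, lets read functions through, and permits writes only to a device in maintenance mode, under an unexpired approved session, and only to that device's writable register range. Device names, the per-device policy, the session record and the sample frames are all constructed; the function-code sets are the public Modbus codes most relevant here and are not claimed to be exhaustive.

```python
"""Read-only Modbus/TCP policy for a brokered OT session. Added example for
this article, not vendor code. Devices, policies and frames are constructed."""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta

# Public Modbus function codes (assumption: the subset relevant to this broker).
READ_FUNCTIONS = {1, 2, 3, 4, 7, 17, 20}      # coils, inputs, registers, status, id, file record
WRITE_FUNCTIONS = {5, 6, 15, 16, 21, 22, 23}  # write coils/registers, file record, mask, read/write

DEVICE_POLICY = {  # constructed: least privilege per device
    "plc-01": {"mode": "read-only"},
    "plc-02": {"mode": "maintenance", "writable": range(100, 110)},
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header (tid, protocol id, length, unit id) and function code."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:  # length counts unit id, function code and data
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def build_frame(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Encode a request; used here only to construct sample traffic."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([function]) + data


def _write_span(req: ModbusRequest):
    """(start address, count) touched by FC 5/6/15/16; None for other writes."""
    if req.function in (5, 6) and len(req.data) >= 2:
        return struct.unpack(">H", req.data[:2])[0], 1
    if req.function in (15, 16) and len(req.data) >= 4:
        return struct.unpack(">HH", req.data[:4])
    return None


def decide(device: str, frame: bytes, session: dict, now: datetime):
    """Return ('allow' | 'deny', reason) for one request passing through the broker."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "deny", f"malformed frame: {exc}"
    policy = DEVICE_POLICY.get(device)
    if policy is None:
        return "deny", "unknown device"
    if req.function in READ_FUNCTIONS:
        return "allow", f"read FC{req.function}"
    if req.function not in WRITE_FUNCTIONS:
        return "deny", f"FC{req.function} not in allow-list"
    if policy["mode"] != "maintenance":
        return "deny", f"write FC{req.function} to read-only device"
    approved_until = session.get("approved_until")
    if approved_until is None or now > approved_until:
        return "deny", "no unexpired approved maintenance session"
    span = _write_span(req)
    if span is None or span[1] < 1:
        return "deny", f"write FC{req.function} without a checkable address range"
    start, qty = span
    last = start + qty - 1
    if start not in policy["writable"] or last not in policy["writable"]:
        return "deny", f"write to {start}..{last} outside writable range"
    return "allow", f"write FC{req.function} to {start}..{last} approved by {session['approver']}"


# Constructed sample traffic and sessions.
NOW = datetime(2026, 4, 28, 10, 0)
SESSION = {"approver": "jdoe", "approved_until": NOW + timedelta(hours=1)}
EXPIRED_SESSION = {"approver": "jdoe", "approved_until": NOW - timedelta(minutes=5)}
SAMPLES = {
    "read_holding": build_frame(1, 1, 3, struct.pack(">HH", 0, 10)),          # FC3 addr 0, 10 regs
    "write_100": build_frame(2, 1, 6, struct.pack(">HH", 100, 1)),            # FC6 addr 100
    "write_200": build_frame(3, 1, 6, struct.pack(">HH", 200, 1)),            # FC6 addr 200
    "write_105_x5": build_frame(4, 1, 16, struct.pack(">HHB", 105, 5, 10) + bytes(10)),
    "write_105_x6": build_frame(5, 1, 16, struct.pack(">HHB", 105, 6, 12) + bytes(12)),
    "short": b"\x00\x01\x00\x00",
    "bad_proto": b"\x00\x01\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a",        # protocol id 1
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        for device in DEVICE_POLICY:
            print(device, name, decide(device, frame, SESSION, NOW))
```

The broker denies by default: anything it cannot parse, any function code outside the two sets, and any write whose address range it cannot read are all rejected, so a vendor laptop on the far side of the broker cannot reach the process no matter what it sends. The time-bound approval and named approver in the session record are what make the access auditable in the sense the previous list asks for.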

Fraud losses concentrate where finance trusts vendors by email

What the loss data really says

Public complaint data shows reported cybercrime losses in the low tens of billions at the time of writing, with business email compromise repeatedly topping the loss categories. The mechanism is simple: an attacker inserts themselves into a known payment conversation, then nudges a small process change such as a new bank account. Finance teams comply because the request rides an existing vendor relationship, the invoice looks familiar, and the deadline feels real.

Scenario: a supplier’s mailbox is breached. The adversary watches for an upcoming invoice, registers a look-alike domain, and sends a one line update to change banking details. Accounts payable updates the remit-to and sends the wire. A callback control exists, but it calls a phone number from the email thread, which the attacker also controls.

Controls that stop money movement

  • Hold any change to payee or bank details for at least one business cycle, and verify through a phone number from the contract system, not the email. This delays cash movement slightly, but blocks the fast con.
  • Allow-list known bank accounts for repeat vendors, and require two-person approval to add a new one. Works best for predictable vendors, and fails if supplier banking changes frequently.
  • Train approvers to treat urgency plus a change of instructions as a stop signal. Education does not replace process; it primes it.

Anti-pattern: Payee-change by email

Avoid accepting banking updates that arrive in email threads, because the thread can be hijacked. Require the vendor to submit changes in a portal that enforces login, then call a stored phone number to confirm.
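The three controls above and this anti-pattern, expressed as a single release gate, as an added example for this article (not any ERP's feature): a bank-detail change is released only when the request came from the vendor's domain on record (a look-alike domain, as in the scenario, is flagged), the hold period has elapsed, the callback went to the phone number stored in the contract system rather than the one offered in the email, and two distinct people approved. The vendor master record, phone numbers, account numbers and the two requests are constructed; the one-day hold period and the edit-distance threshold for look-alikes are assumptions to tune.

```python
"""Payee-change gate for accounts payable. Added example for this article, not
vendor code. Vendor records, numbers and requests are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

HOLD_PERIOD = timedelta(days=1)  # assumption: one business cycle

VENDOR_MASTER = {  # constructed contract-system records: the out-of-band trust anchor
    "V-1001": {"name": "Acme Valves", "domain": "acmevalves.example",
               "contract_phone": "+1-555-0100",
               "bank_accounts": {"GB29NWBK60161331926819"}},
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squats and homoglyph swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, known: str, max_distance: int = 2) -> bool:
    """True when `domain` is close to `known` but not identical to it."""
    return domain != known and edit_distance(domain, known) <= max_distance


@dataclass
class PayeeChange:
    vendor_id: str
    requested_at: datetime
    sender_domain: str                 # domain of the email that asked for the change
    new_account: str
    phone_in_email: str                # number the requester offered "for verification"
    callback_made_to: Optional[str] = None   # number AP actually dialed
    approvers: set = field(default_factory=set)


def evaluate(change: PayeeChange, now: datetime):
    """Return ('release' | 'hold' | 'no-op', reasons). Every failed check is listed
    so the approver sees the whole picture, not just the first problem."""
    vendor = VENDOR_MASTER.get(change.vendor_id)
    if vendor is None:
        return "hold", ["unknown vendor id"]
    if change.new_account in vendor["bank_accounts"]:
        return "no-op", ["account already on file"]
    reasons = []
    if change.sender_domain != vendor["domain"]:
        kind = "a look-alike of" if lookalike(change.sender_domain, vendor["domain"]) else "not"
        reasons.append(f"sender domain {change.sender_domain} is {kind} "
                       f"the contract-system domain {vendor['domain']}")
    if now - change.requested_at < HOLD_PERIOD:
        reasons.append("hold period not elapsed")
    if change.callback_made_to != vendor["contract_phone"]:
        if change.callback_made_to == change.phone_in_email:
            reasons.append("callback went to the number supplied in the email, "
                           "not the contract-system number")
        else:
            reasons.append("no callback to the contract-system number")
    if len(change.approvers) < 2:
        reasons.append("fewer than two distinct approvers")
    return ("release" if not reasons else "hold"), reasons


# Constructed requests: the scenario from the text, and a legitimate change.
NOW = datetime(2026, 4, 28, 9, 0)
SUSPECT = PayeeChange("V-1001", NOW - timedelta(hours=2), "acmevaIves.example",  # capital I for l
                      "GB12BARC20201530093459", "+1-555-0199",
                      callback_made_to="+1-555-0199", approvers={"ap_clerk"})
CLEAN = PayeeChange("V-1001", NOW - timedelta(days=2), "acmevalves.example",
                    "GB12BARC20201530093459", "+1-555-0199",
                    callback_made_to="+1-555-0100", approvers={"ap_clerk", "ap_manager"})

if __name__ == "__main__":
    for label, change in (("suspect", SUSPECT), ("clean", CLEAN)):
        decision, reasons = evaluate(change, NOW)
        print(label, decision, *reasons, sep="\n  ")
```

The suspect request fails all four checks at once, which is typical of the scenario: the attacker controls the domain, the urgency, and the callback number, but cannot control the contract system or a second approver. The callback check is deliberately written as "dialed the contract-system number" rather than "a callback happened", because a callback to a number taken from the thread is exactly the control the scenario describes failing.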

A unifying lens and how to measure progress

The trust transfer attack lens

Across these cases, the attacker does not break crypto; the attacker moves along trust already granted. Helpdesk impersonation transfers trust from IT to a stranger in chat. Exposed controllers transfer trust from plant engineers to any host that can reach the device. Vendor fraud transfers trust from known suppliers to a look-alike actor. Call this pattern a trust transfer attack. A falsifiable claim: organizations that inventory and gate trust transfer events in collaboration, operations, and finance will reduce high impact incidents within two quarters of disciplined execution. This works when trust events are few and nameable, and fails if core workflows depend on uncontrolled, rapidly changing external contacts.

Quick playbook and metrics

  • Collaboration: badge real support accounts, disable external remote control, and require case numbers from an authenticated portal. Metric: the percentage of external chats that request elevation and are blocked.
  • Operations: remove public exposure, broker remote sessions, and enforce read-only monitoring by default. Metric: the count of publicly reachable services on operational subnets each month, driven to zero once remote maintenance needs are solved.
  • Finance: hold payee changes, verify out of band, and require dual approval for new banking. Metric: the proportion of bank detail changes verified through a contract-system phone number.

Trade off with eyes open. Tight external allow-lists in chat help when partner sets are stable, but can stall teams that engage many short term collaborators. In that case, prefer in app identity badges and elevation challenges. If a control creates workarounds such as shadow remote tools or side channel messaging, expect risk to move, not drop.
