
Quick Assist Exploits: What MSPs Must Know to Avoid Becoming the Next Ransomware Headline
Remote assistance is one of the most useful—and now riskiest—features built into Windows.
Microsoft’s Quick Assist app, designed to help IT teams troubleshoot remotely, is being hijacked by cybercriminals. Through carefully orchestrated social engineering attacks, attackers are tricking users into handing over access—opening the door to credential theft, malware installation, and ransomware deployment.
Mitigating these risks calls for quick, decisive action: uninstalling the tool, implementing network control strategies, and closely monitoring its usage to prevent unauthorized access.
If you’re an MSP managing multiple environments, this isn’t a minor threat. It’s a massive risk multiplier.
Introduction to Remote Assistance

Remote assistance is a feature that allows a support person to view or control a remote Windows computer over a network or the Internet to resolve issues without directly touching the unit. This feature is based on the Remote Desktop Protocol (RDP) and provides remote control and screen sharing capabilities.
Quick Assist is a Microsoft Windows feature that offers remote assistance, and it is installed by default on most Windows 10 and Windows 11 machines. To use Quick Assist, at least one computer must be logged in to a Microsoft account, and a code is generated to grant permission to connect to a device.
What Is Quick Assist Remote Assistance—and Why It’s Being Exploited

Quick Assist is a built-in Windows tool that allows remote screen sharing and control. Users can access it from the Start menu or download it from the Microsoft Store. Once launched, it requires a security code and user consent to start a session.
Why attackers love it:
Pre-installed on most Windows machines
Associated with trusted IT support
Requires user permission, bypassing some traditional security tools
Quick Assist is being used in tech support scams where attackers:
Impersonate Microsoft or internal IT staff
Guide users to launch Quick Assist
Secure access using fake urgency
Disable antivirus and deploy malware
Getting Started with Quick Assist

To get started with Quick Assist, users can search for “Quick Assist” in the Start menu and select the Quick Assist application. The user can then enter the code provided by the technician in the “Get help” section and click “Submit” to establish the connection. If the connection is successful, the user will be asked to allow screen sharing, and they can click “Allow” to enable it.
The user can use the icons in the Quick Assist bar to chat with the technician, pause Quick Assist, or leave the session. The technician can use the laser pointer and annotation tool to interact with the user’s screen and can select “Request control” to remotely control the user’s PC.
How Quick Assist Attacks Work

Here's the typical attack flow:
Impersonation – The attacker claims to be from Microsoft Support or your IT team.
Urgency – The user is told their device is infected or at risk.
Engagement – The attacker walks the user through opening Quick Assist.
Access – Once granted, they disable defenses or install malicious software.
Payload – Ransomware, spyware, or backdoors are deployed, often silently.
These attacks bypass normal technical safeguards because they leverage human behavior.
Understanding How Quick Assist Works

Found at C:\Windows\System32\quickassist.exe (Windows 10) or in Program Files\WindowsApps on Windows 11
Users must log into a Microsoft account
Helpers share a code valid for 10 minutes
Once accepted, they can chat, annotate, or request full control
Activity is logged in Event Viewer under source: “Quick Assist”
The process tree during a Quick Assist session, that is, the parent-child relationship of processes within the Windows operating system, helps identify the actions taken during the session
Why MSPs Should Be Alarmed

Even if your stack doesn’t include Quick Assist, your clients may be using it unknowingly.
Risks include:
Exposure to ransomware attacks
Breaches of sensitive client data
Reputational damage and churn
SLA violations and operational disruption
The easiest way to address potential threats posed by Quick Assist is to uninstall or delete the tool.
Quick Assist isn’t the only threat—but it’s a visible example of the broader challenge MSPs face: user trust gaps, remote access risks, and unmanaged tools.
CyVent’s Mitigation Plan for MSPs

At CyVent, we help MSPs strengthen security without creating friction. Here’s how to get started:
Start with an audit: ensure that your remote access tools are configured correctly. Note that during remote assistance sessions, multiple connection attempts will be blocked until the first helper disconnects. This helps manage concurrent connections and prevents unauthorized access.
1. Audit Remote Access Tools
Identify all remote access apps in use
Disable Quick Assist if unused
Apply Group Policy to restrict access
Emphasize the importance of logging capabilities to monitor and investigate unauthorized access. Limited logging makes it difficult for security teams to track and respond to malicious activities, highlighting the need for additional monitoring tools to enhance security.
2. Train Clients and End Users
Run social engineering simulations
Standardize IT contact protocols
Share simple checklists for safe remote access
3. Implement AI-Powered Endpoint Protection
Use behavior-based EDRs that detect suspicious access patterns
Consider solutions like SentinelOne, Palo Alto Cortex XDR, or Haven via CyVent
Utilize remote help tools that integrate with Azure Active Directory for secure support, allowing for cloud-based connections between helpers and users without needing extensive firewall adjustments
4. Apply Zero Trust Principles
Require MFA for any remote access
Monitor all Quick Assist session logs
Set clear rules for user access permissions
Technicians play a crucial role in monitoring Quick Assist session logs and setting clear rules for user access permissions. They utilize features like screen sharing and remote control to provide effective remote assistance.
5. Partner with a Curated Cybersecurity Advisor
Let CyVent help select and implement the right tech
Avoid overloading your team with redundant tools
Scale securely with a trusted, expert-led strategy
Find Quick Assist on Windows systems: Quick Assist can be found in the Start menu under Windows Accessories in both Windows 10 and Windows 11. The installation paths typically include C:\Windows\System32\quickassist.exe. Note that Quick Assist uses the Edge WebView2 browser control to render HTML pages during a session, which can make it challenging to trace the origin of processes executed.
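For step 1 (identify Quick Assist and disable it if unused), the following is an added example, not CyVent's or Microsoft's own code: a PowerShell inventory of the locations a machine can carry Quick Assist in, with optional removal. It assumes an elevated session; the `-Remove` switch and the report field names are hypothetical names chosen for this example, while the Store package name `MicrosoftCorporationII.QuickAssist` and the `App.Support.QuickAssist` capability are the identifiers Windows uses for the app.

```powershell
# Added example: inventory Quick Assist on the local machine (read-only unless -Remove is given).
# Run from an elevated prompt; the -AllUsers and -Online queries require it.
[CmdletBinding()]
param(
    [switch]$Remove   # hypothetical switch for this example: uninstall whatever is found
)

$report = [ordered]@{
    ComputerName   = $env:COMPUTERNAME
    # Legacy in-box binary at the System32 path the article lists for Windows 10
    LegacyBinary   = Test-Path (Join-Path $env:SystemRoot 'System32\quickassist.exe')
    StorePackage   = $null
    Capability     = $null
    # True if a Quick Assist process is running right now
    RunningSession = [bool](Get-Process -Name 'quickassist' -ErrorAction SilentlyContinue)
}

# Store-delivered app, installed under Program Files\WindowsApps
$pkg = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
if ($pkg) { $report.StorePackage = ($pkg.PackageFullName -join ';') }

# Older builds ship Quick Assist as a Windows capability (feature on demand)
$cap = Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' -ErrorAction SilentlyContinue |
    Where-Object State -eq 'Installed'
if ($cap) { $report.Capability = ($cap.Name -join ';') }

if ($Remove) {
    foreach ($p in $pkg) { Remove-AppxPackage -Package $p.PackageFullName -AllUsers }
    foreach ($c in $cap) { Remove-WindowsCapability -Online -Name $c.Name | Out-Null }
}

# One object per machine, ready for Export-Csv when collected across a fleet
[pscustomobject]$report
```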
Access Controls and Authentication

Access controls and authentication are crucial components of Quick Assist. When a user initiates a Quick Assist session, they are prompted to enter a security code, which is valid for 10 minutes. The support person must then enter this code to establish a connection. To control the device remotely, the support person must press the “Request access” button, and once access is granted, they can control the device.
Quick Assist also provides features such as full control, which allows the support person to take control of the user’s PC, and the laser pointer, which allows them to point to specific areas on the screen. Additionally, Quick Assist requires a Microsoft account to use, which provides an extra layer of security and authentication.
Users can also use the Microsoft Edge browser to access Quick Assist, and the app is available in the Microsoft Store. By using Quick Assist, users can resolve issues quickly and efficiently, and support persons can provide remote assistance with ease.
Monitoring and Managing Quick Assist

Use Event Logs for session tracking
Consider third-party network monitoring tools
Configure access controls to limit helper permissions
Use GPO or endpoint management to block Quick Assist if not required
Security-conscious MSPs should also monitor WebView2 installation delays and Quick Assist’s dependency on user interaction. These are attack windows.
When a remote connection is established using Quick Assist, the technician and user are actively connected, allowing the technician to assist the user by sharing screens and utilizing various tools.
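The process-tree and session-tracking advice above can be combined. The following is an added example, not code from the article or from any EDR product: it takes process start/stop records, marks the window in which quickassist.exe is running, and reports watched tools started inside that window along with whether they descend from the Quick Assist process. The record format, sample data, function name, and watchlist are all constructed for illustration.

```powershell
# Constructed sample records (not real telemetry): process start/stop events for one host.
$records = @'
Time,Type,Pid,ParentPid,Image
2025-01-01T09:00:00,Start,4100,1200,C:\Windows\explorer.exe
2025-01-01T09:05:00,Start,5200,4100,C:\Windows\System32\quickassist.exe
2025-01-01T09:05:02,Start,5260,5200,C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe
2025-01-01T09:09:30,Start,6100,4100,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-01-01T09:10:10,Start,6150,6100,C:\Windows\System32\msiexec.exe
2025-01-01T09:20:00,Stop,5200,4100,C:\Windows\System32\quickassist.exe
2025-01-01T09:45:00,Start,7000,4100,C:\Windows\System32\cmd.exe
'@ | ConvertFrom-Csv

# Illustrative watchlist (assumption): tools worth a second look when started mid-session.
$watch = 'powershell.exe', 'cmd.exe', 'msiexec.exe', 'mshta.exe', 'wscript.exe'

function Get-QuickAssistSessionActivity {   # hypothetical helper name
    param([object[]]$Records, [string[]]$Watchlist)

    $parent  = @{}      # pid -> parent pid, used to walk the process tree
    $session = $null    # pid of the running quickassist.exe, if any

    foreach ($r in ($Records | Sort-Object { [datetime]$_.Time })) {
        $name = Split-Path $r.Image -Leaf
        if ($r.Type -eq 'Stop') {
            if ($r.Pid -eq $session) { $session = $null }   # session window closes
            continue
        }
        $parent[$r.Pid] = $r.ParentPid
        if ($name -ieq 'quickassist.exe') { $session = $r.Pid; continue }
        if (-not $session -or $Watchlist -notcontains $name) { continue }

        # Walk up the tree (bounded) to see whether this process descends from Quick Assist.
        $p = $r.ParentPid; $descends = $false; $hops = 0
        while ($p -and $parent.ContainsKey($p) -and $hops -lt 32) {
            if ($p -eq $session) { $descends = $true; break }
            $p = $parent[$p]; $hops++
        }
        [pscustomobject]@{
            Time = $r.Time; Image = $name; Pid = $r.Pid
            SessionPid = $session; ChildOfQuickAssist = $descends
        }
    }
}

Get-QuickAssistSessionActivity -Records $records -Watchlist $watch | Format-Table
```

In the constructed data, powershell.exe and msiexec.exe are reported with ChildOfQuickAssist set to False because they start from explorer.exe; only the session window ties them to the remote session, which is why the time correlation is kept alongside the tree walk.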
Why CyVent?

CyVent isn’t selling another one-size-fits-all product. We are:
A cybersecurity advisory service
A tool curator and systems integrator
A growth enabler for MSPs who want to enhance security without complexity
We understand the unique pressures you face:
Growing attack surfaces
Limited talent and time
High customer expectations
A need for results without noise
Let us help you turn cybersecurity from a cost center into a competitive edge.
Don’t Let Convenience Turn Into Crisis

Quick Assist is just one example of how trusted tools can become attack vectors. As MSPs, you need visibility, control, and smart guidance. Users may experience a longer wait time during the installation process for WebView2 and during the connection process in Quick Assist.
Let CyVent help you assess and harden your remote access strategy — and equip you with the tools and training to protect what matters most.
Schedule a free confidential consultation to explore how CyVent can help secure your stack and scale your services.