How to Stop Microsoft Teams Phishing Attacks
For years, security leaders have focused on hardening email gateways and training users to spot suspicious links. But what happens when the attack doesn't come from an external email, but from a trusted internal tool? Attackers are now weaponizing Microsoft Teams, turning your primary collaboration platform into a highly effective phishing vector. These aren't just malicious links in a chat; they are sophisticated social engineering campaigns involving impersonation, voice phishing (vishing), and the abuse of legitimate remote access tools. This evolution of Microsoft Teams phishing attacks requires a new defensive mindset. Here, we’ll explore the specific tactics being used and outline the critical steps to secure your environment.
Introduction:
Businesses face increasingly sophisticated cyber threats that challenge traditional security measures. Recent research by cybersecurity firm Sophos has highlighted a worrying trend: ransomware groups are leveraging Microsoft 365 and Teams, along with email bombing tactics, to execute highly effective impersonation attacks. This blog delves into these new cyber threats, their implications, and how businesses can protect themselves from ransomware and impersonation attacks.

The Emerging Cyber Threat: Impersonation and Email Bombing
Between November and December 2024, Sophos tracked multiple clusters of hacking activity targeting Microsoft 365 instances. These cyber attacks begin with an overwhelming barrage of emails—sometimes up to 3,000 in just 45 minutes—designed to create chaos in the target's inbox. This tactic not only overwhelms the recipient but also creates a false sense of urgency, often prompting individuals to seek IT assistance.
Once the target reaches out, hackers exploit this opportunity by posing as IT support personnel through Microsoft Teams. Under the guise of legitimate assistance, they persuade victims to permit remote access via Teams or Microsoft Quick Assist. This access is then used to establish command shells, access external SharePoint files, and deploy malware on the victim's device.
The Consequences of Unauthorized Access
With a command and control channel established, attackers can disable multifactor authentication and antivirus protections. This allows them to move laterally across the network, compromising additional systems and potentially causing widespread damage. Sophos' research indicates that these tactics have been used against multiple individuals and at least 15 organizations, many of which were fortunately blocked before any significant compromise occurred.
Targeting Smaller Organizations
While posing as tech support is a known social engineering tactic, the focus on Microsoft 365 and Teams highlights a shift in targeting. Smaller organizations, which have rapidly moved to cloud-based solutions like Office 365 and Teams during the COVID-19 pandemic, are particularly vulnerable. These businesses, often unfamiliar with the intricacies of new software, present lucrative targets for cybercriminals.
Sophos has highlighted that Office 365 infrastructure, closely tied to internal data systems, is now a prime target. The integration of new technologies without customized configurations and employee awareness creates exploitable weaknesses.
The Role of External Teams Accounts
One of the critical vulnerabilities lies in the default settings of Microsoft Teams, which may allow external actors to message employees while posing as tech support. This is compounded by the fact that many organizations routinely engage with legitimate external tech support through third-party managed security providers (MSPs), making such contact appear normal.
Furthermore, standard anti-phishing training often focuses on password hygiene and identifying fake emails, rather than detecting fake tech support staff. This gap in training leaves employees unprepared for these sophisticated social engineering attacks.
How Attackers Exploit Teams for Phishing
Attackers are resourceful, and they’ve found clever ways to turn Microsoft Teams from a collaboration tool into a delivery system for their attacks. They exploit the platform's inherent trust and integration with other Microsoft services to bypass traditional security defenses. Understanding their methods is the first step toward building a stronger defense, as these tactics often blend legitimate functionality with malicious intent, making them difficult for both users and automated systems to spot.
Voice Phishing (Vishing) Without Warning Pop-ups
One of the most alarming tactics is voice phishing, or "vishing," directly through Teams. Unlike text-based messages from external accounts, which often trigger a warning banner, incoming voice calls from external users currently have no such warning pop-ups. This creates a significant security gap. An attacker can call an employee directly, impersonating an IT support technician or a company executive, and the employee has no visual cue to indicate the caller is outside the organization. This method preys on a user's instinct to be helpful, especially when they believe they're speaking with a legitimate internal support team.
Delivering Malware via Weaponized SharePoint Links
Attackers are also using Teams to distribute malware, but not by attaching infected files directly. Instead, they send what appears to be a file but is actually a link to a document hosted on SharePoint. Because SharePoint is a trusted Microsoft service, these links often bypass initial security filters. The real danger is that the attacker can modify the linked SharePoint file after sending it, weaponizing it with malware *after* it has already been delivered to the user’s chat. This delayed-payload technique makes detection much harder for standard security tools that only scan content upon arrival.
Using Display Name Tricks to Evade Warnings
Even when Teams does display an "(External)" warning on messages, attackers have found ways to obscure it. They craft sender display names that include keywords like "IT," "Help Desk," or "Admin" to build immediate trust. To hide the external tag, they might use emojis or add excessive spaces in the display name, pushing the warning label out of the visible area in the chat interface. This simple visual trick is surprisingly effective at fooling users who are quickly scanning their messages, making them more likely to engage with a malicious actor they believe is part of their internal support staff.
Leveraging Legitimate Tools for Malicious Ends
The most sophisticated attacks often involve using legitimate tools for malicious purposes. In one documented campaign, attackers used Teams to initiate a fake support call and then convinced the employee to grant them remote access using Microsoft's own Quick Assist tool. As Microsoft’s security team noted, once they gained control, they could establish persistence and move laterally through the network. This highlights a critical challenge: you can't simply block these tools because they are essential for legitimate IT operations. Defending against this requires a more nuanced cybersecurity strategy focused on behavior and context, not just blacklisting applications.
Understanding the Speed and Setup of an Attack
These attacks are designed for speed. Threat actors often use stolen Teams accounts or quickly create new ones using generic domains. Once they establish a foothold through a successful phishing attempt, they move rapidly to escalate privileges and deploy their payload. The entire process, from initial contact to network compromise, can happen in a very short window. This speed underscores the importance of having a robust Managed Detection and Response (MDR) solution in place. Proactive monitoring and rapid incident response are essential to identifying and neutralizing these threats before they can cause significant damage.
Recommendations for Cybersecurity Protection
To combat these cyber threats, organizations must scrutinize their configurations and default settings, ensuring they are not inadvertently allowing external access. We recommend that employees familiarize themselves with their company's IT help desk processes, and those of their managed services providers, and be aware of legitimate IT support staff's names and emails.
Additionally, organizations should invest in comprehensive training programs that cover a broader range of phishing and social engineering tactics. By doing so, employees can be better equipped to recognize and respond to suspicious activity.
### Technical Defenses for Your IT Team

While a vigilant workforce is essential, your IT team can implement robust technical safeguards to filter out many of these threats before they ever reach an employee. A strong defense-in-depth strategy combines proactive monitoring, strict access controls, and system hardening to create a resilient environment. These measures reduce the attack surface and give your security operations a better chance to detect and neutralize impersonation attempts. For organizations looking to augment their internal teams, partnering with a provider for managed IT services can provide the specialized expertise needed to configure and maintain these advanced defenses, ensuring your systems are always prepared for emerging threats.

#### Monitor Key Microsoft 365 Audit Logs

You can’t stop what you can’t see. Microsoft 365 audit logs are a goldmine of information for detecting suspicious activity, but you need to know what to look for. Specifically, pay close attention to the 'ChatCreated' and 'MessageSent' events. These logs reveal when a new chat is initiated or a message is sent, including the sender's identity and chat ID. By actively monitoring for 'ChatCreated' events originating from external domains you don’t recognize, your team can quickly spot potential impersonation attacks in their earliest stages. Setting up alerts for this specific activity provides an early warning system, allowing you to investigate and block malicious actors before they can engage with your employees.

#### Restrict Unapproved Remote Access Tools

Attackers frequently trick users into granting them remote control of their computers using legitimate tools like Microsoft Quick Assist, ScreenConnect, or TeamViewer. One of the simplest yet most effective ways to block this attack vector is to control which remote access applications are allowed in your environment.
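The following is an added example, not code from the original post or from BCS365, showing what the 'ChatCreated' monitoring described above looks like as detection logic. It triages simplified Teams audit records (the record layout, the tenant and partner domains, and the registration-date lookup are all constructed assumptions; in practice the records come from the Microsoft 365 unified audit log and the registration dates from a WHOIS/RDAP service) and flags chats started by external senders that are not on an allow-list, come from newly registered domains, or use the "IT Help Desk" display-name padding trick described earlier in the article.

```python
import re
from datetime import date

# Constructed, simplified Teams audit records. The field names are an
# assumption for this example, not a copy of any tenant's real audit output.
SAMPLE_AUDIT_RECORDS = [
    {"CreationTime": "2024-11-20T09:14:02", "Operation": "ChatCreated",
     "UserId": "support@contoso-helpdesk-it.example",
     "Members": [{"UPN": "support@contoso-helpdesk-it.example",
                  "DisplayName": "IT Help Desk \U0001F6E0\u2003\u2003\u2003\u2003"},
                 {"UPN": "alice@corp.example", "DisplayName": "Alice Doe"}]},
    {"CreationTime": "2024-11-20T09:15:40", "Operation": "MessageSent",
     "UserId": "bob@corp.example",
     "Members": [{"UPN": "bob@corp.example", "DisplayName": "Bob Roe"},
                 {"UPN": "alice@corp.example", "DisplayName": "Alice Doe"}]},
    {"CreationTime": "2024-11-20T10:02:11", "Operation": "ChatCreated",
     "UserId": "pm@partner.example",
     "Members": [{"UPN": "pm@partner.example", "DisplayName": "Pat Lee"},
                 {"UPN": "alice@corp.example", "DisplayName": "Alice Doe"}]},
]

INTERNAL_DOMAINS = {"corp.example"}      # constructed: your own tenant domain
ALLOWED_EXTERNAL = {"partner.example"}   # constructed: the Teams allow-list
HELPDESK_WORDS = re.compile(r"\b(it|help ?desk|admin|support)\b", re.I)
# Constructed stand-in for a WHOIS/RDAP registration-date lookup.
REGISTRATION_DATES = {"contoso-helpdesk-it.example": date(2024, 11, 18),
                      "partner.example": date(2015, 3, 2)}

def domain_of(upn):
    return upn.rsplit("@", 1)[-1].lower()

def domain_age_days(domain, today=date(2024, 11, 20)):
    registered = REGISTRATION_DATES.get(domain)
    return None if registered is None else (today - registered).days

def suspicious_display_name(name):
    """Flag helpdesk keywords, emoji and runs of whitespace, the tricks
    used to build trust and push the (External) tag out of view."""
    reasons = []
    if HELPDESK_WORDS.search(name):
        reasons.append("helpdesk keyword in display name")
    if re.search(r"\s{2,}", name):  # \s also matches Unicode em spaces
        reasons.append("display name padded with whitespace")
    if any(ord(c) >= 0x1F000 or 0x2600 <= ord(c) <= 0x27BF for c in name):
        reasons.append("emoji in display name")
    return reasons

def triage(record, max_domain_age_days=30):
    """Reasons a ChatCreated record deserves review; [] for benign traffic."""
    if record["Operation"] != "ChatCreated":
        return []
    sender, dom = record["UserId"], domain_of(record["UserId"])
    if dom in INTERNAL_DOMAINS:
        return []
    reasons = []
    if dom not in ALLOWED_EXTERNAL:
        reasons.append(f"external domain {dom} not on allow-list")
    age = domain_age_days(dom)
    if age is not None and age <= max_domain_age_days:
        reasons.append(f"domain registered {age} days ago")
    for member in record["Members"]:
        if member["UPN"].lower() == sender.lower():
            reasons += suspicious_display_name(member["DisplayName"])
    return reasons

def scan(records):
    """Map each flagged sender to the reasons it was flagged."""
    return {r["UserId"]: triage(r) for r in records if triage(r)}
```

Running `scan(SAMPLE_AUDIT_RECORDS)` flags only the fake help-desk sender, with five separate reasons, while the allow-listed partner chat and the internal message pass silently.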
If your organization has a standardized tool for IT support, you should uninstall or disable any unapproved alternatives. This principle of least privilege—removing unnecessary software—significantly shrinks the attacker's toolkit. By enforcing a strict policy on remote access tools, you make it much harder for a social engineering attempt to succeed, even if an employee is momentarily fooled.

#### Manage External Communication with an Allow-List

By default, Microsoft Teams may allow anyone from outside your organization to start a conversation with your employees. You can lock this down by configuring your Teams admin settings to only permit communication from specific, approved external domains. This "allow-list" approach creates a digital walled garden, ensuring that your team can only collaborate with trusted partners, clients, and vendors. While it requires some initial setup and ongoing management, it is one of the most powerful controls for preventing unsolicited and malicious contact. A comprehensive cybersecurity strategy should always include granular control over communication channels.

#### Identify and Block Suspicious Domains

Proactive threat hunting can stop an attack before it starts. Train your IT team to look for chats originating from unusual external domains, especially those that are newly registered. Attackers often use "baby domains"—domains created just days or hours before an attack—to bypass reputation-based security filters. There are tools and services that can check a domain's registration date. When a message comes from an unknown and very new domain, it should be treated as a major red flag. Maintaining a dynamic blocklist of these suspicious domains helps protect your entire organization from known malicious sources.

#### Harden Security with Conditional Access and Tamper Protection

Strengthening your overall security posture provides a critical safety net.
Implement Microsoft Entra ID (formerly Azure AD) Conditional Access policies to enforce strict rules for who can access your resources and from where. Requiring multi-factor authentication (MFA) for all users is non-negotiable and remains one of the most effective defenses against account compromise. Furthermore, enable tamper protection features within your endpoint security solution. This prevents attackers who gain initial access from disabling antivirus and other critical security controls, giving your Managed Detection and Response (MDR) team the time it needs to detect and neutralize the threat.

### Empowering Employees as Your First Line of Defense

Technology is only one piece of the puzzle. Your employees are on the front lines every day, and with the right knowledge, they can become your most valuable security asset. A culture of security awareness transforms your team from potential targets into a human firewall capable of spotting and reporting threats that technology might miss. This requires more than an annual training session; it means providing clear, simple, and actionable guidance that empowers them to act confidently when they encounter something suspicious.

#### How to Report Phishing Directly in Teams

Microsoft has made it easy for users to report suspicious messages directly within the Teams application. If an employee receives a message that seems off, they shouldn't just ignore it—they should report it. To do this, they can simply hover over the suspicious message, click the three dots for 'More options,' go to 'More actions,' and select 'Report this message.' A prompt will ask them to classify the issue; they should choose 'Security risk - Spam, phishing, malicious content.' This action not only protects the individual but also alerts your security team, helping them protect the entire organization.

#### Implement a Verbal Authentication Phrase for IT

Social engineering preys on trust.
To counter this, consider implementing a low-tech but highly effective solution: a secret "verbal authentication phrase." This is a unique word or phrase that only your legitimate IT helpdesk staff and your managed services provider would know. Train your employees to ask for this phrase anytime they receive an unsolicited call or message from someone claiming to be from IT. If the person on the other end can't provide it, the employee knows to immediately end the conversation and report the incident. This simple step makes it incredibly difficult for an impersonator to succeed.

#### What to Do Immediately After a Phishing Incident

If an employee suspects they've clicked a malicious link or given away information, panic is the enemy. They need a clear, simple action plan. First, they should not click the link again or open any attachments from the message. If they entered a password on a suspicious site, they must change it immediately on all accounts that use it, starting with their primary work account. The next critical step is to report the incident to the IT department right away. The sooner IT knows, the faster they can take action to contain any potential damage.

#### Clarifying the Real Risk of Clicking a Link

Many people believe that simply clicking a malicious link is enough to compromise their device, but that's not always the case. It's important to educate your team that the primary risk often comes from the actions taken *after* the click. The real danger lies in entering credentials on a fake login page, downloading and running a malicious file, or granting remote access to a scammer. Understanding this distinction can reduce panic and empower employees. If they accidentally click a link but close the browser before entering any information, they have likely avoided the worst of the threat—as long as they still report it.

Conclusion
As cyber threats continue to evolve, businesses must remain vigilant and proactive in their cybersecurity measures. The recent tactics employed by ransomware groups underscore the importance of adapting to new challenges and securing cloud-based infrastructures. By staying informed, working with a managed security services provider, and implementing robust security protocols, organizations can protect themselves from these emerging cyber threats and safeguard their valuable assets.
BCS365 can help organizations with protection against cyber threats, and our engineers are available 24/7/365 for more information.
Frequently Asked Questions
We already have advanced email security. Why are these Teams phishing attacks still a threat?

These attacks are effective precisely because they sidestep traditional email security. Instead of coming through an email gateway where they can be scanned and filtered, the threats originate directly within Microsoft Teams. Attackers exploit the trust your employees have in this internal collaboration platform, making it a perfect channel for social engineering that your email defenses will never see.

What makes Microsoft Teams so vulnerable to impersonation?

The platform's default settings can often permit messages from external accounts, and attackers take full advantage of this. They can create accounts with display names like "IT Help Desk" to appear legitimate. A significant gap exists with voice calls; unlike text chats from external users, incoming calls on Teams often don't display a warning banner, making it easy for an attacker to convincingly impersonate a colleague or support technician over the phone.

Our employees are trained to spot phishing emails. How is this different?

While the principles of skepticism are the same, the context is very different. Phishing training has conditioned users to be wary of unexpected emails and suspicious links. However, employees are not accustomed to questioning the identity of someone messaging them on Teams, especially if that person claims to be from IT support. This requires a new layer of training focused on verifying identity, for example, by using a pre-established verbal password before ever sharing your screen or granting remote access.

What is the single most effective technical control we can implement to stop these attacks?

Restricting who can contact your employees from outside the organization is the most powerful step you can take. By default, Teams may be open to communication from any external domain. Your IT team can configure the Teams admin center to use an "allow-list," which means only users from specific, pre-approved partner or client domains can initiate a chat. This single change dramatically reduces your attack surface by blocking unsolicited contact from unknown sources.

If attackers are using legitimate tools like Microsoft Quick Assist, how can we defend against them?

You can't simply block tools that your real IT team needs for support. The solution is a layered defense. First, you should standardize which remote access tools are permitted in your environment and block or uninstall all others. This limits the attacker's options. Second, this is where a Managed Detection and Response (MDR) service becomes critical. An MDR solution doesn't just look at the tool being used; it analyzes behavior. It can detect when a legitimate tool is used for malicious activity, such as accessing sensitive files or disabling security software, and then alert your team to stop the attack in progress.
Key Takeaways
- Treat Microsoft Teams as a high-risk channel: Attackers are actively using Teams for sophisticated phishing, leveraging voice calls and impersonating IT support to trick employees into granting remote access with legitimate tools.
- Implement specific technical controls for Teams: You can significantly reduce your attack surface by configuring Teams to only allow messages from approved external domains, blocking unapproved remote access software, and actively monitoring M365 audit logs for suspicious activity.
- Give your team simple, actionable security steps: A human firewall is your best defense, so train employees to use the built-in "Report this message" feature and establish a verbal authentication phrase that only your real IT support team would know.
