Threat Actors Weaponize Microsoft Teams for Ransomware, Espionage, and Social Engineering
Microsoft has issued warnings about the increasing abuse of Microsoft Teams by both cybercriminals and state-sponsored threat actors for a range of malicious activities, including ransomware deployment, espionage, and social engineering attacks. The collaboration features and widespread adoption of Teams have made it a high-value target, with attackers exploiting its core capabilities such as messaging, calls, meetings, and video-based screen sharing at various stages of the attack chain.
Threat actors have been observed conducting reconnaissance by enumerating directory objects and mapping relationships and privileges within Teams environments, often leveraging Microsoft Entra ID identities. Attackers may exploit federation tenant configurations to determine if external communication is permitted, which can be inferred from API responses.
Microsoft has responded by strengthening default security through its Secure Future Initiative, but emphasizes that defenders must also utilize customer-facing security controls across identity, endpoints, data, apps, and network layers to harden Teams environments. The company provides detailed guidance for disrupting adversarial objectives, including recommendations for monitoring, detection, and response tailored to the unique risks of Teams.
The attack chain often begins with reconnaissance and can progress to lateral movement, data exfiltration, or ransomware deployment, depending on the attacker’s objectives. Social engineering tactics, such as phishing via Teams chat or impersonation during meetings, have been reported as effective vectors for initial access. Microsoft highlights the importance of understanding the multi-tenant and cross-tenant communication features of Teams, which can be abused for lateral movement or to bypass traditional security boundaries.
The guidance also addresses the need for robust logging and monitoring to detect suspicious activity, as well as the implementation of least privilege access and strong authentication measures. Organizations are urged to review their Teams configurations, especially regarding guest and external access, to minimize exposure. Microsoft’s recommendations are designed to complement existing security development lifecycle practices and provide actionable steps for enterprise defenders. The company continues to monitor evolving attacker techniques and update its security guidance accordingly.
The warnings underscore the critical need for organizations to treat collaboration platforms like Teams as high-value assets requiring dedicated security strategies. By proactively implementing Microsoft’s recommended controls and maintaining vigilance, organizations can reduce the risk of compromise via Teams. The evolving threat landscape demonstrates that attackers are increasingly targeting collaboration tools as entry points into enterprise environments. Microsoft’s ongoing research and public advisories aim to equip defenders with the knowledge and tools necessary to counter these sophisticated threats.

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes guidance to harden Teams against threat activity
Microsoft issued recommendations for organizations to better secure Teams environments, including stricter access controls and other defensive measures aimed at reducing abuse of the platform. The guidance accompanied Microsoft's public warning about Teams becoming a significant attack vector.
Threat actors expand Microsoft Teams abuse for persistence, espionage, and extortion
Microsoft disclosed broader abuse of Teams by multiple cybercriminal and state-backed actors for reconnaissance, persistence, data exfiltration, backdoor installation, ransom note delivery, and intimidation. Reported activity included use of administrative tools such as AADInternals and extortion tactics by groups including Octo Tempest.
Storm-1674 uses Microsoft Teams for social engineering and malware delivery
Microsoft reported that threat actor Storm-1674 abused Microsoft Teams chats to socially engineer targets and deliver malware, including DarkGate, using tooling such as TeamsPhisher. This marked a notable example of Teams being operationalized as an initial access and delivery channel in cyberattacks.
Sources
Microsoft Teams exploitation in cyberattacks ramp up (scworld.com)
Microsoft Warns: Threat Actors Turn Microsoft Teams into a Weapon for Ransomware, Espionage, and Social Engineering (securityonline.info)
Disrupting threats targeting Microsoft Teams (microsoft.com)


