Microsoft Teams and Azure Tenant Abuse for Social Engineering Attacks
Microsoft is introducing a new feature that allows security administrators to block external users from sending messages, calls, or meeting invitations to their organization via Teams, managed through the Microsoft Defender portal. This integration with Defender for Office 365 enables admins to centrally manage blocked external contacts, supporting up to 4,000 domains and 200 email addresses, and is designed to counteract cybercrime groups, including ransomware actors, who exploit Teams for social engineering. The update will also enhance default security by enabling malicious URL detection and warning admins about suspicious external traffic, aiming to strengthen organizational defenses against external threats.
Simultaneously, cybercriminals are exploiting legitimate Microsoft infrastructure, specifically .onmicrosoft.com domains assigned to Azure tenants, to launch Telephone-Oriented Attack Delivery (TOAD) scams. Attackers create controlled tenants and send malicious invites that appear to originate from trusted Microsoft addresses, bypassing standard email security filters. These invites contain social engineering lures in the message field, urging recipients to call fraudulent support numbers. Security teams are advised to implement targeted Exchange Transport Rules using Regex to mitigate this threat, as blocking the entire domain would disrupt legitimate operations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Microsoft schedules Teams security features to roll out in January 2026
Microsoft said the new Teams external user blocking feature would begin rolling out in January 2026 for customers with Defender for Office 365 Plan 1 or Plan 2. The company also said enhanced protections such as malicious URL detection and blocking of weaponizable file types would be enabled by default in the same timeframe.
Microsoft announces Teams external user blocking via Defender
Microsoft announced a new Teams security capability that will let administrators block external users, domains, messages, calls, and meeting invitations through the Defender for Office 365 Tenant Allow/Block List. The feature is intended to reduce social engineering and ransomware-related abuse of Teams.
Attackers abuse Azure .onmicrosoft.com domains for TOAD scam emails
Cybercriminals began using default .onmicrosoft.com domains tied to attacker-created Azure tenants to send Microsoft Invite notifications containing phone numbers for Telephone-Oriented Attack Delivery scams. The technique abuses trusted Microsoft infrastructure to evade many email security controls because the social engineering content appears in the email body.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Threat Actors Weaponize Microsoft Teams for Ransomware, Espionage, and Social Engineering
Microsoft has issued warnings about the increasing abuse of Microsoft Teams by both cybercriminals and state-sponsored threat actors for a range of malicious activities, including ransomware deployment, espionage, and social engineering attacks. The collaboration features and widespread adoption of Teams have made it a high-value target, with attackers exploiting its core capabilities such as messaging, calls, meetings, and video-based screen sharing at various stages of the attack chain. Threat actors have been observed conducting reconnaissance by enumerating directory objects and mapping relationships and privileges within Teams environments, often leveraging Microsoft Entra ID identities. Attackers may exploit federation tenant configurations to determine if external communication is permitted, which can be inferred from API responses. Microsoft has responded by strengthening default security through its Secure Future Initiative, but emphasizes that defenders must also utilize customer-facing security controls across identity, endpoints, data, apps, and network layers to harden Teams environments. The company provides detailed guidance for disrupting adversarial objectives, including recommendations for monitoring, detection, and response tailored to the unique risks of Teams. The attack chain often begins with reconnaissance and can progress to lateral movement, data exfiltration, or ransomware deployment, depending on the attacker’s objectives. Social engineering tactics, such as phishing via Teams chat or impersonation during meetings, have been reported as effective vectors for initial access. Microsoft highlights the importance of understanding the multi-tenant and cross-tenant communication features of Teams, which can be abused for lateral movement or to bypass traditional security boundaries. The guidance also addresses the need for robust logging and monitoring to detect suspicious activity, as well as the implementation of least privilege access and strong authentication measures. Organizations are urged to review their Teams configurations, especially regarding guest and external access, to minimize exposure. Microsoft’s recommendations are designed to complement existing security development lifecycle practices and provide actionable steps for enterprise defenders. The company continues to monitor evolving attacker techniques and update its security guidance accordingly. The warnings underscore the critical need for organizations to treat collaboration platforms like Teams as high-value assets requiring dedicated security strategies. By proactively implementing Microsoft’s recommended controls and maintaining vigilance, organizations can reduce the risk of compromise via Teams. The evolving threat landscape demonstrates that attackers are increasingly targeting collaboration tools as entry points into enterprise environments. Microsoft’s ongoing research and public advisories aim to equip defenders with the knowledge and tools necessary to counter these sophisticated threats.
Mar 21, 2026
Attackers Impersonate IT Support in Microsoft Teams Phishing Campaigns
Threat actors are increasingly using **Microsoft Teams** chats to impersonate IT staff or trusted business contacts, persuading employees to approve MFA prompts, click malicious links, or hand over credentials. Palo Alto Networks Unit 42 said the tactic has appeared in multiple intrusions, including **Cloaked Ursa/APT29** activity that used compromised accounts to send malicious Teams messages and **UNC6692** operations that posed as helpdesk personnel to socially engineer targets through the platform. The report said phishing delivered through collaboration tools is rising quickly, with Cortex telemetry showing such activity accounted for **42% of all phishing alerts** in the first four months of 2026, up from **30%** in the prior four-month period. Attackers are exploiting permissive Teams federation settings, unmanaged external accounts, typosquatted domains, and compromised partner tenants to appear legitimate, prompting defenders to tighten external communication controls, restrict federation to approved domains, disable unmanaged external access where possible, strengthen identity protections such as Conditional Access and **Entra Privileged Identity Management**, and monitor for suspicious external chat initiation.
Jun 9, 2026
Microsoft Teams Phishing Campaigns Drive MFA Theft and RMM-Based Intrusions
Threat actors are increasingly abusing workplace collaboration platforms, especially **Microsoft Teams**, to impersonate IT staff, vendors, and support personnel in social-engineering attacks that bypass user trust controls. Palo Alto Networks Unit 42 reported that collaboration-tool phishing accounted for **42%** of all phishing alerts seen in Cortex during the first four months of 2026, up from **30%** in the prior four-month period, showing a broader shift away from traditional email lures. The attacks commonly pressure users to approve multifactor authentication prompts or otherwise grant access, and researchers said both criminal and nation-state actors are using the technique. Cyfirma separately identified an active Teams-themed campaign that uses fake meeting transcript and recording notifications to lure victims to counterfeit landing pages hosted on compromised websites and attacker-controlled cloud infrastructure, including Cloudflare Workers and Pages. Victims are served a signed Windows installer that silently deploys a legitimate remote monitoring and management tool connected to attacker relay servers, then establishes persistence through a Windows service and registry changes, including mechanisms that survive Safe Mode with Networking. The intrusion chain also includes anti-analysis checks and credential theft via a credential provider DLL and an LSA authentication package, indicating the campaign is designed to convert a trusted collaboration message into durable unauthorized access.
Jun 24, 2026