Attackers Impersonate IT Support in Microsoft Teams Phishing Campaigns
Threat actors are increasingly using Microsoft Teams chats to impersonate IT staff or trusted business contacts, persuading employees to approve MFA prompts, click malicious links, or hand over credentials. Palo Alto Networks Unit 42 said the tactic has appeared in multiple intrusions, including Cloaked Ursa/APT29 activity that used compromised accounts to send malicious Teams messages and UNC6692 operations that posed as helpdesk personnel to socially engineer targets through the platform.
The report said phishing delivered through collaboration tools is rising quickly, with Cortex telemetry showing such activity accounted for 42% of all phishing alerts in the first four months of 2026, up from 30% in the prior four-month period. Attackers are exploiting permissive Teams federation settings, unmanaged external accounts, typosquatted domains, and compromised partner tenants to appear legitimate, prompting defenders to tighten external communication controls, restrict federation to approved domains, disable unmanaged external access where possible, strengthen identity protections such as Conditional Access and Entra Privileged Identity Management, and monitor for suspicious external chat initiation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Collaboration-tool phishing rose to 42% of phishing alerts
During the first four months of 2026, Cortex reported that phishing alerts originating from collaboration tools accounted for 42% of all phishing alerts, up from 30% in the prior four-month period.
UNC6692 impersonated IT helpdesk staff via Microsoft Teams
In December 2025, Mandiant-tracked UNC6692 was observed impersonating IT helpdesk personnel through Microsoft Teams chats to socially engineer targets.
APT29 used compromised accounts to send malicious Teams messages
In late 2024, Cloaked Ursa/APT29 used compromised accounts to deliver malicious Microsoft Teams messages as part of phishing and social engineering activity.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Teams Phishing Campaigns Drive MFA Theft and RMM-Based Intrusions
Threat actors are increasingly abusing workplace collaboration platforms, especially **Microsoft Teams**, to impersonate IT staff, vendors, and support personnel in social-engineering attacks that bypass user trust controls. Palo Alto Networks Unit 42 reported that collaboration-tool phishing accounted for **42%** of all phishing alerts seen in Cortex during the first four months of 2026, up from **30%** in the prior four-month period, showing a broader shift away from traditional email lures. The attacks commonly pressure users to approve multifactor authentication prompts or otherwise grant access, and researchers said both criminal and nation-state actors are using the technique. Cyfirma separately identified an active Teams-themed campaign that uses fake meeting transcript and recording notifications to lure victims to counterfeit landing pages hosted on compromised websites and attacker-controlled cloud infrastructure, including Cloudflare Workers and Pages. Victims are served a signed Windows installer that silently deploys a legitimate remote monitoring and management tool connected to attacker relay servers, then establishes persistence through a Windows service and registry changes, including mechanisms that survive Safe Mode with Networking. The intrusion chain also includes anti-analysis checks and credential theft via a credential provider DLL and an LSA authentication package, indicating the campaign is designed to convert a trusted collaboration message into durable unauthorized access.
Jun 24, 2026
Microsoft Teams Vishing Used to Gain Remote Access and Deploy Malware
Attackers used **Microsoft Teams** to impersonate IT or helpdesk staff and socially engineer employees into granting access or executing malicious actions, turning collaboration tooling and trusted support workflows into the initial access vector. One report describes a compromise at an Italy-based consumer services company where a Teams meeting invite and screen sharing session led the victim to run a staged **PowerShell** chain that deployed **PhantomBackdoor**, a multi-stage **WebSocket-based** backdoor associated with earlier spear-phishing activity. The observed sequence included post-call PowerShell execution, device reconnaissance, and establishment of WebSocket command-and-control. A second report describes a similar **vishing** intrusion in which a threat actor posing as support staff called employees through Teams and, after multiple attempts, convinced one user to grant remote access through **Quick Assist**. The attacker then directed the victim to a spoofed credential-harvesting site, used a malicious **MSI** and sideloaded **DLL** to launch follow-on payloads, and established outbound C2. While the malware families and exact post-compromise chains differ, both accounts document the same operational pattern: **Teams-based social engineering**, abuse of legitimate remote assistance or user-guided execution, credential theft or payload staging, and transition to hands-on intrusion activity inside a corporate environment.
Mar 21, 2026
Threat Actors Weaponize Microsoft Teams for Ransomware, Espionage, and Social Engineering
Microsoft has issued warnings about the increasing abuse of Microsoft Teams by both cybercriminals and state-sponsored threat actors for a range of malicious activities, including ransomware deployment, espionage, and social engineering attacks. The collaboration features and widespread adoption of Teams have made it a high-value target, with attackers exploiting its core capabilities such as messaging, calls, meetings, and video-based screen sharing at various stages of the attack chain. Threat actors have been observed conducting reconnaissance by enumerating directory objects and mapping relationships and privileges within Teams environments, often leveraging Microsoft Entra ID identities. Attackers may exploit federation tenant configurations to determine if external communication is permitted, which can be inferred from API responses. Microsoft has responded by strengthening default security through its Secure Future Initiative, but emphasizes that defenders must also utilize customer-facing security controls across identity, endpoints, data, apps, and network layers to harden Teams environments. The company provides detailed guidance for disrupting adversarial objectives, including recommendations for monitoring, detection, and response tailored to the unique risks of Teams. The attack chain often begins with reconnaissance and can progress to lateral movement, data exfiltration, or ransomware deployment, depending on the attacker’s objectives. Social engineering tactics, such as phishing via Teams chat or impersonation during meetings, have been reported as effective vectors for initial access. Microsoft highlights the importance of understanding the multi-tenant and cross-tenant communication features of Teams, which can be abused for lateral movement or to bypass traditional security boundaries. The guidance also addresses the need for robust logging and monitoring to detect suspicious activity, as well as the implementation of least privilege access and strong authentication measures. Organizations are urged to review their Teams configurations, especially regarding guest and external access, to minimize exposure. Microsoft’s recommendations are designed to complement existing security development lifecycle practices and provide actionable steps for enterprise defenders. The company continues to monitor evolving attacker techniques and update its security guidance accordingly. The warnings underscore the critical need for organizations to treat collaboration platforms like Teams as high-value assets requiring dedicated security strategies. By proactively implementing Microsoft’s recommended controls and maintaining vigilance, organizations can reduce the risk of compromise via Teams. The evolving threat landscape demonstrates that attackers are increasingly targeting collaboration tools as entry points into enterprise environments. Microsoft’s ongoing research and public advisories aim to equip defenders with the knowledge and tools necessary to counter these sophisticated threats.
Mar 21, 2026