Microsoft Teams Phishing Campaigns Drive MFA Theft and RMM-Based Intrusions
Threat actors are increasingly abusing workplace collaboration platforms, especially Microsoft Teams, to impersonate IT staff, vendors, and support personnel in social-engineering attacks that bypass user trust controls. Palo Alto Networks Unit 42 reported that collaboration-tool phishing accounted for 42% of all phishing alerts seen in Cortex during the first four months of 2026, up from 30% in the prior four-month period, showing a broader shift away from traditional email lures. The attacks commonly pressure users to approve multifactor authentication prompts or otherwise grant access, and researchers said both criminal and nation-state actors are using the technique.
Cyfirma separately identified an active Teams-themed campaign that uses fake meeting transcript and recording notifications to lure victims to counterfeit landing pages hosted on compromised websites and attacker-controlled cloud infrastructure, including Cloudflare Workers and Pages. Victims are served a signed Windows installer that silently deploys a legitimate remote monitoring and management tool connected to attacker relay servers, then establishes persistence through a Windows service and registry changes, including mechanisms that survive Safe Mode with Networking. The intrusion chain also includes anti-analysis checks and credential theft via a credential provider DLL and an LSA authentication package, indicating the campaign is designed to convert a trusted collaboration message into durable unauthorized access.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Cyfirma identifies active Teams-themed RMM phishing campaign
Cyfirma identified an active phishing campaign that impersonates Microsoft Teams notifications with fake transcript or recording alerts to lure users to counterfeit landing pages. Victims who click receive a signed Windows installer that deploys a legitimate remote monitoring and management tool configured to connect to attacker-controlled relay servers, with persistence and credential-theft components.
Cyfirma-linked Teams impersonation infrastructure likely expanded
Cyfirma found that about 56% of the infrastructure tied to a Microsoft Teams impersonation campaign was three to six months old, indicating a likely expansion phase beginning around March 2026. The infrastructure included compromised legitimate websites and attacker-controlled Cloudflare Workers and Pages.
Unit 42 reports Teams social engineering used for MFA approval fraud
Palo Alto Networks Unit 42 reported that threat actors were abusing Microsoft Teams to impersonate IT personnel and trick users into approving multifactor authentication prompts, enabling compromise of organizational environments. The report said both criminal and nation-state actors were using the technique and that built-in impersonation and external-sender warnings were not always sufficient.
Collaboration-tool phishing rose to 42% of Cortex alerts in early 2026
Palo Alto Networks Unit 42 reported that phishing via workplace collaboration tools accounted for 42% of all phishing alerts in Cortex during the first four months of 2026, up from 30% in the preceding four months. The report described a broader shift away from traditional email phishing toward collaboration-platform abuse.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Attackers Impersonate IT Support in Microsoft Teams Phishing Campaigns
Threat actors are increasingly using **Microsoft Teams** chats to impersonate IT staff or trusted business contacts, persuading employees to approve MFA prompts, click malicious links, or hand over credentials. Palo Alto Networks Unit 42 said the tactic has appeared in multiple intrusions, including **Cloaked Ursa/APT29** activity that used compromised accounts to send malicious Teams messages and **UNC6692** operations that posed as helpdesk personnel to socially engineer targets through the platform. The report said phishing delivered through collaboration tools is rising quickly, with Cortex telemetry showing such activity accounted for **42% of all phishing alerts** in the first four months of 2026, up from **30%** in the prior four-month period. Attackers are exploiting permissive Teams federation settings, unmanaged external accounts, typosquatted domains, and compromised partner tenants to appear legitimate, prompting defenders to tighten external communication controls, restrict federation to approved domains, disable unmanaged external access where possible, strengthen identity protections such as Conditional Access and **Entra Privileged Identity Management**, and monitor for suspicious external chat initiation.
Jun 9, 2026
Microsoft Teams Vishing Used to Gain Remote Access and Deploy Malware
Attackers used **Microsoft Teams** to impersonate IT or helpdesk staff and socially engineer employees into granting access or executing malicious actions, turning collaboration tooling and trusted support workflows into the initial access vector. One report describes a compromise at an Italy-based consumer services company where a Teams meeting invite and screen sharing session led the victim to run a staged **PowerShell** chain that deployed **PhantomBackdoor**, a multi-stage **WebSocket-based** backdoor associated with earlier spear-phishing activity. The observed sequence included post-call PowerShell execution, device reconnaissance, and establishment of WebSocket command-and-control. A second report describes a similar **vishing** intrusion in which a threat actor posing as support staff called employees through Teams and, after multiple attempts, convinced one user to grant remote access through **Quick Assist**. The attacker then directed the victim to a spoofed credential-harvesting site, used a malicious **MSI** and sideloaded **DLL** to launch follow-on payloads, and established outbound C2. While the malware families and exact post-compromise chains differ, both accounts document the same operational pattern: **Teams-based social engineering**, abuse of legitimate remote assistance or user-guided execution, credential theft or payload staging, and transition to hands-on intrusion activity inside a corporate environment.
Mar 21, 2026
Phishing Campaigns Delivering Malware via Disguised, Signed Installers and Malicious Attachments
Security researchers reported active phishing activity targeting enterprise users by impersonating routine workplace workflows (e.g., meeting invites, invoices, and document notifications) to trick recipients into running malware. One campaign used executables masquerading as *Microsoft Teams*, *Zoom*, and *Adobe Acrobat Reader* installers (e.g., `msteams.exe`, `zoomworkspace.clientsetup.exe`, `adobereader.exe`, `invite.exe`) that appeared trustworthy because they were **digitally signed** with an Extended Validation (EV) certificate issued to **TrustConnect Software PTY LTD**. Microsoft Defender telemetry attributed the activity to an unknown threat actor and assessed the approach as a deliberate, multi-wave effort designed to bypass user suspicion and basic security controls. After execution, the signed malware deployed **remote monitoring and management (RMM)** tooling—reported examples include **ScreenConnect**, **Tactical RMM**, and **Mesh Agent**—to establish persistent remote access and enable follow-on actions across affected environments. Separately, reporting also highlighted phishing lures distributing **malicious ISO attachments** embedded in job application/resumé-themed emails, reinforcing that attackers continue to rely on socially engineered business processes (recruiting and HR workflows in particular) to deliver initial payloads and gain a foothold.
Mar 21, 2026