Intelligence
High severity | Campaign | Active

Teams as attack surface: threat actors weaponise Microsoft's collaboration platform for helpdesk impersonation and lateral movement

Microsoft has observed threat actors increasingly abusing external Teams channels to impersonate helpdesk staff, deceive users into credential disclosure, and establish footholds for lateral movement within enterprise networks. The attack exploits Teams' legitimacy and ubiquity to bypass social engineering defences.

By Sebastion

Affected

Microsoft Teams; enterprise organisations using Microsoft 365

Threat actors are systematically abusing Microsoft Teams external collaboration features to conduct helpdesk impersonation campaigns at scale. Rather than relying on phishing emails, which trigger content filtering and user suspicion, attackers create Teams workspaces or join existing channels posing as IT support staff. This approach capitalises on the platform's legitimate status within enterprise environments and the assumption that internal communication channels are trustworthy.

The technical approach is straightforward but effective. Attackers either compromise low-privileged accounts, create new ones with plausible names, or exploit Teams' guest access model to establish presence. Once positioned, they initiate direct messages claiming urgent security issues, account lockouts, or policy compliance requirements. They direct targets to credential submission portals, multi-factor authentication bypass flows, or malware payloads hosted on legitimate infrastructure. Teams' built-in document sharing and integration capabilities provide additional attack surface for delivering payloads or credential harvesting forms.

The threat is particularly acute because Teams traffic is ordinarily not scrutinised at the same level as external email. Organisations often whitelist Teams communications entirely, reasoning that internal collaboration should flow freely. Attackers exploit this asymmetry: they gain plausible legitimacy through the platform whilst operating outside traditional email security controls. Once they obtain credentials, they have direct access to internal Teams channels, SharePoint repositories, and other Microsoft 365 assets, enabling rapid reconnaissance and lateral movement.

Defenders should treat external Teams access as a perimeter control point equivalent to email gateways. This means implementing user training specifically addressing Teams-based social engineering (distinct from email phishing awareness), disabling external guest access where unnecessary, and monitoring Teams direct messages for anomalous patterns. Security teams should establish escalation procedures for suspicious IT support requests, ensuring that legitimate helpdesk interactions never route through Teams direct messages without verification. Additionally, organisations should review Teams guest policies and consider requiring managed identities for external collaboration rather than permitting unverified guest accounts.
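The monitoring recommendation above ("monitoring Teams direct messages for anomalous patterns") is the one most teams struggle to make concrete. The following is an added example, not code from the original brief or from Microsoft: it runs two simple checks over Teams chat audit records, flagging (1) external (guest or federated) senders whose one-to-one messages use helpdesk-style lure wording, and (2) a single external sender opening direct chats with many distinct internal recipients, which is the fan-out signature of an at-scale impersonation campaign. The record layout (`Sender`, `SenderType`, `Recipient`, `CommunicationType`, `Text`) is an assumption, a simplified stand-in for Microsoft 365 audit records of Teams chat activity; every sample record is constructed.

```python
"""Detection sketch for Teams helpdesk-impersonation messages.

Added example, not code from the original brief. The record layout is an
assumption: it is a simplified stand-in for Microsoft 365 audit records of
Teams chat activity, and every sample record below is constructed.
"""
from collections import defaultdict

# Terms common to "IT support" lures: account lockouts, urgent security
# issues, MFA re-registration, policy compliance. Tune to your environment.
LURE_TERMS = (
    "locked", "urgent", "verify", "mfa", "authenticator",
    "compliance", "helpdesk", "it support", "password",
)

# Sender types that originate outside the tenant's own member accounts.
EXTERNAL_SENDER_TYPES = {"Guest", "Federated"}

# Constructed sample records (not real audit data). Three guest messages
# from one external identity, one internal chat, one benign federated chat.
SAMPLE_RECORDS = [
    {"Sender": "itsupport-desk@outlook.com", "SenderType": "Guest",
     "Recipient": "alice@contoso.example", "CommunicationType": "OneOnOne",
     "Text": "URGENT: your account is locked, verify your MFA code with IT support now"},
    {"Sender": "itsupport-desk@outlook.com", "SenderType": "Guest",
     "Recipient": "bob@contoso.example", "CommunicationType": "OneOnOne",
     "Text": "Helpdesk here: policy compliance check, please re-enter your password at the portal"},
    {"Sender": "itsupport-desk@outlook.com", "SenderType": "Guest",
     "Recipient": "carol@contoso.example", "CommunicationType": "OneOnOne",
     "Text": "Your authenticator app needs re-registration, reply with the code"},
    {"Sender": "alice@contoso.example", "SenderType": "Member",
     "Recipient": "bob@contoso.example", "CommunicationType": "OneOnOne",
     "Text": "Reminder: password rotation is next week"},
    {"Sender": "partner@fabrikam.example", "SenderType": "Federated",
     "Recipient": "dave@contoso.example", "CommunicationType": "OneOnOne",
     "Text": "Sending the revised contract draft shortly"},
]


def is_external(record):
    """True when the sender is a guest or federated (other-tenant) identity."""
    return record["SenderType"] in EXTERNAL_SENDER_TYPES


def lure_terms(text):
    """Return the lure terms present in a message, lower-cased and sorted."""
    lowered = text.lower()
    return sorted(term for term in LURE_TERMS if term in lowered)


def analyse(records, fanout_threshold=3):
    """Produce findings for external one-to-one chats.

    Two signals: (1) an external sender using helpdesk-style lure wording,
    (2) one external sender opening direct chats with at least
    fanout_threshold distinct internal recipients, lure wording or not.
    """
    findings = []
    recipients_by_sender = defaultdict(set)

    for record in records:
        # Internal member-to-member chat and group chats are out of scope here.
        if record["CommunicationType"] != "OneOnOne" or not is_external(record):
            continue
        recipients_by_sender[record["Sender"]].add(record["Recipient"])
        matched = lure_terms(record["Text"])
        if matched:
            findings.append({
                "type": "external_helpdesk_lure",
                "sender": record["Sender"],
                "recipient": record["Recipient"],
                "matched_terms": matched,
            })

    for sender, recipients in recipients_by_sender.items():
        if len(recipients) >= fanout_threshold:
            findings.append({
                "type": "external_dm_fanout",
                "sender": sender,
                "recipient_count": len(recipients),
            })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_RECORDS):
        print(finding)
```

Against the sample records this yields three lure findings and one fan-out finding, all for the same guest identity, while the internal "password rotation" reminder is ignored because the sender is a tenant member. The fan-out check matters because a patient attacker can avoid obvious lure words entirely; the count of distinct internal recipients contacted by one external identity is a behavioural signal that keyword lists miss.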

The broader implication is that as organisations harden email security, threat actors are systematically migrating to alternative communication platforms where users maintain higher trust thresholds and security controls are less mature. Teams is merely the current focus; Slack, Discord, and other collaboration tools will likely see similar campaigns as adversaries optimise their attack chains. The pattern suggests a maturation of social engineering tactics toward platform diversification, requiring defenders to adopt a unified approach to communication security across their entire collaboration stack rather than defending email in isolation.