Microsoft Teams Phishing Campaigns Exploit Trust in Internal Communications
Attackers are conducting social engineering campaigns through Microsoft Teams, impersonating IT staff to obtain credentials and access. This represents a significant threat because Teams' position as a trusted internal communication channel makes users more likely to comply with requests.
Affected
Attackers are exploiting the inherent trust users place in Microsoft Teams as an internal communication platform. When a message arrives claiming to be from IT support, users are psychologically primed to comply, particularly if the request involves urgent security or system maintenance language. This campaign represents a shift in phishing tactics away from email toward collaboration tools, which typically have weaker external threat detection and fewer security controls than email gateways.
The technical barrier to entry is extremely low. Attackers either compromise legitimate Teams accounts through credential theft or account takeover, or they create accounts with names mimicking IT departments or senior staff. Teams' lack of display-name verification and the platform's position within corporate networks mean that messages bypass external email filters entirely. Requests for credential verification, VPN access, or MFA re-authentication are common vectors, with attackers using urgency and authority to bypass normal verification steps.
Organisations relying on security perimeter controls around email are particularly vulnerable because Teams conversations often bypass those controls. Users internalise Teams as 'safe' traffic and apply different judgment criteria than they would to external communications. This psychological component is as significant as the technical one. Attackers are banking on the assumption that internal users will not rigorously verify the identity of someone claiming to be IT support through a platform that feels inherently corporate and controlled.
Defenders should implement multi-factor authentication on Teams accounts, restrict who can create distribution lists or accounts that impersonate IT functions, and establish explicit verification protocols for sensitive requests. User awareness training must specifically address Teams phishing, emphasising that internal communication platforms can be compromised. Organisations should also monitor Teams for suspicious account activity, impossible travel scenarios, and communications requesting sensitive data or system changes. Teams application policies should restrict external sharing and enforce data loss prevention rules on sensitive credential formats.
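The monitoring advice above can be turned into a simple triage rule. The following is an added example, not code from the original article or from Microsoft: it scores exported chat records for the signals this page describes (an IT-sounding display name on an account that is not a verified IT sender, a sender outside the home domain, credential, MFA or VPN wording, and urgency). The record fields, the domain `corp.example`, the verified-sender list and the keyword lists are all assumptions to adapt locally.

```python
import re
import unicodedata

# Assumptions: the organisation's own domain and its verified IT support accounts.
HOME_DOMAIN = "corp.example"
VERIFIED_IT_SENDERS = {"helpdesk@corp.example"}

IT_NAME = re.compile(r"\b(it|help\s*desk|service\s*desk|support|admin(istrator)?|security)\b")
SENSITIVE = re.compile(r"\b(password|credentials?|mfa|verification code|authenticator|vpn)\b")
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|right away|suspended|locked)\b")

def normalise(text):
    """Fold case and compatibility forms so a full-width 'ＩＴ' matches 'it'."""
    return unicodedata.normalize("NFKC", text).casefold()

def score_message(msg):
    """Return (score, reasons) for one message record (hypothetical schema)."""
    name, body = normalise(msg["display_name"]), normalise(msg["body"])
    sender = msg["sender"].lower()
    reasons = []
    if IT_NAME.search(name) and sender not in VERIFIED_IT_SENDERS:
        reasons.append("display name claims an IT role; sender is not a verified IT account")
    if not sender.endswith("@" + HOME_DOMAIN):
        reasons.append("sender is outside the home domain")
    if SENSITIVE.search(body):
        reasons.append("mentions credentials, MFA or VPN access")
    if URGENCY.search(body):
        reasons.append("uses urgency language")
    return len(reasons), reasons

def triage(messages, threshold=3):
    """Return (score, reasons, id) for messages at or above threshold, highest first."""
    scored = [(*score_message(m), m["id"]) for m in messages]
    return sorted((h for h in scored if h[0] >= threshold), key=lambda h: -h[0])

# Constructed sample records, not real Teams data.
SAMPLE = [
    {"id": "m1", "sender": "it-support@helpdesk-portal.example", "display_name": "IT Support",
     "body": "Urgent: your account will be locked. Reply with the verification code."},
    {"id": "m2", "sender": "helpdesk@corp.example", "display_name": "Help Desk",
     "body": "Scheduled maintenance on Saturday; no action needed."},
    {"id": "m3", "sender": "j.smith@corp.example", "display_name": "IT Service Desk",
     "body": "Please re-authenticate your VPN access immediately and confirm your password."},
    {"id": "m4", "sender": "alice@corp.example", "display_name": "Alice Jones",
     "body": "Can you resend the slides? I forgot my password to the share again."},
]
for score, reasons, msg_id in triage(SAMPLE):
    print(msg_id, score, "; ".join(reasons))
```

Record `m3` shows why the domain check alone is not enough: a compromised internal account passes it, and only the combination of an unverified IT-style name with a sensitive, urgent request raises it for review.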
This campaign highlights a broader blind spot in enterprise security: as email becomes harder to exploit, attackers systematically migrate to whatever communication tool has achieved organisational trust. Teams is ubiquitous in corporate environments, making it an attractive target. The risk will intensify as more organisations move away from email-centric collaboration, and defenders must treat trusted internal platforms with the same scrutiny applied to external threats.