Attackers are increasingly abusing Microsoft Teams to impersonate staff, deliver malware, and steal data, Microsoft’s threat team has warned.
Microsoft has issued a security alert about a rising wave of cyberattacks targeting its collaboration platform, Teams. According to the company’s Threat Intelligence team, attackers are using Teams not only to deliver malware but also to gather information, impersonate trusted parties, steal credentials, and exfiltrate data. Both financially motivated cybercriminals and state-backed groups have been observed exploiting Teams across multiple stages of the attack lifecycle.
Microsoft’s report details how Teams is being misused during every phase of an attack, from reconnaissance to persistence. Attackers can identify vulnerable users, groups, or organizations by abusing Teams' external access (federation) features, which let users in other tenants look up and contact your users. Without Privacy mode enabled, a user's availability and presence information is visible to outsiders, telling an attacker when a target is online, away, or in a meeting and enabling further targeting.
Threat actors then use social engineering tactics, impersonating IT support or help desks, registering fake domains, and even purchasing legitimate tenants to appear credible. These tactics have included phone calls, chat messages, and even video calls designed to trick users into installing remote access tools or revealing sensitive information.
Teams is also used as a delivery channel for infostealer malware and ransomware. Tools like TeamsPhisher, which abuse external access to send messages and attachments to users in other tenants, have been used to distribute the DarkGate loader, while victims of help-desk impersonation schemes have been talked into installing legitimate remote desktop applications such as AnyDesk, handing the attacker interactive access.
To maintain persistence, attackers create guest accounts in the victim tenant, alter shortcuts, and plant tools in startup folders so that their access survives reboots and partial cleanup. Admin accounts are especially valuable targets because their elevated privileges include access to Teams management tools.
Microsoft warned that attackers often analyze Teams configurations and APIs to gather information that can support broader attacks. With stolen access tokens, or knowledge of roles and app permissions, attackers can move laterally or impersonate users in other organizations. In one case, attackers posed as IT staff and convinced a user at a different company to authorize remote access.
Teams has also been used for command-and-control communication and even as a channel for delivering ransom demands. Microsoft recommended strengthening identity and endpoint security and configuring Teams with stricter network, external access, and app controls.
According to Cybersecurity News, the rise in Teams-based attacks shows how collaboration tools can be exploited “not just as an entry vector, but as a tool for direct financial coercion.” Experts urged organizations to adopt a defense-in-depth strategy, which includes hardening identity and access controls, monitoring for abnormal activity inside Teams, and ensuring employees receive continuous security awareness training to recognize impersonation and social engineering attempts.
Unlike email, Teams integrates real-time messaging, meetings, file sharing, and external access, creating more vectors for impersonation, lateral movement, and malware delivery within a trusted environment.
External tenants are users or organizations outside your company that can interact with your users via Teams. If external access is not restricted, an attacker can register or purchase a tenant and use it to impersonate a trusted party or to reach meetings, chats, and shared files.
Admin accounts have elevated permissions that allow the holder to manage users, apps, and configurations. Compromise of one can enable large-scale changes or backdoor persistence, such as adding guest accounts or granting app permissions.
Yes. Some malware is delivered directly through Teams messages or chats, bypassing email filters. If endpoint protection and Teams activity monitoring aren't correlated, these attacks may go unnoticed.
Microsoft recommends enforcing strong identity verification, limiting external access to an allow list of known domains, monitoring Teams API usage, disabling unused features, and applying endpoint protection across all connected devices.
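As an added example (not code from Microsoft's report or from Cybersecurity News), the following PowerShell audits the tenant-level settings discussed above: the external access and presence Privacy mode exposed during reconnaissance, the guest accounts used for persistence, and the stricter external access configuration recommended at the end. It reports risky settings, lists recently created guests for review, and can then apply a tightened configuration. It assumes the MicrosoftTeams and Microsoft.Graph.Users modules, a Teams administrator account, and that `partner.example` stands in for the tenants that genuinely need access; the 30-day guest window is likewise an assumption.

```powershell
# Added example, not code from Microsoft's report: audit the Teams settings the
# article says attackers abuse (open federation, consumer and trial tenants,
# visible presence, stray guest accounts) and apply a tighter configuration.
# Assumes the MicrosoftTeams and Microsoft.Graph.Users modules, a Teams admin
# account, and that 'partner.example' is the only tenant that needs access.
Import-Module MicrosoftTeams
Import-Module Microsoft.Graph.Users

function Get-TeamsExternalAccessFindings {
    # Returns a list of strings describing risky tenant-level settings.
    $fed  = Get-CsTenantFederationConfiguration
    $priv = Get-CsPrivacyConfiguration
    $findings = @()

    # Federation on with no domain allow list: any tenant, including one an
    # attacker registers or buys, can message and call your users.
    # (Relies on the module exposing AllowedDomainsAsAList; empty means "all".)
    if ($fed.AllowFederatedUsers -and $fed.AllowedDomainsAsAList.Count -eq 0) {
        $findings += "Federation is open to all external domains; use an allow list."
    }
    if ($fed.AllowTeamsConsumer) {
        $findings += "Personal (consumer) Teams accounts can reach your users."
    }
    if ($fed.AllowPublicUsers) {
        $findings += "Skype consumer accounts can reach your users."
    }
    if ($fed.ExternalAccessWithTrialTenants -ne 'Blocked') {
        $findings += "Trial tenants can contact your users; block them."
    }
    # Presence visible to everyone lets outsiders see who is online or away.
    if (-not $priv.EnablePrivacyMode) {
        $findings += "Privacy mode is off; presence is visible to external users."
    }
    return $findings
}

function Get-RecentGuestAccounts {
    param([int]$Days = 30)
    # Guest accounts created recently deserve review: the article lists them
    # as a persistence mechanism after the initial foothold.
    $since = (Get-Date).AddDays(-$Days)
    Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property Id,DisplayName,Mail,UserPrincipalName,CreatedDateTime |
        Where-Object { $_.CreatedDateTime -gt $since } |
        Select-Object DisplayName,Mail,UserPrincipalName,CreatedDateTime
}

function Set-TeamsExternalAccessHardened {
    param([string[]]$AllowedDomains = @('partner.example'))
    # Keep business-to-business federation, but only with named partners,
    # and close the consumer and trial-tenant paths. Note that the allow
    # list replaces the existing one rather than appending to it.
    Set-CsTenantFederationConfiguration `
        -AllowFederatedUsers $true `
        -AllowedDomainsAsAList $AllowedDomains `
        -AllowTeamsConsumer $false `
        -AllowPublicUsers $false `
        -ExternalAccessWithTrialTenants Blocked
    Set-CsPrivacyConfiguration -EnablePrivacyMode $true
}

Connect-MicrosoftTeams
Connect-MgGraph -Scopes 'User.Read.All'

$findings = Get-TeamsExternalAccessFindings
if ($findings.Count -eq 0) { 'No risky external-access settings found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }

'Guest accounts created in the last 30 days:'
Get-RecentGuestAccounts -Days 30 | Format-Table -AutoSize

# Uncomment after reviewing the findings and confirming the partner list:
# Set-TeamsExternalAccessHardened -AllowedDomains @('partner.example')
```

Run the audit first and review the output before uncommenting the hardening call: an allow list that omits a real partner tenant will silently cut off legitimate chats and calls, and Privacy mode changes what your own users see of each other's presence, so both changes are worth announcing. The guest listing is a review aid, not a verdict; cross-check each recent guest against a ticket or invitation before removing it.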