
Your IT Department Didn't Message You: How Threat Actors Weaponize Microsoft Teams

2026-02-06 AUTHORED_BY: OBFUSCATED

A message appears in your Microsoft Teams chat. It's from "IT Support." They say they've noticed unusual activity on your account and need you to install a quick remote support tool so they can investigate. The display name looks right. The profile picture is the company logo. You're busy, it seems urgent, and it's coming through Teams — your company's official communication platform.

Except it's not your IT department. It's a ransomware operator sitting in a rogue Microsoft 365 tenant they spun up thirty minutes ago.

This isn't a theoretical scenario. It's the playbook behind some of the most damaging breaches of 2024 and 2025, and the attacks are accelerating into 2026.

Why Teams Is the New Attack Surface

For years, organizations poured resources into email security: spam filters, DMARC, Safe Links, phishing simulations. Attackers adapted. They moved to Microsoft Teams, where far fewer organizations have deployed equivalent controls, where users have rarely been trained to expect phishing, and where a message is implicitly trusted because "it's not email."

The architectural reason this works is a single default configuration: Microsoft Teams allows all external domains to communicate with your users by default. Any external tenant — including one an attacker created five minutes ago — can send messages and initiate calls to your employees unless an admin explicitly restricts it.

Most admins don't.

How the Attacks Work: Real Campaigns, Real Victims

Black Basta: The Email Bomb and Rescue Play

The Black Basta ransomware group (tracked by Microsoft as Storm-1811) perfected a two-stage social engineering technique that produced at least 21 confirmed breaches in North America and 18 in Europe:

Stage 1 — The Email Bomb. The attacker subscribes the target's email address to dozens of mailing lists and newsletter services simultaneously. Within minutes, the victim's inbox is flooded with hundreds of legitimate subscription confirmation emails. Outlook becomes unusable.

Stage 2 — The Rescue Call. While the victim is overwhelmed, a message arrives on Teams from an external account with a display name like "IT Service Desk" or "Help Desk Support." They explain they've noticed the email issue and can help fix it immediately. All the victim needs to do is open Quick Assist or install AnyDesk so the support technician can take a look.

Once the attacker has remote access, they deploy Cobalt Strike, move laterally, and the ransomware follows. The entire initial access phase takes under 30 minutes.

Black Basta's former members resurfaced in 2025 with updated Python-based payloads, proving the technique remains profitable enough to sustain ongoing operations.

3AM Ransomware: The VoIP Vishing Variant

The 3AM ransomware group took Black Basta's playbook and added voice. Their attack chain:

  1. Reconnaissance — identify specific employees and their phone numbers
  2. Email bombing — 24 emails in 3 minutes to create panic
  3. VoIP call via Teams — using a spoofed caller ID matching the company's actual IT department phone number
  4. Quick Assist deployment — the "technician" walks the victim through opening Quick Assist
  5. Persistence — in one documented case, the attackers deployed a virtual machine inside the victim's environment to evade endpoint detection, maintaining access for 9 days before deploying ransomware

Sophos documented 15 confirmed incidents and 55 additional attempted attacks using this technique.

Midnight Blizzard: State-Sponsored MFA Bypass

Russia's Midnight Blizzard (APT29/Cozy Bear) — the same group behind the SolarWinds compromise — used Teams for a targeted espionage campaign against government and diplomatic organizations.

Their approach was more surgical:

  1. Compromise a legitimate small-business Microsoft 365 tenant (these are cheap, plentiful, and poorly secured)
  2. Rename the tenant and add an onmicrosoft.com subdomain with a security-themed name, so the sender looks like a Microsoft security or support team
  3. Send Teams messages to targets at government agencies, impersonating Microsoft technical support
  4. Convince the target to enter a code into the Microsoft Authenticator app

That last step is critical. Microsoft assessed that the actor already held valid credentials for the target (obtained earlier, for example by password spraying) and had started a sign-in; what remained was the MFA prompt. The Teams message existed only to talk the victim into typing the code into Authenticator and approving it. Once the token was issued, the actor could sign in as the user and, in observed cases, register its own device in Entra ID to keep access. MFA didn't help because the victim was the one completing it.

Storm-0324: Automated Phishing at Scale

Storm-0324 took the manual work out of Teams phishing by using TeamsPhisher, an open-source tool that automates delivery of a malicious attachment to users in another tenant. It relies on a weakness JUMPSEC researchers published in 2023: Teams blocks external (federated) users from sending files to your users, but the check was enforced only on the client side. By swapping the internal and external recipient IDs in the POST request to the Teams API, an external sender could deliver a file hosted on attacker-controlled SharePoint that renders as an ordinary attachment. TeamsPhisher also opens a group chat (adding a second, lookalike address alongside the target) rather than a one-to-one chat, which avoids the "Someone outside your organization messaged you" splash screen that would otherwise warn the victim.

The result: phishing messages that arrive in Teams looking exactly like internal communications, with no visual indicator that they came from outside the organization.

The Configuration That Makes It All Possible

The root cause is the default external access policy in the Microsoft Teams admin center (Users → External access). Two settings matter:

  • "Choose which domains your users have access to" defaults to "Allow all external domains", so any federated Microsoft 365 tenant, including one an attacker created minutes ago, can chat with and call your users.
  • "Teams accounts not managed by an organization" defaults to On, so anyone with a free personal Microsoft account, with no organizational governance, no admin oversight and no security policies behind it, can message your employees as well.

Combined with the fact that an external sender's display name is set in the sender's own tenant (so it is entirely attacker-controlled) and the Teams client shows only a small, easily missed "External" label, the impersonation surface is enormous.

Device Code Phishing: The MFA Killer

The most technically sophisticated variant of Teams-based attacks uses device code phishing, and it deserves special attention because it does not break MFA at all: the victim completes MFA, and the resulting tokens go to the attacker.

Here's the flow:

  1. The attacker requests a device code from Microsoft's device authorization endpoint. No malicious app registration is needed: this is a public-client flow, and Storm-2372 was observed using an existing Microsoft first-party client ID (the Microsoft Authentication Broker).
  2. The response contains a device_code (kept by the attacker), a short user_code and a verification URL. Entra ID device codes expire after 15 minutes, so the attacker has to deliver the code promptly.
  3. They send the user_code to the victim via Teams, disguised as a meeting invitation ("Enter this code to join the meeting")
  4. The victim navigates to microsoft.com/devicelogin, a legitimate Microsoft page, and enters the code. The page shows an application name, not who requested the code.
  5. The victim authenticates normally, including completing MFA
  6. The attacker, who has been polling the token endpoint with the device_code, receives access and refresh tokens issued for the victim's account

With the refresh token, the attacker has ongoing access to the victim's Microsoft 365 account (email, OneDrive, SharePoint, Teams) until the token is revoked or expires, and can use it to obtain access tokens for other resources such as Microsoft Graph. No password was stolen. No MFA was bypassed in the traditional sense. The victim simply authenticated a session they didn't realize belonged to the attacker.
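The exchange above, as an added example (not code from the article and not Microsoft's implementation): a minimal in-memory model of the RFC 8628 device authorization grant. The AuthServer, the client ID, the account name and the token strings are constructed stand-ins for login.microsoftonline.com and real accounts. The point it makes is that tokens are issued to the party holding the device_code, never to the browser that authenticated, and that the 15-minute code lifetime is the attacker's only time pressure.

```python
"""Walk-through of the OAuth 2.0 device authorization grant (RFC 8628) as abused in
device code phishing. Added example, not code from the article or from Microsoft:
the in-memory AuthServer stands in for login.microsoftonline.com, and the client ID,
account name and token strings are constructed placeholders."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

CODE_LIFETIME_S = 900  # Entra ID device codes expire after 15 minutes


@dataclass
class DeviceGrant:
    client_id: str
    device_code: str            # secret, returned only to the requesting client
    user_code: str              # short code the victim is asked to type in
    issued_at: float
    authorized_by: Optional[str] = None  # set once someone completes the user_code step


@dataclass
class AuthServer:
    grants: dict = field(default_factory=dict)        # device_code -> DeviceGrant
    by_user_code: dict = field(default_factory=dict)  # user_code -> DeviceGrant
    sign_in_log: list = field(default_factory=list)   # what the defender later sees

    def device_authorization(self, client_id: str, now: float) -> dict:
        """Steps 1-2: the attacker's client asks for a code pair. Any public client ID
        is accepted, so no malicious app registration is required."""
        g = DeviceGrant(client_id, secrets.token_hex(16), secrets.token_hex(4).upper(), now)
        self.grants[g.device_code] = g
        self.by_user_code[g.user_code] = g
        return {"device_code": g.device_code, "user_code": g.user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": CODE_LIFETIME_S}

    def device_login(self, user_code: str, user: str, password_ok: bool, mfa_ok: bool,
                     now: float) -> str:
        """Steps 4-5: the victim, in their own browser, enters the user_code and
        authenticates normally. Nothing here reveals who requested the code."""
        g = self.by_user_code.get(user_code)
        if g is None or now - g.issued_at > CODE_LIFETIME_S:
            return "invalid_or_expired_code"
        if not (password_ok and mfa_ok):
            return "authentication_failed"
        g.authorized_by = user
        self.sign_in_log.append({"userPrincipalName": user, "appId": g.client_id,
                                 "authenticationProtocol": "deviceCode"})
        return "authorized"

    def token(self, client_id: str, device_code: str, now: float) -> dict:
        """Step 6: the attacker polls the token endpoint. Tokens go to whoever holds
        the device_code, i.e. the requesting client, never to the authenticating browser."""
        g = self.grants.get(device_code)
        if g is None or g.client_id != client_id:
            return {"error": "invalid_grant"}
        if now - g.issued_at > CODE_LIFETIME_S:
            return {"error": "expired_token"}
        if g.authorized_by is None:
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer", "for_user": g.authorized_by,
                "access_token": "at-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8)}


ATTACKER_CLIENT = "11111111-2222-3333-4444-555555555555"  # constructed, not a real client ID
VICTIM = "alice@contoso.example"                           # constructed account


def run_phish(victim_enters_code: bool, delay_s: float = 120.0):
    """Full exchange. Returns (attacker's final token response, server sign-in log)."""
    srv = AuthServer()
    t0 = time.time()
    resp = srv.device_authorization(ATTACKER_CLIENT, t0)
    # Step 3 happens out of band: resp["user_code"] is sent to the victim over Teams
    # as a "meeting code". Meanwhile the attacker polls and gets authorization_pending.
    assert srv.token(ATTACKER_CLIENT, resp["device_code"], t0 + 5)["error"] == "authorization_pending"
    if victim_enters_code:
        srv.device_login(resp["user_code"], VICTIM, True, True, t0 + delay_s)
    return srv.token(ATTACKER_CLIENT, resp["device_code"], t0 + delay_s + 5), srv.sign_in_log


if __name__ == "__main__":
    tok, log = run_phish(True)
    print("attacker received:", tok)
    print("sign-in log entry:", log)
```

Two things in the model carry over to the real service: the only record the tenant gets is a sign-in for the victim with the device code protocol and the attacker's chosen client ID, which is exactly what the detection section below keys on, and a victim who waits past the code lifetime gives the attacker nothing, which is why these lures are sent as urgent meeting codes.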

Storm-2372, a Russia-aligned group, has been running this technique against government, defense, telecom, and healthcare targets across multiple continents since August 2024. The Graphish phishing kit, available on criminal forums, has since automated the entire process, lowering the barrier to entry significantly. Multiple threat clusters are now operating this at scale.

What Your Organization Must Do

1. Fix External Access (Today)

Go to the Teams admin center → Users → External access. Change "Choose which domains your users have access to" from "Allow all external domains" to "Allow only specific external domains" and list known partner tenants, and turn off "Teams accounts not managed by an organization" so personal Microsoft accounts cannot reach your users at all.

This is the single highest-impact security change you can make in Teams.

2. Harden Meeting Policies

  • Enforce lobby for all anonymous and external participants
  • Restrict who can bypass the lobby
  • Disable external participant screen sharing and control by default
  • Restrict the presenter role to organizers

3. Deploy Detection Rules

Build SIEM detections for:

  • Launch of a remote support tool (AnyDesk, TeamViewer, or the built-in Quick Assist, QuickAssist.exe) by a user shortly after that user received a Teams chat or call from outside the tenant
  • External (federated) Teams senders whose display name imitates an internal role ("Help Desk", "IT Support", "Service Desk")
  • Device code sign-ins in the Entra ID sign-in logs (authenticationProtocol = deviceCode), especially from unfamiliar locations or applications
  • Email bombing patterns: dozens of subscription confirmations to one mailbox within a short window
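The rules above as runnable detection logic over constructed sample events. This is an added example, not a rule set from the article or from any vendor: the four event lists, their field names, the accounts, hosts, IP addresses and timestamps are all made up, so the mapping onto your own SIEM tables is an assumption you will have to redo. It goes slightly beyond the list by correlating the signals per user, since one person hit by an email bomb, an external "help desk" contact and a Quick Assist launch in the same hour is the pattern every campaign above produced.

```python
"""Detection logic for the Teams social engineering chain, run over constructed sample
events. Added example, not a rule from the article or from any vendor: the event lists,
field names, user names, hosts, IPs and timestamps are all made up, so map the fields
onto whatever your SIEM actually ingests."""
from collections import defaultdict
from datetime import datetime, timedelta

RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "quickassist.exe"}
SUBSCRIPTION_MARKERS = ("confirm your subscription", "verify your email", "welcome to")


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# ---- constructed sample data -------------------------------------------------------
teams_events = [  # chat messages / calls from senders outside the tenant
    {"time": "2026-02-06T09:14:00", "user": "alice@contoso.example", "sender_external": True,
     "sender_display": "IT Service Desk", "sender_domain": "helpdesk-support.onmicrosoft.com"},
    {"time": "2026-02-06T11:02:00", "user": "bob@contoso.example", "sender_external": True,
     "sender_display": "Jane Partner", "sender_domain": "partner.example"},
]
process_events = [  # process creation events from the endpoints
    {"time": "2026-02-06T09:21:30", "user": "alice@contoso.example", "host": "WS-0142",
     "image": "C:\\Windows\\System32\\quickassist.exe"},
    {"time": "2026-02-06T16:40:00", "user": "bob@contoso.example", "host": "WS-0077",
     "image": "C:\\Users\\bob\\Downloads\\AnyDesk.exe"},
]
signin_events = [  # shaped like Entra ID sign-in log rows
    {"time": "2026-02-06T09:30:10", "user": "alice@contoso.example", "ipAddress": "203.0.113.9",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Authentication Broker"},
    {"time": "2026-02-06T08:01:00", "user": "bob@contoso.example", "ipAddress": "198.51.100.5",
     "authenticationProtocol": "none", "appDisplayName": "Microsoft Teams"},
]
mail_events = [  # 40 subscription confirmations to alice in under four minutes, 2 normal mails to bob
    {"time": f"2026-02-06T09:0{i // 10}:{(i % 10) * 6:02d}", "recipient": "alice@contoso.example",
     "subject": f"Please confirm your subscription to newsletter {i}"} for i in range(40)
] + [
    {"time": "2026-02-06T09:01:00", "recipient": "bob@contoso.example", "subject": "Q1 budget review"},
    {"time": "2026-02-06T09:02:00", "recipient": "bob@contoso.example", "subject": "Re: lunch"},
]


# ---- detections ---------------------------------------------------------------------
def rmm_after_external_contact(teams, procs, window=timedelta(minutes=30)):
    """RMM or Quick Assist launched by a user within `window` after that user was
    contacted from outside the tenant. Returns (user, sender_display, sender_domain, image)."""
    hits = []
    for p in procs:
        if p["image"].rsplit("\\", 1)[-1].lower() not in RMM_BINARIES:
            continue
        for t in teams:
            gap = ts(p["time"]) - ts(t["time"])
            if t["user"] == p["user"] and t["sender_external"] and timedelta(0) <= gap <= window:
                hits.append((p["user"], t["sender_display"], t["sender_domain"], p["image"]))
    return hits


def device_code_signins(signins):
    """Every device code sign-in. Rare in most tenants, so worth reviewing one by one."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]


def email_bomb(mails, threshold=20, window=timedelta(minutes=10)):
    """Sliding window: at least `threshold` subscription-style messages to one recipient
    within `window`. Returns {recipient: peak count in any window}."""
    by_rcpt = defaultdict(list)
    for m in mails:
        if any(k in m["subject"].lower() for k in SUBSCRIPTION_MARKERS):
            by_rcpt[m["recipient"]].append(ts(m["time"]))
    flagged = {}
    for rcpt, times in by_rcpt.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[rcpt] = max(flagged.get(rcpt, 0), hi - lo + 1)
    return flagged


def run_all():
    """One pass over all sources; a user present in every result is the strongest signal."""
    return {"rmm_after_external_contact": rmm_after_external_contact(teams_events, process_events),
            "device_code_signins": [s["user"] for s in device_code_signins(signin_events)],
            "email_bomb": email_bomb(mail_events)}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {result}")
```

In a real deployment each function becomes one scheduled query: the process/Teams join needs endpoint telemetry plus Teams audit data, the device code check is a filter on the authenticationProtocol column of the Entra sign-in log, and the mail-bomb count runs over message trace or mailbox audit data. The 30-minute and 20-message thresholds are starting points to tune, not measured values; note that bob's AnyDesk launch five hours after a partner chat is correctly ignored at the default window and only surfaces if the window is widened.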

4. Restrict Device Code Authentication

Use a Conditional Access policy with the Authentication flows condition (Conditions → Authentication flows → Device code flow) to block the device code flow for all users, excepting only accounts with a genuine need (some IoT, kiosk and headless CLI scenarios rely on it). Monitor for device code sign-ins (authenticationProtocol = deviceCode in the Entra ID sign-in logs) and treat them as high-risk events.

5. Educate Your Users

Your users need to know:

  • Internal IT will never contact you through an external Teams account. If the "External" badge appears, it's not your IT department.
  • No legitimate IT process requires you to enter a code at microsoft.com/devicelogin based on a Teams message.
  • If someone from "IT" asks you to install AnyDesk or Quick Assist during an unsolicited contact, hang up and call IT directly using a known phone number.
  • Email bombs are a distraction tactic. If your inbox suddenly fills with subscription emails, don't accept "help" from anyone who contacts you — report it to security immediately.

The Bigger Picture

Microsoft Teams has become the default collaboration platform for most organizations, and attackers have noticed. The shift from email-based phishing to Teams-based social engineering represents a fundamental change in the threat landscape — one that most security programs haven't caught up with yet.

The irony is sharp: organizations spent years hardening email, and attackers simply moved to the messaging platform that sits right next to it, where security controls are minimal and user trust is high.

The fixes are straightforward. The external access default is indefensible. The detection gaps are closable. But they require deliberate action from security teams who may not yet realize that Teams is no longer a safe space — it's a front door.

