
Unmasking the Deception: The New Frontier of Microsoft Teams Phishing

A new and alarmingly sophisticated threat is exploiting the very features designed for collaboration within Microsoft Teams. Cybercriminals are now impersonating IT helpdesk staff, leveraging Teams' default settings to bypass traditional email security and initiate direct, persuasive attacks. This new wave of vishing, or voice phishing, is a significant shift in the cybersecurity landscape, combining social engineering with legitimate platform functionality to gain unauthorised access and control.


The attack vector is deceptively simple. Threat actors create malicious accounts with .onmicrosoft.com domains—Microsoft’s default fallback—and use Teams’ external collaboration features to find and target unsuspecting users. While Microsoft has implemented some text-based warnings for external communications, attackers have found a critical loophole: voice calls. Unlike chat messages, a voice call from an external Teams user generates no security warnings, creating a seamless and trustworthy-seeming interaction.



Once a voice connection is established, the attacker, posing as a helpful IT professional, requests screen-sharing permissions. This step allows them to observe the victim’s activities, identify sensitive information, and guide them toward malicious actions. The most concerning aspect of this campaign is the potential for full remote control. While the "Give Control" feature is disabled by default for external participants, organisations that have modified these settings are dangerously exposed. An attacker can use Teams’ built-in remote control to take over a victim's workstation, bypassing the need for traditional remote access tools and leaving minimal digital footprints.


Detecting these attacks requires a proactive and vigilant security posture. Security teams must move beyond simple email monitoring and delve into the specifics of Microsoft 365 audit logs. Key indicators include ChatCreated and MessageSent events, which provide crucial metadata about the attackers and their communications. Advanced threat hunting can involve monitoring for specific log patterns, such as ChatCreated operations with foreign tenants and one-on-one communication types.
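The hunt described above can be sketched as a filter over exported audit records. This is an added example, not code from the original post: the field names (CommunicationType, ParticipantInfo.HasForeignTenantUsers, Members, UserId) are assumed from the Teams audit record layout and should be checked against your own export, and every domain and record below is constructed.

```python
import json

HOME_DOMAINS = {"example.com"}  # assumption: the tenant's own verified domains

# Constructed sample records, one JSON object per line (not real tenant data).
SAMPLE_LOG = """\
{"CreationTime":"2025-01-01T09:00:00","Operation":"ChatCreated","UserId":"it-helpdesk@helpdesk-example.onmicrosoft.com","CommunicationType":"OneOnOne","ParticipantInfo":{"HasForeignTenantUsers":true},"Members":[{"UPN":"it-helpdesk@helpdesk-example.onmicrosoft.com"},{"UPN":"alice@example.com"}]}
{"CreationTime":"2025-01-01T09:05:00","Operation":"ChatCreated","UserId":"sam@partner.example","CommunicationType":"OneOnOne","ParticipantInfo":{"HasForeignTenantUsers":true},"Members":[{"UPN":"sam@partner.example"},{"UPN":"bob@example.com"}]}
{"CreationTime":"2025-01-01T09:10:00","Operation":"ChatCreated","UserId":"carol@example.com","CommunicationType":"GroupChat","ParticipantInfo":{"HasForeignTenantUsers":true},"Members":[{"UPN":"carol@example.com"}]}
{"CreationTime":"2025-01-01T09:15:00","Operation":"ChatCreated","UserId":"dave@example.com","CommunicationType":"OneOnOne","ParticipantInfo":{"HasForeignTenantUsers":false},"Members":[{"UPN":"dave@example.com"},{"UPN":"alice@example.com"}]}
{"CreationTime":"2025-01-01T09:20:00","Operation":"MessageSent","UserId":"it-helpdesk@helpdesk-example.onmicrosoft.com","CommunicationType":"OneOnOne","ParticipantInfo":{"HasForeignTenantUsers":true}}
"""

def domain(upn):
    """Return the lower-cased domain part of a UPN."""
    return upn.rsplit("@", 1)[-1].lower()

def hunt(lines, home_domains=HOME_DOMAINS):
    """Flag one-on-one chats that an external account opened with a home user."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or damaged export line
        if not isinstance(rec, dict) or rec.get("Operation") != "ChatCreated":
            continue
        if rec.get("CommunicationType") != "OneOnOne":
            continue
        if not (rec.get("ParticipantInfo") or {}).get("HasForeignTenantUsers"):
            continue
        initiator = rec.get("UserId", "")
        if domain(initiator) in home_domains:
            continue  # chat opened by one of our own users
        targets = [m["UPN"] for m in rec.get("Members", [])
                   if domain(m.get("UPN", "")) in home_domains]
        # The post names .onmicrosoft.com fallback domains as the attackers' choice.
        fallback = domain(initiator).endswith(".onmicrosoft.com")
        findings.append({"time": rec.get("CreationTime"), "initiator": initiator,
                         "targets": targets,
                         "severity": "high" if fallback else "review"})
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG.splitlines()):
        print(finding)
```

Legitimate partner tenants also produce the "review" tier, so an allow-list of known partner domains is the natural next filter before alerting.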


As these threats evolve, a multi-layered defence is essential, combining robust log monitoring with comprehensive user education to ensure employees are equipped to recognise and resist these new forms of deception.
