Threat Actors Weaponize Microsoft Teams for Ransomware, Espionage, and Social Engineering
Microsoft has issued warnings about the increasing abuse of Microsoft Teams by both cybercriminals and state-sponsored threat actors for a range of malicious activities, including ransomware deployment, espionage, and social engineering attacks. The collaboration features and widespread adoption of Teams have made it a high-value target, with attackers exploiting its core capabilities such as messaging, calls, meetings, and video-based screen sharing at various stages of the attack chain. Threat actors have been observed conducting reconnaissance by enumerating directory objects and mapping relationships and privileges within Teams environments, often leveraging Microsoft Entra ID identities. Attackers may also probe a tenant's federation configuration to determine whether external communication is permitted, which can be inferred from API responses.

Microsoft has responded by strengthening default security through its Secure Future Initiative, but emphasizes that defenders must also use the customer-facing security controls across identity, endpoints, data, apps, and network layers to harden Teams environments. The company provides detailed guidance for disrupting adversarial objectives, including recommendations for monitoring, detection, and response tailored to the unique risks of Teams.

The attack chain often begins with reconnaissance and can progress to lateral movement, data exfiltration, or ransomware deployment, depending on the attacker's objectives. Social engineering tactics, such as phishing via Teams chat or impersonation during meetings, have been reported as effective vectors for initial access. Microsoft highlights the importance of understanding the multi-tenant and cross-tenant communication features of Teams, which can be abused for lateral movement or to bypass traditional security boundaries.
The guidance also addresses the need for robust logging and monitoring to detect suspicious activity, as well as the implementation of least privilege access and strong authentication measures. Organizations are urged to review their Teams configurations, especially regarding guest and external access, to minimize exposure. Microsoft’s recommendations are designed to complement existing security development lifecycle practices and provide actionable steps for enterprise defenders. The company continues to monitor evolving attacker techniques and update its security guidance accordingly. The warnings underscore the critical need for organizations to treat collaboration platforms like Teams as high-value assets requiring dedicated security strategies. By proactively implementing Microsoft’s recommended controls and maintaining vigilance, organizations can reduce the risk of compromise via Teams. The evolving threat landscape demonstrates that attackers are increasingly targeting collaboration tools as entry points into enterprise environments. Microsoft’s ongoing research and public advisories aim to equip defenders with the knowledge and tools necessary to counter these sophisticated threats.
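The review of guest and external access that the guidance calls for can be scripted. The following PowerShell is an added example, not code from Microsoft's advisory or from this page: it reads the tenant's Teams federation and client configuration with the MicrosoftTeams module and flags the settings that leave the tenant open to the external reconnaissance and messaging described above. The cmdlets are real; the shape of the AllowedDomains property and the remediation lines are written against the module's documentation and should be checked against the module version in use, and the partner domain is a placeholder.

```powershell
# Added example (not from the advisory): audit the Teams tenant settings that govern
# external (federated) and guest access, which the guidance above says to review.
# Requires the MicrosoftTeams PowerShell module and a Teams administrator account.
# Property shapes follow the module's documentation; verify against your module version.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

$fed    = Get-CsTenantFederationConfiguration
$client = Get-CsTeamsClientConfiguration

$findings = @()

# External (federated) access: with no allow list, any Entra ID tenant can message
# your users, which is what the reconnaissance described above relies on.
$allowList = @($fed.AllowedDomains.AllowedDomain | ForEach-Object { $_.Domain })
if ($fed.AllowFederatedUsers -and $allowList.Count -eq 0) {
    $findings += 'External access is enabled for all domains (open federation); use an allow list.'
}
elseif ($fed.AllowFederatedUsers) {
    $findings += "External access is restricted to: $($allowList -join ', ')"
}

if ($fed.AllowTeamsConsumer) {
    $findings += 'Teams consumer (personal) accounts can contact users; disable unless required.'
}
if ($fed.AllowPublicUsers) {
    $findings += 'Skype public users can contact users; disable unless required.'
}

# Guest access is governed separately from federation and needs its own review.
if ($client.AllowGuestUser) {
    $findings += 'Guest access is enabled; confirm the Entra ID guest invite and access review policy.'
}

if ($findings.Count -eq 0) { $findings += 'No open external or guest access settings found.' }
$findings | ForEach-Object { Write-Output "[Teams audit] $_" }

# Remediation example (placeholder domain; run only after confirming business needs):
# Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @('partner.example')
# Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowPublicUsers $false
```

The script only reads configuration; the remediation lines are left commented so the allow list can be agreed with the business before federation is narrowed.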
Timeline
Oct 7, 2025
Microsoft publishes guidance to harden Teams against threat activity
Microsoft issued recommendations for organizations to better secure Teams environments, including stricter access controls and other defensive measures aimed at reducing abuse of the platform. The guidance accompanied Microsoft's public warning about Teams becoming a significant attack vector.
Oct 7, 2025
Threat actors expand Microsoft Teams abuse for persistence, espionage, and extortion
Microsoft disclosed broader abuse of Teams by multiple cybercriminal and state-backed actors for reconnaissance, persistence, data exfiltration, backdoor installation, ransom note delivery, and intimidation. Reported activity included use of administrative tools such as AADInternals and extortion tactics by groups including Octo Tempest.
Oct 7, 2025
Storm-1674 uses Microsoft Teams for social engineering and malware delivery
Microsoft reported that threat actor Storm-1674 abused Microsoft Teams chats to socially engineer targets and deliver malware, including DarkGate, using tooling such as TeamsPhisher. This marked a notable example of Teams being operationalized as an initial access and delivery channel in cyberattacks.
Related Stories

Microsoft Teams and Azure Tenant Abuse for Social Engineering Attacks
Microsoft is introducing a new feature that allows security administrators to block external users from sending messages, calls, or meeting invitations to their organization via Teams, managed through the Microsoft Defender portal. This integration with Defender for Office 365 enables admins to centrally manage blocked external contacts, supporting up to 4,000 domains and 200 email addresses, and is designed to counteract cybercrime groups, including ransomware actors, who exploit Teams for social engineering. The update will also enhance default security by enabling malicious URL detection and warning admins about suspicious external traffic, aiming to strengthen organizational defenses against external threats. Simultaneously, cybercriminals are exploiting legitimate Microsoft infrastructure, specifically `.onmicrosoft.com` domains assigned to Azure tenants, to launch Telephone-Oriented Attack Delivery (TOAD) scams. Attackers create controlled tenants and send malicious invites that appear to originate from trusted Microsoft addresses, bypassing standard email security filters. These invites contain social engineering lures in the message field, urging recipients to call fraudulent support numbers. Security teams are advised to implement targeted Exchange Transport Rules using Regex to mitigate this threat, as blocking the entire domain would disrupt legitimate operations.
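A scoped mail flow rule of the kind the article recommends can be created with the ExchangeOnlineManagement module. The block below is an added example and is not from the article or from Microsoft: it matches only mail whose sender address is in a `.onmicrosoft.com` tenant and whose subject or body contains a callback-number pattern, rather than blocking the whole domain. The regular expressions, the exception for the organization's own tenant, the incident-report mailbox, and the rule name are assumptions to be tuned; the rule is created in Audit mode so false positives can be measured before enforcement.

```powershell
# Added example (not from the article): an Exchange Online mail flow rule that targets only
# TOAD-style invites, instead of blocking all *.onmicrosoft.com mail.
# Assumptions (mine, not the article's): the lure is a callback phone number in the message
# body, and the regex below is a starting point that needs tuning on your own mail flow.
# Requires the ExchangeOnlineManagement module and an Exchange administrator account.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Sender address is in an .onmicrosoft.com tenant (attacker-controlled, per the article).
# Exchange evaluates these patterns as .NET regular expressions.
$senderPattern = '@[A-Za-z0-9-]+\.onmicrosoft\.com$'

# North American style callback number; extend for other formats before enforcing.
# Multiple values in one -...MatchesPatterns parameter are OR'd, so keep one predicate per
# condition that must hold.
$phonePattern  = '\b\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b'

# Audit mode logs matches and sends incident reports without quarantining, so legitimate
# invites from partner tenants can be identified before the rule is enforced.
New-TransportRule -Name 'TOAD invite from onmicrosoft.com tenant' `
    -FromAddressMatchesPatterns $senderPattern `
    -SubjectOrBodyMatchesPatterns $phonePattern `
    -ExceptIfSenderDomainIs 'yourtenant.onmicrosoft.com' `
    -Quarantine $true `
    -GenerateIncidentReport 'secops@contoso.example' `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections `
    -Mode Audit `
    -Comments 'Scoped TOAD mitigation; switch -Mode to Enforce after reviewing audit hits.'

# After the audit period, enforce the rule:
# Set-TransportRule -Identity 'TOAD invite from onmicrosoft.com tenant' -Mode Enforce
```

Replace `yourtenant.onmicrosoft.com` with the organization's own tenant so internal notifications are never quarantined, and review the incident reports for partner tenants that legitimately send invites containing phone numbers before moving to Enforce.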
1 month ago
Microsoft Teams Vishing Used to Gain Remote Access and Deploy Malware
Attackers used **Microsoft Teams** to impersonate IT or helpdesk staff and socially engineer employees into granting access or executing malicious actions, turning collaboration tooling and trusted support workflows into the initial access vector. One report describes a compromise at an Italy-based consumer services company where a Teams meeting invite and screen sharing session led the victim to run a staged **PowerShell** chain that deployed **PhantomBackdoor**, a multi-stage **WebSocket-based** backdoor associated with earlier spear-phishing activity. The observed sequence included post-call PowerShell execution, device reconnaissance, and establishment of WebSocket command-and-control. A second report describes a similar **vishing** intrusion in which a threat actor posing as support staff called employees through Teams and, after multiple attempts, convinced one user to grant remote access through **Quick Assist**. The attacker then directed the victim to a spoofed credential-harvesting site, used a malicious **MSI** and sideloaded **DLL** to launch follow-on payloads, and established outbound C2. While the malware families and exact post-compromise chains differ, both accounts document the same operational pattern: **Teams-based social engineering**, abuse of legitimate remote assistance or user-guided execution, credential theft or payload staging, and transition to hands-on intrusion activity inside a corporate environment.
1 month ago
Microsoft Teams Vulnerabilities Allowing Message and Caller Impersonation
Researchers at Check Point disclosed four critical vulnerabilities in Microsoft Teams that allowed attackers to impersonate executives, alter chat history, and forge notifications or caller identities without detection. These flaws, now patched, enabled manipulation of message content without the usual 'Edited' label, spoofing of alerts to appear from trusted colleagues, and renaming of chats to misrepresent participants. The vulnerabilities exploited Teams' messaging architecture, including the reuse of unique message identifiers and manipulation of hidden conversation parameters, fundamentally undermining the trust in digital communications for over 320 million monthly users. Microsoft was notified of the issues in March 2024 and addressed them through a series of patches, with the final fix released in October 2025. The vulnerabilities, tracked as CVE-2024-38197 among others, affected both internal users and external guests, posing significant risks of social engineering, data theft, and unauthorized actions. Attackers could trick users into clicking malicious links or sharing sensitive information by making messages and calls appear to originate from high-profile executives or trusted sources, highlighting the importance of prompt patching and ongoing vigilance in collaboration platforms.
1 month ago