Microsoft Teams and Azure Tenant Abuse for Social Engineering Attacks
Microsoft is introducing a new feature that allows security administrators to block external users from sending messages, calls, or meeting invitations to their organization via Teams, managed through the Microsoft Defender portal. This integration with Defender for Office 365 enables admins to centrally manage blocked external contacts, supporting up to 4,000 domains and 200 email addresses, and is designed to counteract cybercrime groups, including ransomware actors, who exploit Teams for social engineering. The update will also enhance default security by enabling malicious URL detection and warning admins about suspicious external traffic, aiming to strengthen organizational defenses against external threats.
At the same time, cybercriminals are abusing legitimate Microsoft infrastructure, specifically the default .onmicrosoft.com domains that every Azure/Microsoft 365 tenant receives, to run Telephone-Oriented Attack Delivery (TOAD) scams. Attackers create their own tenants and send invitation notifications that are delivered by Microsoft's own sending infrastructure, so they pass filters that trust that source. The social engineering lure sits in the invite's message field: there is no link or attachment to detonate, only text urging the recipient to call a fraudulent support number. Because many legitimate tenants, including partners, also send from their .onmicrosoft.com domains, blocking the domain outright would disrupt normal mail; security teams are instead advised to write targeted Exchange Transport Rules that use regular expressions to match the combination of sender pattern and lure content.
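As an added example (not part of the original story and not Microsoft's published guidance), the following Exchange Online PowerShell creates a transport rule that is narrower than a domain block: it matches mail whose From address is at any tenant's default .onmicrosoft.com domain and whose text carries a phone number plus a call-to-action word, while exempting named partner tenants. The sender and phone patterns, the lure word list, and the partner tenant names are illustrative assumptions, not indicators published with the story; the example also assumes the invite's From address is at the sending tenant's .onmicrosoft.com domain.

```powershell
# Added example, not from the article or from Microsoft: a targeted Exchange Online
# mail flow (transport) rule for the .onmicrosoft.com invite lure described above.
# Assumes the ExchangeOnlineManagement module and the Transport Rules role.
# Patterns, lure words and partner tenant names below are assumptions for illustration.

Connect-ExchangeOnline

# Any tenant's default domain, e.g. someone@contoso.onmicrosoft.com (assumed From shape).
$senderPattern = '@[a-z0-9-]+\.onmicrosoft\.com$'

# A phone number in the message text. Assumed North-American formats such as
# 1-800-555-0199, (800) 555-0199 or 800.555.0199; mail flow rule regex is
# case-insensitive .NET syntax.
$phonePattern = '\b(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b'

# Call-to-action words typical of TOAD lures (assumed list; tune it from real samples).
$lureWords = @('call', 'phone', 'helpdesk', 'help desk', 'support', 'refund', 'subscription', 'renewal')

# Partner tenants that legitimately mail from their default domain (assumed names).
# Exempting them is what makes this narrower than blocking onmicrosoft.com outright.
$trustedTenants = @('fabrikam.onmicrosoft.com', 'tailspintoys.onmicrosoft.com')

# Separate conditions on one rule are ANDed; the values inside one condition are ORed,
# so the sender pattern, the phone regex and at least one lure word must all match.
# Start in Audit mode: matches appear in message trace and rule reports without being
# quarantined, which shows the false-positive rate before the rule takes action.
New-TransportRule -Name 'TOAD: onmicrosoft.com invite with phone lure' `
    -Priority 0 `
    -FromAddressMatchesPatterns $senderPattern `
    -SubjectOrBodyMatchesPatterns $phonePattern `
    -SubjectOrBodyContainsWords $lureWords `
    -ExceptIfSenderDomainIs $trustedTenants `
    -Quarantine $true `
    -Mode Audit `
    -Comments 'Targets TOAD invites from attacker-created tenants; review audit hits before enforcing.'

# Once the audit hits look clean, let the quarantine action take effect:
# Set-TransportRule -Identity 'TOAD: onmicrosoft.com invite with phone lure' -Mode Enforce
```

The exception list is the important part: a rule keyed only on `.onmicrosoft.com` would also catch every partner or subsidiary that never set up a custom domain, which is the operational breakage the story warns about. Expect to widen the phone regex for international formats if your users receive lures with non-North-American numbers.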
Timeline
Jan 1, 2026
Microsoft schedules Teams security features to roll out in January 2026
Microsoft said the new Teams external user blocking feature would begin rolling out in January 2026 for customers with Defender for Office 365 Plan 1 or Plan 2. The company also said enhanced protections such as malicious URL detection and blocking of weaponizable file types would be enabled by default in the same timeframe.
Dec 24, 2025
Microsoft announces Teams external user blocking via Defender
Microsoft announced a new Teams security capability that will let administrators block external users, domains, messages, calls, and meeting invitations through the Defender for Office 365 Tenant Allow/Block List. The feature is intended to reduce social engineering and ransomware-related abuse of Teams.
Dec 22, 2025
Attackers abuse Azure .onmicrosoft.com domains for TOAD scam emails
Cybercriminals began using the default .onmicrosoft.com domains of attacker-created Azure tenants to send Microsoft invitation notifications whose message text carries a phone number for Telephone-Oriented Attack Delivery (TOAD) scams. Because the mail is delivered by trusted Microsoft infrastructure and the lure is plain text in the body rather than a link or attachment, many email security controls have nothing to flag.
Related Stories

Threat Actors Weaponize Microsoft Teams for Ransomware, Espionage, and Social Engineering
Microsoft has warned that both cybercriminals and state-sponsored actors are abusing Microsoft Teams for ransomware deployment, espionage, and social engineering. Its core capabilities (messaging, calls, meetings, and video-based screen sharing) are used at different stages of the attack chain. Reconnaissance comes first: actors enumerate directory objects and map relationships and privileges within the Teams environment, typically through Microsoft Entra ID identities, and probe a target tenant's federation configuration to learn whether external (cross-tenant) communication is permitted, which can be inferred from API responses. Initial access then commonly relies on social engineering, such as phishing over Teams chat or impersonation during meetings, and the chain can progress to lateral movement, data exfiltration, or ransomware deployment depending on the actor's objectives. The multi-tenant and cross-tenant communication features of Teams deserve particular attention, since they can be abused for lateral movement or to step around traditional security boundaries.
Microsoft has hardened defaults under its Secure Future Initiative but stresses that defenders must also apply the customer-facing controls across the identity, endpoint, data, app, and network layers. Its guidance covers monitoring, detection, and response tailored to Teams, robust logging to surface suspicious activity, least-privilege access and strong authentication, and a review of Teams configurations with particular attention to guest and external access. The recommendations are meant to complement existing security development lifecycle practices, and Microsoft says it will keep updating them as attacker techniques evolve. The underlying message is that collaboration platforms like Teams are high-value assets and entry points into the enterprise, and need a dedicated security strategy rather than incidental coverage.
1 month ago
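As an added example (not from Microsoft's guidance or the story above), the following Teams PowerShell performs the configuration review the recommendations call for: it reads the tenant's external-access (federation) and guest settings and reports the ones that leave users reachable by arbitrary tenants. It assumes the MicrosoftTeams module and Teams administrator rights; the property names follow the output of Get-CsTenantFederationConfiguration and Get-CsTeamsClientConfiguration, and the test for an unrestricted allow list is an assumption about how that state is represented.

```powershell
# Added example, not from the article or from Microsoft: read-only review of the Teams
# external-access and guest settings singled out above. Assumes the MicrosoftTeams
# module and a Teams administrator role. The AllowedDomains/BlockedDomains property
# shapes used below are assumptions; verify against your tenant's output.

Connect-MicrosoftTeams

$fed    = Get-CsTenantFederationConfiguration
$client = Get-CsTeamsClientConfiguration

$findings = @()

# Federation on with no allow list means any Microsoft 365 tenant, including one an
# attacker created minutes ago, can message, call and send meeting invites to your users.
# Assumption: an allow list shows up as $fed.AllowedDomains.AllowedDomain entries,
# while the unrestricted state has no such entries.
if ($fed.AllowFederatedUsers -and -not $fed.AllowedDomains.AllowedDomain) {
    $findings += 'External access is open to all domains; consider an allow list of partner tenants.'
}

# Consumer Teams accounts and Skype consumer accounts are additional, unmanaged paths in.
if ($fed.AllowTeamsConsumer)        { $findings += 'Teams personal accounts can communicate with users (AllowTeamsConsumer).' }
if ($fed.AllowTeamsConsumerInbound) { $findings += 'Teams personal accounts can initiate contact (AllowTeamsConsumerInbound).' }
if ($fed.AllowPublicUsers)          { $findings += 'Skype consumer accounts can reach users (AllowPublicUsers).' }

# Guest access: guests inside your tenant are bound by your policies, but this setting
# says nothing about your own users accepting guest invitations into other tenants.
if ($client.AllowGuestUser) {
    $findings += 'Guest access is enabled; review guest messaging and meeting policies.'
}

# Show the current deny list so an accidentally empty one is noticed.
# Assumption: each BlockedDomains entry exposes the domain name as .Domain.
$blocked = @($fed.BlockedDomains | ForEach-Object { $_.Domain })
$findings += "Blocked federated domains: $(if ($blocked.Count) { $blocked -join ', ' } else { 'none' })"

$findings | ForEach-Object { Write-Output $_ }
```

The script reports; it changes nothing. Tightening is done with Set-CsTenantFederationConfiguration (for example `-AllowTeamsConsumer $false -AllowPublicUsers $false`, or an allow list built with New-CsEdgeAllowList) and Set-CsTeamsClientConfiguration. Note that the outbound side, whether your users may accept guest invitations into other tenants at all, is governed by Entra ID cross-tenant access settings rather than by these Teams cmdlets.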
Microsoft Teams Guest Chat Cross-Tenant Security Bypass
A significant security weakness has been identified in Microsoft Teams' guest chat feature, allowing attackers to bypass Defender for Office 365 protections when users accept invitations to external tenants. Security researchers from Ontinue revealed that when a user joins another organization's Teams environment as a guest, the security policies of the hosting tenant apply, not those of the user's home organization. This architectural flaw means that if the external tenant has minimal or no security controls, all advanced protections such as URL scanning, Safe Links, file sandboxing, and Zero-hour Auto Purge are effectively disabled for the guest user. Attackers can exploit this by creating their own Microsoft 365 tenants with security features turned off and inviting targets to collaborate, thereby exposing them to phishing, malware, and other threats without the usual safeguards. The issue is not a software bug but a fundamental limitation of how cross-tenant collaboration is managed in Microsoft Teams. Security experts warn that organizations may have a false sense of security, believing their protections follow users across tenants, when in reality, attackers can easily create "protection-free zones" to deliver malicious content undetected.
1 month ago
Microsoft Teams External Domains Anomalies Report Security Feature
Microsoft is introducing a new security feature for its Teams collaboration platform called the "External Domains Anomalies Report," aimed at enhancing the detection of suspicious or risky interactions with external organizations. This tool, scheduled for rollout in February 2026, will provide IT administrators with behavioral analytics to identify unusual communication patterns, such as sudden spikes in message volume to specific external domains or interactions with previously unseen domains. The feature is designed to address the growing security challenges posed by increased external collaboration and remote work, offering actionable intelligence to help prevent data leaks, social engineering attacks, and unauthorized use of third-party services. The report will be available for standard multi-tenant cloud environments via the Teams web platform and will help organizations maintain a balance between productive cross-organization work and robust data protection. In addition to this new reporting capability, Microsoft continues to enhance Teams' security posture by warning users about malicious links, improving protections against unsafe file types, and introducing features to block unauthorized screen captures and streamline client performance. The External Domains Anomalies Report represents a proactive step in giving administrators early visibility into potential threats arising from external communications.
1 month ago