Red Hot Cyber, The cybersecurity news


Do you have Teams? You’re a Target! The Microsoft Platform is Targeted by States and Criminals

Redazione RHC : 8 October 2025 07:28

The Microsoft Teams collaboration platform has become a high-value target for attackers because of its widespread adoption. Its messaging, calling, and screen-sharing features are being exploited for malicious purposes. According to a Microsoft advisory, both state-sponsored threat actors and cybercriminals are increasingly abusing Teams’ features and capabilities in their attack chains.

Threat actors misuse its core features, namely messaging (chat), calling, meetings, and video-based screen sharing, at several points in the attack chain.

This raises the stakes for security managers, who must proactively monitor, detect, and respond. While Microsoft’s Secure Future Initiative (SFI) has strengthened security, the company emphasizes that security managers must use available security controls to harden their corporate Teams environments.

Attackers are active across the entire attack lifecycle within the Teams ecosystem, from initial reconnaissance to final impact, Microsoft said. This is a multi-stage process in which the trust users place in the platform is exploited to infiltrate networks, steal data, and distribute malware.

The attack chain often begins with reconnaissance, during which threat actors use open source tools like TeamsEnum and TeamFiltration to enumerate users, groups, and tenants. They map organizational structures and identify security weaknesses, such as permissive external communication settings.

Attackers then develop their resources by compromising legitimate tenants or creating new, custom-branded ones to impersonate trusted entities, such as IT support. Once a credible identity has been established, they proceed to initial access, often using social engineering tactics, including tech support scams.

A prime example is the threat actor Storm-1811, which posed as a support technician tasked with fixing alleged email issues, using this cover to spread ransomware. A similar approach was adopted by affiliates of the 3AM ransomware, who inundated employees with unsolicited emails and then used Teams calls to persuade them to grant remote access.

Once established, threat actors focus on maintaining persistence and escalating privileges. They can add their own guest accounts, abuse device code authentication flows to steal access tokens, or use phishing lures to distribute malware that secures long-term access.
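The two persistence techniques above, device code token theft and guest account creation, both leave traces in Microsoft Entra sign-in and audit logs. The following detection sketch is an added example, not code from the article or from Microsoft; the log records are constructed, and the field names are assumed to follow the Graph signIn and directoryAudit schemas (adjust them to match your own export).

```python
# Constructed sample records shaped like Entra sign-in and audit log entries.
# Field names (authenticationProtocol, activityDisplayName, ...) are assumed
# from the Graph signIn / directoryAudit schemas; these are not real telemetry.
SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@contoso.example", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "bob@contoso.example", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Graph Command Line Tools", "ipAddress": "198.51.100.7"},
]
AUDITS = [
    {"activityDisplayName": "Invite external user", "initiatedBy": "bob@contoso.example",
     "targetUser": "support-helpdesk#EXT#@contoso.example"},
    {"activityDisplayName": "Update user", "initiatedBy": "alice@contoso.example",
     "targetUser": "alice@contoso.example"},
]

# Assumed allow-list of clients that legitimately use the device code flow
# in this tenant (for example, CLI tooling on headless hosts).
KNOWN_DEVICE_CODE_CLIENTS = {"Azure CLI"}


def device_code_signins(events, allowed_apps=KNOWN_DEVICE_CODE_CLIENTS):
    """Sign-ins that used the device code flow outside the allow-list.
    Interactive apps such as Teams normally never use it, so a device code
    sign-in to them is a strong hint that a user was lured into entering a
    code that authorised an attacker-controlled session."""
    return [e for e in events
            if e.get("authenticationProtocol") == "deviceCode"
            and e.get("appDisplayName") not in allowed_apps]


def guest_invites(events):
    """Audit records where a user invited an external (guest) account."""
    return [e for e in events if e.get("activityDisplayName") == "Invite external user"]


def correlate(sign_ins, audits):
    """Users who authenticated via device code and then invited a guest:
    the token-theft-then-persistence sequence described in the article."""
    dc_users = {e["userPrincipalName"] for e in device_code_signins(sign_ins)}
    return sorted({e["initiatedBy"] for e in guest_invites(audits)
                   if e["initiatedBy"] in dc_users})


if __name__ == "__main__":
    for e in device_code_signins(SIGN_INS):
        print(f"device code sign-in: {e['userPrincipalName']} via "
              f"{e['appDisplayName']} from {e['ipAddress']}")
    print("users to review:", correlate(SIGN_INS, AUDITS))
```

Over the constructed input this flags both of bob's device code sign-ins and returns bob as the one user who also added a guest; on real exports, feed the functions the parsed JSON records from your log pipeline.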

The financially motivated Octo Tempest group was observed using aggressive social engineering on Teams to compromise multi-factor authentication (MFA) for privileged accounts. With elevated access, attackers begin discovery and lateral movement. They use tools like AzureHound to map the compromised organization’s Microsoft Entra ID configuration and search for valuable data.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
