Redazione RHC : 29 August 2025 09:02
In recent months, as previously reported on Red Hot Cyber, a new front has emerged in the corporate phishing landscape: Microsoft Teams attacks in which attackers impersonate IT or help desk personnel. Taking advantage of the platform's basic features, such as external communication being allowed by default, attackers engage users with messages, calls, or screen-sharing requests, often slipping unnoticed into Teams chats. The effectiveness of these tactics has grown alongside the widespread adoption of Teams as the primary collaborative work tool.
The damage occurs when the victim, believing they are helping an internal technician, grants remote control or screen sharing, or runs remote access tools (such as Quick Assist, AnyDesk, or RMM tools). This allows attackers to install malware, compromise endpoints, disable protections, and move laterally within the corporate network. One campaign, dubbed VEILDrive, showed how the attacker used a previously compromised account to send phishing messages through Teams and gain initial access.
A frequently observed modus operandi involves email bombing: a rapid flood of emails (even thousands in just a few minutes) intended to create a sense of urgency and push victims to seek technical help.
Attackers use this pretext to contact them via Teams. In this context, victims receive messages from unverified .onmicrosoft.com domains whose names include words like "helpdesk," "IT," or "support," increasing the risk of confusion.
Attackers sometimes start by compromising internal Teams accounts or by creating standalone Entra ID tenants, often left on their default .onmicrosoft.com domain without any custom domain configuration. Whether the attacker uses a personal account, a trial license, or a corporate tenant then affects which logs are generated and which features are available.
One-to-one chat phishing exploits the ease with which you can search for external users via Teams and send them messages, a capability supported by the platform’s interface. Although Microsoft triggers alerts for external or suspicious messages, these can be circumvented at later stages of the attack.
Microsoft 365 logs provide important traces for investigation: events such as ChatCreated, MessageSent, UserAccepted and TeamsImpersonationDetected allow you to reconstruct suspicious conversations, identify when users clicked through external communication warnings, and even detect impersonation attempts.
In the case of voice calls (vishing), Teams displays no alerts on the victim's side, and logs remain limited, generating only events like ChatCreated and MessageSent, which makes these calls difficult to distinguish from text chats. Furthermore, screen sharing can be easily enabled if the user consents, while remote control is blocked by default but can be activated via policy, increasing the attack surface.
To counter this threat, Team AXON offers a UEBA-based detection logic, enriched with scoring and context: unusual external chats, .onmicrosoft.com domains, patterns with suspicious keywords (e.g., helpdesk), use of non-ASCII characters (emoji), and TIMailData spikes related to email bombing. The analysis also considers events such as UserAccepted, user responses, and the addition of members to threads.
Technical controls complete the picture: the use of an Endpoint Detection and Response (EDR) system combined with next-generation antivirus (Next-Gen AV) is recommended. These tools can block anomalous behavior, intercept malicious applications, and support post-event investigative activities.
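As an added example (not the article's nor Team AXON's code), the following Python scorer applies the indicators listed above to constructed, audit-log-style Teams records and flags chat threads that accumulate enough of them. The Operation names are the ones the article cites; the remaining field names, the indicator weights, the internal domain list and the alert threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records. Operation names (ChatCreated, MessageSent, UserAccepted)
# are those cited in the article; other field names are assumptions, not the real schema.
SAMPLE_EVENTS = [
    {"Operation": "ChatCreated", "ChatThreadId": "t1",
     "SenderUpn": "helpdesk@contoso-support.onmicrosoft.com",
     "SenderDisplayName": "IT Helpdesk ✅"},
    {"Operation": "UserAccepted", "ChatThreadId": "t1",
     "SenderUpn": "alice@example.com", "SenderDisplayName": "Alice"},
    {"Operation": "ChatCreated", "ChatThreadId": "t2",
     "SenderUpn": "bob@example.com", "SenderDisplayName": "Bob"},
    {"Operation": "ChatCreated", "ChatThreadId": "t3",
     "SenderUpn": "pm@partner-corp.com", "SenderDisplayName": "Partner PM"},
]

ORG_DOMAINS = {"example.com"}  # assumed internal tenant domains
KEYWORDS = re.compile(r"help ?desk|\bit\b|support", re.IGNORECASE)
WEIGHTS = {"external_sender": 1, "onmicrosoft_domain": 2,
           "support_keyword": 2, "non_ascii_name": 1, "user_accepted": 1}
ALERT_THRESHOLD = 4  # assumed; tune against your own baseline

def score_threads(events, org_domains=ORG_DOMAINS):
    """Return {thread_id: (score, reasons)}; each indicator counts once per thread."""
    reasons = defaultdict(set)
    for ev in events:
        found = reasons[ev["ChatThreadId"]]  # creates the entry even if clean
        if ev["Operation"] == "UserAccepted":
            # Assumed meaning: recipient clicked through the external-chat warning
            found.add("user_accepted")
            continue
        local, _, domain = ev["SenderUpn"].lower().partition("@")
        if domain in org_domains:
            continue  # internal sender: nothing to flag
        found.add("external_sender")
        if domain.endswith(".onmicrosoft.com"):
            found.add("onmicrosoft_domain")  # default tenant domain, no custom DNS
        name = ev["SenderDisplayName"]
        if KEYWORDS.search(name) or KEYWORDS.search(local):
            found.add("support_keyword")  # "helpdesk", "IT", "support" lure
        if any(ord(c) > 127 for c in name):
            found.add("non_ascii_name")  # emoji or lookalike characters
    return {tid: (sum(WEIGHTS[r] for r in rs), sorted(rs))
            for tid, rs in reasons.items()}

def flag_threads(events, threshold=ALERT_THRESHOLD):
    return [tid for tid, (score, _) in score_threads(events).items()
            if score >= threshold]
```

In production the same per-thread aggregation would run over exported unified audit log records, with the TIMailData spike from the email-bombing stage added as a further indicator on the targeted user.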