Microsoft Warns of Teams Attacks Abusing External Chats to Breach Enterprises

Treat all external Teams messages as untrusted, Microsoft warns


teams used in phishing

Microsoft has issued a new warning about a surge in cyberattacks that abuse external collaboration features in Microsoft Teams. The attacks rely on impersonation and social engineering to trick employees into granting access to corporate systems.

Security researchers, as reported by Bleeping Computer, say attackers pose as IT or helpdesk staff and target enterprise users through cross-tenant chats.

Attackers impersonate IT staff via external Teams chats

The campaign focuses on exploiting trust inside organizations. Attackers initiate conversations from external tenants and pretend to assist with account or security issues.

Victims often believe they are interacting with legitimate internal support. This tactic mirrors a recent wave of attacks where Microsoft warned macOS users about fake job interviews used to distribute malware.

The goal remains the same: gain remote access and extract sensitive company data.

Victims tricked into launching remote access sessions

Once trust is established, attackers convince users to start a remote session using tools such as Quick Assist.

This step gives attackers direct control over the system, allowing them to move quickly without exploiting software vulnerabilities.

After access is granted, attackers begin reconnaissance using built-in tools like Command Prompt and PowerShell. They check privileges, domain membership, and network visibility to plan the next steps.

Malware execution hides behind trusted applications

Attackers deploy payloads in user-writable directories such as ProgramData. They then execute malicious code using DLL side-loading techniques.

To avoid detection, they rely on trusted, signed applications, including software from Autodesk and Adobe, as well as Windows Error Reporting components.

This approach helps malicious activity blend with legitimate system processes.

Persistence and lateral movement target high-value systems

After establishing a foothold, attackers set up HTTPS-based command-and-control channels. They also modify the Windows Registry to maintain persistence across reboots.

For lateral movement, they use Windows Remote Management (WinRM) to reach domain-joined systems. High-value targets such as domain controllers often become the next objective.

Data exfiltration designed for stealth

Instead of large data transfers, attackers filter and extract only valuable information. This minimizes network noise and reduces the chance of detection.

Because the activity relies heavily on legitimate tools and native protocols, it often appears similar to routine IT operations.

Microsoft urges caution with external Teams messages

Microsoft recommends treating all external Teams messages as untrusted by default. Organizations should restrict and monitor remote assistance tools and closely track WinRM activity.

Users should also pay attention to built-in warnings about external participants and possible phishing attempts inside Teams.
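The monitoring advice above (restrict and watch remote assistance tools, track WinRM, and be suspicious of payloads run from user-writable directories through signed applications) can be turned into a small triage check. The script below is an added example and is not Microsoft's guidance or Bleeping Computer's reporting; it assumes Sysmon-style event records (EventID 1 process create, 7 image load, 3 network connection) and uses constructed sample events, a placeholder signed application name, and an assumed allow-list of hosts permitted to open WinRM sessions.

```python
"""Added example: triage constructed Sysmon-style events for the three
behaviours the article's recommendations single out:
  1. a remote-assistance tool (Quick Assist) being launched,
  2. an unsigned DLL loaded from a user-writable directory such as ProgramData
     (the side-loading pattern described in the article),
  3. inbound WinRM from a host that is not an approved admin source.
All event records below are constructed for the example, not real telemetry."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Remote-assistance binaries the article says should be restricted and monitored.
REMOTE_ASSIST_IMAGES = {"quickassist.exe"}
# Assumption: only these hosts are expected to initiate WinRM (e.g. admin jump hosts).
WINRM_ALLOWED_SOURCES = {"10.0.0.5"}
WINRM_PORTS = {5985, 5986}
# Only ProgramData is listed here; user profile directories hold many legitimate
# unsigned DLLs and would need a more selective rule.
USER_WRITABLE_ROOTS = (PureWindowsPath("C:/ProgramData"),)


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def _image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _under(path: str, roots) -> bool:
    """True if `path` sits below any of `roots` (case-insensitive Windows semantics)."""
    parents = PureWindowsPath(path).parents
    return any(root in parents for root in roots)


def triage(events: list[dict]) -> list[Alert]:
    """Return one Alert per event that matches a rule; events are plain dicts."""
    alerts: list[Alert] = []
    for ev in events:
        host = ev.get("Computer", "?")
        eid = ev.get("EventID")
        if eid == 1 and _image_name(ev.get("Image", "")) in REMOTE_ASSIST_IMAGES:
            alerts.append(Alert("remote_assistance_launch", host,
                                f"{ev.get('User')} started {_image_name(ev['Image'])}"))
        elif eid == 7:
            loaded = ev.get("ImageLoaded", "")
            if _under(loaded, USER_WRITABLE_ROOTS) and str(ev.get("Signed", "")).lower() != "true":
                alerts.append(Alert("unsigned_dll_from_user_writable_dir", host,
                                    f"{_image_name(ev.get('Image', ''))} loaded {loaded}"))
        elif eid == 3 and str(ev.get("Initiated", "")).lower() == "false":
            port = int(ev.get("DestinationPort", 0))
            if port in WINRM_PORTS and ev.get("SourceIp") not in WINRM_ALLOWED_SOURCES:
                alerts.append(Alert("winrm_from_unexpected_source", host,
                                    f"inbound WinRM from {ev.get('SourceIp')} on port {port}"))
    return alerts


# Constructed sample events (not real logs). "signed_vendor_app.exe" is a placeholder
# standing in for a legitimately signed third-party binary.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-042", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\quickassist.exe"},
    {"EventID": 7, "Computer": "WS-042",
     "Image": r"C:\ProgramData\Updater\signed_vendor_app.exe",
     "ImageLoaded": r"C:\ProgramData\Updater\helper.dll", "Signed": "false"},
    {"EventID": 7, "Computer": "WS-042",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 3, "Computer": "DC-01", "Initiated": "false",
     "SourceIp": "10.0.1.42", "DestinationPort": 5985},
    {"EventID": 3, "Computer": "DC-01", "Initiated": "false",
     "SourceIp": "10.0.0.5", "DestinationPort": 5986},
]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

Run against the constructed events, the script raises three alerts: the Quick Assist launch on the workstation, the unsigned DLL loaded from ProgramData, and the WinRM session reaching the domain controller from a host outside the allow-list. The WinRM rule is the one most dependent on local knowledge; the allow-list should reflect which hosts genuinely administer domain-joined systems, otherwise routine IT operations produce the same alerts as the activity the article describes.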

In other cybersecurity news, the RedSun exploit is currently active in the wild alongside two additional zero-day threats, highlighting the growing complexity of modern attacks.
