Microsoft Warns of Widespread Abuse of Teams by Threat Actors


Microsoft has issued a detailed warning about the growing use of Teams as a vector for cyberattacks. In a newly released report, the company highlights how both criminal groups and nation-state actors are exploiting Teams across multiple stages of the attack lifecycle—from reconnaissance to persistence—posing a significant security risk to organizations.

The report outlines how attackers are leveraging Teams not just as a communications tool, but as an entry point for credential theft, data exfiltration, malware distribution, and impersonation. According to Microsoft’s Threat Intelligence team, Teams is now being treated by adversaries as a multi-purpose platform for social engineering and intrusion, similar to how email has been abused in the past.

One of the key concerns is that attackers can gather intelligence by identifying weakly protected users or groups, especially when external access and guest participation are enabled. Without strong privacy settings, a threat actor can observe user availability, join external meetings, and engage unsuspecting employees in direct messages or calls.

The platform’s structure allows attackers to impersonate internal support personnel, sometimes using custom branding and domains to add legitimacy. In some cases, adversaries have purchased legitimate tenants to carry out operations under the guise of a trustworthy entity.

Microsoft cited recent incidents where actors delivered remote access tools and malware via Teams messages or live calls, including through tools like TeamsPhisher. One group, identified as Storm-1811, impersonated tech support to trick users into downloading malware. In other cases, actors mimicked clients during calls to convince victims to install remote desktop software such as AnyDesk, which was later used for malware deployment.

Persistence is another concern. Even after initial compromise is detected, attackers can use Teams to maintain access—by creating guest accounts, exploiting admin tools, or modifying startup configurations to reintroduce malicious payloads.

Microsoft recommends implementing layered defenses across identity, endpoint, network, and data environments, and advises Teams administrators to restrict external access where possible, monitor tenant activity, and apply stricter authentication policies.
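An added example (not code from Microsoft's report) of what "restrict external access" looks like in practice: the first function audits the tenant federation and guest settings the article refers to and reports risky ones, the second applies a domain allow list and turns off the consumer paths. It assumes the MicrosoftTeams PowerShell module, an existing Connect-MicrosoftTeams session with Teams admin rights, and uses 'partner.example' as a placeholder domain.

```powershell
# Added example, not part of Microsoft's report. Assumes the MicrosoftTeams
# module and an established Connect-MicrosoftTeams session (Teams admin role).
# 'partner.example' is a placeholder for a real partner domain.

function Get-TeamsExternalAccessFindings {
    $fed   = Get-CsTenantFederationConfiguration
    $teams = Get-CsTeamsClientConfiguration -Identity Global
    $findings = @()

    # Open federation: any Microsoft 365 tenant can message or call your users,
    # which is what lets a purchased look-alike tenant reach employees.
    $allowed = @($fed.AllowedDomains.AllowedDomain)
    if ($fed.AllowFederatedUsers -and $allowed.Count -eq 0) {
        $findings += 'External access is open to all domains; use an allow list.'
    }
    if ($fed.AllowTeamsConsumer -or $fed.AllowTeamsConsumerInbound) {
        $findings += 'Personal (consumer) Teams accounts can contact users.'
    }
    if ($fed.AllowPublicUsers) {
        $findings += 'Skype consumer accounts can contact users.'
    }
    if ($teams.AllowGuestUser) {
        $findings += 'Guest access is enabled; restrict it if not required.'
    }
    return $findings
}

function Set-TeamsExternalAccessHardened {
    param([Parameter(Mandatory)][string[]]$AllowedDomain)

    # Keep federation on, but only for the named partner domains; disable the
    # consumer and Skype paths, which rarely have a business purpose.
    $patterns  = $AllowedDomain | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
        -AllowedDomains $allowList -AllowTeamsConsumer $false `
        -AllowTeamsConsumerInbound $false -AllowPublicUsers $false

    # Guest access is a policy decision; disable it when it is not needed.
    Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $false
}

# Report only by default; run the hardening step deliberately after review.
Get-TeamsExternalAccessFindings | ForEach-Object { Write-Warning $_ }
# Set-TeamsExternalAccessHardened -AllowedDomain @('partner.example')
```

Run the audit first and review the findings with the business owners of any partner domains before applying the allow list, since the hardened configuration blocks every tenant not on it.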

As collaboration platforms continue to expand their role in enterprise operations, their security posture will be critical to defending against both targeted and opportunistic threats.