When “Hi, This Is IT” Comes Through Microsoft Teams
Threat actors are increasingly using Microsoft Teams as a vector for phishing attacks by impersonating IT support staff to trick employees into approving MFA prompts or divulging credentials. These attacks exploit the trust users place in internal collaboration tools and leverage permissive external communication settings in Teams. Attackers may use compromised or typosquatted accounts and exploit default federation settings to initiate chats that appear legitimate. The threat is not due to inherent insecurity in Teams but rather overly permissive configurations and user trust. Mitigations include tightening external communication policies, enhancing user training specific to collaboration tool phishing, and applying identity-centric controls such as conditional access and just-in-time privileged access. Monitoring and reporting suspicious Teams messages also help reduce risk. This attack vector is growing as phishing via email becomes harder to execute successfully.
AI Analysis
Technical Summary
This threat involves phishing attacks conducted through Microsoft Teams, where attackers impersonate IT department personnel to deceive employees into approving MFA prompts or entering credentials. The attacks leverage external chat capabilities and federation features in Teams, often exploiting compromised or lookalike Microsoft 365 tenants to appear legitimate. The attackers rely on user trust in collaboration tools and permissive external communication settings to initiate chats that bypass traditional email phishing defenses. Notable threat actors such as Cloaked Ursa (APT29) and UNC6692 have operationalized this technique. Defenses focus on restricting external chat initiation, user awareness training tailored to Teams, and enforcing identity protection policies. Microsoft Teams includes impersonation warnings, but user vigilance remains critical. Organizations should configure Teams to limit external communications and monitor for suspicious activity to reduce exposure.
Potential Impact
Successful phishing attacks via Microsoft Teams can lead to credential compromise and unauthorized access to organizational resources. The attacks exploit trusted communication channels, increasing the likelihood of user interaction and subsequent account compromise. This can result in identity theft, lateral movement within networks, and potential data breaches. The threat actors have demonstrated the ability to bypass traditional email phishing defenses by shifting to collaboration platforms. The impact is medium severity given the reliance on social engineering and the potential for significant access if successful.
Mitigation Recommendations
A fix for this threat involves configuration changes and user training rather than software patching. Organizations should review and tighten Microsoft Teams external communication settings by disabling or restricting chats from unmanaged or personal accounts and limiting federation to specific trusted domains. User awareness training must explicitly cover phishing risks in collaboration tools, including recognizing external indicators and verifying unexpected IT support requests through separate channels. Identity protections such as Conditional Access policies and just-in-time privileged access management should be enforced to reduce risk from compromised accounts. Monitoring external chat initiation and enabling user reporting of suspicious messages can help detect and respond to attacks. These mitigations align with Microsoft’s best practices and Unit 42 recommendations.
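The Teams settings that the recommendations above refer to (blocking chats from personal accounts and replacing open federation with a domain allow-list) can be applied from the MicrosoftTeams PowerShell module. The script below is an added example written for this page; it is not code from Unit 42 or Microsoft. It assumes a Teams administrator role, the MicrosoftTeams module installed, and that `partner.example.com` stands in for a real trusted partner domain.

```powershell
# Added example: tighten Microsoft Teams external access so unmanaged or personal
# accounts cannot open chats with staff, and federation only reaches an explicit
# allow-list of domains. "partner.example.com" is a placeholder, not a real partner.
Connect-MicrosoftTeams

# 1. Capture the current state first; the default tenant configuration usually
#    allows federation with all domains and inbound chats from consumer accounts.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                        AllowPublicUsers, AllowedDomains, BlockedDomains

# 2. Stop personal (consumer) Teams accounts and Skype users from reaching the tenant.
Set-CsTenantFederationConfiguration `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

# 3. Block external access from trial tenants, which need no paid subscription to create.
Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants Blocked

# 4. Replace "allow all domains" with an explicit allow-list. Only domains on the
#    list can initiate or receive chats; every other tenant is refused.
$allowList = New-CsEdgeAllowList -AllowedDomain @(
    New-CsEdgeDomainPattern -Domain "partner.example.com"
)
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 5. Verify the result and keep the before/after output with the change record.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                  AllowPublicUsers, AllowedDomains
```

Apply the change in a test tenant or during a maintenance window: moving from open federation to an allow-list silently cuts off any external partner not yet on the list, so inventory legitimate external chat partners from Teams usage reports before step 4.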
Technical Details
- Article Source: https://unit42.paloaltonetworks.com/microsoft-teams-phishing/ (fetched 2026-06-08T23:13:03.970Z, 1914 words)
Threat ID: 6a274c7fe29bf47b50bcef5a
Added to database: 6/8/2026, 11:13:03 PM
Last enriched: 6/8/2026, 11:13:13 PM
Last updated: 6/9/2026, 6:23:05 AM