A new phishing campaign is exploiting Microsoft Teams’ external collaboration features to impersonate IT help desk staff and trick users into granting unauthorized screen-sharing and remote-control access. Cybercriminals are leveraging the platform’s default configuration, which allows external communication without prior authentication, creating a significant attack surface that bypasses traditional email security and relies heavily on social engineering.
Reports by Axon Team detail that attackers are initiating contact with victims through one-on-one chat phishing, either by compromising legitimate Teams accounts or by creating malicious Entra ID tenants using Microsoft’s default .onmicrosoft.com domains. These accounts enable fraudsters to approach organizational users, appearing credible while exploiting Teams’ integrated communication tools. Reconnaissance is conducted through Teams’ user search, confirming email validity and communication capability before an attack begins. Although Microsoft has implemented warnings such as “external communication” pop-ups and potential phishing alerts, attackers have developed workarounds.
One method gaining traction is voice call phishing, or vishing. Unlike chat messages, external voice calls in Teams do not trigger security warnings, giving attackers a frictionless channel for building trust. Once rapport is established, victims are persuaded to enable screen sharing, which lets attackers monitor activity and talk users into performing harmful actions. The most alarming cases involve organizations that have changed the default settings to allow remote control. There, attackers can escalate from observation to full system access without needing conventional remote administration tools such as AnyDesk or Quick Assist.
Axon Team’s research emphasizes that detection remains possible through Microsoft 365 audit logs. Indicators such as ChatCreated entries, which record the creation of new chats with metadata like thread IDs and tenant organization details, are early signs of malicious activity. MessageSent logs further assist by recording sender IPs and URLs, though message bodies are excluded. Additional flags include UserAccepted events, which mark when users approve external requests, and TeamsImpersonationDetected alerts, which are triggered by brand impersonation detection algorithms. Advanced detection strategies require close monitoring of audit log entries that carry foreign tenant parameters and one-on-one communication identifiers.
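As an added illustration of the detection approach described above (not code from Axon Team or Microsoft), the following Python triages constructed Unified Audit Log records in the order the attack unfolds: an external one-on-one ChatCreated event, a MessageSent from a default .onmicrosoft.com tenant carrying a URL, then a UserAccepted event. The record shape and field names (Operation, CommunicationType, ChatThreadId, ParticipantInfo, MessageURLs, UserId, ClientIP) and the placeholder tenant ids are assumptions to be checked against a real export.

```python
# Constructed sample records modelled on Microsoft 365 Unified Audit Log entries for
# Teams. Field names (Operation, CommunicationType, ChatThreadId, ParticipantInfo,
# MessageURLs, UserId, ClientIP) are assumptions; confirm them against a real export.
HOME_TENANT = "tenant-home"  # placeholder for your own Entra ID tenant id

SAMPLE_RECORDS = [
    {"Operation": "ChatCreated", "CommunicationType": "OneOnOne", "ChatThreadId": "19:a",
     "UserId": "alice@corp.example",
     "ParticipantInfo": {"HasForeignTenantUsers": True,
                         "ParticipatingTenantIds": [HOME_TENANT, "tenant-foreign"]}},
    {"Operation": "MessageSent", "CommunicationType": "OneOnOne", "ChatThreadId": "19:a",
     "UserId": "it-helpdesk@example-support.onmicrosoft.com", "ClientIP": "203.0.113.7",
     "MessageURLs": ["https://example.invalid/verify-account"]},
    {"Operation": "UserAccepted", "ChatThreadId": "19:a", "UserId": "alice@corp.example"},
    {"Operation": "ChatCreated", "CommunicationType": "GroupChat", "ChatThreadId": "19:b",
     "UserId": "bob@corp.example",
     "ParticipantInfo": {"HasForeignTenantUsers": False,
                         "ParticipatingTenantIds": [HOME_TENANT]}},
]

def is_foreign(record, home_tenant=HOME_TENANT):
    """True when any participant belongs to a tenant other than ours."""
    info = record.get("ParticipantInfo") or {}
    if info.get("HasForeignTenantUsers"):
        return True
    return any(t != home_tenant for t in info.get("ParticipatingTenantIds", []))

def triage(records, home_tenant=HOME_TENANT):
    """Return (severity, reason, thread_id) findings, escalating along the chain
    external one-on-one chat -> URL / .onmicrosoft.com sender -> user accepts."""
    external_threads, findings = set(), []
    for r in records:
        op, thread = r.get("Operation"), r.get("ChatThreadId")
        if (op == "ChatCreated" and r.get("CommunicationType") == "OneOnOne"
                and is_foreign(r, home_tenant)):
            external_threads.add(thread)
            findings.append(("medium", "external one-on-one chat created", thread))
        elif op == "MessageSent" and thread in external_threads:
            if r.get("UserId", "").lower().endswith(".onmicrosoft.com"):
                findings.append(("high", "sender uses default .onmicrosoft.com domain", thread))
            if r.get("MessageURLs"):
                findings.append(("high", "URL sent in external one-on-one chat", thread))
        elif op == "UserAccepted" and thread in external_threads:
            findings.append(("critical", "user accepted request in external chat", thread))
        elif op == "TeamsImpersonationDetected":
            findings.append(("high", "Teams brand impersonation alert", thread))
    return findings
```

The internal GroupChat record produces no finding, so the output for the sample is one medium, two high and one critical finding, all on thread 19:a.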
As attackers refine these techniques, organizations are being urged to strengthen their defenses by tightening external communication policies, increasing user awareness training around IT help desk impersonation tactics, and enhancing log monitoring for suspicious patterns. The growing abuse of Teams’ built-in collaboration features demonstrates how legitimate enterprise tools are being repurposed by malicious actors, highlighting the need for continuous vigilance in safeguarding digital workplaces.