Microsoft Warns of Hackers Abusing Teams Features and Capabilities to Deliver Malware


Microsoft has issued a warning that both cybercriminals and state-sponsored threat actors are increasingly abusing the features and capabilities of Microsoft Teams throughout their attack chains.

The platform’s extensive collaboration features and global adoption make it a high-value target for both cybercriminals and state-sponsored actors, with its core functions for messaging, calls, and screen-sharing being weaponized for malicious purposes.

Threat actors abuse these core capabilities (chat messaging, calls and meetings, and video-based screen-sharing) at different points along the attack chain.

This raises the stakes for defenders to proactively monitor, detect, and respond. While Microsoft’s Secure Future Initiative (SFI) has strengthened default security, the company emphasizes that defenders must utilize available security controls to harden their enterprise Teams environments.

Hackers Abuse Teams Features

Attackers are carrying out the entire attack lifecycle within the Teams ecosystem, from initial reconnaissance to final impact, Microsoft said.


This involves a multi-stage process where the platform’s trusted status is exploited to infiltrate networks, steal data, and deploy malware.

Teams Attack Chain

The attack chain often begins with reconnaissance, where threat actors use open-source tools like TeamsEnum and TeamFiltration to enumerate users, groups, and tenants.

They map organizational structures and identify security weaknesses, such as permissive external communication settings.

This is followed by resource development, where attackers may compromise legitimate tenants or create new ones, complete with custom branding, to impersonate trusted entities like IT support.

Once they have established a credible persona, attackers move to initial access. This stage frequently involves social engineering tactics such as tech support scams.

For example, the threat actor Storm-1811 has impersonated tech support to address fabricated email issues, using the pretext to deploy ransomware.

Similarly, affiliates of the 3AM ransomware group have flooded employees with junk email and then used Teams calls to convince them to grant remote access.

Malicious links and payloads are also delivered directly through Teams chats, with tools like AADInternals and TeamsPhisher being used to distribute malware like DarkGate.

Escalation and Lateral Movement

After gaining a foothold, threat actors focus on maintaining persistence and escalating privileges. They may add their own guest accounts, abuse device code authentication flows to steal access tokens, or use phishing lures to deliver malware that ensures long-term access.

The financially motivated group Octo Tempest has been observed using aggressive social engineering over Teams to compromise Multi-Factor Authentication (MFA) for privileged accounts.

With elevated access, attackers begin discovery and lateral movement. They use tools like AzureHound to map the compromised organization’s Microsoft Entra ID configuration and search for valuable data.

The state-sponsored actor Peach Sandstorm has used Teams to deliver malicious ZIP files and then explored on-premises Active Directory databases.

If an attacker gains admin access, they can alter external communication settings to establish trust relationships with other organizations, enabling lateral movement between tenants.

The final stages of the attack involve collection, command and control (C2), exfiltration, and impact. Attackers use tools like GraphRunner to search and export sensitive conversations and files from Teams, OneDrive, and SharePoint.

Some malware, like a cracked version of Brute Ratel C4 (BRc4), is designed to establish C2 channels using Teams’ own communication protocols to send and receive commands.

Data exfiltration can occur through Teams messages or shared links pointing to attacker-controlled cloud storage. The ultimate goal is often financial theft through extortion or ransomware.

Octo Tempest, for instance, has used Teams to send threatening messages to pressure organizations into making payments after successfully gaining control of their systems.

This demonstrates how the platform can be abused not just as an entry vector, but as a tool for direct financial coercion.

In response, experts recommend a defense-in-depth strategy, focusing on hardening identity and access controls, monitoring for anomalous activity within Teams, and providing continuous security awareness training to users.
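Two of the signals described above are visible in standard Microsoft 365 telemetry: device code authentication flows used to obtain access tokens (see the persistence section) and changes to external communication settings or guest membership made by an account with admin access. The script below is an added example written for this article, not Microsoft's code or a published detection rule. It scans constructed records shaped like Microsoft Entra sign-in events (the Graph `signIn` resource, whose `authenticationProtocol` field is `deviceCode` for device code flows) and Microsoft 365 unified audit log entries. The audit operation names `Add user.` and `TeamsTenantSettingChanged`, and the `ModifiedProperties` layout, are assumptions about the export format and should be checked against a real tenant's logs before use.

```python
"""Detection sketch for two Teams-related abuse signals (added example).

Inputs are constructed sample records, not real tenant data. Field names
follow the Microsoft Entra sign-in log (authenticationProtocol == "deviceCode")
and the Microsoft 365 unified audit log; the operation names "Add user." and
"TeamsTenantSettingChanged" and the ModifiedProperties layout are assumptions.
"""

# --- Constructed sample input --------------------------------------------
SIGN_INS = [
    {"createdDateTime": "2025-10-07T09:12:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-10-07T09:14:00Z", "userPrincipalName": "it-admin@example.com",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-10-07T09:15:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
]

AUDIT_LOG = [
    {"CreationTime": "2025-10-07T09:20:00Z", "Workload": "AzureActiveDirectory",
     "Operation": "Add user.", "UserId": "it-admin@example.com",
     "ObjectId": "support_contoso.example#EXT#@example.onmicrosoft.com",
     "ModifiedProperties": [{"Name": "UserType", "NewValue": "Guest"}]},
    {"CreationTime": "2025-10-07T09:25:00Z", "Workload": "MicrosoftTeams",
     "Operation": "TeamsTenantSettingChanged", "UserId": "it-admin@example.com",
     "Name": "Allow external users", "OldValue": "False", "NewValue": "True"},
    {"CreationTime": "2025-10-07T09:30:00Z", "Workload": "MicrosoftTeams",
     "Operation": "TeamCreated", "UserId": "alice@example.com"},
]

# Accounts whose token theft would be most damaging (hypothetical list).
PRIVILEGED = {"it-admin@example.com"}


def device_code_signins(sign_ins, privileged, include_failed=True):
    """Return device code flow sign-ins, tagging privileged accounts.

    Failed attempts are kept by default: a burst of failures followed by a
    success is the pattern of a user being coaxed through the flow.
    """
    hits = []
    for r in sign_ins:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        failed = r.get("status", {}).get("errorCode", 0) != 0
        if failed and not include_failed:
            continue
        hits.append({
            "time": r["createdDateTime"],
            "user": r["userPrincipalName"],
            "app": r.get("appDisplayName"),
            "ip": r.get("ipAddress"),
            "privileged": r["userPrincipalName"] in privileged,
            "succeeded": not failed,
        })
    return hits


def shared_ip_across_users(sign_ins):
    """IPs that completed device code flows for more than one account.

    One source address redeeming device codes for several users suggests a
    single operator walking multiple victims through the same lure.
    """
    by_ip = {}
    for r in sign_ins:
        if r.get("authenticationProtocol") == "deviceCode":
            by_ip.setdefault(r.get("ipAddress"), set()).add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


def external_access_changes(audit_log):
    """Guest additions and tenant external-communication setting changes."""
    findings = []
    for e in audit_log:
        op = e.get("Operation")
        if e.get("Workload") == "AzureActiveDirectory" and op == "Add user.":
            props = {p.get("Name"): p.get("NewValue") for p in e.get("ModifiedProperties", [])}
            if props.get("UserType") == "Guest":
                findings.append({"time": e["CreationTime"], "kind": "guest_added",
                                 "actor": e.get("UserId"), "target": e.get("ObjectId")})
        elif e.get("Workload") == "MicrosoftTeams" and op == "TeamsTenantSettingChanged":
            findings.append({"time": e["CreationTime"], "kind": "tenant_setting_changed",
                             "actor": e.get("UserId"), "setting": e.get("Name"),
                             "old": e.get("OldValue"), "new": e.get("NewValue")})
    return findings


def summarize(sign_ins, audit_log, privileged):
    """Roll the findings up into counts suitable for an alert threshold."""
    dc = device_code_signins(sign_ins, privileged)
    ext = external_access_changes(audit_log)
    return {
        "device_code_total": len(dc),
        "device_code_privileged": sum(1 for h in dc if h["privileged"]),
        "device_code_shared_ips": shared_ip_across_users(sign_ins),
        "guest_added": sum(1 for f in ext if f["kind"] == "guest_added"),
        "tenant_setting_changes": sum(1 for f in ext if f["kind"] == "tenant_setting_changed"),
    }


if __name__ == "__main__":
    for hit in device_code_signins(SIGN_INS, PRIVILEGED):
        print("device-code:", hit)
    for finding in external_access_changes(AUDIT_LOG):
        print("external-access:", finding)
    print(summarize(SIGN_INS, AUDIT_LOG, PRIVILEGED))
```

In practice the sign-in records would come from the Entra sign-in log export or the Graph `auditLogs/signIns` endpoint and the audit entries from a unified audit log search; the functions only depend on the field names shown, so they can be pointed at either source once the assumed operation names have been confirmed.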






About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.