A new wave of cyberattacks is targeting employees through a combination of inbox flooding and fake IT support contacts on Microsoft Teams, tricking users into handing over remote access to their own devices.
These attacks have been growing steadily since the start of 2026, and security researchers warn they are far from slowing down.
The attack usually begins with the victim receiving hundreds or even thousands of unwanted emails within a short time.
This technique, known as email bombing, creates panic and confusion, making the target feel like something has gone seriously wrong with their account.
When the victim is at their most anxious, a so-called “IT support specialist” reaches out via Microsoft Teams, offering to help fix the problem.
The contact looks legitimate, uses a professional-sounding name and IT-themed display details, and seems to know exactly what is happening. That is by design.
eSentire analysts identified multiple real-world intrusion cases where this exact pattern played out, leading to confirmed data exfiltration from compromised endpoints.
Researchers noted that in each case, threat actors impersonated internal IT support teams through Microsoft Teams, contacting users from external accounts with display names like “IT Protection Department” or “Windows Security Help Desk.”
These freshly created tenant names were designed to look as official as possible, while the accounts themselves were built using realistic full-name personas such as michaelturner@ or danielfoster@ rather than generic labels like helpdesk@ or admin@.
What makes this campaign especially concerning is how it blends social pressure with a trusted platform. Most employees use Microsoft Teams daily and are conditioned to expect IT messages there.
The attackers exploit that trust directly. Once a victim accepts help, they are asked to grant remote access through tools like Quick Assist or AnyDesk. From that point, the attacker has full control of the device.
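The pressure sequence described above (a mail flood, then an unsolicited Teams contact from an external tenant with an IT-themed display name) leaves two signals that can be correlated. The following Python script is an added detection example, not code from the article or from eSentire; its event layout, domain lists, keyword set and thresholds are assumptions, and the mail and Teams events it runs over are constructed for the example.

```python
"""Detection example: correlate an inbound-mail flood with a follow-up Teams
contact from an external, IT-themed sender. All events below are constructed
for this example; the field layout and thresholds are assumptions, not a
vendor log schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}               # assumed: our own tenant
TRUSTED_EXTERNAL = {"trusted-partner.example"}    # assumed: verified partner tenants
IT_THEMED = re.compile(r"\b(it|helpdesk|help desk|security|support|protection)\b", re.I)


def find_email_bombs(mail_events, window=timedelta(minutes=15),
                     min_messages=100, min_domains=20):
    """Return {recipient: (first_ts, last_ts, count)} for every recipient that
    received >= min_messages from >= min_domains distinct sender domains inside
    one sliding window. Ordinary bulk mail rarely has that many distinct senders."""
    per_recipient = defaultdict(list)
    for ts, recipient, sender in mail_events:
        per_recipient[recipient].append(
            (datetime.fromisoformat(ts), sender.split("@")[-1].lower()))
    bombs = {}
    for recipient, rows in per_recipient.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            if (len(chunk) >= min_messages
                    and len({domain for _, domain in chunk}) >= min_domains
                    and len(chunk) > bombs.get(recipient, (None, None, 0))[2]):
                bombs[recipient] = (chunk[0][0], chunk[-1][0], len(chunk))
    return bombs


def is_untrusted_external(sender):
    domain = sender.split("@")[-1].lower()
    return domain not in INTERNAL_DOMAINS and domain not in TRUSTED_EXTERNAL


def looks_like_it_support(display_name):
    return IT_THEMED.search(display_name) is not None


def correlate(mail_events, teams_contacts, follow_up=timedelta(hours=6)):
    """One alert per untrusted external Teams contact with an IT-themed display
    name that reaches a user during, or within follow_up after, an email bomb."""
    bombs = find_email_bombs(mail_events)
    alerts = []
    for ts, recipient, sender, display_name in teams_contacts:
        if recipient not in bombs or not is_untrusted_external(sender):
            continue
        if not looks_like_it_support(display_name):
            continue
        bomb_start, bomb_end, count = bombs[recipient]
        contact_at = datetime.fromisoformat(ts)
        if bomb_start <= contact_at <= bomb_end + follow_up:
            alerts.append({
                "user": recipient,
                "flood_messages": count,
                "teams_sender": sender,
                "display_name": display_name,
                "minutes_after_flood": int((contact_at - bomb_end).total_seconds() // 60),
            })
    return alerts


def build_sample_events():
    """Constructed telemetry: 300 messages from 300 different domains hit alice
    in ten minutes, then an external 'IT Protection Department' persona opens a
    Teams chat 40 minutes after the flood ends. bob only gets ordinary internal mail."""
    base = datetime(2026, 2, 3, 9, 0)
    mail = [((base + timedelta(seconds=2 * i)).isoformat(), "alice@example.com",
             f"newsletter@shop{i}.example") for i in range(300)]
    mail += [((base + timedelta(minutes=5 * i)).isoformat(), "bob@example.com",
              f"colleague{i}@example.com") for i in range(6)]
    teams = [
        ((base + timedelta(minutes=50)).isoformat(), "alice@example.com",
         "michaelturner@itprotection-dept.example", "IT Protection Department"),
        ((base + timedelta(minutes=55)).isoformat(), "bob@example.com",
         "michaelturner@itprotection-dept.example", "IT Protection Department"),
        ((base + timedelta(hours=2)).isoformat(), "alice@example.com",
         "jane@trusted-partner.example", "Jane Doe"),
    ]
    return mail, teams


if __name__ == "__main__":
    mail, teams = build_sample_events()
    for alert in correlate(mail, teams):
        print(alert)
```

Run on the constructed data, only alice's contact fires: bob never received a flood, and the later message to alice comes from an allow-listed partner domain. The distinct-domain threshold is what separates a subscription bomb from a legitimate burst of mail from one system, and the trusted-partner list is the same verified set of external tenants the mitigation guidance asks administrators to maintain.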
According to eSentire’s 2026 Annual Cyber Threat Report, these attacks carried a 72% success rate, with activity increasing sharply between 2024 and 2025.
Groups including Scattered Spider, Payouts King, and UNC6692 have all been linked to variations of this technique.
The infrastructure behind these attacks is not improvised. Most malicious Teams messages originate from bulletproof hosting providers, including NKtelecom INC, WorkTitans B.V., Global Connectivity Solutions LLP, and GWY IT PTY LTD.
Single IP addresses have been observed targeting multiple organizations at the same time, pointing to organized, infrastructure-backed operations.
How the Attack Unfolds After Access Is Granted
Once remote access is established, the real damage begins. In several observed cases, attackers downloaded portable versions of WinSCP directly from its official website and used the tool to quietly move files off the compromised system.
WinSCP is a legitimate file transfer application, which makes it harder to flag through standard security controls. By using real, trusted software for malicious purposes, attackers reduce the chance of triggering immediate alerts.
In a separate incident, threat actors used Quick Assist to deliver a malicious ZIP file named Email-Deployment-Process-System.zip onto the target machine.
The archive contained a Java binary that executed a malicious Java application, followed by data theft. This approach shows how attackers layer techniques to bypass defenses.
They use trusted remote access tools for entry and legitimate-looking file names to avoid raising suspicion during delivery.
Security teams and employees can take several steps to reduce the risk from these attacks.
Microsoft Teams should be configured to restrict messages and calls from external organizations unless required for business operations, and any allowed external contacts should be limited to verified, trusted partners.
External collaboration policies should include sender notifications so users know when they are speaking with someone outside the organization.
Remote access tools such as Quick Assist, AnyDesk, and ConnectWise should be blocked by policy unless operationally needed. File transfer utilities like WinSCP, RClone, FileZilla, and MegaSync should also be restricted.
Employees must be trained to recognize these tactics and to verify any unexpected IT request through a secondary channel, such as calling the official helpdesk number, sending a direct email, or logging a ticket through an internal system.
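Where blocking the remote access and file transfer tools listed above is not possible, the post-access chain from the "How the Attack Unfolds" section (a remote-access tool starts, then a portable WinSCP or a Java payload runs from a user-writable folder) can still be caught in endpoint process telemetry. The following Python script is an added detection example, not code from the article or from eSentire; the executable names, the event fields and the sample events are assumed or constructed for the example.

```python
"""Detection example: flag the post-access chain of a remote-access tool
start followed by staged file-transfer tooling or a Java payload running from
a user-writable path on the same host. Events and executable names below are
constructed or assumed for this example, not taken from a real incident."""
import re
from datetime import datetime, timedelta

# Assumed executable names for the tools the article names.
REMOTE_ACCESS = {"quickassist.exe", "anydesk.exe", "screenconnect.clientservice.exe"}
TRANSFER_TOOLS = {"winscp.exe", "rclone.exe", "filezilla.exe", "megasync.exe"}
# Paths an ordinary user can write to; software launched from here was not
# installed by an administrator (e.g. a "portable" WinSCP in Downloads).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata|desktop)\\|\\temp\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def classify(event):
    """Label one process-creation event, or return None if it is uninteresting."""
    image = basename(event["image"]).lower()
    if image in REMOTE_ACCESS:
        return "remote_access"
    if image in TRANSFER_TOOLS:
        return "portable_transfer" if USER_WRITABLE.search(event["image"]) else "transfer"
    if image in ("java.exe", "javaw.exe") and USER_WRITABLE.search(event["cmdline"]):
        return "java_from_user_path"
    return None


def detect_chains(events, max_gap=timedelta(hours=4)):
    """Per host, remember the most recent remote-access tool launch and alert on
    any transfer tool or user-path Java process that starts within max_gap."""
    by_host = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(event["host"], []).append(event)
    alerts = []
    for host, host_events in by_host.items():
        session = None  # (start time, remote-access event)
        for event in host_events:
            kind = classify(event)
            started = datetime.fromisoformat(event["ts"])
            if kind == "remote_access":
                session = (started, event)
            elif kind and session and started - session[0] <= max_gap:
                alerts.append({
                    "host": host,
                    "user": event["user"],
                    "remote_tool": basename(session[1]["image"]),
                    "followed_by": kind,
                    "image": event["image"],
                    "minutes_after": int((started - session[0]).total_seconds() // 60),
                })
    return alerts


def sample_events():
    """Constructed process-creation events: one host shows the full chain,
    another runs an admin-installed WinSCP with no remote session at all."""
    day = "2026-02-03T"
    return [
        {"ts": day + "08:30:00", "host": "WS-017", "user": "alice",
         "image": r"C:\Program Files\Microsoft\Teams\ms-teams.exe", "cmdline": "ms-teams.exe"},
        {"ts": day + "09:58:00", "host": "WS-017", "user": "alice",
         "image": r"C:\Program Files\WindowsApps\<QuickAssistPackage>\QuickAssist.exe",
         "cmdline": "QuickAssist.exe"},
        {"ts": day + "10:12:00", "host": "WS-017", "user": "alice",
         "image": r"C:\Users\alice\Downloads\WinSCP-Portable\WinSCP.exe", "cmdline": "WinSCP.exe"},
        {"ts": day + "10:20:00", "host": "WS-017", "user": "alice",
         "image": r"C:\Program Files\Java\bin\java.exe",
         "cmdline": r"java.exe -jar C:\Users\alice\Downloads\Email-Deployment-Process-System\app.jar"},
        {"ts": day + "11:00:00", "host": "WS-042", "user": "bob",
         "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "cmdline": "WinSCP.exe"},
    ]


if __name__ == "__main__":
    for alert in detect_chains(sample_events()):
        print(alert)
```

On the constructed events WS-017 produces two alerts, the portable WinSCP 14 minutes after Quick Assist started and the Java payload 22 minutes after it, while bob's properly installed WinSCP on WS-042 stays silent because no remote-access session preceded it. The user-writable path check is what distinguishes the "portable versions downloaded from the official website" pattern from the same tool deployed by IT.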