Cybercriminals Exploit Microsoft Teams Features to Deploy Malware

Microsoft has recently issued a warning about the increasing misuse of Microsoft Teams by both cybercriminals and state-sponsored actors. The platform’s widespread adoption for collaboration has made it a prime target, with its core functionalities—messaging, calls, and screen-sharing—being weaponized for malicious activities.

Exploitation of Teams Features

Attackers are using Teams at every stage of the attack lifecycle, from initial reconnaissance through to final impact. This multi-stage approach trades on the platform's trusted status inside an organization to get into networks, steal data, and deploy malware.

The attack chain often begins with reconnaissance, where threat actors use open-source tools like TeamsEnum and TeamFiltration to enumerate users, groups, and tenants. They map organizational structures and look for weaknesses in the Teams configuration, such as permissive external access (federation) settings that let any other Microsoft 365 tenant message or call the organization's users.

Following reconnaissance, attackers may compromise legitimate tenants or create new ones, complete with custom branding, to impersonate trusted entities like IT support. This resource development stage sets the stage for initial access.

Initial Access and Social Engineering Tactics

Once a credible persona is established, attackers use social engineering to gain initial access. For instance, the threat actor Storm-1811 has posed as tech support offering to fix a fabricated email problem, and used that pretext to obtain access and deploy ransomware. Similarly, 3AM ransomware affiliates have flooded employees with junk email and then used Teams calls, posing as the people who can stop it, to convince them to grant remote access.

Malicious links and payloads are also delivered directly through Teams chats. Tools like AADInternals and TeamsPhisher, which can push messages and attachments to users in other tenants, have been used to distribute malware such as DarkGate.

Escalation and Lateral Movement

After gaining a foothold, threat actors focus on maintaining persistence and escalating privileges. They may add their own guest accounts, abuse the device code authentication flow (tricking a user into entering an attacker-generated code so that the resulting access and refresh tokens are issued to the attacker's session), or use phishing lures to deliver malware that ensures long-term access.
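Device code sign-ins are the one item in that list a defender can hunt for directly: the Entra ID sign-in log records the protocol used, and legitimate device code use (CLI tools, headless devices) is rare and predictable for most users. The following PowerShell is an added example and not part of Microsoft's write-up. The sign-in records are constructed for illustration but use the real sign-in log field names (authenticationProtocol, resourceDisplayName, status.errorCode); the known-IP baseline and the hypothetical Find-DeviceCodeSignIns function are the author's, and in a live tenant the records would come from Get-MgAuditLogSignIn or a Log Analytics export.

```powershell
# Constructed sample sign-in records (not real telemetry). Field names follow
# the Entra ID sign-in log schema as returned by the Microsoft Graph signIns API.
$sampleSignIns = @'
[
 {"createdDateTime":"2025-10-07T08:02:11Z","userPrincipalName":"alice@contoso.example",
  "ipAddress":"203.0.113.10","appDisplayName":"Microsoft Teams",
  "resourceDisplayName":"Microsoft Graph","authenticationProtocol":"none",
  "status":{"errorCode":0}},
 {"createdDateTime":"2025-10-07T08:41:53Z","userPrincipalName":"alice@contoso.example",
  "ipAddress":"198.51.100.77","appDisplayName":"Microsoft Azure CLI",
  "resourceDisplayName":"Microsoft Graph","authenticationProtocol":"deviceCode",
  "status":{"errorCode":0}},
 {"createdDateTime":"2025-10-07T09:15:20Z","userPrincipalName":"bob@contoso.example",
  "ipAddress":"203.0.113.22","appDisplayName":"Visual Studio Code",
  "resourceDisplayName":"Azure Key Vault","authenticationProtocol":"deviceCode",
  "status":{"errorCode":50199}},
 {"createdDateTime":"2025-10-07T09:30:00Z","userPrincipalName":"carol@contoso.example",
  "ipAddress":"203.0.113.30","appDisplayName":"Microsoft Teams",
  "resourceDisplayName":"Microsoft Teams Services","authenticationProtocol":"none",
  "status":{"errorCode":0}}
]
'@

# Constructed baseline of egress IPs each user normally signs in from; in
# practice derive it from 30+ days of successful sign-ins.
$knownIps = @{
    'alice@contoso.example' = @('203.0.113.10')
    'bob@contoso.example'   = @('203.0.113.22')
    'carol@contoso.example' = @('203.0.113.30')
}

function Find-DeviceCodeSignIns {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [hashtable] $KnownIps = @{}
    )
    foreach ($s in $SignIns) {
        # Only the device code flow is of interest here; everything else passes.
        if ($s.authenticationProtocol -ne 'deviceCode') { continue }

        # errorCode 0 means the flow completed and tokens were issued; any other
        # value means it did not (the sample value 50199 is constructed).
        $succeeded = ($s.status.errorCode -eq 0)
        $ipKnown   = $KnownIps.ContainsKey($s.userPrincipalName) -and
                     ($KnownIps[$s.userPrincipalName] -contains $s.ipAddress)

        # A completed device code flow from an address the user has never used is
        # the token-theft pattern: the victim entered the code on their own
        # machine, but the tokens were issued to wherever the flow was started.
        $severity = if (-not $succeeded) { 'Info' }
                    elseif (-not $ipKnown) { 'High' }
                    else { 'Medium' }

        [pscustomobject]@{
            Time      = $s.createdDateTime
            User      = $s.userPrincipalName
            Ip        = $s.ipAddress
            App       = $s.appDisplayName
            Resource  = $s.resourceDisplayName
            Succeeded = $succeeded
            NewIp     = -not $ipKnown
            Severity  = $severity
        }
    }
}

$alerts = Find-DeviceCodeSignIns -SignIns ($sampleSignIns | ConvertFrom-Json) -KnownIps $knownIps
$alerts | Sort-Object Time | Format-Table -AutoSize
```

On the constructed data this yields one High finding (alice, device code flow completed from an unfamiliar address against Microsoft Graph, which is exactly the token an attacker needs to read Teams chats and files) and one Info finding for bob's uncompleted flow. Successful device code sign-ins against Microsoft Graph from new addresses are worth an alert on their own; for the population of users who never use CLI tooling, a Conditional Access policy using the Authentication flows condition can block the device code flow outright.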

The financially motivated group Octo Tempest has been observed using aggressive social engineering over Teams to compromise Multi-Factor Authentication (MFA) for privileged accounts.

With elevated access, attackers begin discovery and lateral movement. They use tools like AzureHound to map the compromised organization’s Microsoft Entra ID configuration and search for valuable data. The state-sponsored actor Peach Sandstorm has used Teams to deliver malicious ZIP files and then explored on-premises Active Directory databases.

If an attacker gains admin access, they can change the tenant's external access (federation) settings to establish trust relationships with other organizations, including tenants the attacker controls, enabling lateral movement between tenants.
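The external access settings that reconnaissance tools probe for and that a compromised admin can later loosen are the same handful of tenant federation properties, so they are worth auditing on a schedule rather than once. The following PowerShell is an added example, not code from Microsoft's write-up: it reports the permissive settings and, with -Apply, replaces open federation with an explicit domain allow list. It assumes the MicrosoftTeams PowerShell module and an existing Connect-MicrosoftTeams session with Teams administrator rights; the partner domain names and the Test-TeamsFederationConfig and Set-TeamsFederationAllowList function names are placeholders chosen for this example, and the string form checked for AllowedDomains is an assumption about how the module renders the open-federation setting.

```powershell
# Added example: audit Teams external access (federation) for the permissive
# settings abused in the reconnaissance and tenant-trust stages, and optionally
# tighten them. Run without -Apply to report only.
param(
    [switch]   $Apply,
    [string[]] $PartnerDomains = @('partner-a.example', 'partner-b.example')  # placeholders
)

Import-Module MicrosoftTeams -ErrorAction Stop
# Connect-MicrosoftTeams must already have been run with a Teams admin account.

function Test-TeamsFederationConfig {
    $fed = Get-CsTenantFederationConfiguration
    $findings = @()

    # With open federation, AllowedDomains is the AllowAllKnownDomains object
    # (assumed to render with that name); with an allow list it carries
    # explicit AllowedDomain entries instead.
    $openFederation = $fed.AllowFederatedUsers -and
                      ("$($fed.AllowedDomains)" -match 'AllowAllKnownDomains')
    if ($openFederation) {
        $findings += 'Open federation: any Microsoft 365 tenant, including one an attacker just created, can chat with and call your users.'
    }
    if ($fed.AllowTeamsConsumer -or $fed.AllowTeamsConsumerInbound) {
        $findings += 'Personal (consumer) Teams accounts can reach users; these need no tenant at all.'
    }
    if ($fed.AllowPublicUsers) {
        $findings += 'Legacy Skype consumer access is still enabled.'
    }
    # Newer module versions expose a separate switch for trial tenants; skip the
    # check cleanly if this version does not have the property.
    $trial = $fed.PSObject.Properties['ExternalAccessWithTrialTenants']
    if ($trial -and $trial.Value -ne 'Blocked') {
        $findings += 'Trial tenants are not blocked; they are cheap to create and can be given custom branding.'
    }

    [pscustomobject]@{
        AllowFederatedUsers = $fed.AllowFederatedUsers
        AllowedDomains      = "$($fed.AllowedDomains)"
        AllowTeamsConsumer  = $fed.AllowTeamsConsumer
        Findings            = $findings
    }
}

function Set-TeamsFederationAllowList {
    param([Parameter(Mandatory)] [string[]] $Domains)
    $list = [System.Collections.Generic.List[string]]::new()
    foreach ($d in $Domains) { $list.Add($d.ToLowerInvariant()) }
    # Federation stays on, but only for the listed domains; consumer and Skype
    # access are switched off in the same call.
    Set-CsTenantFederationConfiguration -AllowedDomainsAsAList $list `
        -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false `
        -AllowPublicUsers $false
}

$report = Test-TeamsFederationConfig
$report | Format-List
if ($Apply -and $report.Findings.Count -gt 0) {
    Set-TeamsFederationAllowList -Domains $PartnerDomains
    # Re-read the configuration so the change is confirmed from the service, not assumed.
    Test-TeamsFederationConfig | Format-List
}
```

Because a compromised admin can undo this in one cmdlet call, the audit half is the part to schedule: diff the report against the last known-good output and treat any new domain in the allow list, or a flip back to open federation, as an incident signal rather than a configuration drift ticket.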

Final Stages: Data Exfiltration and Impact

The final stages of the attack involve collection, command and control (C2), exfiltration, and impact. Attackers use tools like GraphRunner to search and export sensitive conversations and files from Teams, OneDrive, and SharePoint.

Some tooling, such as a cracked version of Brute Ratel C4 (BRc4), is built to run its C2 channel over Teams itself, sending commands and receiving results through the platform's own messaging so that the traffic blends in with legitimate collaboration.

Data exfiltration can occur through Teams messages or shared links pointing to attacker-controlled cloud storage. The ultimate goal is often financial theft through extortion or ransomware. Octo Tempest, for instance, has used Teams to send threatening messages to pressure organizations into making payments after successfully gaining control of their systems.

Recommendations for Defense

In response to these threats, experts recommend a defense-in-depth strategy that maps directly onto the tactics above: hardening identity and access controls (restricting external access and guest invitations, and blocking the device code flow for users who do not need it), monitoring for anomalous activity within Teams such as unexpected tenant-setting changes and bulk exports of chats and files, and providing continuous security awareness training so that users treat an unsolicited "IT support" call over Teams with the same suspicion as a phishing email.