Microsoft has recently alerted users to a rising trend where both cybercriminals and state-sponsored actors are exploiting Microsoft Teams’ functionalities to execute sophisticated attack chains. The platform’s widespread use for collaboration makes it an attractive target, with its core features—messaging, calls, and screen-sharing—being weaponized for malicious activities.
Exploitation of Teams Features
Attackers are abusing Teams at every stage of the attack lifecycle, from initial reconnaissance to final impact. This multi-stage process exploits the platform’s trusted status to infiltrate networks, steal data, and deploy malware.
Initial Reconnaissance
The attack chain often begins with reconnaissance, where threat actors use open-source tools like TeamsEnum and TeamFiltration to enumerate users, groups, and tenants. They map organizational structures and identify security weaknesses, such as permissive external communication settings.
Resource Development
Following reconnaissance, attackers may compromise legitimate tenants or create new ones, complete with custom branding, to impersonate trusted entities like IT support.
Initial Access
Once they have established a credible persona, attackers move to initial access. This stage frequently involves social engineering tactics such as tech support scams. For example, the threat actor Storm-1811 has impersonated tech support to address fabricated email issues, using the pretext to deploy ransomware. Similarly, affiliates of the 3AM ransomware have flooded employees with junk email and then used Teams calls to convince them to grant remote access. Malicious links and payloads are also delivered directly through Teams chats, with tools like AADInternals and TeamsPhisher being used to distribute malware like DarkGate.
Escalation and Lateral Movement
After gaining a foothold, threat actors focus on maintaining persistence and escalating privileges. They may add their own guest accounts, abuse device code authentication flows to steal access tokens, or use phishing lures to deliver malware that ensures long-term access. The financially motivated group Octo Tempest has been observed using aggressive social engineering over Teams to compromise Multi-Factor Authentication (MFA) for privileged accounts.
With elevated access, attackers begin discovery and lateral movement. They use tools like AzureHound to map the compromised organization’s Microsoft Entra ID configuration and search for valuable data. The state-sponsored actor Peach Sandstorm has used Teams to deliver malicious ZIP files and then explored on-premises Active Directory databases. If an attacker gains admin access, they can alter external communication settings to establish trust relationships with other organizations, enabling lateral movement between tenants.
Final Stages: Collection, Command and Control, Exfiltration, and Impact
In the final stages of the attack, attackers use tools like GraphRunner to search and export sensitive conversations and files from Teams, OneDrive, and SharePoint. Some malware, like a cracked version of Brute Ratel C4 (BRc4), is designed to establish command and control (C2) channels using Teams’ own communication protocols to send and receive commands. Data exfiltration can occur through Teams messages or shared links pointing to attacker-controlled cloud storage. The ultimate goal is often financial theft through extortion or ransomware. Octo Tempest, for instance, has used Teams to send threatening messages to pressure organizations into making payments after successfully gaining control of their systems. This demonstrates how the platform can be abused not just as an entry vector, but as a tool for direct financial coercion.
Recommendations for Defense
In response, experts recommend a defense-in-depth strategy, focusing on hardening identity and access controls, monitoring for anomalous activity within Teams, and providing continuous security awareness training to users.
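The techniques described above (attackers adding their own guest accounts, abusing device code sign-ins for privileged users, changing external communication settings, and flooding employees with messages from an impersonation tenant) all leave traces in tenant audit and sign-in logs, which is what the "monitoring for anomalous activity" recommendation comes down to in practice. The following is an added illustration, not code from Microsoft or from the report: it runs simple detection rules over a constructed, simplified event schema (the field names, operation names and sample records are assumptions, not Microsoft's real audit-log format) and shows how each of those behaviours maps to a concrete alert.

```python
"""Toy triage of Teams / Entra-style audit events (added example).

The event schema, operation names and sample records below are constructed
for illustration; they are not Microsoft's real audit-log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed role names and allow-list for this example only.
PRIVILEGED_ROLES = {"GlobalAdministrator", "TeamsAdministrator"}
KNOWN_ADMINS = {"it-admin@contoso.example"}
FLOOD_THRESHOLD = 5            # external messages from one sender ...
FLOOD_WINDOW = timedelta(minutes=10)   # ... within this window is a flood

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "op": "GuestUserAdded",
     "actor": "it-admin@contoso.example", "target": "vendor@partner.example", "roles": []},
    {"ts": "2024-05-01T09:05:00", "op": "GuestUserAdded",
     "actor": "jdoe@contoso.example", "target": "helpdesk@attacker-tenant.example", "roles": []},
    {"ts": "2024-05-01T09:10:00", "op": "FederationConfigChanged",
     "actor": "jdoe@contoso.example", "target": "AllowedDomains:*", "roles": []},
    {"ts": "2024-05-01T09:12:00", "op": "SignIn",
     "actor": "ceo@contoso.example", "target": "DeviceCodeFlow", "roles": ["GlobalAdministrator"]},
    {"ts": "2024-05-01T09:13:00", "op": "SignIn",
     "actor": "jdoe@contoso.example", "target": "Browser", "roles": []},
] + [
    # Six messages in six minutes from an external "help desk" persona.
    {"ts": f"2024-05-01T09:{20 + i:02d}:00", "op": "TeamsMessage",
     "actor": "support@helpdesk-fake.example", "target": f"user{i}@contoso.example",
     "roles": [], "external": True}
    for i in range(6)
]


def check_event(event):
    """Return an alert reason for a single event, or None if it looks benign."""
    op = event["op"]
    # Guest accounts should only be added by the expected administrators.
    if op == "GuestUserAdded" and event["actor"] not in KNOWN_ADMINS:
        return "guest added by non-admin"
    # Any change to external access / federation settings is worth a review.
    if op == "FederationConfigChanged":
        return "external access settings changed"
    # Device code sign-ins for privileged accounts are a known abuse path.
    if (op == "SignIn" and event["target"] == "DeviceCodeFlow"
            and set(event.get("roles", [])) & PRIVILEGED_ROLES):
        return "device code sign-in by privileged account"
    return None


def find_message_floods(events):
    """Return external senders that exceed FLOOD_THRESHOLD messages in FLOOD_WINDOW."""
    by_sender = defaultdict(list)
    for e in events:
        if e["op"] == "TeamsMessage" and e.get("external"):
            by_sender[e["actor"]].append(datetime.fromisoformat(e["ts"]))
    flooders = []
    for sender, times in by_sender.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > FLOOD_WINDOW:
                start += 1
            if end - start + 1 >= FLOOD_THRESHOLD:
                flooders.append(sender)
                break
    return flooders


def triage(events):
    """Run all rules and return a list of (actor, reason) alerts."""
    alerts = [(e["actor"], reason) for e in events if (reason := check_event(e))]
    for sender in find_message_floods(events):
        alerts.append((sender, "external message flood"))
    return alerts


if __name__ == "__main__":
    for actor, reason in triage(SAMPLE_EVENTS):
        print(f"ALERT {reason}: {actor}")
```

On the constructed sample the first guest addition (by the known admin) is ignored, while the guest added by a regular user, the federation change, the privileged device code sign-in and the six-message burst from the external sender each produce one alert. In a real deployment the rules would be fed from the tenant's actual audit and sign-in exports and the allow-list and thresholds tuned to the organisation.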