Cybercriminals Exploit Microsoft Teams to Impersonate IT Support and Deploy Malware
In a concerning development, cybercriminals are increasingly exploiting Microsoft Teams’ collaboration features to impersonate IT helpdesk staff, facilitating unauthorized access and malware deployment. This tactic leverages the platform’s external communication capabilities, allowing attackers to bypass traditional email security measures and directly engage with organizational users.
The Attack Methodology
The attack typically begins with an unsolicited message or call from an external Teams account, where the attacker poses as a member of the organization’s IT support team. Utilizing social engineering techniques, the attacker convinces the victim to execute specific commands, approve remote access sessions, or install Remote Monitoring and Management (RMM) tools such as Quick Assist. Since these interactions occur within a trusted collaboration platform, they often evade conventional phishing defenses.
Microsoft’s Detection and Response Team (DART) has documented such campaigns since November 2025, noting their prevalence across multiple enterprise environments. Notably, affiliates of the Black Basta ransomware group have been observed employing this technique, combining Teams impersonation with credential theft tools like EvilProxy and SystemBC to establish persistence within targeted networks.
Utilizing Unified Audit Logs for Detection
To combat these sophisticated attacks, security researchers emphasize the importance of leveraging the Microsoft 365 Unified Audit Log (UAL) as a forensic tool. The `CallParticipantDetail` operation within the UAL records critical information, including participant identities, timestamps, connection metadata, and indicators of external or federated access. However, the schema of these logs can vary by tenant and ingestion path, necessitating validation by analysts before developing automated detection mechanisms.
The `ChatCreated` event is not a reliable indicator of Teams client activity; its absence does not confirm that a chat did not occur. Audit records typically become available within 60 to 90 minutes, with a default retention period of 180 days. To reconstruct a comprehensive attack timeline, investigators should correlate `CallParticipantDetail` with related events such as `MessageSent` and `MessageCreatedHasLink`, and with endpoint telemetry. Standard UAL queries do not return message body content; Microsoft eDiscovery and Content Search workflows are required for that.
Recommended Defensive Measures
To mitigate the risks associated with these attacks, organizations are advised to implement the following measures:
– Restrict External Teams Federation: Limit cross-tenant communication to users or groups with a documented business need.
– Triage First-Contact External Activity: Treat any unsolicited external Teams call or message, especially those followed by URL sharing, Quick Assist launches, or script execution, as potential indicators of vishing attempts.
– Leverage UAL for Visibility: Use `Search-UnifiedAuditLog` with `-RecordType MicrosoftTeams` and combine the results with endpoint telemetry to gain a comprehensive view of the attack chain.
– Monitor Enrichment Signals: Review events such as `TeamsImpersonationDetected` and `SecurityRiskInCallDetected` as supplementary indicators of potential threats.
– Block Quick Assist and Similar Tools: Implement policies to prevent the use of RMM tools that could be exploited by attackers to gain unauthorized access.
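The following Python is an added example (not code from the article, from Microsoft DART, or from any vendor) that implements the correlation described in the UAL section and the first-contact triage rule from the list above: it walks exported UAL rows in time order, flags the first `CallParticipantDetail` between an external (federated) identity and an internal user, and then checks whether a `MessageCreatedHasLink` message or a Quick Assist process start follows within a short window. The UAL rows and endpoint events are constructed samples; the keys inside `AuditData` (`Participants`, `ParticipantInfo.HasForeignTenantUsers`), the `corp.example` domain and the 30-minute window are assumptions for illustration and, as the article notes, must be validated against the records your own tenant actually produces.

```python
import json
from datetime import datetime, timedelta, timezone

INTERNAL_DOMAIN = "corp.example"          # assumption: the organisation's own UPN domain
WINDOW = timedelta(minutes=30)            # assumption: follow-up window after the first external call
FOLLOW_UP_OPS = {"MessageCreatedHasLink", "MessageSent"}
RMM_PROCESSES = {"quickassist.exe"}       # extend with other RMM binaries your policy blocks

# Constructed rows in the shape Search-UnifiedAuditLog returns (AuditData is a JSON
# string). The field names inside AuditData are ASSUMED; confirm them in your tenant.
def _row(ts, op, user, participants, foreign):
    data = {"Operation": op, "UserId": user, "CreationTime": ts,
            "Participants": participants,
            "ParticipantInfo": {"HasForeignTenantUsers": foreign}}
    return {"CreationDate": ts, "Operations": op, "UserIds": user,
            "AuditData": json.dumps(data)}

SAMPLE_UAL = [
    _row("2025-11-12T09:02:00Z", "CallParticipantDetail", "alice@corp.example",
         ["alice@corp.example", "helpdesk@attacker-tenant.example"], True),
    _row("2025-11-12T09:11:00Z", "MessageCreatedHasLink", "helpdesk@attacker-tenant.example",
         ["alice@corp.example", "helpdesk@attacker-tenant.example"], True),
    # benign: an internal-only call with no federated participant
    _row("2025-11-12T10:00:00Z", "CallParticipantDetail", "bob@corp.example",
         ["bob@corp.example", "carol@corp.example"], False),
]

# Constructed endpoint telemetry, e.g. a process-creation feed from an EDR.
SAMPLE_ENDPOINT = [
    {"time": "2025-11-12T09:15:00Z", "user": "alice@corp.example", "process": "QuickAssist.exe"},
    {"time": "2025-11-12T10:05:00Z", "user": "bob@corp.example", "process": "outlook.exe"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_ual(rows):
    """Decode AuditData for each row, attach a parsed timestamp, sort by time."""
    events = []
    for row in rows:
        data = json.loads(row["AuditData"])
        data["_time"] = _ts(data.get("CreationTime") or row["CreationDate"])
        events.append(data)
    return sorted(events, key=lambda e: e["_time"])


def _is_internal(upn):
    return upn.lower().endswith("@" + INTERNAL_DOMAIN)


def _pairs(event):
    """All (external identity, internal user) pairs present in one event."""
    parts = event.get("Participants", [])
    ext = [p for p in parts if not _is_internal(p)]
    internal = [p for p in parts if _is_internal(p)]
    return {(e, i) for e in ext for i in internal}


def find_first_contact_vishing(ual_rows, endpoint_rows):
    """Flag first-contact external calls and grade them by what follows.

    Absence of ChatCreated is deliberately not used as evidence of anything;
    only positive signals (a call, a link message, an RMM launch) raise severity.
    """
    events = parse_ual(ual_rows)
    endpoint = [dict(e, _time=_ts(e["time"])) for e in endpoint_rows]
    seen = set()      # (external, internal) pairs already in contact before this point
    findings = []
    for idx, ev in enumerate(events):
        is_external_call = (ev.get("Operation") == "CallParticipantDetail"
                            and ev.get("ParticipantInfo", {}).get("HasForeignTenantUsers"))
        if is_external_call:
            deadline = ev["_time"] + WINDOW
            for ext, internal in sorted(_pairs(ev) - seen):
                later = [e for e in events[idx + 1:]
                         if ev["_time"] < e["_time"] <= deadline and (ext, internal) in _pairs(e)]
                link_shared = any(e["Operation"] == "MessageCreatedHasLink" for e in later)
                messages_after = sum(e["Operation"] in FOLLOW_UP_OPS for e in later)
                rmm_launched = any(e["user"].lower() == internal.lower()
                                   and e["process"].lower() in RMM_PROCESSES
                                   and ev["_time"] < e["_time"] <= deadline for e in endpoint)
                severity = "high" if rmm_launched else "medium" if link_shared else "low"
                findings.append({"user": internal, "external": ext,
                                 "first_contact": ev["CreationTime"],
                                 "messages_after": messages_after,
                                 "link_shared": link_shared,
                                 "rmm_launched": rmm_launched,
                                 "severity": severity})
        seen |= _pairs(ev)
    return findings


if __name__ == "__main__":
    for f in find_first_contact_vishing(SAMPLE_UAL, SAMPLE_ENDPOINT):
        print(json.dumps(f))
```

In practice the UAL rows would come from `Search-UnifiedAuditLog -RecordType MicrosoftTeams` exported to JSON, and the endpoint rows from whatever process-creation source the SOC already has; the grading is intentionally conservative (a lone external call is only "low") because the audit records lag by an hour or more, so the link and RMM signals may arrive after the call has already been triaged.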
By adopting these proactive measures, organizations can enhance their defenses against the evolving threat landscape targeting collaboration platforms like Microsoft Teams.