Microsoft Teams used in Phishing Attacks

Ransomware Gangs Impersonate IT Support on Microsoft Teams

Ransomware campaigns have recently taken a new turn by moving beyond traditional email-based phishing to target collaboration platforms such as Microsoft Teams.
In these attacks, threat actors pose as internal IT support staff, exploiting the trust employees place in corporate messaging tools. By masquerading as legitimate support personnel, attackers can more easily convince users to install ransomware payloads or disclose sensitive information, granting criminals a foothold in an organization’s environment.
This article explores the technical mechanisms behind these attacks, their potential impact, and the security measures that organizations can put in place to defend themselves.

Targeting Microsoft Teams for Social Engineering

Microsoft Teams serves as a central hub for chat, video conferencing, and file sharing in many modern workplaces. Its popularity makes it an attractive target for cybercriminals who rely heavily on social engineering. Employees often assume that anything arriving in Teams has already passed the company's security checks, an assumption that does not hold for messages from other tenants or from a compromised colleague. Threat actors take advantage of this perception by creating accounts (typically in a tenant they control, which can still reach the victim's users when Teams external access is left open to any domain) or taking over existing ones, and giving them display names such as "IT Support," "Help Desk," or "Security." They then send direct messages to employees asking them to install "updates" or "patches," which are in fact malicious files or links.

Typically, attackers obtain Microsoft 365 (M365) or Microsoft Entra ID (formerly Azure Active Directory) credentials by buying them on underground marketplaces, running password-spraying attacks, or exploiting vulnerabilities. With valid credentials, an attacker can change the display name of the compromised account (or, in a tenant they control, simply create an account with the name they want) and start chats with employees; the compromised internal account is the more convincing of the two, because its messages carry no external-sender label. If a user downloads and opens a malicious file sent through such a chat, the attacker gains code execution on the endpoint and can deploy ransomware or other malware to compromise the organization's network.
Microsoft: Phishing Attacks Using Microsoft 365
CISA Insights on Phishing Tactics

Ransomware Deployment Strategies

Once a user interacts with a malicious link or attachment, attackers generally follow a multi-stage process:
First, the payload, whether delivered as an executable, a script-based dropper, or a macro-embedded Office document, runs on the employee's device and gives the attacker an initial foothold. From there, they aim to escalate privileges, seeking domain administrator accounts or other high-value credentials. Lateral movement typically involves scanning the network for critical servers and backup systems, often with built-in tools such as PowerShell and remote management utilities so that the activity blends in with legitimate administration.
Before encrypting files, many attackers exfiltrate sensitive data, employing “double extortion” tactics to pressure victims into paying. Ransomware such as LockBit, BlackCat, and Royal can appear in these campaigns, although the specific variant can change frequently as threat actors tailor payloads to avoid detection.
MITRE ATT&CK: Ransomware
CISA Ransomware Guide

Indicators of Compromise (IoCs)

Detecting ongoing Teams-based ransomware attacks can be challenging, as the initial communication appears to come from a legitimate internal user. Nonetheless, certain warning signs can alert security teams to possible compromise. Unusual logins, especially from unknown regions or unfamiliar devices, may indicate credential theft. Newly created Teams users, display names changed to mimic IT staff, and chats from external tenants whose sender is named after an internal function are all cause for scrutiny, particularly when no corresponding change was requested through the directory or HR process.

If employees report receiving direct messages with urgent calls to action, such as installing "critical patches" or "validating accounts," especially when no official IT announcement has been made, this should trigger an immediate security review. Monitoring logs for unexpected file transfers, spikes in network usage, or abnormal sign-in activity can also help identify attacks in progress; the Microsoft 365 unified audit log records Teams chat, file, and user-management events that can be correlated with Entra ID sign-in logs.
Additional references regarding suspicious activity detection:
Microsoft 365 Threat Hunting Guidance
SANS Institute: Detecting Advanced Persistence
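The following is an added example, not code from the original article, showing the three detections above as rules over a handful of constructed log records: a sign-in from outside a user's baseline countries, a display name changed to something support-like, and a chat that combines a support-like sender name, urgency language, and a link or attachment. The record layout, field names, regexes, and the one-hour rename-to-chat correlation window are this example's own simplifications and assumptions, not the Office 365 Management Activity API or Entra sign-in schema.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified, flattened shape. This is not the
# exact Office 365 Management Activity API or Entra sign-in log schema; the
# field names below are this example's own.
EVENTS = [
    {"ts": "2024-05-02T08:01:00Z", "kind": "signin", "user": "alice@contoso.example",
     "country": "GB", "result": "Success"},
    {"ts": "2024-05-02T08:03:00Z", "kind": "signin", "user": "alice@contoso.example",
     "country": "NG", "result": "Success"},  # outside alice's usual geography
    {"ts": "2024-05-02T08:05:00Z", "kind": "user_update", "target": "alice@contoso.example",
     "field": "DisplayName", "old": "Alice Jones", "new": "IT Support"},
    {"ts": "2024-05-02T08:10:00Z", "kind": "teams_message", "sender": "alice@contoso.example",
     "sender_display": "IT Support", "sender_tenant": "internal", "recipient": "bob@contoso.example",
     "text": "URGENT: a critical patch is required, install it now: https://example.invalid/patch.exe"},
    {"ts": "2024-05-02T09:00:00Z", "kind": "teams_message", "sender": "helpdesk@evil.example",
     "sender_display": "Help Desk", "sender_tenant": "external", "recipient": "carol@contoso.example",
     "text": "Please verify your account today or it will be suspended. Open the attached file."},
    {"ts": "2024-05-02T09:30:00Z", "kind": "teams_message", "sender": "dave@contoso.example",
     "sender_display": "Dave Lee", "sender_tenant": "internal", "recipient": "carol@contoso.example",
     "text": "Lunch at 12?"},
]

# Countries each user normally signs in from (constructed baseline; in practice
# derived from the last 30-90 days of successful sign-ins).
BASELINE_COUNTRIES = {"alice@contoso.example": {"GB"}}

# Display names that look like internal support. Tune per tenant; "Security"
# alone will also match a legitimate department.
SUPPORT_NAME = re.compile(r"\b(?:it\s*support|help\s*desk|service\s*desk|security(?:\s+team)?)\b", re.I)
URGENCY = re.compile(r"\b(?:urgent(?:ly)?|immediately|right now|critical|suspended|verify|validate|patch|update)\b", re.I)
DELIVERY = re.compile(r"https?://\S+|\.(?:exe|msi|zip|iso|lnk|hta|js)\b|\battach(?:ed|ment)?\b", re.I)
RENAME_WINDOW = timedelta(hours=1)  # assumed correlation window, not a Microsoft default


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def lure_reasons(event):
    """Independent signals that a chat looks like an IT-support lure."""
    reasons = []
    if SUPPORT_NAME.search(event["sender_display"]):
        reasons.append("support-like display name")
    if event["sender_tenant"] == "external":
        reasons.append("sender from external tenant")
    if URGENCY.search(event["text"]):
        reasons.append("urgency language")
    if DELIVERY.search(event["text"]):
        reasons.append("link or file delivery")
    return reasons


def detect(events, baseline_countries):
    """Run the three detections over time-ordered events and correlate a
    display-name change with chats the renamed account sends soon afterwards."""
    alerts = []
    renamed_at = {}  # account -> time its display name became support-like
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["kind"] == "signin" and e["result"] == "Success":
            known = baseline_countries.get(e["user"])
            if known and e["country"] not in known:
                alerts.append({"rule": "unusual_signin_country", "user": e["user"], "ts": e["ts"],
                               "severity": "medium",
                               "evidence": f"sign-in from {e['country']}, usual {sorted(known)}"})
        elif e["kind"] == "user_update" and e["field"] == "DisplayName" and SUPPORT_NAME.search(e["new"]):
            renamed_at[e["target"]] = parse_ts(e["ts"])
            alerts.append({"rule": "support_name_assumed", "user": e["target"], "ts": e["ts"],
                           "severity": "medium", "evidence": f"{e['old']!r} -> {e['new']!r}"})
        elif e["kind"] == "teams_message":
            reasons = lure_reasons(e)
            if len(reasons) < 3:
                continue  # a single signal (e.g. one urgent word) is too noisy on its own
            t = renamed_at.get(e["sender"])
            recently_renamed = t is not None and parse_ts(e["ts"]) - t <= RENAME_WINDOW
            alerts.append({"rule": "suspicious_support_lure", "user": e["sender"], "ts": e["ts"],
                           "severity": "high" if recently_renamed else "medium",
                           "evidence": "; ".join(reasons)
                           + ("; sent within an hour of a rename" if recently_renamed else "")})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS, BASELINE_COUNTRIES):
        print(f"[{a['severity']}] {a['rule']:<25} {a['user']:<28} {a['ts']}  {a['evidence']}")
```

Requiring three of the four lure signals keeps a single urgent word from a real colleague out of the alert queue, while the rename-to-chat correlation is what separates a hijacked account playing "IT Support" from a long-standing help desk mailbox; the regex lists are starting points that each tenant will need to tune against its own naming conventions.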

Consequences and Impact on Organizations

Organizations hit by ransomware face a range of consequences, from immediate operational disruption to long-term reputational damage. Encrypted servers and databases can halt critical processes, crippling productivity and revenue generation. In some cases, victim organizations opt to pay ransoms in the hope of quickly restoring operations, but there is no guarantee of a full recovery—even after payment.

Meanwhile, data exfiltration can expose proprietary information, customer records, or personal data, raising the spectre of regulatory fines under frameworks like GDPR, HIPAA, or CCPA. Additionally, the erosion of trust among partners, investors, and clients can take a toll on the organization’s public image. Managing these cascading effects often involves incident response teams, legal counsel, insurance providers, and public relations specialists, which can all add to the financial strain.
For insights into the legal and financial implications of ransomware breaches, consult:
Ponemon Institute Cost of Data Breach Report
ENISA Threat Landscape

Defensive Measures and Best Practices

To mitigate the risks posed by Teams-based ransomware attacks, organizations should consider a multi-layered security approach that addresses identity management, threat detection, and user awareness.

Enforcing multi-factor authentication (MFA) across all Microsoft 365 accounts is an essential step, and phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business) are preferable to push approvals, which attackers can wear down through repeated prompts. MFA makes it significantly harder for attackers to use purchased or sprayed credentials. Coupling MFA with conditional access policies, such as restricting logins to company-managed devices or certain geolocations, further limits the attacker's ability to move freely within the environment. Note that MFA protects only against the compromised-account variant of this attack: an attacker chatting from a tenant they control never authenticates to your directory at all, which is why governance of Teams itself matters just as much.

Close governance of Microsoft Teams is also critical. Administrators should restrict Teams external access (federation) to an explicit allow list of partner domains rather than the default of accepting chats from any tenant, disable or limit guest accounts if they are not required for business operations, and regularly audit who can create new teams or channels and who can change display names. Monitoring Teams activity, such as file sharing, chats from external tenants, and display-name changes, helps detect suspicious or anomalous behaviour early in the attack cycle.
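As an added example (not code from the original article), the snippet below models the external-access decision and the guest audit described above: it evaluates the same constructed inbound chats against an open-federation setting, a block-list setting, and an allow-list setting, and flags guest accounts that are stale or carry a support-like display name. The dictionary shape mirrors the three knobs an administrator sets for Teams external access (federation on or off, allowed domains, blocked domains) but is this example's own, not Microsoft's schema; the chats, guests, domains, and 90-day staleness threshold are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed tenant external-access settings. The keys mirror the three knobs an
# admin sets for Teams external access, but the dict shape is this example's own.
OPEN_FEDERATION = {"allow_federated_users": True, "allowed_domains": [], "blocked_domains": []}
BLOCK_LIST_ONLY = {"allow_federated_users": True, "allowed_domains": [],
                   "blocked_domains": ["known-bad.example"]}
ALLOW_LIST_ONLY = {"allow_federated_users": True,
                   "allowed_domains": ["partner.example", "msp.example"], "blocked_domains": []}

SUPPORT_LIKE = re.compile(r"\b(?:it\s*support|help\s*desk|service\s*desk|security(?:\s+team)?)\b", re.I)


def inbound_allowed(config, sender_domain):
    """Whether a chat from an external tenant's domain reaches this tenant's users.
    A non-empty allow list is authoritative; with an empty allow list, everything
    not explicitly blocked gets through, which is the setting attackers count on."""
    if not config["allow_federated_users"]:
        return False
    domain = sender_domain.lower()
    allowed = {d.lower() for d in config["allowed_domains"]}
    if allowed:
        return domain in allowed
    return domain not in {d.lower() for d in config["blocked_domains"]}


# Constructed inbound chat attempts from external tenants.
INBOUND = [
    {"sender": "helpdesk@ticket-support.example", "display": "IT Support"},
    {"sender": "alice@partner.example", "display": "Alice Partner"},
    {"sender": "sec@m365-security.example", "display": "Security Team"},
]


def evaluate_inbound(config, chats):
    """Split chats into delivered and blocked under a setting, and list delivered
    senders whose display name impersonates internal support."""
    delivered, blocked, impersonating = [], [], []
    for c in chats:
        domain = c["sender"].rsplit("@", 1)[1]
        if inbound_allowed(config, domain):
            delivered.append(c["sender"])
            if SUPPORT_LIKE.search(c["display"]):
                impersonating.append(c["sender"])
        else:
            blocked.append(c["sender"])
    return delivered, blocked, impersonating


# Constructed guest-account inventory (dates are YYYY-MM-DD).
GUESTS = [
    {"upn": "ann_vendor#EXT#@contoso.example", "display": "Ann Vendor", "last_signin": "2024-04-28"},
    {"upn": "hd_ext#EXT#@contoso.example", "display": "Help Desk", "last_signin": "2024-05-01"},
    {"upn": "old_contractor#EXT#@contoso.example", "display": "Old Contractor", "last_signin": "2023-11-15"},
]


def audit_guests(guests, today, stale_days=90):
    """Flag guests idle for longer than stale_days (an assumed threshold) and guests
    whose display name looks like internal support staff. today is YYYY-MM-DD."""
    now = datetime.strptime(today, "%Y-%m-%d")
    findings = []
    for g in guests:
        idle = now - datetime.strptime(g["last_signin"], "%Y-%m-%d")
        if idle > timedelta(days=stale_days):
            findings.append((g["upn"], f"stale guest: no sign-in for {idle.days} days"))
        if SUPPORT_LIKE.search(g["display"]):
            findings.append((g["upn"], "guest display name impersonates internal support"))
    return findings


if __name__ == "__main__":
    for name, cfg in [("open federation", OPEN_FEDERATION), ("block list only", BLOCK_LIST_ONLY),
                      ("allow list only", ALLOW_LIST_ONLY)]:
        delivered, blocked, impersonating = evaluate_inbound(cfg, INBOUND)
        print(f"{name:<16} delivered={len(delivered)} blocked={len(blocked)} impersonating={impersonating}")
    for upn, finding in audit_guests(GUESTS, "2024-05-02"):
        print(f"{upn}: {finding}")
```

The point the comparison makes is that a block list only stops domains you already know about, so the two fake support tenants sail through under both the open and block-list settings, while the allow list delivers only the partner and needs no knowledge of the attacker's domain; the guest audit catches the other route in, a guest account renamed to look like the help desk.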

Beyond technical controls, security awareness training is vital. Users should be taught to question unexpected messages, even within internal channels, and to validate urgent requests for software updates with known IT representatives or via officially sanctioned communication channels. Regular phishing simulations that incorporate Teams scenarios, rather than email alone, can foster employee vigilance.

In the event of an intrusion, a robust incident response plan can reduce the time to detection and containment. This plan should include workflows for isolating impacted systems, investigating and resetting compromised accounts (including revoking their active sessions and tokens), and restoring services from clean backups. Maintaining encrypted, offline or immutable backups that cannot be reached with the credentials an attacker has captured, and testing restores regularly, is often the most reliable way to recover data without paying a ransom.
For official Microsoft guidance on Teams security, refer to:
Microsoft Teams Security and Compliance Overview
Microsoft 365 Incident Response Documentation

Final Thoughts

By impersonating IT support teams on Microsoft Teams, ransomware operators have found yet another way to bypass the scepticism that often accompanies unsolicited emails. Their exploitation of trusted internal channels is a reminder that no communication platform, no matter how reputable, can be considered intrinsically safe.
Staying ahead of these threats demands comprehensive security strategies that unite technical tools with user awareness. Strong authentication, continuous monitoring, and an informed workforce remain the best defences against increasingly sophisticated social engineering and ransomware campaigns. Adopting these practices empowers organizations to protect vital systems and data, ensuring that collaboration platforms can remain a force for productivity rather than a point of vulnerability.

Stay safe, stay ahead.