Ethical Hacking News
Cybersecurity researchers have sounded the alarm about a growing trend of threat actors leveraging Microsoft Teams for phishing campaigns, a development that marks a significant escalation in the platform's role as a vector for malware deployment and a reminder that even the most trusted and deeply embedded tools can be turned against the enterprises that rely on them.
In brief: threat actors are using Teams direct messages and calls, rather than email, to reach targets, which sidesteps email-centric defenses. The campaigns aim to talk victims into installing remote access software so the attacker can take control of the machine and deliver malware. Because the lures mimic routine IT or help desk contact, they rarely raise suspicion. Organizations should monitor Teams audit logs, enrich those signals with context, and train users to spot IT/help desk impersonation. Separately, a new malvertising campaign chains legitimate office[.]com links through Active Directory Federation Services (ADFS) to land users on Microsoft 365 phishing pages, which defeats detections based on the clicked URL alone.
In recent months, multiple reports have described threat actors using Microsoft Teams to send direct messages or initiate calls to targets while impersonating IT help desk staff or other trusted contacts. The goal is to talk the victim into installing or launching remote access software such as AnyDesk, DWAgent, or Quick Assist, seize control of the machine, and deliver malware. Note that Quick Assist ships with Windows, so its mere presence is not an indicator; the signal is an unsolicited remote session started at the request of an outside contact.
The tactics used in these campaigns are tailored to appear routine and unremarkable, typically framed as IT assistance related to Teams performance, system maintenance, or general technical support. These scenarios are designed to blend into the background of everyday corporate communication, making them less likely to trigger suspicion.
Experts warn that Microsoft Teams phishing is an active and evolving threat that bypasses traditional email defenses and exploits the trust placed in collaboration tools. To mitigate it, organizations should monitor the Teams operations recorded in the Microsoft 365 unified audit log, in particular ChatCreated and MessageSent, enrich those events with context (whether the sender is external to the tenant, what display name they presented, how many employees they contacted in a short window), and train users to recognize IT/help desk impersonation and to verify unexpected support contact through a known channel.
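One way to put the ChatCreated/MessageSent advice into practice, as an added example that is not code from the article or from Hunters or Permiso: the script below triages Teams records exported from the Microsoft 365 unified audit log. It treats any sender outside the organization's own domains as external, scores a help-desk-style display name and a burst of new chats to several employees as lure and spray signals, and returns the senders worth an analyst's time. The field names (Operation, UserId, CommunicationType, ParticipantInfo.HasForeignTenantUsers, Members with DisplayName and UPN) follow the Teams audit schema as I know it but should be checked against your own tenant's export; the domain contoso.com, the thresholds and every log record are constructed for the example.

```python
"""Triage Microsoft Teams audit records for IT/help desk impersonation.

Added example: not code from the article, Hunters or Permiso. Field names follow
the Microsoft 365 unified audit log's Teams schema as understood here (assumption:
check them against a real export). All records, domains and thresholds are
constructed for illustration.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"contoso.com"}       # assumption: the organization's own verified domains
SPRAY_WINDOW = timedelta(minutes=10)     # look-back for counting distinct internal targets
SPRAY_THRESHOLD = 3                      # distinct employees contacted inside the window
WEIGHTS = {"cross-tenant": 1, "helpdesk-lure": 3, "spray": 3}
ALERT_SCORE = 4                          # cross-tenant alone (partners, vendors) stays below this

# Words that recur in help desk lures; extend from your own incidents.
LURE = re.compile(r"help ?desk|it[ -]?support|service desk|support team|"
                  r"teams (?:issue|performance)|maintenance", re.I)

# Constructed audit records, one JSON object per line, in the shape of Teams entries.
SAMPLE_LOG = r"""
{"CreationTime":"2025-08-28T09:00:05","Operation":"ChatCreated","UserId":"it-helpdesk@outlook.com","CommunicationType":"OneOnOne","ChatThreadId":"19:a1@unq.gbl.spaces","ParticipantInfo":{"HasForeignTenantUsers":true,"ParticipatingDomains":["outlook.com","contoso.com"]},"Members":[{"DisplayName":"IT Help Desk","UPN":"it-helpdesk@outlook.com"},{"DisplayName":"Alice Ng","UPN":"alice@contoso.com"}]}
{"CreationTime":"2025-08-28T09:00:07","Operation":"MessageSent","UserId":"it-helpdesk@outlook.com","CommunicationType":"OneOnOne","ChatThreadId":"19:a1@unq.gbl.spaces","ParticipantInfo":{"HasForeignTenantUsers":true,"ParticipatingDomains":["outlook.com","contoso.com"]},"Members":[{"DisplayName":"IT Help Desk","UPN":"it-helpdesk@outlook.com"},{"DisplayName":"Alice Ng","UPN":"alice@contoso.com"}]}
{"CreationTime":"2025-08-28T09:03:10","Operation":"ChatCreated","UserId":"it-helpdesk@outlook.com","CommunicationType":"OneOnOne","ChatThreadId":"19:b2@unq.gbl.spaces","ParticipantInfo":{"HasForeignTenantUsers":true,"ParticipatingDomains":["outlook.com","contoso.com"]},"Members":[{"DisplayName":"IT Help Desk","UPN":"it-helpdesk@outlook.com"},{"DisplayName":"Bob Reyes","UPN":"bob@contoso.com"}]}
{"CreationTime":"2025-08-28T09:05:40","Operation":"ChatCreated","UserId":"it-helpdesk@outlook.com","CommunicationType":"OneOnOne","ChatThreadId":"19:c3@unq.gbl.spaces","ParticipantInfo":{"HasForeignTenantUsers":true,"ParticipatingDomains":["outlook.com","contoso.com"]},"Members":[{"DisplayName":"IT Help Desk","UPN":"it-helpdesk@outlook.com"},{"DisplayName":"Carol Ito","UPN":"carol@contoso.com"}]}
{"CreationTime":"2025-08-28T09:10:00","Operation":"MessageSent","UserId":"alice@contoso.com","CommunicationType":"OneOnOne","ChatThreadId":"19:d4@unq.gbl.spaces","ParticipantInfo":{"HasForeignTenantUsers":false,"ParticipatingDomains":["contoso.com"]},"Members":[{"DisplayName":"Alice Ng","UPN":"alice@contoso.com"},{"DisplayName":"Bob Reyes","UPN":"bob@contoso.com"}]}
{"CreationTime":"2025-08-28T09:12:00","Operation":"MessageSent","UserId":"jdoe@fabrikam.com","CommunicationType":"GroupChat","ChatThreadId":"19:e5@thread.v2","ParticipantInfo":{"HasForeignTenantUsers":true,"ParticipatingDomains":["fabrikam.com","contoso.com"]},"Members":[{"DisplayName":"John Doe","UPN":"jdoe@fabrikam.com"},{"DisplayName":"Dave Kim","UPN":"dave@contoso.com"}]}
"""


def parse_records(text):
    """Parse a JSON-lines audit export into records sorted by CreationTime."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return sorted(records, key=lambda r: r["_ts"])


def is_external(upn):
    return upn.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def sender_display_name(rec):
    """Display name the sender presented, taken from the chat's member list."""
    for member in rec.get("Members", []):
        if member.get("UPN", "").lower() == rec["UserId"].lower():
            return member.get("DisplayName", "")
    return ""


def internal_targets(rec):
    return {m["UPN"].lower() for m in rec.get("Members", []) if not is_external(m["UPN"])}


def triage(text):
    """Return {external_sender: {"reasons": set, "score": int, "targets": set}}."""
    contacts = defaultdict(list)          # sender -> [(timestamp, internal target)]
    findings = {}
    for rec in parse_records(text):
        if rec.get("Operation") not in ("ChatCreated", "MessageSent"):
            continue
        sender = rec["UserId"].lower()
        if not is_external(sender):
            continue                      # internal senders are out of scope for this lure
        f = findings.setdefault(sender, {"reasons": set(), "score": 0, "targets": set()})
        if rec.get("ParticipantInfo", {}).get("HasForeignTenantUsers"):
            f["reasons"].add("cross-tenant")
        if LURE.search(sender_display_name(rec)):
            f["reasons"].add("helpdesk-lure")
        targets = internal_targets(rec)
        f["targets"] |= targets
        contacts[sender].extend((rec["_ts"], t) for t in targets)
        # Spray: distinct employees this sender reached inside the look-back window.
        recent = {t for ts, t in contacts[sender] if rec["_ts"] - ts <= SPRAY_WINDOW}
        if len(recent) >= SPRAY_THRESHOLD:
            f["reasons"].add("spray")
    for f in findings.values():
        f["score"] = sum(WEIGHTS[r] for r in f["reasons"])
    return findings


def suspicious_senders(text, min_score=ALERT_SCORE):
    """Senders whose combined signals reach the alert threshold, highest score first."""
    findings = triage(text)
    return sorted((s for s, f in findings.items() if f["score"] >= min_score),
                  key=lambda s: -findings[s]["score"])


if __name__ == "__main__":
    for sender, f in triage(SAMPLE_LOG).items():
        print(f"{sender}: score={f['score']} reasons={sorted(f['reasons'])} "
              f"targets={sorted(f['targets'])}")
```

On the constructed data the outlook.com "IT Help Desk" account scores on all three signals and is the only sender returned, while the fabrikam.com partner in a group chat registers only as cross-tenant and stays below the alert line. The weights are deliberately arranged so that external contact by itself never alerts; what raises the score is external contact that also looks like the help desk or is sprayed across several employees.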
SOC teams that do this can close the gap before it is exploited against them. Adding to the concern, researchers have also discovered a novel malvertising campaign that combines legitimate office[.]com links with Active Directory Federation Services (ADFS) to redirect users to Microsoft 365 phishing pages.
The attack chain begins when a victim clicks a rogue sponsored link on a search engine results page, which triggers a redirect chain that ends at a fake login page mimicking Microsoft. The attacker had set up their own Microsoft tenant and federated it to an ADFS server they control, so the redirect to the attacker's domain is issued by Microsoft's own sign-in service once the flow reaches that tenant's federated domain.
This is concerning because federation is a legitimate feature rather than a bug: anyone who can stand up a tenant can point it at an ADFS server they host, and Microsoft will send the browser there. The link the user clicked and the first redirect are genuine Microsoft URLs, which makes URL-based detections even more challenging than they already are; defenders have to judge where the chain lands rather than where it starts.
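To make the "judge the landing page, not the clicked link" point concrete, here is an added example (not code from the article or from the researchers it cites) that follows a redirect chain the way a browser would and classifies it. The responses are constructed and the query strings simplified; adfs.example-phish.test is a hypothetical attacker host, and adfs.contoso.com stands in for an organization's own legitimate federation endpoint, which is the one non-Microsoft host the allowlist should carry.

```python
"""Judge a sign-in redirect chain by where it lands, not by the link that was clicked.

Added example, not code from the article. The chains are constructed; the attacker
host adfs.example-phish.test and the organization's adfs.contoso.com are hypothetical.
"""
from urllib.parse import urljoin, urlsplit

# Hosts the sign-in flow may legitimately pass through. Assumption: the organization's
# own federation endpoint (adfs.contoso.com) is the only non-Microsoft host allowed.
TRUSTED_HOSTS = {
    "office.com", "www.office.com",
    "login.microsoftonline.com", "login.microsoft.com", "login.live.com",
    "adfs.contoso.com",
}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed responses: url -> (status, Location header or None). Query strings are
# simplified; the real sign-in flow carries many more parameters.
MALICIOUS_CHAIN = {
    "https://www.office.com/?auth=2":
        (302, "https://login.microsoftonline.com/login.srf?username=victim%40attacker-tenant.test"),
    "https://login.microsoftonline.com/login.srf?username=victim%40attacker-tenant.test":
        (302, "https://adfs.example-phish.test/adfs/ls/?wa=wsignin1.0"),
    "https://adfs.example-phish.test/adfs/ls/?wa=wsignin1.0": (200, None),
}
LEGIT_FEDERATED_CHAIN = {
    "https://www.office.com/?auth=2":
        (302, "https://login.microsoftonline.com/login.srf?username=alice%40contoso.com"),
    "https://login.microsoftonline.com/login.srf?username=alice%40contoso.com":
        (302, "https://adfs.contoso.com/adfs/ls/?wa=wsignin1.0"),
    "https://adfs.contoso.com/adfs/ls/?wa=wsignin1.0": (200, None),
}


def follow(start, responses, max_hops=10):
    """Return the list of URLs visited, following Location headers as a browser would."""
    hops = [start]
    while len(hops) <= max_hops:
        status, location = responses.get(hops[-1], (200, None))
        if status not in REDIRECT_STATUSES or not location:
            break
        hops.append(urljoin(hops[-1], location))   # resolves relative Location headers too
    return hops


def judge(hops):
    """Classify a chain: 'allow' if it lands on a trusted host, 'block' if a trusted
    host handed the browser to an untrusted one, 'review' otherwise."""
    hosts = [(urlsplit(u).hostname or "").lower() for u in hops]
    handoff = next(((a, b) for a, b in zip(hosts, hosts[1:])
                    if a in TRUSTED_HOSTS and b not in TRUSTED_HOSTS), None)
    landing_trusted = hosts[-1] in TRUSTED_HOSTS
    verdict = "allow" if landing_trusted else ("block" if handoff else "review")
    return {"clicked_host": hosts[0], "landing_host": hosts[-1],
            "handoff": handoff, "verdict": verdict}


if __name__ == "__main__":
    for name, chain in (("malicious", MALICIOUS_CHAIN), ("legit", LEGIT_FEDERATED_CHAIN)):
        print(name, judge(follow("https://www.office.com/?auth=2", chain)))
```

Both chains start at the same office.com URL and pass through login.microsoftonline.com, so a filter that only inspects the clicked link passes both. The difference only shows at the handoff: the legitimate tenant's federation host is on the allowlist and the chain is allowed, while the attacker's tenant hands the browser to a host nobody vetted and the chain is blocked. In a proxy or URL-sandbox this is the check to run at detonation time, with the organization's real federation hosts filled in.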
The recent findings from cybersecurity firms Hunters and Permiso detailing a malicious campaign that leveraged Microsoft Teams for initial access reflect this growing pattern of threat actors weaponizing the platform's trusted role in enterprise-focused communications for malware deployment.
Similar techniques involving remote access tools have been linked to ransomware groups such as Black Basta since mid-2024. The newer campaigns skip the preliminary email bombing step (flooding the target's inbox with junk so that a subsequent "IT" contact looks like a response to a real problem) and go straight to the Teams approach, then use the remote access to deliver a PowerShell payload with capabilities commonly associated with credential theft, persistence, and remote code execution.
Experts emphasize that Microsoft Teams phishing is no longer a fringe technique. Between help desk impersonation over Teams and malvertising that routes victims through ADFS, attackers are leaning on tools and sign-in flows that users and filters are conditioned to trust. Organizations should treat Teams as they treat the mail flow: log it, alert on external senders who behave like help desk staff, evaluate where sign-in redirects land rather than where they start, keep up with threat intelligence on these campaigns, and make sure users know how their real help desk makes contact so they can question anything that deviates from it.
Related Information:
https://www.ethicalhackingnews.com/articles/Threat-Actors-Leverage-Microsoft-Teams-for-Malicious-Phishing-Campaigns-A-Growing-Concern-ehn.shtml
https://thehackernews.com/2025/08/attackers-abuse-velociraptor-forensic.html
Published: Sat Aug 30 08:53:50 2025 by llama3.2 3B Q4_K_M