A coordinated wave of Microsoft Teams phishing campaigns is targeting enterprise employees in 2026, with threat actors impersonating IT helpdesk staff to hijack devices, exfiltrate sensitive data, and deploy ransomware, all without exploiting a single software vulnerability.
Since early 2026, a cybersecurity firm has documented a sharp rise in Microsoft Teams-based social engineering attacks where threat actors pose as internal IT Support and Helpdesk personnel to manipulate employees into granting remote desktop access.
Unlike traditional phishing, these intrusions abuse legitimate collaboration workflows, exploiting user trust rather than software flaws, making them significantly harder to detect and block.
Microsoft’s own April 2026 advisory confirmed the technique, calling it “cross-tenant helpdesk impersonation,” a nine-stage attack chain that begins with a single Teams message and ends with full network compromise.
Microsoft Teams Phishing Attack
The attack follows a now-documented pattern that begins before Teams is ever opened. Threat actors first launch email bombing campaigns, flooding a victim’s inbox with thousands of spam messages to create panic and urgency.
Overwhelmed and distracted, the victim receives a Microsoft Teams message from what appears to be an internal IT support contact offering to “resolve” the flooding issue.
The attacker operating from an external tenant uses freshly created, IT-themed domains such as itprotectiondepartment[.]onmicrosoft[.]com or disposable .top TLD sender domains to appear legitimate.
Increasingly, threat actors are pairing realistic English full-name personas (e.g., michaelturner@ or danielfoster@) with IT-themed tenant names, rather than generic accounts like helpdesk@ or admin@, to boost perceived credibility.
Once the victim engages, they are coached to launch Quick Assist or AnyDesk, legitimate remote monitoring and management (RMM) tools, which hand the attacker direct keyboard control of their device.
Once remote access is established, attackers move swiftly. The firm observed multiple intrusion cases in which threat actors downloaded portable versions of WinSCP directly from its official website and used them to exfiltrate data from compromised hosts.
In a separate incident, Quick Assist was used to deliver a malicious ZIP archive, Email-Deployment-Process-System.zip, containing a Java binary that executed a rogue application, followed immediately by data exfiltration.
Microsoft documented a similar post-access sequence, noting that attackers conduct rapid reconnaissance using Command Prompt and PowerShell, enumerate domain memberships, and then move laterally across the enterprise network using Windows Remote Management (WinRM), all while blending into routine IT support activity.
Follow-on payloads have included information stealers, backdoors, and ransomware, with some activity linked to Black Basta ransomware operators.
Multiple advanced threat groups have adopted this technique. Scattered Spider, known for SIM-swapping and social engineering campaigns against major enterprises, has integrated email bombing and Teams impersonation into its playbook.
UNC6692, tracked by Google’s Mandiant, targeted predominantly senior employees between March and April 2026, deploying a custom modular malware suite via Teams phishing, including an AutoHotkey-based loader, a malicious browser extension, and data exfiltration to attacker-controlled AWS S3 buckets.
eSentire’s analysis of attacker infrastructure reveals a coordinated, purpose-built operation. Malicious Teams messages predominantly originate from bulletproof hosting providers, including NKtelecom INC, WorkTitans B.V., Global Connectivity Solutions LLP, and GWY IT PTY LTD.
Single IP addresses have been observed targeting multiple organizations simultaneously, confirming that this is a scaled, infrastructure-backed operation rather than opportunistic activity. Documented attacker source IPs include 45[.]8[.]157[.]185, 94[.]131[.]111[.]162, 178[.]130[.]47[.]35, and 103[.]242[.]75[.]40, among others.
| Type | Indicator |
|---|---|
| Attacker IPs | 45[.]8[.]157[.]185, 94[.]131[.]111[.]162, 178[.]130[.]47[.]35, 103[.]242[.]75[.]40, 2[.]58[.]14[.]254, 5[.]8[.]18[.]80, 139[.]28[.]219[.]30, 80[.]66[.]72[.]215 |
| Sender Address | helpdesk@dpf[.]edu[.]lk |
| .top Domains | system-clean[.]top, helpdock[.]top, scanseq[.]top, serviceprohub[.]top |
| Tenant Domains | winncompaniesit[.]onmicrosoft[.]com, itprotectiondepartment[.]onmicrosoft[.]com, infratechopsdesk[.]onmicrosoft[.]com |
Mitigation
Organizations must treat Microsoft Teams external access as a potential attack vector and apply strict controls:
- Restrict external Teams communications unless required for business operations; where needed, allowlist only trusted partner tenants
- Block or restrict RMM tools (Quick Assist, AnyDesk, ConnectWise) via policy unless explicitly required by IT teams
- Block file transfer utilities (WinSCP, RClone, FileZilla, MegaSync) at the endpoint level
- Ingest Office 365 Audit Logs into your SIEM for behavioral correlation across identity, endpoint, and collaboration telemetry
- Implement User Awareness Training to help employees recognize IT impersonation lures, and create a secondary verification channel, such as calling the official helpdesk number or submitting an internal ticket, before granting any remote access.
- Enable external sender notifications in Teams collaboration policies so users are clearly alerted when interacting with outside parties.
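The audit-log correlation recommended above, written out as an added example (not code from eSentire, Microsoft, or the original article): it walks constructed Teams and endpoint events, flags messages from external IT-themed tenants or .top sender domains, and raises an alert when the same user launches a remote-access tool and then a file-transfer tool shortly afterwards. The event layout, the domain keyword heuristic, and the trusted-tenant allowlist are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a flattened audit-log style (not real telemetry).
EVENTS = [
    {"ts": "2026-04-02T09:12:00", "src": "teams", "user": "alice@corp.example",
     "sender": "michaelturner@itprotectiondepartment.onmicrosoft.com"},
    {"ts": "2026-04-02T09:20:30", "src": "endpoint", "user": "alice@corp.example",
     "image": "C:\\Windows\\System32\\quickassist.exe"},
    {"ts": "2026-04-02T09:41:10", "src": "endpoint", "user": "alice@corp.example",
     "image": "C:\\Users\\alice\\Downloads\\WinSCP.exe"},
    {"ts": "2026-04-02T10:05:00", "src": "teams", "user": "bob@corp.example",
     "sender": "pm@partner.example"},
    {"ts": "2026-04-02T13:00:00", "src": "endpoint", "user": "bob@corp.example",
     "image": "C:\\Windows\\System32\\quickassist.exe"},
]

INTERNAL_DOMAIN = "corp.example"          # assumed home tenant
TRUSTED_TENANTS = {"partner.example"}     # assumed allowlisted partner tenants
# Coarse heuristic for the lure domains seen in the campaign: IT-themed
# onmicrosoft.com tenants or disposable .top sender domains.
SUSPICIOUS_SENDER = re.compile(
    r"(helpdesk|it|support|protection|service|desk).*\.onmicrosoft\.com$|\.top$")
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe", "connectwise.exe"}
TRANSFER_TOOLS = {"winscp.exe", "rclone.exe", "filezilla.exe", "megasync.exe"}

def sender_is_suspicious(sender):
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain == INTERNAL_DOMAIN or domain in TRUSTED_TENANTS:
        return False
    return bool(SUSPICIOUS_SENDER.search(domain))

def correlate(events, window=timedelta(hours=2)):
    """Emit (user, stage, detail) when an external IT-themed Teams message is
    followed within `window` by a remote-access tool and then a transfer tool."""
    alerts, state = [], {}   # state: user -> {"t": lure time, "sender", "stage"}
    for ev in sorted(events, key=lambda e: e["ts"]):
        t, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["src"] == "teams" and sender_is_suspicious(ev["sender"]):
            state[user] = {"t": t, "sender": ev["sender"], "stage": 1}
            continue
        s = state.get(user)
        if not s or ev["src"] != "endpoint" or t - s["t"] > window:
            continue
        exe = ev["image"].lower().rsplit("\\", 1)[-1]
        if s["stage"] == 1 and exe in REMOTE_TOOLS:
            s["stage"] = 2
            alerts.append((user, "remote_access_after_lure", f"{s['sender']} -> {exe}"))
        elif s["stage"] == 2 and exe in TRANSFER_TOOLS:
            s["stage"] = 3
            alerts.append((user, "transfer_tool_after_remote_access", exe))
    return alerts
```

Run against the sample, only Alice's sequence produces alerts; Bob's Quick Assist launch is ignored because his Teams contact came from an allowlisted tenant.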
Microsoft Teams itself includes visible protections, such as external tenant labels, Accept/Block prompts, and Safe Links, but these only work when users actively heed them.
FAQ
Q1: How do Microsoft Teams IT impersonation attacks start?
They begin with email bombing to overwhelm victims, followed by a Teams message from a fake IT support account offering help.
Q2: Is this a vulnerability in Microsoft Teams itself?
No. Attackers exploit legitimate external collaboration features and user trust, not any software flaw in Teams.
Q3: Which threat groups are behind these Microsoft Teams phishing campaigns?
Groups including Scattered Spider, UNC6692, and Payouts King have all been observed using this tactic in 2025–2026.
Q4: What tools should organizations block to prevent post-access damage?
Organizations should restrict RMM tools such as Quick Assist and AnyDesk, and file transfer utilities such as WinSCP and RClone, unless operationally required.
Site: thecybrdef.com