Microsoft Teams: New Report Exposes How APTs and Ransomware Groups Weaponize Collaboration Features to Breach Enterprises
Microsoft Teams, the collaboration platform most enterprises rely on for day-to-day communication, has increasingly become a convenient arena for cyberattacks. According to the Microsoft Threat Intelligence team, malicious actors are actively abusing the platform for a broad range of purposes, from intelligence gathering and social engineering to malware distribution and data theft.
Teams attracts both financially motivated threat groups and state-sponsored attackers because it can be abused at every phase of an intrusion. Microsoft urges administrators to strengthen defenses not only at the identity and endpoint layers, but also through rigorous controls within the application itself and the surrounding network infrastructure.
At the reconnaissance stage, attackers probe for poorly secured accounts, groups, and tenants. When presence privacy mode is disabled, they can read users' presence status (available, away, in a call) and even attempt to join meetings as external or anonymous participants. Open-source tooling lets them filter and structure the collected data, which makes tenants that admit external participants, guests, and anonymous users especially exposed.
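The settings that feed this reconnaissance (open federation, consumer-account access, presence visibility, anonymous meeting join) are all tenant-level switches. The following PowerShell is an added example written for this page, not code from the Microsoft report; it uses cmdlets from the MicrosoftTeams module, assumes a Teams Administrator role, and the partner domains in the allowlist are placeholder values. Check the parameter names against `Get-Help Set-CsTenantFederationConfiguration` in the module version you have installed.

```powershell
# Added example, not code from the Microsoft report: audit and then tighten
# the Teams settings that feed external reconnaissance. Needs the
# MicrosoftTeams module and a Teams Administrator role. The partner
# domains are assumed placeholders; replace them with your real allowlist.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# 1. Audit first: who can reach your users from outside the tenant today?
$fed = Get-CsTenantFederationConfiguration
[pscustomobject]@{
    AllowFederatedUsers = $fed.AllowFederatedUsers   # any other Microsoft 365 tenant
    AllowTeamsConsumer  = $fed.AllowTeamsConsumer    # personal Teams accounts
    AllowPublicUsers    = $fed.AllowPublicUsers      # Skype consumer accounts
    AllowedDomains      = $fed.AllowedDomains        # AllowAllKnownDomains = no allowlist in force
} | Format-List

# 2. Replace open federation with an explicit allowlist and block consumer
#    identities, which are the cheapest for an attacker to create.
$partnerDomains = @('partner-a.example', 'partner-b.example')   # assumed values
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers   $true `
    -AllowedDomainsAsAList $partnerDomains `
    -AllowTeamsConsumer    $false `
    -AllowPublicUsers      $false

# 3. Presence privacy mode: status is shown only to contacts, so an outsider
#    cannot watch for "Available" or "In a call" before making contact.
Set-CsPrivacyConfiguration -EnablePrivacyMode $true

# 4. Stop unauthenticated (anonymous) participants from joining meetings;
#    external people you actually invite still join with their own identity.
Set-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToJoinMeeting $false

# Re-read the settings so the change is confirmed rather than assumed.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowPublicUsers, AllowedDomains
Get-CsPrivacyConfiguration | Select-Object EnablePrivacyMode
Get-CsTeamsMeetingPolicy -Identity Global | Select-Object AllowAnonymousUsersToJoinMeeting
```

Run the audit step and keep its output before changing anything: switching from open federation to an allowlist silently breaks existing chats with any domain not on the list, so the allowlist should be built from the partners users actually talk to, not guessed.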
During the preparation phase, cybercriminals employ social engineering tactics, creating fake accounts and replicating corporate branding to convincingly impersonate support staff or administrators. In some cases, they even purchase legitimate tenants if the operation promises sufficient profit. Attack channels range from text chats to voice calls, often accompanied by plausible pretexts and carefully crafted narratives.
Particularly dangerous are the cases where Teams is used to deliver malware that steals credentials or deploys ransomware. A common ruse involves fake tech-support agents urging users to install remote access tools such as AnyDesk. In other scenarios, chat messages carry links to malicious websites or counterfeit Teams download pages. Attackers also use specialized utilities such as TeamsPhisher, which sends file attachments to users in other tenants despite the client-side restriction on external file sharing, or AADInternals to deliver payloads directly.
To keep access after an initial foothold is discovered, some adversaries add guest accounts to the tenant, plant shortcuts in Windows startup folders, or hijack the Sticky Keys accessibility binary (sethc.exe) so that it launches an attacker-chosen program. Administrators are prime targets because of their elevated privileges and access to powerful tools, yet ordinary users are equally at risk: a single click on a malicious link or file is often enough to compromise a system.
Once inside, attackers use readily available tools to steal access tokens (a stolen token already carries a satisfied MFA claim, so the second factor is never challenged again) and parse Teams API responses to map the environment and identify avenues for lateral movement. With knowledge of roles, groups, and connected devices, they can spread across the network, including by using compromised accounts to impersonate legitimate employees of partner organizations.
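The three persistence mechanisms named two paragraphs above each leave an artifact that can be enumerated. The sweep below is an added example written for this page, not code from the Microsoft report. It assumes an elevated PowerShell session on the endpoint for the local checks, and the Microsoft.Graph module with the User.Read.All scope for the guest-account check; the 30-day lookback is an assumed value.

```powershell
# Added example, not code from the Microsoft report: a sweep for the three
# persistence mechanisms named in the text (Sticky Keys hijack, startup-folder
# shortcuts, newly added guest accounts). Run elevated on the endpoint; step 3
# additionally needs the Microsoft.Graph module and the User.Read.All scope.
# The lookback window is an assumed value.
$findings = [System.Collections.Generic.List[object]]::new()

# 1. Sticky Keys hijack. Two classic variants: an IFEO "Debugger" value that
#    makes Windows launch another binary in place of sethc.exe (or a sibling
#    accessibility tool), or sethc.exe overwritten with a copy of cmd.exe.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$accessibilityBins = 'sethc.exe','utilman.exe','osk.exe','narrator.exe','magnify.exe','displayswitch.exe','atbroker.exe'
foreach ($bin in $accessibilityBins) {
    $dbg = (Get-ItemProperty -Path (Join-Path $ifeo $bin) -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings.Add([pscustomobject]@{ Type = 'IFEO Debugger'; Item = $bin; Detail = $dbg }) }
}
$sys32     = Join-Path $env:SystemRoot 'System32'
$sethcHash = (Get-FileHash (Join-Path $sys32 'sethc.exe')).Hash
$cmdHash   = (Get-FileHash (Join-Path $sys32 'cmd.exe')).Hash
if ($sethcHash -eq $cmdHash) {
    $findings.Add([pscustomobject]@{ Type = 'Binary swap'; Item = 'sethc.exe'; Detail = 'identical to cmd.exe' })
}

# 2. Startup-folder shortcuts across every profile on the box plus the
#    all-users folder, resolved to the command they actually run.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = [System.Collections.Generic.List[string]]::new()
$startupDirs.Add([Environment]::GetFolderPath('CommonStartup'))
Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { $startupDirs.Add((Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup')) }
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $findings.Add([pscustomobject]@{
            Type   = 'Startup shortcut'
            Item   = $_.FullName
            Detail = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
        })
    }
}

# 3. Guest accounts created recently in the tenant. userType is filtered
#    server-side; the date filter is applied client-side to keep the query simple.
$lookbackDays = 30   # assumed value
Connect-MgGraph -Scopes 'User.Read.All'
Get-MgUser -Filter "userType eq 'Guest'" -Property DisplayName,UserPrincipalName,CreatedDateTime,ExternalUserState -All |
    Where-Object { $_.CreatedDateTime -gt (Get-Date).AddDays(-$lookbackDays) } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Type   = 'New guest'
            Item   = $_.UserPrincipalName
            Detail = "created $($_.CreatedDateTime), state $($_.ExternalUserState)"
        })
    }

# Anything listed is a lead, not a verdict: a legitimate admin shortcut or an
# expected partner guest will also appear, so triage against change records.
$findings | Format-Table -AutoSize
```

The cmd.exe hash comparison only catches the oldest variant of the Sticky Keys swap; the IFEO check is the one that matters on current systems, and it is worth running across the whole accessibility set rather than sethc.exe alone, since any of those binaries can be launched from the lock screen before a user signs in.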
In some cases, attackers talk victims into starting a remote session and handing over control of the machine. They have also been observed pivoting to OneDrive and SharePoint to pull whatever data the compromised account can reach.
Teams has even been used as a command-and-control channel, with instructions transmitted directly through chat messages or embedded payloads. In extreme cases, ransom demands were sent straight through corporate chats — as seen with the Octo Tempest group, which used threats and taunting messages to intensify pressure on victims.
While Teams is far from the only platform subject to such exploitation, Microsoft stresses the importance of a comprehensive security strategy — including tighter access controls, continuous activity monitoring, and robust content filtering — to defend against this evolving threat landscape.