Microsoft has flagged a surge in attackers impersonating helpdesk staff through Teams to infiltrate enterprise networks. Threat actors are leveraging the platform's legitimacy to gain initial access and move laterally within organizations.
Microsoft security researchers have identified a growing trend of threat actors abusing Microsoft Teams for social engineering attacks targeting enterprise users.
Attackers are impersonating helpdesk or IT support staff in Teams conversations to trick employees into granting access credentials or executing malicious actions. The tactic exploits the platform's widespread use in corporate environments, where Teams appears as a trusted internal communication channel.
Once initial access is established, threat actors use Teams and other legitimate tools already present on compromised networks to move laterally and expand their foothold. This approach reduces detection risk compared to deploying custom malware.
The attacks typically begin with external Teams messages appearing to come from internal support roles. Victims are directed to authenticate through phishing links, share credentials, or run scripts for supposed security updates or account verification.
Microsoft recommends organizations implement multi-factor authentication across all accounts, restrict Teams external communications where possible, and train employees to verify support requests through secondary channels before responding to sensitive requests.
The advisory reflects broader challenges with Teams security as the platform's adoption has grown. Previous reports have documented Teams abuse in phishing campaigns, credential theft, and data exfiltration attempts.
Companies should review Teams policies to limit external collaboration, monitor for suspicious support-related conversations, and establish clear verification procedures for IT requests. Security teams should also track Teams activity logs for anomalous patterns indicating compromised accounts.
Partnered Health, one of Australia's largest healthcare providers, has disclosed a cyber-attack affecting 21 clinics across Sydney, Melbourne, and Canberra. Personal information and medical records were compromised in the breach.
Security firm Intruder has developed an AI-powered system that automatically identifies previously unknown software vulnerabilities by combining code analysis with large language models. The tool already discovered and exploited a WordPress plugin zero-day.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.