Phishing alerts from collaboration tools represented 42% of all phishing alerts in Cortex in the first four months of 2026, up from 30% in the preceding four months.
How attackers are moving from email into Microsoft Teams
Unit 42 documents a shift: threat actors are exploiting trusted collaboration platforms to conduct phishing and social engineering that does not resemble traditional email attacks. Messages introduced through Microsoft Teams can arrive directly in an employee’s feed, mimic internal IT support, and carry a visual familiarity that lowers user suspicion. The report reproduces a typical bait: “Hi, this is the IT Department. We see an issue with your account,” sent from what appears to be an IT technician and requesting approval of an MFA prompt — a short, plausible interaction that can enable account takeover.
Confirmed cases: Cloaked Ursa and UNC6692
Unit 42 cites recent, concrete examples. Cloaked Ursa — also named APT29, Cozy Bear and Midnight Blizzard — operationalized Teams-based lures in late 2024 by using compromised accounts to send Teams links that led to credential-harvesting pages mimicking Microsoft login portals. In December 2025, Mandiant tracked a separate group, UNC6692, that used MS Teams to impersonate IT helpdesk staff and convinced employees to accept chat invitations from accounts outside their organization. Those incidents demonstrate two modes: abuse of compromised internal accounts and impersonation from external or typosquatted tenants.
Exactly how attackers disguise themselves inside Teams
Unit 42 describes several techniques adversaries use to appear legitimate inside Teams: typosquatted domains that resemble vendors or internal naming conventions; Microsoft 365 tenants deliberately named to mimic IT, security teams, or managed service providers; and operation from tenants with no prior affiliation to the target. Because many organizations leave Teams federation enabled by default, external tenants can reach users unless policy restrictions are in place. In more advanced intrusions, attackers bypass impersonation entirely by compromising service-provider or partner accounts and leveraging those pre-existing trust relationships.
Configuration levers defenders can use
The report stresses that Teams is not inherently insecure; rather, permissive external-communication settings and user trust create opportunity. Unit 42 points to two Microsoft configuration controls:
- The unmanaged-account control: “External users with MS Teams accounts not managed by an organization can contact users in my organization.” If business cases allow, disabling this prevents personal or unmanaged accounts from initiating chats. The parent control, “People in my organization can communicate with unmanaged MS Teams accounts,” can be toggled off to fully block unmanaged accounts.
- The federation control: many tenants leave federation open to any external domain. A more restrictive posture is “Allow only specific external domains,” with an allow-list of domains the organization typically communicates with.
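The two controls above, applied from an administrative PowerShell session. This is an added example written for this summary, not code from the Unit 42 report or from Microsoft; it assumes a recent MicrosoftTeams PowerShell module and a session already opened with Connect-MicrosoftTeams, and the partner domains in the allow-list are constructed placeholders.

```powershell
# Added example (not from the Unit 42 report): applying the unmanaged-account and federation
# controls the report names, using the MicrosoftTeams PowerShell module. Assumes a Teams
# administrator session opened with Connect-MicrosoftTeams. Domain names are placeholders.

# 1. Capture the current posture before changing anything. On many tenants all three
#    booleans read True and AllowedDomains reads AllowAllKnownDomains: federation is open to
#    every external tenant and unmanaged accounts may chat in both directions.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound

# 2. Unmanaged (personal) Teams accounts.
#    AllowTeamsConsumerInbound is the "External users with Teams accounts not managed by an
#    organization can contact users in my organization" control; AllowTeamsConsumer is the
#    parent "People in my organization can communicate with unmanaged Teams accounts" control.
#    Turning off the parent blocks unmanaged accounts in both directions. Do this only where
#    no business case depends on chatting with personal accounts.
Set-CsTenantFederationConfiguration -AllowTeamsConsumerInbound $false -AllowTeamsConsumer $false

# 3. Federation: move from "allow all external domains" to an explicit allow-list.
#    Tenants not on the list, including lookalike or freshly created tenants, can no longer
#    initiate chats with users, which keeps the malicious request from reaching the user at all.
$allowedDomains = @('partner-example.com', 'msp-example.net')   # constructed placeholders
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList $allowedDomains

# 4. Verify: AllowedDomains should now list only the allow-listed entries and both
#    consumer settings should read False.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound
```

Keep the output of step 1 as a change record: if legitimate collaboration breaks after tightening, it shows exactly which settings to revisit rather than reopening federation wholesale.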
Unit 42 also links Teams hardening to broader identity protections: Conditional Access policies to require stronger verification for high-risk actions, and just-in-time privileged access via Entra Privileged Identity Management to reduce the impact of a single compromised account. Microsoft guidance on cross-tenant intrusions and Teams protections is cited for further detail.
Monitoring, response, and user reporting
Operational defenses include treating external chat initiation as an investigative event — especially when coming from unseen or typosquatted domains or when followed by authentication anomalies or device registration events. Administrators can remove malicious chats from users’ views to limit follow-on interactions, and organizations with appropriate Microsoft licensing can enable an in-chat reporting function so users can report suspicious Teams messages similarly to email “Report Phishing.” The report argues: “As defenders, we must shift the burden away from the user and prevent as many of these malicious chat requests from reaching the user in the first place.”
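The "external chat initiation as an investigative event" idea, as a triage routine over Teams audit records. This is an added example written for this summary, not code from the Unit 42 report; the three records are constructed and follow the ChatCreated/ParticipantInfo shape of the Microsoft 365 Teams audit schema as assumed here (in production they would come from Search-UnifiedAuditLog -RecordType MicrosoftTeams), the tenant domain is a placeholder, and the lookalike check is a deliberately simple heuristic for the digit-for-letter substitutions the report describes.

```powershell
# Added example (not from the Unit 42 report): flag chats initiated from outside the tenant,
# rank unknown tenants above allow-listed partners, and mark lookalikes of the tenant domain.
# Records below are constructed; field names follow the assumed Teams audit schema.
$ownDomain      = 'contoso.example'                          # placeholder tenant domain
$allowedDomains = @('contoso.example', 'partner-example.com') # placeholder allow-list

$records = @'
[
 {"CreationTime":"2026-03-02T09:14:03","Operation":"ChatCreated","CommunicationType":"OneOnOne",
  "UserId":"it-support@c0ntoso-helpdesk.example",
  "ParticipantInfo":{"HasForeignTenantUsers":true,"ParticipatingDomains":["c0ntoso-helpdesk.example","contoso.example"]}},
 {"CreationTime":"2026-03-02T09:20:41","Operation":"ChatCreated","CommunicationType":"OneOnOne",
  "UserId":"alice@contoso.example",
  "ParticipantInfo":{"HasForeignTenantUsers":false,"ParticipatingDomains":["contoso.example"]}},
 {"CreationTime":"2026-03-02T10:02:17","Operation":"ChatCreated","CommunicationType":"GroupChat",
  "UserId":"bob@partner-example.com",
  "ParticipantInfo":{"HasForeignTenantUsers":true,"ParticipatingDomains":["partner-example.com","contoso.example"]}}
]
'@ | ConvertFrom-Json

function Test-ExternalChatInitiation {
    param($Record, [string[]]$Allowed, [string]$OwnDomain)
    if ($Record.Operation -ne 'ChatCreated') { return $null }
    if (-not $Record.ParticipantInfo.HasForeignTenantUsers) { return $null }
    # Only chats started by someone outside the tenant are investigative events here.
    $initiatorDomain = ($Record.UserId -split '@')[-1].ToLower()
    if ($initiatorDomain -eq $OwnDomain) { return $null }
    # Allow-listed partner tenants get routine review, not an alert.
    $unknown = @($Record.ParticipantInfo.ParticipatingDomains | Where-Object { $Allowed -notcontains $_ })
    if ($unknown.Count -eq 0) { return $null }
    # Lookalike heuristic: undo common digit substitutions (0->o, 1->l) and look for the tenant label.
    $ownLabel  = ($OwnDomain -split '\.')[0]
    $lookalike = $unknown | Where-Object { (($_ -replace '0', 'o') -replace '1', 'l') -like "*$ownLabel*" }
    [pscustomobject]@{
        Time      = $Record.CreationTime
        Initiator = $Record.UserId
        Domains   = ($unknown -join ',')
        Severity  = if ($lookalike) { 'High: lookalike of tenant domain' } else { 'Medium: unknown external tenant' }
    }
}

# Expected: one High finding for it-support@c0ntoso-helpdesk.example; the internal chat and
# the allow-listed partner chat produce nothing.
$records | ForEach-Object { Test-ExternalChatInitiation $_ $allowedDomains $ownDomain } |
    Where-Object { $_ } | Format-Table -AutoSize
```

Pair a High finding with the sign-in and device-registration logs for the targeted user in the following minutes, since the report notes that the chat is typically the first step and the authentication anomaly the second.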
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: Review and tighten federation and unmanaged-account settings, implement Conditional Access and just-in-time privileged roles, and add monitoring alerts for external chat initiation and related authentication anomalies.
- Procurement and IT leaders: Balance business cases for open federation against the increased attack surface, and consider licensing features that allow users to report suspicious Teams messages and permit admins to remove malicious chats.
- End users and help desks: Update phishing training to include Teams scenarios — unsolicited “IT support” outreach, requests to approve MFA prompts, and instructions to reset credentials — and validate unexpected requests through separate channels such as a help desk number or ticketing system.
Unit 42’s conclusion is direct: attackers will use open external chat. Tightening external-chat controls and reinforcing identity-centric protections reduce the attack surface, but doing so requires explicit policy decisions and a shift in user training. The central question organizations now face is operational and procedural: which external-communication settings can they restrict without harming legitimate collaboration?
https://unit42.paloaltonetworks.com/microsoft-teams-phishing/