
Microsoft Teams Phishing Attacks: What Every Business Owner Needs to Know in 2026

Microsoft Teams has become one of the most trusted tools in the modern workplace. Employees use it every day to chat with coworkers, join meetings, and share files — and that trust is exactly what cybercriminals are now exploiting.
Mar 20, 2026

Over the past year, security researchers have documented a sharp rise in Microsoft Teams phishing attacks that use the platform itself as the attack vector. These are not the clumsy, typo-ridden scam emails your spam filter catches. These are sophisticated, targeted attacks that are fooling employees at organizations of all sizes — and in many cases, they lead directly to ransomware deployment and data breaches.

If your business uses Microsoft Teams, you need to understand how these attacks work — and what you can do to stop them.

Here is what is happening, how these attacks unfold step by step, and what your business can do to stay protected.

How Microsoft Teams Phishing Attacks Work: The Step-by-Step Playbook

Step 1: The Unsolicited 'IT Support' Message

Attackers are now creating fraudulent Microsoft 365 tenants and exploiting a default Teams configuration that allows users on external domains to initiate chats or meetings with your employees. In plain language: a stranger posing as your IT department can message or even call your staff directly through Teams, and it looks completely legitimate on the surface.

A recent case from November 2025 illustrates how this works. Researchers at CyberProof documented an attacker who used Microsoft Teams' 'Chat with Anyone' feature — which lets external users send direct messages via email — to contact employees posing as IT support. The attacker then initiated a Teams call and tricked the employee into accessing a phishing URL to download Quick Assist, a built-in Windows remote access tool.

Step 2: Urgency Takes Over

The attacker typically claims there is an urgent security issue — a virus detected on your machine, a compromised account, or a compliance flag that requires immediate action. Employees, not wanting to ignore what appears to be a legitimate internal IT alert, comply without verifying.

The goal of this social engineering tactic is to manufacture a sense of urgency that short-circuits your employees' critical thinking. This is not a flaw in your team's intelligence — it is a calculated psychological exploit.

Step 3: Remote Access Is Granted and the Attack Escalates

Once remote access is established, the attacker has everything they need. In a confirmed July 2025 case documented by security firm Morphisec, threat actors used a Teams call to walk an employee through executing a script that deployed the Matanbuchus Loader — a sophisticated piece of malware that gave attackers persistent control of the machine.

From that foothold, attackers typically move to steal credentials, escalate privileges across the network, and either exfiltrate sensitive data or deploy ransomware.

Why Microsoft Teams Is Such an Effective Phishing Vector

Email phishing has been around long enough that most employees have developed at least some skepticism. Microsoft Teams is different — and attackers know it.

When a message arrives in Teams, employees assume it has been filtered, authenticated, and verified. There is a psychological safety net that does not exist with email. The platform's familiar interface, combined with features designed for external collaboration, creates an opening that cybercriminals are actively weaponizing.

Security researchers at Check Point found that vulnerabilities in Teams allowed malicious bots to craft messages that appeared to come from trusted colleagues — meaning even tech-savvy employees could be fooled. While Microsoft has since patched those specific vulnerabilities, the broader principle remains: Teams is a high-trust environment that attackers are determined to exploit.

Microsoft Threat Intelligence has confirmed it is actively tracking and responding to the abuse of the Teams platform in phishing campaigns, and has taken action against confirmed malicious tenants by blocking their ability to send messages.

Who Is Behind Microsoft Teams Phishing Attacks?

These are not random opportunists. Multiple organized threat groups have been documented running Teams-based phishing campaigns:

  • STAC5777 / Storm-1811 — This group has been running Teams-based voice phishing (vishing) attacks since at least May 2024. Microsoft tracks them under the name Storm-1811. Their playbook involves creating fraudulent Microsoft 365 tenants and calling employees directly over Teams to phish for credentials.
  • Midnight Blizzard (Russian state-sponsored) — This group launched coordinated phishing campaigns via Teams using compromised Microsoft 365 accounts impersonating legitimate IT support organizations. Their goal was credential theft targeting government and enterprise environments.
  • Storm-0324 — A criminal access broker observed sending phishing lures through Teams containing links to malicious SharePoint-hosted files. Their goal is to gain initial network access, which they then sell to ransomware operators.

The fact that both nation-state actors and ransomware groups are using the same tactic should underscore how effective — and how dangerous — it has become.

What Can Happen After a Successful Teams Phishing Attack

The initial Teams phishing message is only step one. Once attackers have a foothold inside your environment, consequences escalate rapidly:

  • Credential theft — Usernames and passwords stolen and used to access email accounts, banking portals, and cloud applications
  • Ransomware deployment — Entire networks encrypted, with demands for payment to restore access — often reaching six or seven figures for small and mid-sized businesses
  • Data exfiltration — Customer records, financial data, and intellectual property exfiltrated before encryption, creating regulatory and legal liability
  • Multi-factor authentication (MFA) bypass — Attackers bypass MFA by repeatedly generating authentication prompts until an employee approves one by mistake, or by adding attacker-controlled phone numbers to MFA settings
  • Lateral movement and privilege escalation — Attackers use the initial breach to move laterally through your network, compromising additional systems and accounts before detection

For a small or mid-sized business, any one of these outcomes can be operationally and financially devastating.

5 Steps to Protect Your Business from Microsoft Teams Phishing Attacks

1. Restrict External Teams Access

Review your Microsoft 365 Teams settings and restrict or disable the ability for external users to initiate chats or calls with your employees. If your team does not have a legitimate business reason to receive unsolicited Teams messages from strangers, turn this feature off or limit it to verified partner organizations only.

2. Lock Down Remote Access Tools

Remote access applications such as Quick Assist, AnyDesk, and TeamViewer should never be installed or activated based on a request from an unknown caller — even one who appears to be in Teams. Establish a clear company policy: your IT team will never ask an employee to download or activate remote access software without a pre-existing support ticket and direct verification.

3. Train Employees to Verify Before They React

Attackers count on urgency overriding judgment. Employees should know exactly who their real IT support team is, what verification procedures look like, and that a legitimate IT department will never pressure them to act immediately or bypass normal steps. Security awareness training should include simulated Teams phishing scenarios — not just email phishing simulations.

4. Enforce Phishing-Resistant Multi-Factor Authentication

Standard SMS-based MFA is no longer sufficient against these attacks. Microsoft and cybersecurity experts recommend implementing phishing-resistant MFA solutions such as FIDO2 security keys or passkeys. Additionally, configure Conditional Access policies in Microsoft Entra ID to enforce authentication strength requirements for sensitive actions including device registration.

5. Partner with a Managed Security Provider

These attacks move fast. By the time an employee realizes something is wrong, the attacker may already have lateral access to multiple systems. A managed security partner monitors your Microsoft 365 environment around the clock — watching for the early warning signs of a Teams-based intrusion before damage occurs. Real-time detection and response is the difference between a contained incident and a full-scale breach.
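
One early warning sign that follows from the playbook above is an unverified external Teams chat followed shortly by a remote access tool starting under the same user. The sketch below correlates those two event types; it is an added example, not code from Always Beyond or Microsoft. The event schema, the partner allowlist, the display-name keywords and the 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumptions for this example (not from the article): schema, allowlist, keywords, window.
PARTNER_DOMAINS = {"partner.example"}  # tenants verified as business partners
LURE_WORDS = ("help desk", "helpdesk", "it support", "service desk", "security team")
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe", "teamviewer.exe"}
WINDOW = timedelta(minutes=30)

# Constructed sample events, as if already normalized from chat and endpoint logs.
SAMPLE_EVENTS = [
    {"time": "2026-03-02T09:00:00", "type": "external_chat", "user": "alice",
     "sender_domain": "it-helpdesk.example", "sender_name": "IT Support Desk"},
    {"time": "2026-03-02T09:12:00", "type": "process_start", "user": "alice",
     "process": "QuickAssist.exe"},
    {"time": "2026-03-02T10:00:00", "type": "external_chat", "user": "bob",
     "sender_domain": "partner.example", "sender_name": "Dana (Partner)"},
    {"time": "2026-03-02T10:05:00", "type": "process_start", "user": "bob",
     "process": "TeamViewer.exe"},
    {"time": "2026-03-02T11:00:00", "type": "external_chat", "user": "carol",
     "sender_domain": "unknown.example", "sender_name": "Help Desk"},
    {"time": "2026-03-02T13:00:00", "type": "process_start", "user": "carol",
     "process": "AnyDesk.exe"},
]

def correlate(events):
    """Alert when a remote tool starts soon after an unverified external chat."""
    alerts, last_contact = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):  # tolerate unordered input
        when = datetime.fromisoformat(ev["time"])
        if ev["type"] == "external_chat":
            # Chats from allowlisted partner tenants are not treated as suspicious.
            if ev["sender_domain"].lower() not in PARTNER_DOMAINS:
                last_contact[ev["user"]] = (when, ev)
        elif ev["type"] == "process_start" and ev["process"].lower() in REMOTE_TOOLS:
            seen = last_contact.get(ev["user"])
            if seen and when - seen[0] <= WINDOW:
                gap, chat = when - seen[0], seen[1]
                lure = any(w in chat["sender_name"].lower() for w in LURE_WORDS)
                alerts.append({"user": ev["user"], "tool": ev["process"],
                               "sender_domain": chat["sender_domain"],
                               "minutes_after_chat": int(gap.total_seconds() // 60),
                               "severity": "critical" if lure else "high"})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only the first pair is flagged: the partner-tenant chat is ignored, and the third tool launch falls outside the window.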

Frequently Asked Questions: Microsoft Teams Phishing

Can Microsoft Teams be used for phishing?

Yes. Attackers are actively using Microsoft Teams to impersonate IT support staff, send malicious links, and trick employees into granting remote access to their computers. Both external attackers (using fraudulent Microsoft 365 tenants) and compromised insider accounts have been used in documented campaigns.

How do I know if a Teams message is a phishing attempt?

Key warning signs include: unsolicited contact from someone claiming to be IT support, requests to install software or grant remote access, a sense of urgency or pressure to act immediately, and requests to click links or download files outside of normal workflows. Always verify through a separate, known channel — such as calling your IT help desk directly — before taking any action.

What should I do if I think I've been phished through Teams?

Disconnect from the internet immediately to prevent lateral movement. Contact your IT team or managed security provider right away. Do not attempt to remediate on your own. The faster you report it, the greater the chance of containing the damage before ransomware deploys or credentials are used.

Is Microsoft Teams safe for business use?

Microsoft Teams is a legitimate and valuable business tool with strong security features available. However, like any widely used platform, it can be abused by attackers. The key is configuring it securely — including restricting external access, enforcing MFA, and training employees — rather than assuming the platform's security covers all threat vectors.

The Bottom Line

Microsoft Teams is not going away — and neither are the attackers targeting it. The businesses most at risk are those that assume their email security covers everything, and have not thought carefully about threats that arrive through a chat window or a call.

If your organization uses Microsoft 365 and Teams, now is the time to review your external access settings, update your employee security training, and ensure you have a security partner monitoring your environment in real time.

Have questions about securing your Microsoft 365 environment? Contact us today for a free security assessment. We will review your current Teams configuration, identify exposure points, and walk you through practical steps to close the gaps — at no cost and no obligation.
