Microsoft Teams Phishing Attempt Alert in Hunters Next Gen SIEM
Security researchers at Hunters have published a new analysis revealing how attackers are increasingly abusing Microsoft Teams as an entry point for phishing, vishing, and malware delivery campaigns. By exploiting Teams’ default external collaboration features, adversaries are impersonating IT staff, launching voice phishing calls, sharing malicious files, and even bypassing Microsoft’s built-in warning banners.
The report stresses that Teams is no longer a niche or theoretical attack surface. “Microsoft Teams usage for initial access is not just a theoretical vector; it has been observed in the wild as part of various attacks and campaigns, with a significant spike noted over the past year.”
Hunters highlighted VEILDrive, a campaign disclosed in November 2024 that targeted a U.S. critical infrastructure company, as one of the first to showcase Teams abuse for initial access. Since then, the trend has accelerated, with adversaries frequently posing as fake IT or Help Desk staff to manipulate victims into engagement.
Key Attack Techniques
1. One-on-One Chat Phishing
Attackers create or compromise Teams tenants and send messages directly to users. The platform even makes external user discovery easy, as Hunters explains: “Microsoft Teams… simplifies the identification of external users through email address searches within the application (GUI or web). This allows for clear confirmation of user existence and the ability to receive messages from external tenants.”
Although Microsoft provides external sender warnings, attackers often leverage urgency or impersonation to bypass suspicion.
2. Voice Call Phishing (Vishing)
A worrying evolution is the use of Teams’ voice chat function. Hunters observed that “an external sender can, by default, call an organizational user without first sending a message… and no warning pop-up appears on the victim’s side.”
This lack of warning makes voice-based phishing an attractive vector for attackers, particularly when combined with impersonation tactics.
3. Screen Sharing & Remote Control
Teams’ collaboration features can be exploited to request screen sharing. While remote control is blocked by default, if an organization enables it, the attack surface expands dramatically.
4. Malware Delivery via SharePoint Links
Hunters demonstrated that adversaries can embed malicious file links by manipulating HTTP requests. “Even though incoming One-On-One chats shouldn’t include attached files by design… this option is available and not to ignore it.”
Because attachments are actually stored in SharePoint, attackers can modify them after sending, creating a persistent malware delivery channel.
5. Meetings as a Warning Bypass
Perhaps most concerning, Hunters found that Teams Meetings can bypass warning banners. “If a threat actor created an instant meeting and called the victim from this meeting… a text-based communication with the victim will be allowed from this point forward, without the warning banner.”
This flaw allows attackers to lure users into “legitimate” meeting chats that lack the normal red flags.
While Microsoft 365 generates audit logs for many Teams actions, significant blind spots remain. For example, incoming voice calls and screen-sharing events generate the same logs as standard chat messages, offering no clear way to distinguish them.
Hunters warns that defenders must carefully review ChatCreated and MessageSent artifacts, and monitor for suspicious domains such as onmicrosoft.com that attackers frequently use.
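As an added illustration of that review (not code from Hunters or Microsoft), the Python sketch below triages ChatCreated and MessageSent records for external senders. The log lines are constructed, and the JSON field names, the home domain example.com and the display-name keyword list are assumptions to adapt to your own audit export.

```python
import json

# Constructed sample records, one JSON object per line (not real tenant data).
# Field names (Operation, UserId, Members, UPN, DisplayName) are an assumed
# shape for exported Microsoft 365 Teams audit events.
SAMPLE_LOG = """
{"CreationTime":"2025-01-10T09:01:00","Operation":"ChatCreated","UserId":"helpdesk@it-support-example.onmicrosoft.com","Members":[{"UPN":"helpdesk@it-support-example.onmicrosoft.com","DisplayName":"IT Help Desk"},{"UPN":"alice@example.com","DisplayName":"Alice"}]}
{"CreationTime":"2025-01-10T09:01:05","Operation":"MessageSent","UserId":"helpdesk@it-support-example.onmicrosoft.com"}
{"CreationTime":"2025-01-10T09:05:00","Operation":"MessageSent","UserId":"bob@example.com"}
{"CreationTime":"2025-01-10T09:07:00","Operation":"ChatCreated","UserId":"sales@partner.example","Members":[{"UPN":"sales@partner.example","DisplayName":"Pat Sales"},{"UPN":"bob@example.com","DisplayName":"Bob"}]}
{"CreationTime":"2025-01-10T09:08:00","Operation":"FileAccessed","UserId":"user@other-example.onmicrosoft.com"}
"""

WATCHED_OPS = {"ChatCreated", "MessageSent"}
# Hypothetical keyword list for the fake IT / Help Desk personas the report describes.
LURE_WORDS = ("help desk", "helpdesk", "it support", "service desk")

def domain_of(upn):
    """Return the lower-cased domain part of a UPN, or '' if there is none."""
    return upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""

def triage(lines, home_domains):
    """Flag chat events whose initiator is outside home_domains.

    Per the report, calls and screen sharing log the same events as chat
    messages, so a hit means "external contact", not specifically a message.
    """
    findings = []
    for line in filter(None, map(str.strip, lines)):
        rec = json.loads(line)
        sender = rec.get("UserId", "")
        dom = domain_of(sender)
        if rec.get("Operation") not in WATCHED_OPS or not dom or dom in home_domains:
            continue
        reasons = ["external-sender"]
        if dom.endswith(".onmicrosoft.com"):
            reasons.append("onmicrosoft-domain")
        # Display names of chat members that belong to the sender's tenant.
        names = [m.get("DisplayName", "").lower() for m in rec.get("Members", [])
                 if domain_of(m.get("UPN", "")) == dom]
        if any(word in name for name in names for word in LURE_WORDS):
            reasons.append("it-impersonation-name")
        findings.append((rec.get("CreationTime"), rec["Operation"], sender, reasons))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines(), {"example.com"}):
        print(finding)
```

Legitimate partners also appear as external senders, so the reasons list is meant for ranking alerts rather than blocking outright.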
Microsoft Teams is now a frontline target for social engineering and malware campaigns. With attackers increasingly exploiting its default external communication settings, enterprises must urgently update detection strategies and educate users to prevent Teams from becoming the next dominant phishing vector.