Microsoft Threat Intelligence has released an extensive report detailing how both cybercriminals and state-sponsored actors are weaponizing Microsoft Teams, exploiting its collaboration features — messaging, meetings, file sharing, and external federation — to breach enterprise environments and sustain long-term access.
As Microsoft writes, “The extensive collaboration features and global adoption of Microsoft Teams make it a high-value target for both cybercriminals and state-sponsored actors. Threat actors abuse its core capabilities – messaging, calls and meetings, and video-based screen-sharing – at different points along the attack chain.”
The report underscores that even as Teams has become an indispensable platform for remote work, it has also evolved into a convenient attack vector—a trusted entry point where adversaries blend into legitimate communication flows.
Every Teams account is backed by Microsoft Entra ID, and attackers exploit this tight integration to perform reconnaissance. Using open-source enumeration tools like TeamsEnum, TeamFiltration, and ROADtools, adversaries can map users, channels, and tenant configurations by abusing the Microsoft Graph API.
Microsoft explains that “from an API perspective, Teams is an object type that can be queried and stored in a local database for reconnaissance by enumerating directory objects, and mapping relationships and privileges.”
Such reconnaissance enables adversaries to determine whether a tenant allows external communication, identify active users through “presence” data, and assess whether privacy settings are disabled. This intelligence is often used for target selection and pretext crafting, especially when impersonating trusted IT or administrative personnel.
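The enumeration phase described above leaves a footprint on the defender's side: a single principal paging through the directory and presence collections far faster than any human using the Teams client would. The following Python script is an added example, not code from Microsoft's report or from any of the tools named above, that flags such bursts in Microsoft Graph activity records. The records, the principal names, the five-minute window and the threshold of 20 calls are all constructed for this illustration; the field names mirror the Graph activity log schema but should be checked against your own tenant's export.

```python
"""Added example: flag bursts of directory enumeration in Microsoft Graph
activity records. All records below are constructed for the illustration;
field names (RequestUri, RequestMethod, UserId, TimeGenerated) follow the
Graph activity log schema, and the window/threshold values are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Graph collections whose bulk listing is characteristic of tenant mapping:
# users, groups, teams, and the presence endpoints used to see who is online.
ENUM_PATH_PREFIXES = (
    "/v1.0/users",
    "/v1.0/groups",
    "/v1.0/teams",
    "/v1.0/communications/presences",
    "/v1.0/communications/getPresencesByUserId",
)


def is_enumeration_call(record):
    """True when the request reads one of the enumeration-prone collections."""
    if record["RequestMethod"] not in ("GET", "POST"):
        return False
    path = record["RequestUri"].split("?", 1)[0]
    path = path.replace("https://graph.microsoft.com", "")
    return path.startswith(ENUM_PATH_PREFIXES)


def detect_enumeration_bursts(records, window=timedelta(minutes=5), threshold=20):
    """Return {user_id: start_of_burst} for every principal that issues more
    than `threshold` enumeration calls inside any span of length `window`."""
    by_user = defaultdict(list)
    for r in records:
        if is_enumeration_call(r):
            by_user[r["UserId"]].append(datetime.fromisoformat(r["TimeGenerated"]))

    flagged = {}
    for user, times in by_user.items():
        times.sort()
        recent = deque()  # sliding window of timestamps within `window`
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) > threshold:
                flagged[user] = recent[0].isoformat()
                break
    return flagged


def build_sample_records():
    """Constructed input: one principal paging through /users every six
    seconds, and one ordinary user reading their own chats."""
    base = datetime(2025, 10, 1, 9, 0, 0)
    records = []
    for i in range(30):  # 30 list calls in three minutes
        records.append({
            "TimeGenerated": (base + timedelta(seconds=6 * i)).isoformat(),
            "UserId": "recon-principal",
            "RequestMethod": "GET",
            "RequestUri": f"https://graph.microsoft.com/v1.0/users?$top=999&$skiptoken={i}",
        })
    for i in range(5):  # normal Teams client activity
        records.append({
            "TimeGenerated": (base + timedelta(minutes=i)).isoformat(),
            "UserId": "normal-user",
            "RequestMethod": "GET",
            "RequestUri": "https://graph.microsoft.com/v1.0/me/chats",
        })
    return records


if __name__ == "__main__":
    print(detect_enumeration_bursts(build_sample_records()))
```

The sliding window is deliberately per principal rather than per tenant, because the recon tools named above typically run under one compromised or guest identity; a tenant-wide count would be diluted by legitimate client traffic. Tune the threshold against a week of your own baseline before alerting on it.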
Once reconnaissance is complete, sophisticated adversaries establish malicious Microsoft Entra ID tenants or hijack weakly configured legitimate ones to stage operations.
Microsoft notes, “Threat actors try to compromise weakly configured legitimate tenants, or even actually purchase legitimate ones if they have confidence they could ultimately profit.”
To appear credible, these actors often register custom domains and apply corporate branding—mirroring legitimate organizations or internal IT departments. These counterfeit tenants are then used to host phishing campaigns, social engineering operations, and malware distribution through Teams chat invitations or meeting links.
The report highlights how tech support scams and Teams-based phishing have become common tactics for initial access. In several cases, adversaries flooded victims’ inboxes with spam before initiating a Teams call posing as IT support, claiming they could fix the issue remotely.
One notable case involved Storm-1811, which impersonated technical support to trick users into executing malicious Remote Monitoring and Management (RMM) tools. “In 2024, for instance, Storm-1811 impersonated tech support, claiming to be addressing junk email issues that it had initiated. They used RMM tools to deliver the ReedBed malware loader of ransomware payloads and remote command execution.”
Another case, Midnight Blizzard, a Russia-linked group, successfully impersonated security and IT teams to convince victims to enter authentication codes—completing multi-factor authentication (MFA) flows on the attackers’ behalf.
Even ransomware affiliates are exploiting Teams. Microsoft cites 3AM ransomware operators adopting vishing and Teams impersonation tactics to gain remote access under the guise of stopping spam attacks, with threat actors even spoofing legitimate IT phone numbers.
Once inside, attackers use guest accounts, malicious tokens, and device code abuse to maintain persistence. Microsoft observed that “Storm-2372 had been capturing authentication tokens by exploiting device code authentication flows, partially by masquerading as Microsoft Teams meeting invitations.”
This allowed attackers to steal session tokens and sustain access even after password resets or MFA enforcement. Similarly, financially motivated actors like Storm-0324 leveraged the TeamsPhisher tool to deliver JSSLoader malware to ransomware groups such as Sangria Tempest, maintaining long-term footholds in enterprise environments.
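Because the device code flow is completed on the actor's machine while the victim only types a code into the Microsoft login page, the resulting sign-in record carries the attacker's IP address and the `deviceCode` authentication protocol. The Python triage below is an added example, not code from Microsoft's report, that separates such sign-ins from ordinary ones. The records and the per-user IP baseline are constructed; the column names follow the Entra ID `SigninLogs` schema, but the resource list and the severity rules are this example's own assumptions.

```python
"""Added example: triage Entra ID sign-in records for device code flows.
Records and the IP baseline are constructed for the illustration; column
names (AuthenticationProtocol, ResourceDisplayName, IPAddress,
UserPrincipalName) follow the SigninLogs schema, and the severity rules are
assumptions rather than anything prescribed by the report."""

# Resources whose tokens give broad access to mail, chat and directory data.
HIGH_VALUE_RESOURCES = {
    "Microsoft Graph",
    "Microsoft Teams",
    "Office 365 Exchange Online",
}

KNOWN_IPS = {  # constructed baseline: IPs previously seen for each user
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.5"},
}


def classify_signin(record, known_ips_for_user):
    """Return a severity for one sign-in record.

    'high'   : device code flow, from an IP never seen for this user, against
               a high-value resource
    'medium' : any other device code flow (still worth review)
    'none'   : any other authentication protocol
    """
    if record.get("AuthenticationProtocol") != "deviceCode":
        return "none"
    seen = known_ips_for_user.get(record["UserPrincipalName"], set())
    new_ip = record["IPAddress"] not in seen
    sensitive = record.get("ResourceDisplayName") in HIGH_VALUE_RESOURCES
    return "high" if (new_ip and sensitive) else "medium"


def triage(records, known_ips_for_user):
    """Return [(user, ip, severity)] for every device code sign-in, highest first."""
    hits = []
    for r in records:
        sev = classify_signin(r, known_ips_for_user)
        if sev != "none":
            hits.append((r["UserPrincipalName"], r["IPAddress"], sev))
    order = {"high": 0, "medium": 1}
    hits.sort(key=lambda h: order[h[2]])  # stable sort keeps log order within a tier
    return hits


def build_sample_signins():
    """Constructed SigninLogs-style records: one device code sign-in from an
    unfamiliar IP against Microsoft Graph, one from a familiar IP, and one
    ordinary browser sign-in that must not be flagged."""
    return [
        {"TimeGenerated": "2025-10-01T09:12:00", "UserPrincipalName": "alice@example.com",
         "IPAddress": "198.51.100.7", "AuthenticationProtocol": "deviceCode",
         "ResourceDisplayName": "Microsoft Graph"},
        {"TimeGenerated": "2025-10-01T09:30:00", "UserPrincipalName": "bob@example.com",
         "IPAddress": "203.0.113.5", "AuthenticationProtocol": "deviceCode",
         "ResourceDisplayName": "Microsoft Teams"},
        {"TimeGenerated": "2025-10-01T09:31:00", "UserPrincipalName": "carol@example.com",
         "IPAddress": "203.0.113.9", "AuthenticationProtocol": "none",
         "ResourceDisplayName": "Microsoft Teams"},
    ]


if __name__ == "__main__":
    for user, ip, severity in triage(build_sample_signins(), KNOWN_IPS):
        print(f"{severity:6s} {user} from {ip}")
```

A 'high' hit is the signal to revoke the user's refresh tokens rather than only reset the password, since the captured token survives a password change, as the passage above notes. If your tenant has no legitimate use for device code sign-ins, a Conditional Access policy blocking the flow removes the need to triage it at all.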
Threat actors increasingly exploit Teams admin roles for privilege escalation. If an attacker compromises an account with administrative permissions, they can change Teams policies, register devices, or alter identity federation settings to escalate privileges.
Microsoft warns, “If threat actors successfully compromise accounts or register actor-controlled devices, they often try to change permission groups to escalate privileges. If a threat actor successfully compromises a Teams admin role, this could lead to abuse of the permissions to use the admin tools that belong to that role.”
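The escalation chain Microsoft describes, a role grant followed by a device registration or a federation change, is visible in the Entra ID audit log as a small set of operation names executed by one initiating account within a short time. The Python detector below is an added example, not code from Microsoft's report, that groups those operations per initiator and reports any account that performs more than one category of them. The records, account names and domain are constructed; the operation names follow the Entra audit log's display names, but the category grouping and the "Teams"/"Global Administrator" keyword list are this example's own assumptions.

```python
"""Added example: correlate Entra ID audit-log operations into escalation
chains (sensitive role grant + federation change + device registration) per
initiating account. Records are constructed; operation names follow the
Entra AuditLogs display names, the categories and keywords are assumptions."""
from collections import defaultdict

ROLE_OPERATIONS = {"Add member to role", "Add eligible member to role"}
FEDERATION_OPERATIONS = {
    "Set federation settings on domain",
    "Set domain authentication",
    "Add unverified domain",
    "Verify domain",
}
# Roles whose holders can change Teams policies or the tenant's identity trust.
SENSITIVE_ROLE_KEYWORDS = ("Teams", "Global Administrator", "Privileged")


def _actor(record):
    """Initiator UPN, or the app display name when an app token acted."""
    init = record.get("InitiatedBy", {})
    user = (init.get("user") or {}).get("userPrincipalName")
    return user or (init.get("app") or {}).get("displayName", "unknown")


def classify_audit_event(record):
    """Map one audit record to (category, detail), or None when uninteresting."""
    if record.get("Result") != "success":
        return None
    op = record["OperationName"]
    targets = record.get("TargetResources", [])
    if op in FEDERATION_OPERATIONS:
        domain = next((t["displayName"] for t in targets if t.get("type") == "Domain"), "?")
        return ("federation_change", domain)
    if op in ROLE_OPERATIONS:
        role = next((t["displayName"] for t in targets if t.get("type") == "Role"), "")
        if any(k in role for k in SENSITIVE_ROLE_KEYWORDS):
            return ("sensitive_role_grant", role)
        return None
    if op == "Register device":
        return ("device_registration", targets[0]["displayName"] if targets else "?")
    return None


def find_escalation_chains(records):
    """Return {initiator: {category: detail}} for initiators that performed
    two or more distinct categories of flagged change."""
    by_actor = defaultdict(dict)
    for r in records:
        hit = classify_audit_event(r)
        if hit:
            by_actor[_actor(r)][hit[0]] = hit[1]
    return {actor: cats for actor, cats in by_actor.items() if len(cats) >= 2}


def build_sample_audit():
    """Constructed AuditLogs-style records: a help-desk account that grants
    Teams Administrator and then federates a new domain, and an admin whose
    single role grant is routine."""
    def rec(ts, op, actor, targets):
        return {"TimeGenerated": ts, "OperationName": op, "Result": "success",
                "InitiatedBy": {"user": {"userPrincipalName": actor}},
                "TargetResources": targets}
    return [
        rec("2025-10-01T10:00:00", "Add member to role", "helpdesk@example.com",
            [{"type": "User", "displayName": "Contractor Account"},
             {"type": "Role", "displayName": "Teams Administrator"}]),
        rec("2025-10-01T10:04:00", "Set federation settings on domain", "helpdesk@example.com",
            [{"type": "Domain", "displayName": "attacker-controlled.example"}]),
        rec("2025-10-01T11:00:00", "Add member to role", "itadmin@example.com",
            [{"type": "User", "displayName": "New Hire"},
             {"type": "Role", "displayName": "Teams Administrator"}]),
        rec("2025-10-01T11:05:00", "Update user", "itadmin@example.com",
            [{"type": "User", "displayName": "New Hire"}]),
    ]


if __name__ == "__main__":
    for actor, chain in find_escalation_chains(build_sample_audit()).items():
        print(actor, chain)
```

Any federation change is worth an alert on its own in most tenants; the chain logic is there so that a help-desk account doing a routine role assignment does not page anyone, while the same account touching domain authentication minutes later does.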
The financially motivated Octo Tempest group has been particularly aggressive, using social engineering and Teams-based communication to trick help desk personnel into granting MFA resets or federating new domains, thereby hijacking organizational identity flows.
Once entrenched, attackers use tools like AADInternals and AzureHound to enumerate Teams configurations, discover privileged users, and pivot laterally.
State-sponsored actors such as Peach Sandstorm have used malicious ZIP payloads shared via Teams to deploy reconnaissance tools like AD Explorer to capture snapshots of Active Directory databases.
Similarly, Void Blizzard, a Russia-affiliated espionage group, has been observed enumerating compromised organizations’ Entra ID configurations and extracting Teams chat histories to inform further targeting efforts.
In one of the more advanced developments, red-team tools such as Brute Ratel C4 (BRc4) and ConvoC2 have incorporated features to establish command-and-control (C2) channels through Teams messaging protocols.
Microsoft notes, “A cracked version of Brute Ratel C4 (BRc4) includes features to establish C2 channels with platforms like Microsoft Teams by using their communications protocols to send and receive commands and data.”
This technique allows adversaries to send commands embedded in Teams messages—blending in seamlessly with legitimate collaboration traffic—and even exfiltrate data via webhooks or Adaptive Cards.
The final stage of these attacks often involves data theft, extortion, or ransomware deployment. Threat actors leverage Teams not just for infiltration but also for psychological pressure, using compromised channels to taunt victims or contact executives.
Microsoft highlights that Octo Tempest—a financially motivated group linked to several high-profile ransomware cases—has “used communication apps, including Teams, to send taunting and threatening messages to organizations, defenders, and incident response teams as part of extortion and ransomware payment pressure tactics.”