Microsoft has issued a warning that cybercriminals are exploiting Microsoft Teams to steal data, deliver malware, impersonate trusted sources, and trick users into sharing sensitive information. The platform has become a high-value target for hackers and state-sponsored groups.

Experts from Microsoft Threat Intelligence report that Teams can be abused at nearly every stage of the attack chain, from reconnaissance to credential theft and extortion.
Attackers rely heavily on social engineering — creating fake profiles, buying legitimate domains, and posing as IT staff or technical support. They contact users through chat messages or calls, convincing them to click malicious links or install remote access tools such as AnyDesk.
Microsoft provided several examples:
Storm-1674, an access broker, used the TeamsPhisher tool to spread DarkGate and other malware.
Hackers posing as clients on Teams calls persuaded victims to install remote access tools, later used to deploy ransomware.
Threat actors leveraged admin tools like AADInternals to push malicious payloads directly into Teams.
Additionally, deepfake technology and fake authority personas are increasingly being used to boost credibility during scams.
Hackers exploit Teams’ built-in functions, such as external user communication and status visibility, to identify weaker accounts. After gaining access, they maintain control through persistence techniques such as adding guest accounts, altering startup files, or installing hidden scripts.
Microsoft recommends administrators harden security across identity, endpoints, data, and network layers, enabling multi-factor authentication and restricting external access.
Microsoft stresses that ordinary Teams users are often the easiest targets. Even from an account without admin privileges, attackers can steal data or install malicious tools. The company urges organizations to update their systems, educate employees on phishing awareness, and review external access policies to mitigate risks.
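For defenders, the pattern described above (an external contact posing as IT support, followed by a remote access tool such as AnyDesk starting on the recipient's machine) can be hunted by correlating chat and endpoint telemetry. The sketch below is an added example, not code from Microsoft or from the original article; the event schema, tenant domain, keyword list, and one-hour window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumed values for illustration: tenant domain, role keywords, tool list, time window.
INTERNAL_DOMAINS = {"contoso.example"}
SUPPORT_WORDS = ("help desk", "helpdesk", "it support", "technical support", "service desk")
REMOTE_TOOLS = {"anydesk.exe"}
WINDOW = timedelta(minutes=60)

# Constructed sample events in a simplified, hypothetical schema (not a real log export).
CHAT_EVENTS = [
    {"time": "2025-01-10T09:02:00", "sender": "it.support@helpdesk-contoso.example",
     "sender_name": "IT Support", "recipient": "alice@contoso.example"},
    {"time": "2025-01-10T09:05:00", "sender": "bob@contoso.example",
     "sender_name": "Bob", "recipient": "alice@contoso.example"},
    {"time": "2025-01-10T10:00:00", "sender": "sales@partner.example",
     "sender_name": "Dana (Partner Sales)", "recipient": "carol@contoso.example"},
]
PROCESS_EVENTS = [
    {"time": "2025-01-10T09:20:00", "user": "alice@contoso.example", "image": "C:\\Users\\alice\\Downloads\\AnyDesk.exe"},
    {"time": "2025-01-10T10:30:00", "user": "carol@contoso.example", "image": "C:\\Windows\\System32\\notepad.exe"},
    {"time": "2025-01-10T15:00:00", "user": "dave@contoso.example", "image": "C:\\Tools\\AnyDesk.exe"},
]

def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def suspicious_chats(chats):
    """External senders whose display name claims an IT or support role."""
    return [c for c in chats
            if is_external(c["sender"])
            and any(w in c["sender_name"].lower() for w in SUPPORT_WORDS)]

def correlate(chats, processes):
    """Pair each suspicious chat with a remote access tool started by the recipient within WINDOW."""
    alerts = []
    for chat in suspicious_chats(chats):
        t_chat = datetime.fromisoformat(chat["time"])
        for proc in processes:
            exe = proc["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            delta = datetime.fromisoformat(proc["time"]) - t_chat
            if (proc["user"] == chat["recipient"] and exe in REMOTE_TOOLS
                    and timedelta(0) <= delta <= WINDOW):
                alerts.append((chat["recipient"], chat["sender"], exe, int(delta.total_seconds() // 60)))
    return alerts

if __name__ == "__main__":
    for alert in correlate(CHAT_EVENTS, PROCESS_EVENTS):
        print("ALERT user=%s sender=%s tool=%s minutes_after_chat=%d" % alert)
```

On the constructed data this raises one alert for the user contacted by the external "IT Support" sender; the AnyDesk launch with no preceding external chat and the ordinary partner conversation are not flagged.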