Microsoft has flagged a surge in attackers impersonating helpdesk staff through Teams to infiltrate enterprise networks. Threat actors are leveraging the platform's legitimacy to gain initial access and move laterally within organizations.
Microsoft security researchers have identified a growing trend of threat actors abusing Microsoft Teams for social engineering attacks targeting enterprise users.
Attackers are impersonating helpdesk or IT support staff in Teams conversations to trick employees into granting access credentials or executing malicious actions. The tactic exploits the platform's widespread use in corporate environments, where Teams appears as a trusted internal communication channel.
Once initial access is established, threat actors use Teams and other legitimate tools already present on compromised networks to move laterally and expand their foothold. This approach reduces detection risk compared to deploying custom malware.
The attacks typically begin with external Teams messages appearing to come from internal support roles. Victims are directed to authenticate through phishing links, share credentials, or run scripts for supposed security updates or account verification.
Microsoft recommends organizations implement multi-factor authentication across all accounts, restrict Teams external communications where possible, and train employees to verify support requests through secondary channels before responding to sensitive requests.
The advisory reflects broader challenges with Teams security as the platform's adoption has grown. Previous reports have documented Teams abuse in phishing campaigns, credential theft, and data exfiltration attempts.
Companies should review Teams policies to limit external collaboration, monitor for suspicious support-related conversations, and establish clear verification procedures for IT requests. Security teams should also track Teams activity logs for anomalous patterns indicating compromised accounts.
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned two individuals and one entity for enabling ransomware attacks against American organizations. The action targets infrastructure providers facilitating cyber threats.
As scam calls and messages proliferate, ordinary people are turning the tables on fraudsters through scambaiting—deliberately engaging scammers to waste their time and resources.
Security researchers have identified a defensive technique called "context bombing" that uses prompt injections to trigger an attacker's own AI guardrails, reducing the success rate of AI-based hacking attempts by approximately 90%.
The Los Angeles Police Department has declined to renew its contract with Flock Safety, citing data privacy concerns. The decision marks a shift in the department's approach to automated license plate reader technology.