Hackers Impersonate IT Support on Microsoft Teams to Steal Screen Control
Once confined to email, phishing has evolved onto platforms like Teams, where default external communication settings enable attackers to impersonate IT personnel, initiate voice and chat-based vishing attacks, and deliver malicious payloads—all while evading traditional security controls.
Attackers leverage compromised or attacker-created Microsoft 365 accounts to exploit Teams’ external collaboration features.
With the global shift to remote and hybrid work, many organizations leave Teams’ external messaging and calling enabled by default, granting adversaries a ready-made channel for intrusion.
Once an external account initiates a one-on-one chat or voice call, Microsoft’s standard warning banners often appear briefly before disappearing entirely once a user accepts the communication.
In some cases, attackers bypass warnings altogether by setting up instant meetings and tagging targets, which can trigger chat windows without the usual security prompts.
Threat actors have also found creative ways to bypass limitations on file sharing in one-on-one chats. By intercepting and modifying HTTP requests via tools like Burp Suite, they can embed malicious files hosted on their own SharePoint tenant, updating payloads even after delivery.
This flexibility ensures that attachments are delivered seamlessly, disguised as legitimate documents, further complicating detection.
Security Operations Centers (SOCs) must adapt quickly to this emerging threat. Unlike email, Teams interactions generate unique audit log events—principally ChatCreated and MessageSent.
Effective detection begins with monitoring for unusual external domains, especially newly registered onmicrosoft.com addresses, and patterns in sender display names that mimic IT or helpdesk staff.
Enrichment layers that correlate chat events with preceding email bombing (TIMailData entries) can boost confidence in true-positive cases by identifying suspicious spikes of related activity.
Advanced threat-hunting scripts can establish a baseline of commonly used external domains over a rolling 30- to 60-day period, flagging anomalous domains and high-risk communication types.
Further scoring layers should prioritize chats where the recipient accepted the external connection, replied within the thread, or where remote screen-sharing was requested immediately after chat initiation.
By integrating these signals into a next-generation SIEM, security teams can prioritize leads, rapidly investigate the most severe incidents, and automate alerts for potential Teams phishing attempts.
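As an added illustration of the detection logic described above (not code from the original article or from any vendor product), the following Python builds a baseline of external sender domains from a lookback window and scores constructed, simplified ChatCreated/MessageSent records on the signals named here: unseen external domains, onmicrosoft.com tenants, IT/helpdesk-style display names, recipient reply, and an immediate screen-share request. The record field names, the display-name pattern and the weights are assumptions to be tuned to your own audit log schema and environment.

```python
import re
from collections import Counter

INTERNAL_DOMAINS = {"contoso.com"}  # constructed: the defended tenant
# display-name pattern for IT/helpdesk impersonation (an assumption; tune locally)
IMPERSONATION = re.compile(r"\b(it|help ?desk|support|service ?desk)\b", re.I)

# constructed sender UPNs from the previous 60 days of external chats
HISTORY_UPNS = ["alice@partner.example", "alice@partner.example", "carl@vendor.example",
                "carl@vendor.example", "one-off@random.example"]

# constructed, simplified ChatCreated/MessageSent records; the field names are an
# assumption, not the exact unified audit log schema
SAMPLE_EVENTS = [
    {"Operation": "ChatCreated", "SenderUpn": "helpdesk@it-svc.onmicrosoft.com",
     "SenderDisplayName": "IT Help Desk", "RecipientReplied": True, "ScreenShareRequested": True},
    {"Operation": "MessageSent", "SenderUpn": "alice@partner.example",
     "SenderDisplayName": "Alice Partner", "RecipientReplied": True, "ScreenShareRequested": False},
    {"Operation": "MessageSent", "SenderUpn": "bob@contoso.com",
     "SenderDisplayName": "Bob Internal", "RecipientReplied": True, "ScreenShareRequested": True},
]

def sender_domain(upn):
    return upn.rsplit("@", 1)[-1].lower()

def build_baseline(history_upns, min_count=2):
    # external domains seen at least min_count times in the lookback window
    counts = Counter(sender_domain(u) for u in history_upns
                     if sender_domain(u) not in INTERNAL_DOMAINS)
    return {d for d, n in counts.items() if n >= min_count}

def score_event(ev, baseline):
    # returns (score, reasons); internal senders are out of scope and score 0
    dom = sender_domain(ev["SenderUpn"])
    if dom in INTERNAL_DOMAINS:
        return 0, []
    signals = [
        (dom not in baseline, 3, f"external domain not in baseline: {dom}"),
        (dom.endswith(".onmicrosoft.com"), 2, "onmicrosoft.com tenant (often newly created)"),
        (bool(IMPERSONATION.search(ev["SenderDisplayName"])), 3, "display name mimics IT/helpdesk"),
        (ev.get("RecipientReplied", False), 1, "recipient accepted and replied"),
        (ev.get("ScreenShareRequested", False), 3, "screen share requested right after chat start"),
    ]
    return sum(w for hit, w, _ in signals if hit), [why for hit, _, why in signals if hit]

def hunt(events, baseline, threshold=5):
    # events at or above threshold, highest score first, for analyst triage
    hits = [(ev["SenderUpn"], *score_event(ev, baseline)) for ev in events]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])
```

Feeding real audit exports through `hunt(events, build_baseline(history))` yields a ranked lead list; the threshold and weights should be calibrated against a few weeks of your own external chat volume before alerting on them.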
As attackers continue to refine Teams-based tactics—shifting fluidly between text, voice, and meeting contexts—organizations must harden their collaboration security posture.
Disabling default external access where possible, educating users to recognize helpdesk impersonation techniques, and deploying robust audit log monitoring are critical steps to stay ahead of this evolving phishing frontier.
By making Teams phishing detection a top priority, SOCs can close this gap before it becomes the norm for initial access.
The post Hackers Impersonate IT Support on Microsoft Teams to Steal Screen Control appeared first on Cyber Security News.