They Slid Into Your DMs: How Hackers Are Weaponising Microsoft Teams to Breach Your Business
You’ve trained your users not to click dodgy email links. You’ve rolled out multifactor authentication. You’ve finally tamed the beast that is your spam filter.
So you’d be forgiven for thinking your Microsoft Teams environment was a relatively safe space.
Unfortunately, threat actors disagree.
In a rather elegant pivot, cybercriminals have started exploiting Microsoft Teams’ external chat functionality to deliver phishing links and malware — all under the guise of a legitimate, internal-seeming conversation. And if you thought your users clicked suspicious links in emails, wait until you see how fast they engage with a Teams message that looks like it's from the HR department.
Let’s break down how this attack works, why it’s effective, and what you can do to stop your organisation becoming the next cautionary tale.
The Attack: Teams as a Trojan Horse
In recent months, cybersecurity researchers have observed a spike in attacks using Teams chats as the primary delivery mechanism. Here’s how it plays out:
The Setup: The attacker creates or compromises a Microsoft 365 tenant. Sometimes it’s a newly registered one that looks like a law firm or supplier. Other times, it’s an actual compromised organisation.
The Domain Game: They register a domain that looks legitimate — something like @smithlegalconsult.co instead of @smithlegalconsult.com.
The Message: Using Teams’ built-in functionality for external collaboration, they send chats directly to your users — often with lures like:
“New HR document for review”
“Payment portal update”
“Shared invoice – please verify”
“Security issue detected – click to resolve”
The Hook: Clicking the link leads to either:
A phishing page mimicking the Microsoft login portal (increasingly an adversary-in-the-middle kit that relays the real login, so the victim completes MFA and the attacker walks away with the resulting session token), or
A malicious payload download.
Teams does mark the conversation as external, with a banner saying someone from another organisation is messaging you, but it then shows the sender’s display name and avatar far more prominently than their domain. Users read the name, not the banner, and that gives them a false sense of security, especially when the attacker borrows the name and logo of a company they already deal with.
“How Is That Even Allowed?”
Here’s where we need to talk about Microsoft’s default behaviour.
By default, the Teams external access setting is “Allow all external domains”: anyone in any other Microsoft 365 tenant can message your users unless you have explicitly blocked their domain, and a separate toggle governs whether unmanaged, personal Teams accounts can reach them too.
Why? Because Microsoft loves interoperability and collaboration. They want Teams to become the new universal platform for business communication — like Slack, but baked into every M365 subscription on the planet.
That’s not inherently a bad idea. But when you combine that vision with:
An overly trusting user base
Weak external domain visibility
The lack of obvious red flags in the Teams UI
...you get a playground for social engineers.
To be fair, Microsoft has offered policy controls to restrict or block external communication, but most IT admins either don’t know about them or leave the defaults in place. Because let’s be honest, the setting lives in the Teams admin centre (under Users > External access), not in the Microsoft 365 admin centre where most people go looking first, and finding it is a sport unto itself.
Why It Works So Well
This attack isn’t just clever. It’s scarily effective. Here’s why:
It bypasses email filters – The message never travels as email, so Exchange Online Protection, your mail flow rules and your secure email gateway never see it and have no domain reputation to flag.
It lands directly in the app – The link arrives inside a trusted, already-signed-in client, with no extra security gateway in the path unless you have deliberately put one there.
Users drop their guard – They think Teams is “internal” and treat it with more trust.
It mimics day-to-day workflow – Most people get files or links via Teams every day.
Once the attacker lands the click, the real damage begins. They might capture credentials, drop a remote access trojan, or begin lateral movement if they gain a foothold.
This method also fits neatly into multi-stage attacks — for example, using Teams to grab credentials and then pivoting to Business Email Compromise (BEC) or ransomware.
Detection and Response
The bad news: These chats don’t pass through the mail pipeline, so none of the alerts or message traces you rely on for phishing email will fire. Teams chat events are written to the Microsoft 365 unified audit log (operations such as MessageSent and ChatCreated, including whether the chat has participants from another tenant), but nothing alerts on them unless you build it.
The good news: If you’re using tools like Microsoft Defender for Office 365 or Sentinel, you can start to piece things together from that audit data with some effort.
Here’s what to look for:
Unusual Teams activity, especially external chats from unknown domains.
Repeated login attempts or failures following a Teams link click.
New device registrations or token refreshes that don’t match normal patterns.
Unusual file sharing or OneDrive activity, especially downloads immediately after a chat.
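The lookalike-domain trick from the attack walkthrough and the detection points above can be turned into a first-pass triage script. The following is an added example, not code from the original article: it reads Teams chat audit records, skips internal senders and approved partners, and flags everything else, scoring the sender’s domain against your own and your partners’ domains so a .co-for-.com swap or a one-character typosquat is called out by name. The records are constructed to resemble the AuditData JSON that Search-UnifiedAuditLog returns for MicrosoftTeams events; the field names used (UserId, Members, ParticipantInfo) and all domain names are assumptions to verify against records from your own tenant.

```powershell
# Added example (not from the original article). Triage Teams chat audit records for
# external senders that are not approved partners and flag lookalike domains.
# Domains and records below are CONSTRUCTED placeholders; verify field names against
# real AuditData from your tenant before relying on this.

$OurDomain             = 'fabrikam.com'                             # placeholder
$AllowedPartnerDomains = @('smithlegalconsult.com', 'contoso.com')  # placeholders

# Constructed sample records in the assumed AuditData shape.
$SampleAuditData = @(
    '{"CreationTime":"2025-03-04T09:12:11","Operation":"MessageSent","Workload":"MicrosoftTeams","UserId":"anna.lee@smithlegalconsult.co","CommunicationType":"OneOnOne","ParticipantInfo":{"HasForeignTenantUsers":true},"Members":[{"UPN":"anna.lee@smithlegalconsult.co"},{"UPN":"ben.clark@fabrikam.com"}]}',
    '{"CreationTime":"2025-03-04T09:15:40","Operation":"MessageSent","Workload":"MicrosoftTeams","UserId":"dana.ng@contoso.com","CommunicationType":"OneOnOne","ParticipantInfo":{"HasForeignTenantUsers":true},"Members":[{"UPN":"dana.ng@contoso.com"},{"UPN":"ben.clark@fabrikam.com"}]}',
    '{"CreationTime":"2025-03-04T09:20:02","Operation":"MessageSent","Workload":"MicrosoftTeams","UserId":"ben.clark@fabrikam.com","CommunicationType":"OneOnOne","ParticipantInfo":{"HasForeignTenantUsers":false},"Members":[{"UPN":"ben.clark@fabrikam.com"},{"UPN":"eve.park@fabrikam.com"}]}',
    '{"CreationTime":"2025-03-04T09:31:55","Operation":"ChatCreated","Workload":"MicrosoftTeams","UserId":"it-support@payroll-portal-help.onmicrosoft.com","CommunicationType":"GroupChat","ParticipantInfo":{"HasForeignTenantUsers":true},"Members":[{"UPN":"it-support@payroll-portal-help.onmicrosoft.com"},{"UPN":"ben.clark@fabrikam.com"},{"UPN":"eve.park@fabrikam.com"}]}'
)

function Get-LevenshteinDistance {
    # Classic edit distance, used to catch one- or two-character typosquats.
    param([string]$A, [string]$B)
    $prev = 0..$B.Length
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = @($i) + @(0) * $B.Length
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

function Test-LookalikeDomain {
    # Returns the trusted domain that $Domain imitates, or $null if it resembles none.
    # Two heuristics: same first label with a different suffix (smithlegalconsult.co vs
    # smithlegalconsult.com), or an edit distance of 2 or less. First-label comparison
    # is a simplification; a real deployment would use a public-suffix list.
    param([string]$Domain, [string[]]$TrustedDomains)
    $d = $Domain.ToLowerInvariant()
    if ($TrustedDomains -contains $d) { return $null }   # exact match is trusted, not a lookalike
    $dLabel = ($d -split '\.')[0]
    foreach ($trusted in $TrustedDomains) {
        $t = $trusted.ToLowerInvariant()
        if ((($t -split '\.')[0] -eq $dLabel) -or ((Get-LevenshteinDistance $d $t) -le 2)) { return $t }
    }
    return $null
}

function Find-SuspiciousExternalChats {
    # Emits one object per chat event whose sender is neither internal nor an approved partner.
    param([string[]]$AuditData, [string]$OurDomain, [string[]]$AllowedDomains)
    foreach ($raw in $AuditData) {
        $rec = $raw | ConvertFrom-Json
        if ($rec.Workload -ne 'MicrosoftTeams' -or $rec.Operation -notin @('MessageSent', 'ChatCreated')) { continue }
        $senderDomain = ($rec.UserId -split '@')[-1].ToLowerInvariant()
        if ($senderDomain -eq $OurDomain) { continue }              # internal sender
        if ($AllowedDomains -contains $senderDomain) { continue }   # approved partner
        $lookalike = Test-LookalikeDomain -Domain $senderDomain -TrustedDomains (@($OurDomain) + $AllowedDomains)
        [pscustomobject]@{
            Time       = $rec.CreationTime
            Operation  = $rec.Operation
            Sender     = $rec.UserId
            Recipients = (@($rec.Members.UPN) | Where-Object { $_ -ne $rec.UserId }) -join '; '
            Reason     = if ($lookalike) { "Lookalike of trusted domain $lookalike" } else { 'External domain not on the partner allow list' }
        }
    }
}

# Run over the constructed sample. For production, replace $SampleAuditData with:
#   (Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -RecordType MicrosoftTeams).AuditData
Find-SuspiciousExternalChats -AuditData $SampleAuditData -OurDomain $OurDomain -AllowedDomains $AllowedPartnerDomains |
    Format-Table -AutoSize
```

On the sample, the contoso.com message and the internal chat are skipped; the smithlegalconsult.co sender is reported as a lookalike of smithlegalconsult.com, and the onmicrosoft.com sender is reported simply as not being on the allow list. Correlating the flagged rows with sign-in failures, new device registrations or token refreshes for the recipients in the minutes that follow (the other three indicators above) is what turns a noisy list into an incident.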
What You Can Do (Without Breaking Teams)
Audit and Tweak External Access Settings
Go into the Teams Admin Centre > Users > External Access.
Switch from “Allow all external domains” to “Allow only specific external domains” (or block the domains you don’t work with), and decide whether unmanaged personal Teams accounts should be able to reach your users at all.
Use an allow list of partner organisations you trust, and review it when a partnership ends.
Enable Safe Links for Teams (Defender for Office 365)
Defender for Office 365 (the product formerly known as Office 365 Advanced Threat Protection) includes Safe Links for Teams.
That means it can rewrite and scan links in Teams chats and block malicious ones at click time — assuming you’ve licensed it and the Teams toggle is enabled in each Safe Links policy; it is a per-policy setting, so check every policy, not just one.
Monitor and Alert
Ingest the Microsoft 365 audit data into Sentinel or your SIEM and alert when a chat is initiated by a domain that is not on your partner allow list.
Flag users receiving unexpected external chats for review, and treat a sign-in failure or new device registration from the same user shortly afterwards as a priority.
Train Your Users
Add Teams to your security awareness training.
Remind staff: Just because it’s in Teams doesn’t mean it’s safe.
Teach them to verify unknown contacts, even in chat.
Review Conditional Access
Apply tighter controls on risky sign-ins and MFA policies.
Consider blocking authentication from specific regions or using stricter device compliance policies.
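The five steps above can be carried out, reviewed and repeated from PowerShell. The following is an added example, not code from the original article or from Microsoft: it snapshots the current federation configuration, switches external access to an explicit partner allow list, closes the unmanaged-account and trial-tenant side doors, creates a Safe Links policy that covers Teams, and adds a report-only Conditional Access policy for risky sign-ins. The domain names are placeholders, and the choice of a dedicated Safe Links policy and of report-only mode are this example’s assumptions.

```powershell
# Added example (not from the original article or from Microsoft). Hardening steps as
# PowerShell. Requires the MicrosoftTeams, ExchangeOnlineManagement and Microsoft.Graph
# modules, a Teams/Security administrator role, and Entra ID P2 for sign-in risk policies.
# Domain names are placeholders.

$OurDomain      = 'fabrikam.com'                               # placeholder
$PartnerDomains = @('smithlegalconsult.com', 'contoso.com')    # placeholders

# --- 1. External access: record the current state before changing anything ---
Connect-MicrosoftTeams
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers

# Keep federation on, but only with an explicit allow list. Once the list is
# non-empty, every domain not on it is blocked for chat and calls.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @{ Add = $PartnerDomains }

# Close the side doors: personal (unmanaged) Teams accounts, Skype consumer users,
# and trial tenants, which are cheap for an attacker to spin up.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false -AllowPublicUsers $false `
    -ExternalAccessWithTrialTenants Blocked

# --- 2. Safe Links covering Teams chat as well as mail (Defender for Office 365 licence) ---
Connect-ExchangeOnline
New-SafeLinksPolicy -Name 'Teams and mail Safe Links' `
    -EnableSafeLinksForTeams $true -EnableSafeLinksForEmail $true `
    -ScanUrls $true -DeliverMessageAfterScan $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name 'Teams and mail Safe Links' `
    -SafeLinksPolicy 'Teams and mail Safe Links' -RecipientDomainIs $OurDomain

# --- 3. Conditional Access: require MFA on medium/high sign-in risk, report-only first ---
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'
$policy = @{
    displayName   = 'Require MFA for medium or high sign-in risk'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing the report
    conditions    = @{
        users            = @{ includeUsers = @('All') }
        applications     = @{ includeApplications = @('All') }
        signInRiskLevels = @('high', 'medium')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# --- 4. Verify ---
Get-CsTenantFederationConfiguration | Select-Object -ExpandProperty AllowedDomains
Get-SafeLinksPolicy | Select-Object Name, EnableSafeLinksForTeams
```

Two practical notes. Blocked domains fail silently from the other side, so confirm the allow list with a real partner before announcing the change. And before enforcing the Conditional Access policy, add your break-glass accounts to its exclusions; a stolen session token replayed from a new device is exactly the kind of risky sign-in this policy should catch, and you do not want it to lock out your own recovery accounts.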
Final Thoughts: Teams Is Great, But It’s Not Infallible
To be fair to Microsoft (yes, we’re being civil today), they’ve built a highly functional, flexible collaboration tool. Teams has become essential infrastructure for many businesses — and like all infrastructure, it can be abused.
The problem isn’t just the platform. It’s the assumptions we make about it.
We assume internal = safe. We assume collaboration = trust. We assume Teams isn’t a threat vector because it doesn’t feel like one.
Unfortunately, hackers have figured out exactly how to exploit those assumptions.
Now’s the time to treat your Teams environment with the same level of paranoia you apply to email — because if there’s one thing we’ve learned, it’s that your “internal” tools are only one misconfigured tenant or compromised account away from being very, very external.
Sources
| Source | URL |
|---|---|
| Cyber Security News | https://cybersecuritynews.com/hackers-leveraging-teams-messages/ |
| Microsoft Learn | https://learn.microsoft.com/en-us/microsoftteams/external-access-admin |
| Microsoft 365 Defender | https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-safe-links-policies?view=o365-worldwide |
| Microsoft Security Blog | https://www.microsoft.com/security/blog/2023/07/12/defending-microsoft-teams-against-phishing-attacks/ |
| Proofpoint | https://www.proofpoint.com/us/blog/threat-insight/phishing-microsoft-teams |