Threat actors are using Microsoft Teams to impersonate internal IT departments and trick users into granting remote access via Quick Assist, which can lead to malware deployment, data exfiltration, and lateral movement [1]. This social engineering tactic exploits a weakness in how organizations manage external access: Microsoft Teams often allows any external user to send messages. The Rapid7 MDR team has observed a surge in these phishing campaigns, highlighting the need for increased vigilance. By posing as IT support, attackers can convincingly persuade users to compromise their own systems.

The campaign underscores the importance of robust access controls and user education. Its success relies on exploiting human psychology rather than sophisticated technical vulnerabilities, which makes it particularly challenging to detect and mitigate, so practitioners must prioritize awareness and training.
Rapid7 Guidance on Observed Microsoft Teams Phishing Campaigns
⚠️ Critical Alert
Why This Matters
The Rapid7 MDR team is currently monitoring an increase in phishing campaigns where threat actors (TAs) impersonate internal IT departments via Microsoft Teams.
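One way to hunt for the chain described above (an external Teams message followed by a Quick Assist launch by the same user) is sketched below as an added example; it is not Rapid7's detection logic. The event schema, the sample records, the 30-minute window and the keyword list are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

# Assumed keyword list for IT-themed display names; tune per environment.
IT_LURE_WORDS = ("help desk", "helpdesk", "it support", "service desk")

# Constructed sample data in a hypothetical normalized schema (not a real export format).
TEAMS_MESSAGES = [
    {"time": "2026-03-10T14:02:00", "recipient": "alice@corp.example", "sender": "admin@tenant-a.example", "sender_display": "IT Help Desk", "external": True},
    {"time": "2026-03-10T09:00:00", "recipient": "bob@corp.example", "sender": "helpdesk@corp.example", "sender_display": "Help Desk", "external": False},
    {"time": "2026-03-10T10:00:00", "recipient": "carol@corp.example", "sender": "rep@vendor.example", "sender_display": "Vendor Sales", "external": True},
    {"time": "2026-03-10T11:00:00", "recipient": "dave@corp.example", "sender": "pm@partner.example", "sender_display": "Partner Contact", "external": True},
]
PROCESS_STARTS = [
    {"time": "2026-03-10T14:09:00", "user": "alice@corp.example", "host": "WS-0141", "image": r"C:\Windows\System32\QuickAssist.exe"},
    {"time": "2026-03-10T09:05:00", "user": "bob@corp.example", "host": "WS-0200", "image": r"C:\Windows\System32\quickassist.exe"},
    {"time": "2026-03-10T13:00:00", "user": "carol@corp.example", "host": "WS-0317", "image": r"C:\Windows\System32\QuickAssist.exe"},
    {"time": "2026-03-10T11:20:00", "user": "dave@corp.example", "host": "WS-0402", "image": r"C:\Windows\System32\QuickAssist.exe"},
]

def correlate(messages, process_starts, window=timedelta(minutes=30)):
    """Flag Quick Assist launches preceded by an external Teams message to the same user."""
    findings = []
    for proc in process_starts:
        if basename(proc["image"]).lower() != "quickassist.exe":
            continue
        started = datetime.fromisoformat(proc["time"])
        for msg in messages:
            # Internal senders and other users' chats are out of scope for this hunt.
            if not msg["external"] or msg["recipient"] != proc["user"]:
                continue
            gap = started - datetime.fromisoformat(msg["time"])
            if timedelta(0) <= gap <= window:  # message must come first, within the window
                lure = any(w in msg["sender_display"].lower() for w in IT_LURE_WORDS)
                findings.append({
                    "user": proc["user"], "host": proc["host"], "sender": msg["sender"],
                    "gap_minutes": int(gap.total_seconds() // 60),
                    "severity": "high" if lure else "medium",
                })
    return findings

if __name__ == "__main__":
    for finding in correlate(TEAMS_MESSAGES, PROCESS_STARTS):
        print(finding)
```

The internal help desk session (bob) and the launch three hours after an external chat (carol) produce no finding; only the external sender with an IT-themed display name is rated high.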
References
- Rapid7. (2026, March 16). Rapid7 Guidance on Observed Microsoft Teams Phishing Campaigns. Rapid7 Blog. https://www.rapid7.com/blog/post/dr-guidance-on-observed-microsoft-teams-phishing-campaigns
Original Source
Rapid7 Blog