Attackers are exploiting Microsoft Teams to pose as IT support, trick users into granting external access, and bypass multi-factor authentication protections. On June 8, 2026, Palo Alto Networks' Unit 42 issued a warning that this sophisticated social engineering campaign is actively targeting organizations worldwide, leveraging the trust employees place in collaboration platforms.

This isn't just another phishing email — it's a direct, real-time attack that weaponizes the very tools companies depend on for daily work. By initiating a chat through Microsoft Teams, threat actors bypass traditional email filters and land directly in an employee's line of sight, often with alarming success.

How the Attack Works

The attack chain begins with a simple Teams message from an external account carefully crafted to resemble IT support. The sender name might be "Helpdesk" or "IT Admin," and the message often carries a sense of urgency — claiming a password reset is needed, a security alert requires immediate action, or a system update demands verification.

Upon accepting the chat request, the victim is steered to a malicious link or, more commonly, asked to approve a prompt — like a Multi-Factor Authentication (MFA) push notification — that the attacker has triggered using compromised or leaked credentials. The entire exchange happens inside a platform that many users inherently trust, dramatically lowering their guard.

Crucially, the attack relies on Microsoft Teams' default configuration, which allows external users to send messages to anyone in the organization unless explicitly restricted. Attackers often register domains with names similar to the target company (typosquatting) or use free email providers to create an initial foothold. Once a conversation is accepted, the attacker can send embedded images, files, or links that host credential-harvesting pages.

Why Teams Is an Attractive Vector for Phishing

Collaboration platforms like Teams have become the backbone of remote and hybrid work — and a goldmine for attackers. Unlike email, which has decades of security layers and a healthy level of user skepticism, Teams messages are perceived as more personal and immediate. Users are conditioned to respond quickly, often without the same scrutiny they might apply to an email.

Add to that the blurred line between internal and external communications. Teams displays a small "External" tag next to messages from outside the organization, but many users overlook this indicator, especially when the sender name appears legitimate. Attackers further obscure the warning by naming their accounts with plausible IT titles and using professional-looking profile pictures.

The platform also offers multimedia capabilities that phishers exploit. A Teams message can include a .gif that, when clicked, redirects to a fake login page. Or it can display a QR code that, when scanned, leads to a credential-theft site. These variants make the attack harder to detect and block, as they often bypass URL scanning defenses.

Bypassing MFA: The Reverse-Proxy Technique

Multi-factor authentication is widely considered a strong defense against credential phishing, but this campaign demonstrates how determined attackers can circumvent it. Unit 42's report highlights the use of Adversary-in-the-Middle (AitM) proxies — also known as reverse-proxy phishing kits.

In an AitM attack, the phishing site acts as a relay between the user and the legitimate Microsoft login page. When the victim enters their credentials and approves the MFA prompt, the attacker captures both the password and the session token. That token is then immediately used to log in as the user from the attacker's machine, independent of any MFA requirement.

This technique effectively neutralizes MFA because the attacker isn't trying to brute-force credentials — they're stealing the authenticated session. Even FIDO2 hardware keys can be defeated if the attacker successfully proxies the authentication flow, though such attacks are more complex.

The captured session token often grants access not just to Teams, but to the entire Microsoft 365 suite: Outlook, SharePoint, OneDrive. From there, attackers can launch business email compromise (BEC), exfiltrate sensitive data, or pivot to other accounts.

The Human Element: Social Engineering Tactics

Technology alone doesn't make this attack work — it's the psychological manipulation. Attackers exploit common IT workflows: "Your password is expired, please verify now so you don't lose access." Or they impersonate a known brand or service provider, claiming an invoice needs review.

One variant observed by researchers involves the attacker initiating a Teams call, not just a chat. The caller, pretending to be IT, guides the victim through a series of steps that end with them sharing their screen, revealing session tokens, or granting remote access. Voice-based social engineering can be even more convincing, as it mimics a real helpdesk experience.

Attackers have also been seen joining public Teams channels — if the organization allows external participation — and posting malicious links or files that anyone can click. This wide-net approach can compromise multiple users with a single post.

Real-World Impact and Examples

Unit 42's advisory is not theoretical. In one documented case, an energy company employee accepted a Teams chat from "Microsoft Support," followed a link to a spoofed Office 365 login page, and entered credentials along with an MFA code. Within minutes, the attacker had set up mailbox forwarding rules and sent fraudulent invoices to partners.

Another incident involved a financial services firm where the attacker used a compromised session to access SharePoint and download sensitive merger documents. The breach went undetected for over a week because the attacker's activity looked like normal user behavior — they didn't need to install malware, just use the existing tools.

These attacks often escalate laterally. Once inside, attackers move to other collaboration channels like Slack or Discord, or to cloud storage, making containment difficult. They also frequently use the compromised Teams account to phish other employees internally, spreading the attack organically.

Defending Against Teams Phishing

Organizations can significantly reduce risk with a combination of configuration changes, user education, and monitoring.

Restrict External Communications
- In the Teams admin center, under External access, disable communication with all external domains except those explicitly allowed. This prevents strangers from messaging your users out of the blue.
- For Teams meetings and chats with external partners, enforce a policy that requires external participants to wait in the lobby unless invited.
- Consider disabling external access entirely for high-risk groups like finance or HR until a formal vetting process is in place.

Strengthen Authentication Policies
- Move away from phone-based or SMS MFA to more phishing-resistant methods like Windows Hello for Business, FIDO2 security keys, or certificate-based authentication.
- Enforce Conditional Access policies that require compliant devices, limit access to trusted IP ranges, and block logins from anonymizing services or high-risk geographies.
- Activate Microsoft's built-in risk-based policies in Azure AD Identity Protection: user risk and sign-in risk can automatically block suspicious sessions.

Improve User Awareness
- Teach employees to verify the "External" tag on all Teams messages, and to question unexpected chat requests — even from familiar names.
- Run simulated phishing campaigns that use Teams messages, not just emails, so users build muscle memory for this threat vector.
- Establish a clear internal process: "IT will never ask for your password or MFA code via chat. If in doubt, call the helpdesk directly using a known number."

Enable Technical Safeguards
- Use Microsoft Defender for Office 365 Plan 2 to scan links and attachments inside Teams messages in real time. The same Safe Links technology that protects email can extend to Teams if configured correctly.
- Turn on Microsoft 365 audit logging and create alerts for suspicious activities: external chat accepted by a VIP account, creation of inbox forwarding rules, or anomalous file downloads.
- Integrate Teams logs with a SIEM for cross-platform correlation.
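As an added example (not code from the Unit 42 report or from Microsoft), the following Python check implements two of the alerts listed above over constructed records shaped like Microsoft 365 unified audit log entries: inbox rules that forward or redirect mail outside the organization's domains, and a burst of file downloads by a single account. The record fields are reduced for the example and the organization's domain list is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAINS = {"example.com"}  # assumption: the tenant's own accepted domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed sample records, shaped like unified audit log entries (reduced fields).
SAMPLE_LOG = [
    {"CreationTime": "2026-06-08T09:02:11", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "ForwardTo", "Value": "payments@mail-example.net"}]},
    {"CreationTime": "2026-06-08T09:05:00", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Projects"}]},
] + [  # 12 SharePoint downloads by one account within 11 minutes
    {"CreationTime": f"2026-06-08T10:{i:02d}:00", "Workload": "SharePoint",
     "Operation": "FileDownloaded", "UserId": "alice@example.com",
     "SourceFileName": f"merger-{i}.docx"} for i in range(12)
]

def external_forwarding_rules(records):
    """(user, parameter, address) for inbox rules that send mail outside ORG_DOMAINS."""
    hits = []
    for r in records:
        if r.get("Workload") != "Exchange" or r.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        for p in r.get("Parameters", []):
            if p["Name"] not in FORWARD_PARAMS:
                continue
            for addr in map(str.strip, p["Value"].split(";")):  # cmdlet allows several
                if addr.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS:
                    hits.append((r["UserId"], p["Name"], addr))
    return hits

def download_bursts(records, threshold=10, window=timedelta(minutes=15)):
    """{user: peak count} for accounts downloading >= threshold files in one window."""
    per_user = defaultdict(list)
    for r in records:
        if r.get("Operation") == "FileDownloaded":
            per_user[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged
```

Both functions return plain values so the same logic can be dropped into a SIEM scheduled search or a script run against exported audit log JSON; tune the download threshold and window to the baseline for your tenant.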

Microsoft's Response and Recommendations

Microsoft has acknowledged the threat and has been rolling out incremental protections. Since early 2025, a new admin control called "External Chat Safety" (currently in public preview) allows organizations to require all external chats to be approved by a moderator or to display a more prominent warning banner. The company has also improved the visibility of the "External" tag and now shows the full email domain in the chat header, making it harder to spoof.

Additionally, Microsoft Defender for Office 365 now includes dedicated Teams attack simulation templates, so administrators can test their user base against these exact scenarios. And the Automated Investigation & Response (AIR) capabilities in Defender have been extended to revoke session tokens automatically when a user clicks a known phishing link — reducing the window of exposure.

In the June 8 Unit 42 post, researchers also suggest organizations use the "Report Message" add-in for Teams, allowing users to flag suspicious chats directly to the security team, similar to the Phish Alert Button in Outlook.

What Individual Users Can Do

Even without admin-level changes, individual users can adopt safer habits:
- Hover over links before clicking — the true URL will appear in a tooltip and often reveals a bogus destination.
- Never approve an MFA prompt you didn't initiate. If you receive an unexpected push notification, deny it and immediately report it to IT.
- Be skeptical of urgency. Any message claiming immediate action is a red flag. Legitimate IT support rarely demands instant responses via Teams.
- Use the Teams mobile app with caution. The smaller screen can hide important security indicators, making phishing messages appear even more legitimate.
- Verify through another channel. If a colleague or IT staffer contacts you on Teams with a sensitive request, reach out via email or phone to confirm.

The combination of a well-prepared workforce and properly configured defenses creates a layered security posture that can blunt the impact of these attacks, even before new technical patches arrive.

Looking Ahead

As collaboration platforms become more deeply embedded in business operations, attacks mimicking this model will likely evolve. Expect to see AI-generated voice deepfakes in Teams calls, automated chat bots that adapt to user responses, and more targeted spear-phishing using data scraped from LinkedIn or public Teams profiles.

Microsoft has signaled that further enhancements to external identity verification are on the roadmap, including possible integration with Verified ID for external participants. For now, organizations must assume that the lock on the front door — MFA — can be picked, and build additional defenses around it.

The message from Unit 42 is clear: Treat Teams as a critical attack surface, and invest in the same level of security hygiene you would for email. Because the attackers already have.