Microsoft Teams is a powerful communications and collaboration platform published by Microsoft in 2017, both as a competitor to Slack and as a successor to Skype for Business. In the years that followed, more and more companies adopted Teams as their platform of choice because it is included in Microsoft 365 and integrates with other Microsoft products. Today the platform boasts over 300 million active users across the world.
This growing popularity comes at a cost, though. With its widespread adoption, Teams has made itself a valuable target for cyberattacks. Microsoft Teams, being an official product of Microsoft and deployed by large and secure companies, is inherently a high-trust environment. This means that users of Teams are not likely to question or scrutinise the content displayed to them in-app, which gives a huge advantage to social engineers. Furthermore, its Microsoft product integrations offer attackers a broader range of attack vectors, as malware and phishing attempts via OneDrive, Outlook or SharePoint can also be propagated through Teams.
In this article, we will explore the vulnerabilities of Microsoft Teams and discuss possible mitigations.
What Is Social Engineering?
"Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables."
Social engineering is a cyberattack technique where bad actors will leverage your human instincts against you in order to trick you into divulging sensitive information. For example, applying time pressure to victims can cause them to panic and act without consideration of consequence. If you have ever had a text message inciting you to act immediately in order to secure a refund, confirm a delivery or cancel an order, you may find yourself complying with the request without realising that you never made an order and aren't expecting any deliveries. Likewise, if you have ever been a target of the infamous Nigerian Prince scam, then you have also been the victim of a social engineering technique that leverages your compassion and perhaps your opportunism in order to defraud you of large sums of money.
At the heart of social engineering is the abuse of instincts and characteristics that are forgivably human, but easy to manipulate. In scenarios where you are receiving texts and emails from senders that you do not recognise, you may understandably be much more wary and therefore less likely to fall victim to such attacks - but what happens when the sender is a trusted colleague, or even your manager?
Social Engineering Attacks Against Teams
In 2023, security researchers discovered that DarkGate malware was being distributed via Microsoft Teams using a wide variety of techniques. In one instance, a company employee was contacted via Teams by an account that was external to their organisation and convinced through social engineering to download remote access software, allowing the attacker to install malware onto the employee's device. In another instance, users were directed via Teams to download a malicious script execution tool through Teams' integration with SharePoint. In another, instructions that duped users into downloading and installing DarkGate ransomware were distributed through Teams via a malicious PDF attachment.
DarkGate is a RAT, or Remote Access Trojan, that allows attackers to remotely access and control the victim's device. This may have allowed them to access corporate networks, enabling further attack techniques such as espionage or ransomware, and also the opportunity through Teams to impersonate the victimised employee, leveraging their trustworthiness and standing in the organisation to infect further devices.
In a separate attack, during the month of June, cybersecurity journals published details of an ongoing phishing campaign that exploited a known vulnerability in Microsoft 365's Direct Send feature, which allows connected devices such as printers to send emails from an internal address without need for authorisation. These emails bypass most filtering rules that companies deploy to protect their employees from email spam attacks. A malicious PDF attached to the email includes a QR code that leads to a fake Microsoft login page where user credentials are phished.
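One way a mail team could triage for the pattern described above, as an added example that is not part of the original article: flag messages that claim an internal sender but carry no passing DMARC result from your own gateway, and note when a PDF is attached. The domain `corp.example`, the gateway identifier `mx.corp.example` and both sample messages are assumptions constructed for illustration, and the check is a heuristic for review, not a verdict.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "corp.example"      # assumption: your organisation's mail domain
TRUSTED_AUTHSERV = "mx.corp.example"  # assumption: authserv-id stamped by your own gateway

def auth_verdicts(msg):
    """Collect spf/dkim/dmarc verdicts, trusting only our gateway's header."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        if header.split(";")[0].strip().lower() != TRUSTED_AUTHSERV:
            continue  # a header stamped by anyone else may have been forged
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts.setdefault(method.lower(), set()).add(verdict.lower())
    return verdicts

def triage(raw_message):
    """Return the reasons a message deserves review (empty list: nothing flagged)."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain != INTERNAL_DOMAIN:
        return []  # this check only covers mail that claims an internal sender
    if "pass" in auth_verdicts(msg).get("dmarc", ()):
        return []
    reasons = ["internal From address without a passing DMARC result"]
    if any(p.get_content_type() == "application/pdf" for p in msg.walk()):
        reasons.append("PDF attachment on unauthenticated internal-looking mail")
    return reasons

# Constructed sample messages, not taken from any real campaign.
SPOOFED = """\
Authentication-Results: mx.corp.example; spf=fail; dkim=none; dmarc=fail
From: Scanner <scanner@corp.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="scan.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""
LEGIT = """\
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass
From: Bob <bob@corp.example>

Noon works.
"""
```

Only the `Authentication-Results` header written by your own gateway is consulted, so a sender who prepends a header claiming `dmarc=pass` does not clear the check.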
Microsoft itself published a report in the tail-end of 2024 that illustrated the growing trend of social engineers posing as help desk agents, again contacting employees through Teams with accounts external to the company and convincing victims to install remote access software, which led to critical security breaches.
Clearly there is already enough basis in reality to showcase the dangers of Microsoft Teams; however, we may only be scratching the surface.
Other Potential Forms of Attack
Though not as widely discussed as the real-life events which have already transpired, there remain a number of attack techniques that could be employed on Microsoft Teams, even if they have not been yet.
One of the potential threats to corporations using Teams is the malicious use of AI in vishing attacks in voice or video calls across the platform. To this end, a hacker would first need a voice and/or video sample of the person they wish to impersonate. However, as we have previously discussed on this blog, the technology already exists and is actively being used to perpetrate cyberattacks against businesses. In the past, we reported on a company that reported the theft of close to $250,000 USD which was authorised by a bad actor over the phone, using a deepfaked voice of a business executive. This attack occurred in 2019, and the technology that powers vishing has only become more advanced since then.
Teams could also find itself the victim of a kind of supply chain attack through its growing list of third-party app integrations. Each one of these integrations represents a new potential vulnerability through which phishing and malware campaigns could be wrought. Such an attack has already occurred where Microsoft Cloud customers had their data stolen through an undisclosed third-party vendor in 2020. The exact same risks apply to Microsoft Teams, despite the fact that Microsoft so far has broadly limited integrations to 365 and other Microsoft products.
Meeting invites that are distributed through email can also be faked, which would allow hackers to potentially distribute malware through email even if not involving the Teams platform directly. This kind of attack leverages our trust in the Teams branding and might cause people to fail to check the legitimacy of received Teams invites - especially if such emails are able to bypass corporate firewalls as described above. Though this would be categorised as an attack via email rather than Teams, it still fully relies on Teams' current dependency on email for sending and receiving meeting invites, particularly to those external to an organisation.
Finally, there is a growing risk that hackers could train AI chatbots on an employee's manner of speaking in order to impersonate them on Teams. These could be used to orchestrate large-scale automated phishing campaigns within an organisation. The risk of this form of phishing grows with the continued improvements made to conversational GPT models. For more information on these potential forms of attack, consider our article on the changes to the phishing metagame and why ChatGPT and other AI platforms pose such a threat to businesses worldwide.
Safety and Mitigation Strategies
With such a broad range of threats present on Microsoft Teams, it is important to take measures in order to keep yourself and your business safe. Here we offer a few key tips in order to avoid falling victim to attacks made through Microsoft's increasingly popular platform:
1. Practice Diligence: Recognise that Teams is a high-trust environment, and be aware of your own tendency to feel untouchable on it. Attacks by bad actors can, have and do occur on the platform, and it is the joint responsibility of Teams' userbase to maintain a baseline level of caution when using it. By staying aware, you are more likely to notice when something is not quite as you expect it to be, and will hopefully be more resistant to classic social engineering techniques such as the application of time pressures or the incitement of urgency.
2. Stay Educated: The attacks that are levied against Microsoft Teams often come in the form of campaigns that target a broad number of organisations. By being aware not only of the news, but also of the current threats facing Teams users, you are much more likely to avoid the pitfalls that bad actors want to lay out in front of you. Therefore, make sure that your knowledge of the criminal activity affecting Teams is always up to date.
3. An Emphasis on Internal Communication: As discussed in this article, many of these attacks come from sources external to an organisation. Whether they use tricks to make themselves appear to be internal staff, or exploit vulnerabilities in Microsoft's network or Windows itself, there will almost always be noticeable signs if somebody is not who they say they are. Make sure that you and your team know how to spot the difference, and teach them to be very skeptical of incoming Teams messages and other forms of communication from outside of the business.
Conclusion
Microsoft Teams' growth since its launch has been steady, and it has quickly surpassed all competition. However, that has made it an even more enticing target for bad actors - and with such a wealth of opportunity for social engineering, Teams is likely to remain a highly targeted platform for the foreseeable future. While there are many forms of attack that pose a threat to users of Teams, many of these can be avoided, particularly through diligence and education. Maintain a good and current knowledge of the cyber threats that affect the platform, and be aware of your communications at all times, and you will be much more likely to resist attacks carried out through Microsoft Teams.