Microsoft Teams Social Engineering Scams: Recognizing The Red Flags

Threat actors are increasingly abusing Microsoft Teams to deliver malware by sending phishing messages, voice calls, and file-sharing requests from external or compromised tenants that impersonate IT support staff, clients, or trusted partners. These communications trick users into granting remote access or downloading malicious payloads such as DarkGate and other ransomware-linked tools.

These campaigns take advantage of default Teams settings that allow external domains to initiate chats, as well as the platform's built-in screen-sharing and remote-control features. In addition, the perceived legitimacy of Teams-branded content lets attackers bypass email-focused security controls and gain initial access for credential theft, persistence, lateral movement, and data exfiltration across victim networks.
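The default settings mentioned above can be checked from the tenant side. The following audit script is an added example, not code from the article or from Microsoft; it assumes the MicrosoftTeams PowerShell module, a Teams administrator role, and that `Connect-MicrosoftTeams` has already been run, and the way it detects an "allow all domains" federation setting (an empty `AllowedDomain` collection) is an assumption about how the module surfaces that value.

```powershell
# Added example: audit the Teams external-access settings abused by the
# campaigns described above. Assumes the MicrosoftTeams module and a Teams
# admin role; run Connect-MicrosoftTeams before calling the function.
function Test-TeamsExternalAccess {
    $findings = @()

    # Tenant federation controls which outside tenants may start a chat with your users.
    $fed = Get-CsTenantFederationConfiguration
    # Assumption: with "allow all known domains" the AllowedDomain collection is empty.
    if ($fed.AllowFederatedUsers -and -not $fed.AllowedDomains.AllowedDomain) {
        $findings += 'Open federation: any external Microsoft 365 tenant can initiate chats with your users.'
    }
    if ($fed.AllowTeamsConsumer -or $fed.AllowTeamsConsumerInbound) {
        $findings += 'Personal (consumer) Teams accounts can reach your users.'
    }
    if ($fed.AllowPublicUsers) {
        $findings += 'Skype consumer accounts can reach your users.'
    }

    # The global meeting policy controls whether external participants can take
    # control of a shared screen, the remote-control path the article describes.
    $meet = Get-CsTeamsMeetingPolicy -Identity Global
    if ($meet.AllowExternalParticipantGiveRequestControl) {
        $findings += 'External meeting participants may request or be given control of shared screens.'
    }

    return $findings
}

$result = Test-TeamsExternalAccess
if ($result.Count -eq 0) { 'No risky external-access settings found.' } else { $result }

# Hardening (review before running): restrict federation to named partner
# domains, block consumer accounts, and disable external screen control.
# 'partner.example' is a placeholder for your actual partner domains.
# $allow = New-CsEdgeAllowList -AllowedDomain (New-CsEdgeDomainPattern -Domain 'partner.example')
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allow `
#     -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false -AllowPublicUsers $false
# Set-CsTeamsMeetingPolicy -Identity Global -AllowExternalParticipantGiveRequestControl $false
```

Tightening federation does not stop messages from an already compromised partner tenant, so the user-facing red flags in the commentary still apply.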

Adversaries bypassed Microsoft Teams security controls by exploiting a flaw in how the app enforces restrictions on external tenants, using an insecure direct object reference (IDOR) technique to modify POST requests. This allowed malicious files hosted on SharePoint to be delivered directly into a target's Teams inbox as native file attachments instead of links, thereby evading client-side policies that normally block external file sharing.

Because these payloads arrived inside a trusted Teams conversation from what appeared to be a legitimate external collaborator or IT contact, they also sidestepped many email-focused anti-phishing and attachment-scanning tools and took advantage of users' greater willingness to open files and respond to prompts within Teams compared with traditional email channels.

Source: https://www.scworld.com/brief/microsoft-teams-exploited-for-malware-distribution

Commentary

Users should view unexpected Microsoft Teams messages, chats, or calls with the same skepticism as unsolicited email.

Messages from unfamiliar external tenants, or from accounts whose display names mimic internal IT, vendors, executives, or regulators, should be approached with extreme caution, especially when they urge urgent action, password resets, software installs, or "security verification" within a short timeframe.

Users should also be cautious when a Teams conversation includes file attachments or links that arrive without context, are inconsistent with the sender's typical behavior, or reference invoices, HR documents, compliance audits, or remote support tools that the recipient did not request.

Another red flag is a request within Teams to grant remote access, run a remote-assistance tool, or approve multifactor prompts that the user did not initiate. These social engineering tactics are frequently used to capture credentials and establish persistent control of devices and accounts.

If a user suspects that a Teams interaction is malicious or that a device or account may be compromised, the first step is to stop engaging immediately. Then avoid clicking any additional links or opening files in the thread, and disconnect from any remote sessions that may have been granted.

The user should promptly notify the organization's IT or security team through a trusted channel, such as the official help desk portal or phone number. Provide details and screenshots of the suspicious Teams activity so it can be investigated and blocked.

As soon as possible, the user should change passwords associated with their Microsoft 365 account, ensure multifactor authentication is enabled, and report any unexpected MFA prompts as potential abuse rather than approving them.

Where local or network compromise is suspected, users should power down or isolate the affected device from the network until security staff can run endpoint scans, review logs, and, if needed, reset sessions and invalidate tokens across Teams and other connected services to prevent further lateral movement or data theft.
