Cybercriminals are increasingly exploiting Microsoft Teams’ external collaboration features to pose as IT support staff in sophisticated voice phishing (vishing) attacks. Incident responders are now turning to the Microsoft 365 Unified Audit Log (UAL) to piece together the timelines of these campaigns, which mark a concerning trend in enterprise threats.
Exploiting Collaboration Platforms
The attack begins with a threat actor, using an external or cross-tenant Teams account, contacting an unsuspecting employee under the guise of internal IT support. Through social engineering, the attacker persuades the victim to run malicious commands, approve a remote session, or launch remote access software such as the built-in Quick Assist or a third-party Remote Monitoring and Management (RMM) tool.
Because these interactions take place inside a trusted collaboration tool rather than over email, the email-centric phishing controls most organizations rely on never see the lure. Microsoft’s Detection and Response Team (DART) has been tracking these persistent Teams-based vishing campaigns since November 2025 and reports them across a wide range of enterprise environments.
Ransomware and Forensic Analysis
One notable group, Black Basta ransomware affiliates, began using this method at scale in 2024, combining Teams impersonation with credential theft. The UAL has become a vital forensic source, capturing participant identities and connection metadata for these sessions. Before building automated detections on it, however, analysts must confirm which fields each operation actually populates in their tenant, because detection logic written against fields that turn out to be empty will silently miss the attack.
Security researcher Maurice Fielenbach points to the CallParticipantDetail operation, logged under the MicrosoftTeams workload, as a key piece of forensic evidence for who was on a call and when. On its own it only proves contact took place; analysts must correlate it with other events such as MessageSent (which captures chat messages and any URLs they carry) and with endpoint telemetry to build a complete attack timeline from first contact to remote-session approval.
Defensive Measures and Recommendations
In light of these threats, security teams are urged to adopt several defensive measures. Restricting external Teams access to an allow list of partner domains, and to only those users or groups who need it, shrinks the attack surface. Any unsolicited external Teams communication should be treated as suspicious, especially when it is followed by a shared URL or a Quick Assist launch.
Combining UAL message and URL visibility with endpoint telemetry gives a fuller picture of a potential intrusion than either source alone. Monitoring for signals such as TeamsImpersonationDetected can also surface risky contacts early. Organizations should consider removing or blocking Quick Assist and other remote access tools that are not part of a sanctioned support workflow, and should enforce out-of-band verification, such as a call back to a known help-desk number or a check against an existing ticket, for every IT support request.
This type of attack is significant because it rides on a trusted communication platform rather than email, a channel many organizations do not monitor closely. As hybrid workforces lean ever more heavily on Teams, knowing how to read and correlate UAL records will be essential for effective incident response.
