Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Hackers Leverage Microsoft Teams to Mimic IT Support

Hackers Leverage Microsoft Teams to Mimic IT Support

Posted on May 29, 2026 By CWS

Cybercriminals are increasingly exploiting Microsoft Teams’ external collaboration features to pose as IT support staff, conducting sophisticated voice phishing, or vishing, attacks. These campaigns are now utilizing the Microsoft 365 Unified Audit Log (UAL) to piece together attack timelines, marking a concerning trend in cybersecurity threats.

Exploiting Collaboration Platforms

The attack strategy commences with a threat actor, using an external or cross-tenant Teams account, reaching out to an unsuspecting employee under the guise of internal IT support. Through social engineering tactics, these attackers persuade victims to carry out actions such as executing harmful commands, approving remote sessions, or installing Remote Monitoring and Management (RMM) tools like Quick Assist.

Since these interactions occur within a trusted collaboration tool rather than through email, typical phishing defenses often fail to detect the threat. Microsoft’s Detection and Response Team (DART) has been tracking these persistent Teams-based vishing campaigns since November 2025, noting their prevalence across various enterprise environments.

Ransomware and Forensic Analysis

One notable group, Black Basta ransomware affiliates, began using this method on a large scale in 2024, combining Teams impersonation with credential theft techniques. The UAL has become a vital forensic tool, capturing critical data such as participant identities and connection metadata. However, security experts must validate these logs’ fields to effectively deploy automated detection systems.

Security researcher Maurice Fielenbach emphasizes the importance of the CallParticipantDetail operation logged under the MicrosoftTeams workload as a crucial piece of forensic evidence. Analysts must correlate this with other events like MessageSent and endpoint telemetry to build a comprehensive attack timeline.

Defensive Measures and Recommendations

In light of these threats, security teams are urged to adopt several defensive strategies. Limiting external Teams federation to necessary users or groups can reduce risk. Additionally, any unsolicited external Teams communication should be scrutinized, especially if it involves URL sharing or Quick Assist launches.

Utilizing UAL for message and URL visibility by combining it with endpoint telemetry provides a fuller picture of potential threats. Monitoring for signals such as TeamsImpersonationDetected can also aid in identifying risks. Organizations should consider disabling legacy remote access tools like Quick Assist when not needed and enforce out-of-band verification for IT support requests.

This type of attack is significant because it leverages trusted communication platforms rather than email, an area many organizations may not monitor closely. As hybrid workforces increasingly rely on Teams, understanding and utilizing UAL logs will be essential for effective incident response.

Cyber Security News Tags:cyber threats, Cybersecurity, endpoint security, enterprise security, forensic analysis, IT support, Microsoft Teams, phishing defense, Ransomware, remote access, social engineering, Teams security, threat detection, Unified Audit Log, Vishing

Post navigation

Previous Post: California Lawsuit Accuses 23andMe of Data Breach Negligence
Next Post: AI-Driven Cyberattacks by Russian Group Target Ukraine

Related Posts

New Black-Hat AI Tool Used by Hackers to Launch Cyberattacks New Black-Hat AI Tool Used by Hackers to Launch Cyberattacks Cyber Security News
Critical IDrive Windows Flaw Allows Privilege Escalation Critical IDrive Windows Flaw Allows Privilege Escalation Cyber Security News
New AI Malware Era Begins as Advanced VoidLink Malware Emerges as the First Fully AI-Driven Threat Framework New AI Malware Era Begins as Advanced VoidLink Malware Emerges as the First Fully AI-Driven Threat Framework Cyber Security News
CyberSentinel AI Revolutionizes Security with 33 Tools CyberSentinel AI Revolutionizes Security with 33 Tools Cyber Security News
Retail Finance Giant SitusAMC Data Breach Exposes Accounting Records and Legal Agreements Retail Finance Giant SitusAMC Data Breach Exposes Accounting Records and Legal Agreements Cyber Security News
Nx Console Extension Breach: Developer Secrets at Risk Nx Console Extension Breach: Developer Secrets at Risk Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • July 2026 SAP Security Updates Address Critical Flaws
  • US, Allies Alert on Russian Cyber Threats to Key Infrastructure
  • UK Issues Alert on Russian Cyber Threats to Networks
  • SAP Addresses Major Security Flaws in NetWeaver and More
  • Canadian Cybersecurity Leaders Shine at Web Summit Vancouver

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • July 2026 SAP Security Updates Address Critical Flaws
  • US, Allies Alert on Russian Cyber Threats to Key Infrastructure
  • UK Issues Alert on Russian Cyber Threats to Networks
  • SAP Addresses Major Security Flaws in NetWeaver and More
  • Canadian Cybersecurity Leaders Shine at Web Summit Vancouver

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark