A surge in phishing attacks is leveraging Microsoft Teams and email bombing to deceive employees into granting remote access to their devices. These sophisticated cyber threats have been on the rise since early 2026, and experts caution that they show no signs of abating.
The attackers initiate their strategy by sending an overwhelming number of unsolicited emails to the victim. This ‘email bombing’ technique induces panic, leading the target to believe their account is compromised. At this vulnerable moment, an individual posing as an ‘IT support specialist’ contacts the victim via Microsoft Teams, offering to resolve the issue.
Email Bombing: A Growing Concern
The method of inundating a user’s inbox with spam is designed to create a state of confusion and urgency. When the user is most stressed, the attacker, masquerading as IT support, reaches out through Microsoft Teams. These contacts appear credible, often using professional-sounding names and IT-related avatars to gain the victim’s trust.
According to eSentire’s findings, several cases have been reported where this tactic successfully led to data breaches. Attackers impersonate internal IT teams using new Microsoft Teams tenants with names like ‘IT Protection Department’ or ‘Windows Security Help Desk’, crafted to appear genuine. They employ realistic email formats, such as michaelturner@ or danielfoster@, to avoid detection.
Exploiting Trust in Familiar Platforms
The effectiveness of these attacks lies in social engineering and the trust employees place in familiar platforms. Because Microsoft Teams is a daily tool for many employees, communications from IT departments are expected and trusted. Once the victim accepts assistance, they are instructed to provide remote access via tools like Quick Assist or AnyDesk, granting the attacker full device control.
eSentire’s 2026 Cyber Threat Report highlights a 72% success rate for these attacks, with a noticeable increase in activity from 2024 to 2025. Groups such as Scattered Spider and Payouts King are known to utilize these sophisticated tactics, often supported by bulletproof hosting providers like NKtelecom INC and WorkTitans B.V.
Mitigating the Risks of Sophisticated Attacks
After gaining remote access, attackers can inflict significant damage. In documented incidents, malicious actors downloaded WinSCP, a legitimate file transfer tool, to exfiltrate data unnoticed. Other cases involved delivering harmful files via Quick Assist, showcasing how attackers layer tactics to bypass security measures.
To counter these threats, organizations must restrict external communications on Microsoft Teams to verified contacts and limit the use of remote access and file transfer tools. Employee training is crucial to recognize suspicious IT requests and verify them through official channels.
By implementing these precautions, companies can better defend against these evolving phishing threats, safeguarding their systems and sensitive data from potential breaches.
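The sequence described above (mail flood, then an external "IT support" Teams chat, then a remote-access tool launch) can be correlated per user from existing telemetry. The following is an added example, not code from the article or from eSentire; the event schema, thresholds and the display-name pattern are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
import re

# Assumed event tuples (timestamp, user, kind, detail); hypothetical schema.
HELPDESK_NAME = re.compile(r"help\s*desk|\bit\s+(support|protection)|security", re.I)
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}  # tools named in the article

def find_chains(events, burst_size=50, burst_window=timedelta(minutes=10),
                follow_window=timedelta(minutes=60)):
    """Return (user, burst_time, chat_time, tool_time) for every user whose
    inbound mail burst is followed by an external help-desk-style Teams chat
    and then a remote-access tool launch, all within follow_window."""
    by_user = {}
    for ts, user, kind, detail in sorted(events):
        by_user.setdefault(user, []).append((ts, kind, detail))
    hits = []
    for user, evs in by_user.items():
        mails = [ts for ts, kind, _ in evs if kind == "mail_in"]
        # First moment at which burst_size mails arrived inside burst_window.
        burst = next((mails[i] for i in range(burst_size - 1, len(mails))
                      if mails[i] - mails[i - burst_size + 1] <= burst_window), None)
        if burst is None:
            continue
        deadline = burst + follow_window
        chat = next((ts for ts, kind, d in evs if kind == "teams_external_chat"
                     and burst <= ts <= deadline and HELPDESK_NAME.search(d)), None)
        if chat is None:
            continue
        tool = next((ts for ts, kind, d in evs if kind == "process_start"
                     and chat <= ts <= deadline and d.lower() in REMOTE_TOOLS), None)
        if tool is not None:
            hits.append((user, burst, chat, tool))
    return hits

# Constructed sample data: only alice shows the full chain.
T0 = datetime(2026, 1, 15, 9, 0)
SAMPLE = [(T0 + timedelta(seconds=5 * i), u, "mail_in", "bulk")
          for u in ("alice", "carol") for i in range(60)]
SAMPLE += [
    (T0 + timedelta(minutes=12), "alice", "teams_external_chat", "Windows Security Help Desk"),
    (T0 + timedelta(minutes=20), "alice", "process_start", "QuickAssist.exe"),
    (T0 + timedelta(minutes=3), "bob", "teams_external_chat", "IT Protection Department"),
    (T0 + timedelta(minutes=5), "bob", "process_start", "AnyDesk.exe"),
    (T0 + timedelta(minutes=15), "carol", "teams_external_chat", "IT Protection Department"),
]

if __name__ == "__main__":
    for user, burst, chat, tool in find_chains(SAMPLE):
        print(f"{user}: burst {burst:%H:%M:%S}, chat {chat:%H:%M}, tool {tool:%H:%M}")
```

In the sample, bob (no mail burst) and carol (no tool launch) are not flagged; each partial pattern is still worth a lower-severity alert of its own.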
