Employees view platforms like Teams as part of the organization’s secure internal ecosystem. This trust is key to productivity, as it encourages open communication. However, attackers exploit this trust, knowing employees are more likely to follow instructions from an internal “IT” account without verifying its authenticity. The internal angle bypasses the typical “red flags” employees associate with phishing emails, such as unfamiliar domains or grammatical errors, because employees mistakenly assume that any message arriving through Microsoft Teams is internal and therefore safe.

The attack typically begins when attackers impersonate IT support on Teams, using account names like “supportadministrator” or “itadmin” to build credibility. They often flood inboxes with junk mail or set up fake notifications to create a sense of urgency.

Once the employee engages, attackers guide them through installing remote-access tools, which allow the attackers to take control of the user’s device. This access is then leveraged to deploy ransomware, lock files and demand ransom payments. One type of malware used in these campaigns was initially designed to steal banking credentials, but it has evolved into a tool for harvesting login credentials and spreading across networks. It can capture keystrokes, log passwords and compromise multiple devices across an organization, creating openings for other malware.
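The sequence above (an external account posing as IT, a junk-mail flood used as the pretext, then a push to approve remote access) gives a defender three signals that are weak alone but strong together. The script below is an added example, not code from the original article or from any vendor: it scores constructed Teams message events by combining sender tenant, IT-style naming and remote-access language. The event field names, the home tenant domain, the spoof tenant domains and the keyword lists are all assumptions; the handles “supportadministrator” and “itadmin” come from the article.

```python
import re
from typing import Dict, Iterable, List

# Domains the organisation actually owns (assumption for this example).
HOME_TENANTS = {"corp.example"}

# Handles or display names that imitate the IT function. The first two are the
# names quoted in the article; the rest are assumed variants.
IT_ROLE_RE = re.compile(
    r"(supportadministrator|itadmin|help ?desk|service ?desk|it ?support|administrator)",
    re.IGNORECASE,
)

# Wording that accompanies a remote-access push or the junk-mail pretext (assumed).
REMOTE_ACCESS_RE = re.compile(
    r"(remote ?access|remote ?session|share your screen|install|enter (the|this) code|spam|junk mail)",
    re.IGNORECASE,
)

# Constructed sample events, loosely shaped like a chat audit export.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "sender_upn": "jane.doe@corp.example", "sender_display": "Jane Doe",
     "text": "Can you review the deck before 3pm?"},
    {"id": "2", "sender_upn": "helpdesk@corp.example", "sender_display": "IT Helpdesk",
     "text": "Reminder: password rotation is due Friday."},
    {"id": "3", "sender_upn": "supportadministrator@example-spoof.onmicrosoft.com",
     "sender_display": "Support Administrator",
     "text": "We see your mailbox is being flooded with junk mail. Start a remote session so we can fix it."},
    {"id": "4", "sender_upn": "itadmin@example-other.onmicrosoft.com", "sender_display": "itadmin",
     "text": "Hi, please install the remote access tool and enter the code I send you."},
    {"id": "5", "sender_upn": "partner@vendor.example", "sender_display": "Vendor Partner",
     "text": "Invoice attached for last month."},
]


def sender_domain(upn: str) -> str:
    """Return the lower-cased domain part of a UPN, or '' if it has no '@'."""
    if "@" not in upn:
        return ""
    return upn.rsplit("@", 1)[1].lower()


def score_event(event: Dict[str, str], home_tenants: Iterable[str] = HOME_TENANTS) -> Dict[str, object]:
    """Score one message event; the score is non-zero only for the combination
    'external sender' + 'IT-style name', which is what the article describes."""
    reasons: List[str] = []
    domain = sender_domain(event.get("sender_upn", ""))
    external = domain not in {t.lower() for t in home_tenants}
    if external:
        reasons.append(f"external sender domain '{domain}'")

    name_blob = f"{event.get('sender_display', '')} {event.get('sender_upn', '')}"
    it_like = IT_ROLE_RE.search(name_blob) is not None
    if it_like:
        reasons.append("sender name imitates IT/support")

    if REMOTE_ACCESS_RE.search(event.get("text", "")):
        reasons.append("message pushes remote access or cites a junk-mail flood")

    # An internal helpdesk message and an external vendor without IT branding are
    # both normal; only the external-plus-IT-name combination is scored.
    score = len(reasons) if (external and it_like) else 0
    return {"id": event.get("id"), "score": score, "reasons": reasons}


def flag_it_impersonation(events: Iterable[Dict[str, str]],
                          home_tenants: Iterable[str] = HOME_TENANTS,
                          threshold: int = 2) -> List[Dict[str, object]]:
    """Return the events at or above the threshold, highest score first."""
    scored = [score_event(e, home_tenants) for e in events]
    flagged = [s for s in scored if int(s["score"]) >= threshold]
    return sorted(flagged, key=lambda s: int(s["score"]), reverse=True)


if __name__ == "__main__":
    for hit in flag_it_impersonation(SAMPLE_EVENTS):
        print(hit["id"], hit["score"], "; ".join(hit["reasons"]))
```

Only events 3 and 4 are flagged: the internal helpdesk reminder and the external vendor invoice each trip one signal but not the combination. In a real deployment the tenant allow-list would come from the organisation’s own configuration, and the regex lists would be tuned against observed false positives.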