For years, organizations trained employees to fear suspicious emails. Don’t click unknown links, don’t open strange attachments, and verify the sender. But attackers are adapting faster than security awareness programs.
Now, instead of targeting inboxes, cybercriminals are increasingly turning Microsoft Teams own collaboration features into weapons. Rather than exploiting software vulnerabilities, they’re abusing trusted capabilities, external messaging, guest invitations, voice calls, screen sharing, file sharing, and remote support interactions, to bypass traditional security controls and trick employees into handing over access.
And that shift changes everything. Because the modern cyberattack no longer always begins with a malicious email. Sometimes, it begins with a simple Teams notification. “Hi, this is IT support. Can I help you with something?”
According to Microsoft Threat Intelligence and multiple cybersecurity reports, threat actors are actively exploiting Microsoft Teams’ collaboration ecosystem to launch sophisticated attacks that blend seamlessly into everyday work.
The reason these campaigns are proving so effective is simple: Teams isn’t viewed as dangerous. It’s where colleagues collaborate, meetings happen, files are exchanged, projects are managed, and IT support reaches out when something goes wrong. Employees naturally trust interactions happening inside workplace collaboration platforms far more than they trust random emails.
That trust has now become the attack surface. One of the most abused features is external collaboration. Many Microsoft 365 environments allow external users to message employees, join conversations, participate in meetings, or interact through Teams as guests. Attackers have learned that these legitimate capabilities can help them bypass email security filters entirely.
Instead of sending phishing emails, they simply start conversations directly inside Teams, often posing as IT support staff, vendors, business partners, or external consultants.
And people respond. Because when a request appears inside a trusted workplace platform, employees instinctively lower their guard. A prompt to verify credentials, approve a login, install software, share a screen, or join a support session feels far more legitimate when it arrives through Teams rather than a suspicious-looking email.
Microsoft have observed attackers leveraging guest invitations, external messaging, voice calls, meetings, screen-sharing sessions, and remote assistance capabilities to gain initial access.
In several campaigns, threat actors impersonated helpdesk personnel and convinced employees to launch legitimate remote support tools such as Quick Assist or other remote monitoring and management (RMM) software. In many cases, victims unknowingly handed over direct access to their systems without attackers needing to exploit a single vulnerability.
That distinction matters. This isn’t a traditional software exploitation story. It’s a trust exploitation story. The attackers are not hacking Microsoft Teams itself. They’re using Teams exactly as it was designed to be used, collaboratively, openly, and interactively.
And because the activity happens through approved business channels and legitimate administrative tools, malicious behavior can look almost identical to normal workplace activity.
One particularly concerning trend is the growing use of Teams voice calls in social engineering campaigns. Employees are already becoming more cautious around suspicious messages and external chat requests. But live voice conversations create a different psychological dynamic. People are naturally more likely to trust a human voice than a text notification. Attackers understand this.
Microsoft and cybersecurity analysts say threat actors are increasingly using Teams-based voice phishing, or “vishing”, to impersonate IT support teams and guide victims through credential theft, MFA approvals, software installations, or remote access setup in real time.
And unlike phishing emails, these interactions often bypass traditional security tools entirely because no malicious attachment or exploit is involved. Sometimes, it’s simply a conversation. Microsoft itself appears to recognize the growing risk.
The company has recently introduced additional protections around external collaboration, malicious file detection, URL protection, and brand impersonation warnings for Teams calls, a sign that collaboration platforms are rapidly becoming a major frontline in modern cyber defense.
Microsoft has also advised organizations to restrict unnecessary external Teams communications, review guest access permissions, use allowlists for trusted domains, monitor external chats and voice calls, strengthen identity protections and MFA policies, and improve employee awareness around collaboration-platform phishing.
Caught feelings for cybersecurity? It’s okay, it happens. Follow us on LinkedIn and Instagram to keep the spark alive.
