What is the Microsoft Teams social engineering ransomware attack?

Multiple ransomware gangs are using a combination of social engineering and Microsoft Teams to breach organizations. The attack uses a standardized four-step process involving email bombing, fake Microsoft Teams contact, social engineering, and malicious script execution to gain system access and deploy ransomware.

How does the email bombing phase of the Microsoft Teams attack work?

The attack begins with threat actors flooding the victim's inbox with spam email messages in a short period of time. This creates an unexpected and unpleasant situation that puts the victim in a state of urgency and legitimizes unexpected 'IT support' contacts that follow.

How do attackers use Microsoft Teams to contact victims?

Threat actors create a Microsoft cloud tenant that mimics the target organization's naming convention, usually with a suffix like '*.onmicrosoft.com'. They set their profiles to display names indicating help-desk services, often using 'Help Desk' surrounded by whitespace characters to center the name, then send Microsoft Teams chat requests to victims.

What social engineering techniques are used in the Microsoft Teams attack?

Once the victim accepts the Teams chat, attackers guide them through executing PowerShell commands that appear legitimate but actually download and run malicious scripts. The attackers mimic IT teams to exploit Microsoft Teams requests and gain system remote access.

What happens during the malicious script execution phase?

The initial command bypasses Windows security policies and downloads a PowerShell script called 'runner.ps1' from attacker-controlled domains. This script downloads other files that steal data including cryptocurrency wallets, password manager data, VPN sessions, system and cookie information, and exploits unpatched vulnerabilities to take control of the machine for further attacks.

Why is this Microsoft Teams attack particularly effective?

The attack exploits Microsoft Teams' default permissive configuration, which allows calls and chats from external domains by default. External Teams messages may not set off red flags with employees since they trust their corporate chat systems to be 'internal,' so any contact via that channel is assumed to be trusted.

Who has reported on these Microsoft Teams social engineering attacks?

Multiple attacks using these techniques have been reported by researchers from ReliaQuest, Microsoft Threat Intelligence, and Sophos, indicating this is a widespread threat being tracked by multiple security organizations.

How can administrators protect against Microsoft Teams social engineering attacks?

Administrators should restrict external Teams access by blocking all external domains in the Teams admin center's External access settings. This prevents unauthorized external contacts from reaching employees through Microsoft Teams.

What should organizations teach employees about Microsoft Teams security?

Organizations should educate Microsoft Teams users to verify 'External' tagging on communication attempts from external entities, be careful about what they share, and never share account information, authorize sign-in requests, or run programs sent over chat.

What is the callback verification procedure for suspicious Teams contacts?

If an unknown person contacts an employee via Teams claiming authority (helpdesk, security, management), employees should contact back via the official channel and account published in the intranet rather than continuing to communicate with the unknown person reaching out to them.

Why is patching important for preventing these Microsoft Teams attacks?

Organizations should diligently apply Microsoft patches because unpatched vulnerabilities are the most commonly exploited methods for attackers to take complete control of computers after the initial social engineering compromise.

What makes the barrier to entry low for this attack method?

The attack barrier to entry is relatively low because attackers just need to create a legitimate-looking Microsoft tenant with a convincing name, or they can use Microsoft 365 tenants they have compromised in previous attacks.

What data do the malicious scripts steal during the attack?

The malicious scripts steal comprehensive data including cryptocurrency wallet information, password manager data, VPN session details, system information, and cookie data, providing attackers with extensive access to victim credentials and sensitive information.

How do attackers make their fake Microsoft tenants appear legitimate?

Attackers create Microsoft cloud tenants that mimic the target organization's naming convention, usually with suffixes that sound legitimate like '*.onmicrosoft.com', and use display names with 'Help Desk' or similar IT support terms to appear as legitimate internal support staff.

Scam/Phishing

How hacker gangs abuse Microsoft Teams for social engineering attacks to target companies

published: Aug. 18, 2025

Take action: Share this technique with your employees. The targeted people will not be IT. Consider blocking external Teams access in your admin settings to avoid fake "help desk" accounts. Advise that teams should check back with their IT via a well known channel and never run commands or programs sent via Teams messages from an unknown person, even if they claim to be from IT support.

Learn More

Multiple ransomware gangs are using a combination of social engineering and Microsoft Teams to breach organizations. The attack has a fairly standardized process designed to overwhelm the target:

Email Bombing - the attack begins with threat actors flooding the victim's inbox with a spam email messages in a short period of time. This is an unexpected and unpleasant situation for any user, making them concerned about why they are being suddenly targeted. It puts the victim in a state of mind of urgency and legitimizes unexpected "IT support" contacts.
Microsoft Teams Contact - the threat actors create a Microsoft cloud tenant that mimics the naming convention of the target organization, usually with a suffix that sounds like it's legitimate, like "*.onmicrosoft.com". The attackers set their profiles to a "DisplayName" indicating some form of help-desk, often using the string "Help Desk" surrounded by whitespace characters to center the name. Then they send a Microsoft Teams chat request to the victim.
Social Engineering - once the victim accepts the Teams chat, the attackers guide them through executing PowerShell commands that appear legitimate but actually download and run malicious scripts. Hackers Mimic IT Teams to Exploit Microsoft Teams Request to Gain System Remote Access.
Malicious Script Execution - the initial command executed bypasses Windows security policies and downloads a PowerShell script called "runner.ps1" from attacker-controlled domains. That script downloads other files which steal data from the victim machine, including cryptocurrency wallet, password manager, VPN session, system and cookie information and exploits unpatched vulnerablities to take control of the machine for further attacks.

The success of this attack relies on Microsoft Teams' default configuration, which is very permissive. By default, Microsoft 365 permits calls and chats from external domains. This means that users can add apps when they host meetings or chats with people outside your organization.

The actor either uses Microsoft 365 tenants they have compromised in previous attacks or even creates their own tenant. The attack barrier to entry is relatively low - they just need to create a legitimate-looking tenant with a convincing name.

An external Teams message may not set off red flags with employees, since employees are usually trusting their corporate chat systems to be "internal". So any contact via that channel is assumed to be trusted.

Multiple attacks using these techniques have been reported by researchers from ReliaQuest, Microsoft Threat Intelligence and Sophos.

How to stay safe?

Admins Should Restrict External Teams Access: In the Teams admin center, you block all external domains in your External access settings
Educate Users: Educate Microsoft Teams users to verify 'External' tagging on communication attempts from external entities, be careful about what they share, and never share their account information, authorize sign-in requests or run programs sent over chat.
Establish Callback: If an unknown person contacts the employee via Teams and claims some authority function (helpdes, security, management), the employees should contact back via the official channel and account published in the intranet. Not to continue talking to the unknown person reaching to them.
Patch Devices: Organizations should diligently apply Microsoft patches, because they are the most commonly exploited to take over the computer.

How hacker gangs abuse Microsoft Teams for social engineering attacks to target companies

Read More
Scam campaign analysis: Fake Beauty Box giveaway
Active "ex-partner left you money" advance fee scam
WhatsApp users targeted in account takeover attack dubbed …
Email reconnaissance tactics in phishing - "Are you …
Phishing attack impersonating Coinbase