IT Impersonation Attacks in Teams: The New Threat to M365 Tenants

Cybercriminals pose as tech support in Microsoft Teams chats to steal credentials and access business accounts

June 20, 2026 · 4 min read

TL;DR: Attackers impersonate the IT department in Microsoft Teams to trick employees and steal M365 credentials. This type of social engineering is especially dangerous due to the trust generated by instant messaging. Companies should train employees and strengthen multi-factor authentication.

Microsoft Teams has become an essential tool for business communication, but also a new attack vector. According to a TechRadar report, cybercriminals are exploiting the trust employees place in internal messages to impersonate the tech support team and steal credentials for Microsoft 365 tenants. This type of impersonation, known as 'vishing' in its phone version, now adapts to instant messaging platforms, leveraging the immediacy and familiarity they generate.

What happened?

Attackers send direct messages in Teams to employees, pretending to be from the IT department. They claim security issues or urgent updates and ask the user to click a link or provide their password. Once credentials are obtained, they access the M365 tenant, where they can steal data, install malware, or move laterally across the network. This attack is not new in email (phishing), but its shift to Teams makes it more dangerous because instant messaging creates a greater sense of urgency and trust. Additionally, collaboration tools often have fewer security filters than email. In fact, according to Proofpoint data, 83% of organizations reported identity impersonation attacks on collaboration platforms in 2022, a 50% increase from the previous year.

The typical modus operandi begins with obtaining employee names and roles, often through LinkedIn or corporate websites. Then, the attacker joins a group chat or starts a direct conversation, using a fake profile that mimics the IT team. The request usually includes a link to a fake Microsoft 365 login page, where credentials are captured. In some cases, attackers even use deepfake techniques to simulate voice calls or video calls, though this is less common.

Why is it important?

Microsoft Teams has over 280 million monthly active users, according to Microsoft data from 2023. IT impersonation exploits the authority relationship and lack of visual verification in chats. Any employee with access to Teams can be a victim, regardless of their role. Consequences include:

  • Loss of sensitive data, such as intellectual property or financial information.
  • Compromise of the entire M365 tenant, allowing the attacker to access emails, files, and other applications.
  • Installation of ransomware or malware, which can paralyze operations.
  • Reputational damage and recovery costs, which according to IBM can average over $4 million for a data breach.

This attack is particularly effective because employees are used to receiving IT instructions through the same platform. Moreover, Teams' integration with other Microsoft tools (like Outlook or SharePoint) facilitates lateral movement once access is gained. A Barracuda Networks study revealed that 60% of organizations experienced at least one impersonation attack in Teams in 2023.

What consequences will it have?

An increase in this type of attack is expected as more organizations rely on Teams. Security departments will need to implement multi-channel verification policies (e.g., confirming any credential requests via email or phone). Additionally, Microsoft may be forced to add visual authenticity indicators in support messages, such as verified badges or security notifications. Already in 2022, Microsoft introduced features like 'Microsoft Defender for Office 365' to protect against threats in Teams, but identity impersonation remains a challenge.

In the regulatory sphere, the growing sophistication of these attacks could lead to increased pressure on companies to demonstrate compliance with regulations like GDPR or HIPAA, which require personal data protection. Fines for breaches can reach 4% of global annual revenue. Furthermore, cyber insurance policies are demanding stricter controls, such as multi-factor authentication (MFA) and ongoing training, to maintain coverage.

What should readers know?

To protect themselves, companies should:

  • Train employees to distrust unsolicited messages asking for credentials or link clicks. Periodic phishing simulations can help reinforce awareness.
  • Implement multi-factor authentication (MFA) on all M365 tenants. According to Microsoft, MFA can block 99.9% of automated attacks.
  • Use conditional access policies that restrict access from untrusted locations or devices, and require IT requests to be made through approved channels.
  • Establish an official communication channel for IT requests, such as a phone number or web portal, and communicate it clearly to all employees.
  • Monitor anomalous activity in Teams, such as logins from unknown IPs, creation of new accounts, or sending of suspicious links. Tools like Microsoft Cloud App Security can help.

Social engineering remains the most common entry point for cyberattacks. Impersonation in Teams is just the latest variant of a tactic as old as it is effective. As the 2023 Verizon report noted, 74% of breaches involve the human factor.

Individual users should also be alert: no legitimate IT team will ask for your password via chat. When in doubt, contact support directly through another means. Additionally, review app permissions and avoid clicking shortened links without verifying the destination.
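The monitoring advice above, sketched as detection logic over chat-message records. This is an added example, not code from the article or from Microsoft; the record field names, the tenant domain `contoso.example`, the link allowlist and the keyword patterns are all assumptions, and the sample messages are constructed.

```python
import re
from urllib.parse import urlparse

# Assumptions (not from the article): tenant domain, allowlist, patterns, field names.
TENANT_DOMAIN = "contoso.example"
TRUSTED_LINK_HOSTS = {"login.microsoftonline.com", "portal.contoso.example"}
IT_NAME = re.compile(r"\b(it|help\s?desk|service\s?desk|tech(nical)?\s+support|security\s+team)\b", re.I)
CRED_ASK = re.compile(r"\b(password|passcode|verification code|mfa code|sign[\s-]?in|log[\s-]?in)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def untrusted_hosts(body):
    """Return hosts of links in the message that are not an exact allowlist match."""
    hosts = [(urlparse(u).hostname or "").lower() for u in URL.findall(body)]
    return [h for h in hosts if h and h not in TRUSTED_LINK_HOSTS]

def triage(msg):
    """Return the list of reasons a chat message looks like IT impersonation."""
    reasons = []
    sender_domain = msg["sender_upn"].rsplit("@", 1)[-1].lower()
    if sender_domain != TENANT_DOMAIN:
        reasons.append("external-sender")
    if IT_NAME.search(msg["sender_display_name"]):
        reasons.append("it-like-display-name")
    if CRED_ASK.search(msg["body"]):
        reasons.append("credential-request")
    hosts = untrusted_hosts(msg["body"])
    if hosts:
        reasons.append("untrusted-link:" + ",".join(hosts))
    return reasons

def should_alert(msg):
    """Alert when an external sender claims to be IT and asks for credentials or links off-allowlist."""
    r = triage(msg)
    lure = any(x == "credential-request" or x.startswith("untrusted-link") for x in r)
    return "external-sender" in r and "it-like-display-name" in r and lure

# Constructed sample messages (not real logs).
SAMPLES = [
    {"sender_upn": "support@it-helpdesk.example", "sender_display_name": "IT Help Desk",
     "body": "Urgent security update. Sign in here: https://login.microsoftonline.com.m365-verify.example/auth"},
    {"sender_upn": "ana@contoso.example", "sender_display_name": "Ana (IT Support)",
     "body": "Ticket closed. Self-service portal: https://portal.contoso.example/reset"},
    {"sender_upn": "bob@partner.example", "sender_display_name": "Bob Smith",
     "body": "Here is the deck: https://files.partner.example/deck.pdf"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(should_alert(m), triage(m))
```

Only the first sample alerts. Its link host begins with a genuine sign-in hostname but is a different host, which exact allowlist matching catches and a substring check would miss.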

Conclusion

IT impersonation in Microsoft Teams is a real and growing threat. The combination of trust, urgency, and lack of verification makes it an effective weapon for cybercriminals. Prevention requires education, technology, and clear processes. Don't wait for an attack to compromise your organization. Implement measures like MFA, conditional access policies, and ongoing training to reduce risk. The cost of prevention is always lower than that of a breach.
