Cybersecurity researchers have identified a sophisticated phishing campaign in which threat actors are exploiting Microsoft Teams to target corporate executives. The attackers impersonate IT support staff, sending deceptive chat messages within the platform to trick high-level employees into approving multifactor authentication (MFA) prompts or installing malware.
According to reports from cybersecurity firms like Proofpoint and Cofense, the campaign, active since at least late 2025, does not involve compromising Microsoft's infrastructure itself. Instead, hackers use previously stolen credentials or create new, seemingly legitimate domains to send convincing messages that appear to come from internal technical support.
The primary goal is to gain initial access to corporate networks by compromising executive accounts, which often have higher privileges and access to sensitive data. This technique represents a shift from traditional email-based phishing, exploiting the trusted nature of internal collaboration tools.
Microsoft has acknowledged these social engineering tactics and recommends organizations enforce stricter security policies within Teams, such as disabling external communication for certain users and implementing conditional access rules. Security experts advise all users to verify the identity of anyone requesting sensitive actions, even on trusted platforms.
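One way to apply the "disable external communication for certain users" recommendation is a per-user external access policy in Teams. The following is an added example, not taken from Microsoft or the cited reports; it covers only that part of the recommendation (not conditional access), and the policy name and user addresses are hypothetical placeholders.

```powershell
# Requires the MicrosoftTeams PowerShell module and a Teams administrator account.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Assumptions for this example: a hypothetical policy name and a constructed
# list of executive accounts. Replace both with your organization's values.
$PolicyName = 'Exec-NoExternalAccess'
$Executives = @(
    'ceo@contoso.example',
    'cfo@contoso.example'
)

# Create the restrictive policy once. Chat with other organizations and with
# personal (consumer) Teams accounts is switched off, in both directions.
$existing = Get-CsExternalAccessPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-CsExternalAccessPolicy -Identity $PolicyName `
        -EnableFederationAccess $false `
        -EnableTeamsConsumerAccess $false `
        -EnableTeamsConsumerInbound $false `
        -EnableAcsFederationAccess $false | Out-Null
}

# Assign the policy to each executive. A failed assignment (typo in the UPN,
# unlicensed user) is reported instead of silently leaving the account open.
foreach ($upn in $Executives) {
    try {
        Grant-CsExternalAccessPolicy -Identity $upn -PolicyName $PolicyName -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not assign $PolicyName to ${upn}: $($_.Exception.Message)"
    }
}

# Verify: list the policy each account now resolves to. Assignments can take
# time to propagate, so re-run this check before relying on the result.
foreach ($upn in $Executives) {
    Get-CsOnlineUser -Identity $upn |
        Select-Object UserPrincipalName, ExternalAccessPolicy
}
```

Accounts under this policy can still chat with internal colleagues, so messages sent from an internal account whose credentials were stolen are not blocked by it; that case falls to the identity verification and conditional access measures mentioned above.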