New Microsoft Teams Phishing Attacks Use Email Bombs and Fake IT Support
Key Takeaways A sophisticated phishing campaign is leveraging Microsoft Teams and email bombing to gain remote access to employee devices. The attack begins with a deluge of unwanted emails, followed...
Key Takeaways
- A sophisticated phishing campaign is leveraging Microsoft Teams and email bombing to gain remote access to employee devices.
- The attack begins with a deluge of unwanted emails, followed by an impersonated IT support contact via Teams offering to “fix” the problem.
- Attackers use legitimate remote access tools like Quick Assist or AnyDesk to take control of devices, and then exfiltrate data using tools like WinSCP or deliver malware.
- These attacks have shown a 72% success rate, with activity sharply increasing between 2024 and 2025.
A new and alarming wave of cyberattacks is targeting Microsoft Teams users, employing a dual-pronged strategy that combines overwhelming email bombardments with highly convincing fake IT support outreach. This coordinated campaign aims to trick employees into granting threat actors direct remote access to their systems, leading to potential data exfiltration and further compromise.
Table Of Content
Security researchers indicate that these attacks, which began to proliferate in early 2026, show no signs of abating. Their efficacy lies in exploiting human psychology under duress and leveraging the trust associated with internal communication platforms.
The Anatomy of the Attack
The initial phase of this campaign involves an “email bombing” technique. Victims are inundated with hundreds, sometimes thousands, of unsolicited emails in a short timeframe. This deliberate overload is designed to induce panic and create the impression that the user’s account is experiencing a severe, system-wide issue.
Once the target is disoriented and anxious, a malicious actor, posing as an “IT support specialist,” contacts them via Microsoft Teams. This contact is crafted to appear highly credible, often utilizing professional-sounding names and display details that mimic legitimate IT departments. The impostor appears to be fully aware of the email issues, further cementing their perceived authenticity.
Analysts at eSentire have documented multiple real-world intrusion cases where this exact sequence of events unfolded, culminating in confirmed data exfiltration from the compromised endpoints. The researchers observed that in each instance, the threat actors impersonated internal IT support teams, initiating contact from external Microsoft Teams accounts. These accounts frequently used display names such as “IT Protection Department” or “Windows Security Help Desk.”
The attackers meticulously craft these external Teams tenants and user profiles to appear as official as possible. Instead of generic identifiers like “helpdesk@” or “admin@”, they employ realistic full-name personas, for example, “michaelturner@” or “danielfoster@”, to enhance the illusion of legitimacy.
The success of this campaign largely stems from its ability to blend social engineering with the inherent trust users place in platforms like Microsoft Teams. Employees are accustomed to receiving legitimate IT communications through Teams, making them more susceptible to these sophisticated impersonation attempts. Once a victim accepts the “help” offered by the fake IT specialist, they are prompted to grant remote access using common tools such as Microsoft Quick Assist or AnyDesk. At this critical juncture, the attacker gains full control over the compromised device.
According to eSentire’s 2026 Annual Cyber Threat Report, these attacks boasted an alarming 72% success rate, with a notable increase in activity observed between 2024 and 2025.
Variations of this technique have been attributed to prominent threat groups, including Scattered Spider, Payouts King, and UNC6692. The underlying infrastructure supporting these malicious operations is far from amateur. Many of the illicit Teams messages originate from bulletproof hosting providers such as NKtelecom INC, WorkTitans B.V., Global Connectivity Solutions LLP, and GWY IT PTY LTD. The observation of single IP addresses simultaneously targeting multiple organizations underscores the organized and well-resourced nature of these campaigns.
How the Attack Unfolds After Access Is Granted
Once remote access is established, the attackers proceed to execute their objectives, often involving data theft or malware deployment. In several documented instances, threat actors downloaded portable versions of WinSCP directly from its official website. This legitimate file transfer application was then used to covertly exfiltrate sensitive files from the compromised system. By utilizing trusted, legitimate software for malicious purposes, attackers effectively bypass conventional security controls that might flag suspicious executables.
In another incident, attackers leveraged Quick Assist to deliver a malicious ZIP archive named “Email-Deployment-Process-System.zip” to the victim’s machine. This archive contained a Java binary designed to execute a malicious Java application, subsequently leading to data theft. This layered approach highlights the attackers’ sophistication: they gain initial access through trusted remote tools and then deliver malware using seemingly innocuous file names to evade detection during the delivery phase.
What You Should Do
- Restrict External Communications: Configure Microsoft Teams to block messages and calls from external organizations unless explicitly required for business operations. For necessary external collaborations, limit contacts to verified and trusted partners.
- Implement External Sender Notifications: Enable external collaboration policies that clearly notify users when they are communicating with someone outside the organization.
- Block Unauthorized Remote Access Tools: Implement policies to block the use of remote access tools such as Quick Assist, AnyDesk, and ConnectWise unless they are operationally essential and centrally managed.
- Restrict File Transfer Utilities: Block or restrict the use of unauthorized file transfer applications like WinSCP, RClone, FileZilla, and MegaSync across your network.
- Conduct Employee Training: Provide comprehensive security awareness training to employees, focusing on recognizing phishing tactics, especially those involving social engineering and impersonation. Emphasize the importance of verifying any unexpected IT support requests through a known, secondary channel (e.g., calling the official helpdesk number, sending a direct email to IT, or logging a ticket through an internal system) rather than responding directly to the suspicious contact.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.