Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Ghostcommit Attack Hides Malicious Prompts in Images to Exploit AI Agents
July 11, 2026
AI-powered Forg365 Phishing Platform Targets Microsoft 365 Accounts
July 11, 2026
Dell BIOS Critical Flaw Exposes Admin Passwords From SPI Flash
July 11, 2026
Home/Threats/New Microsoft Teams Phishing Attacks Use Email Bombs and Fake IT Support
Threats

New Microsoft Teams Phishing Attacks Use Email Bombs and Fake IT Support

Key Takeaways A sophisticated phishing campaign is leveraging Microsoft Teams and email bombing to gain remote access to employee devices. The attack begins with a deluge of unwanted emails, followed...

Emy Elsamnoudy
Emy Elsamnoudy
May 4, 2026 4 Min Read
48 0

Key Takeaways

  • A sophisticated phishing campaign is leveraging Microsoft Teams and email bombing to gain remote access to employee devices.
  • The attack begins with a deluge of unwanted emails, followed by an impersonated IT support contact via Teams offering to “fix” the problem.
  • Attackers use legitimate remote access tools like Quick Assist or AnyDesk to take control of devices, and then exfiltrate data using tools like WinSCP or deliver malware.
  • These attacks have shown a 72% success rate, with activity sharply increasing between 2024 and 2025.

A new and alarming wave of cyberattacks is targeting Microsoft Teams users, employing a dual-pronged strategy that combines overwhelming email bombardments with highly convincing fake IT support outreach. This coordinated campaign aims to trick employees into granting threat actors direct remote access to their systems, leading to potential data exfiltration and further compromise.

Table Of Content

  • Key Takeaways
  • The Anatomy of the Attack
  • How the Attack Unfolds After Access Is Granted
  • What You Should Do

Security researchers indicate that these attacks, which began to proliferate in early 2026, show no signs of abating. Their efficacy lies in exploiting human psychology under duress and leveraging the trust associated with internal communication platforms.

The Anatomy of the Attack

The initial phase of this campaign involves an “email bombing” technique. Victims are inundated with hundreds, sometimes thousands, of unsolicited emails in a short timeframe. This deliberate overload is designed to induce panic and create the impression that the user’s account is experiencing a severe, system-wide issue.

Once the target is disoriented and anxious, a malicious actor, posing as an “IT support specialist,” contacts them via Microsoft Teams. This contact is crafted to appear highly credible, often utilizing professional-sounding names and display details that mimic legitimate IT departments. The impostor appears to be fully aware of the email issues, further cementing their perceived authenticity.

Analysts at eSentire have documented multiple real-world intrusion cases where this exact sequence of events unfolded, culminating in confirmed data exfiltration from the compromised endpoints. The researchers observed that in each instance, the threat actors impersonated internal IT support teams, initiating contact from external Microsoft Teams accounts. These accounts frequently used display names such as “IT Protection Department” or “Windows Security Help Desk.”

The attackers meticulously craft these external Teams tenants and user profiles to appear as official as possible. Instead of generic identifiers like “helpdesk@” or “admin@”, they employ realistic full-name personas, for example, “michaelturner@” or “danielfoster@”, to enhance the illusion of legitimacy.

The success of this campaign largely stems from its ability to blend social engineering with the inherent trust users place in platforms like Microsoft Teams. Employees are accustomed to receiving legitimate IT communications through Teams, making them more susceptible to these sophisticated impersonation attempts. Once a victim accepts the “help” offered by the fake IT specialist, they are prompted to grant remote access using common tools such as Microsoft Quick Assist or AnyDesk. At this critical juncture, the attacker gains full control over the compromised device.

According to eSentire’s 2026 Annual Cyber Threat Report, these attacks boasted an alarming 72% success rate, with a notable increase in activity observed between 2024 and 2025.

Variations of this technique have been attributed to prominent threat groups, including Scattered Spider, Payouts King, and UNC6692. The underlying infrastructure supporting these malicious operations is far from amateur. Many of the illicit Teams messages originate from bulletproof hosting providers such as NKtelecom INC, WorkTitans B.V., Global Connectivity Solutions LLP, and GWY IT PTY LTD. The observation of single IP addresses simultaneously targeting multiple organizations underscores the organized and well-resourced nature of these campaigns.

How the Attack Unfolds After Access Is Granted

Once remote access is established, the attackers proceed to execute their objectives, often involving data theft or malware deployment. In several documented instances, threat actors downloaded portable versions of WinSCP directly from its official website. This legitimate file transfer application was then used to covertly exfiltrate sensitive files from the compromised system. By utilizing trusted, legitimate software for malicious purposes, attackers effectively bypass conventional security controls that might flag suspicious executables.

In another incident, attackers leveraged Quick Assist to deliver a malicious ZIP archive named “Email-Deployment-Process-System.zip” to the victim’s machine. This archive contained a Java binary designed to execute a malicious Java application, subsequently leading to data theft. This layered approach highlights the attackers’ sophistication: they gain initial access through trusted remote tools and then deliver malware using seemingly innocuous file names to evade detection during the delivery phase.

What You Should Do

  • Restrict External Communications: Configure Microsoft Teams to block messages and calls from external organizations unless explicitly required for business operations. For necessary external collaborations, limit contacts to verified and trusted partners.
  • Implement External Sender Notifications: Enable external collaboration policies that clearly notify users when they are communicating with someone outside the organization.
  • Block Unauthorized Remote Access Tools: Implement policies to block the use of remote access tools such as Quick Assist, AnyDesk, and ConnectWise unless they are operationally essential and centrally managed.
  • Restrict File Transfer Utilities: Block or restrict the use of unauthorized file transfer applications like WinSCP, RClone, FileZilla, and MegaSync across your network.
  • Conduct Employee Training: Provide comprehensive security awareness training to employees, focusing on recognizing phishing tactics, especially those involving social engineering and impersonation. Emphasize the importance of verifying any unexpected IT support requests through a known, secondary channel (e.g., calling the official helpdesk number, sending a direct email to IT, or logging a ticket through an internal system) rather than responding directly to the suspicious contact.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitphishingSecurityThreat

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Microsoft Defender Bug Falsely Flags DigiCert Root Certificates as Malware

Next Post

Critical FreeBSD DHCP Client Bug Lets Attackers Run Code as Root

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Top 10 Unified Threat Management Solutions for 2026
July 11, 2026
Critical OpenClaw Vulnerability Lets Attackers Hijack WhatsApp Via One Message
July 11, 2026
Progress Urges ShareFile Server Shutdown Over Critical Vulnerability
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us