Email bombing campaigns combined with fake IT support outreach are driving a surge in sophisticated Microsoft Teams phishing attacks.
Since early 2026, eSentire has observed an increase in Microsoft Teams-based phishing in which threat actors impersonate IT support and helpdesk teams.
The attacks typically begin with email bombing, where victims are flooded with spam messages to create confusion and urgency.
Shortly after, threat actors initiate contact via Microsoft Teams, impersonating internal IT support or helpdesk personnel. Posing as legitimate staff, they offer assistance to “resolve” the email issue, guiding users to launch remote access tools such as Quick Assist or AnyDesk.
Once access is granted, attackers move quickly to establish control. In multiple incidents investigated by eSentire, threat actors downloaded portable versions of WinSCP to exfiltrate sensitive data.
In other cases, they deployed malicious payloads, including a ZIP archive named “Email-Deployment-Process-System.zip,” which contained a Java-based backdoor used for further compromise and data exfiltration.
Infrastructure and Attribution Patterns
eSentire identified consistent infrastructure patterns across these campaigns. Malicious Microsoft Teams messages frequently originate from bulletproof hosting providers such as NKtelecom INC, WorkTitans B.V., Global Connectivity Solutions LLP, and GWY IT PTY LTD.
Notably, single IP addresses have been observed targeting multiple organizations simultaneously, suggesting coordinated operations.
Threat actors rely on two primary domain strategies:
- Newly created .onmicrosoft.com tenants with IT-themed names like “Windows Security Help Desk.”
- Disposable domains using the .top TLD.
A shift in social engineering tactics has also emerged. Instead of generic accounts like helpdesk@, attackers now use realistic English names (e.g., michaelturner@) combined with IT-related branding to enhance credibility.
These techniques align with previously documented playbooks used by groups such as Scattered Spider, Payouts King, and UNC6692, all of which are known for leveraging social engineering and remote management tools for initial access.
eSentire has implemented multiple defensive measures across its MDR platform:
- Blocking malicious IPs through its Global Block List.
- Adding indicators of compromise (IoCs) to its Threat Intelligence Feed.
- Detecting suspicious external Teams messages via MDR for Log.
- Identifying endpoint activity such as domain reconnaissance, application control bypass, and ransomware deployment.
- Introducing specific detections for WinSCP abuse.
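The following Python sketch is an added example, not eSentire's detection logic or code. It scores external Teams senders on the indicators described above: newly created .onmicrosoft.com tenants with IT-themed names, disposable .top domains, IT-support branding in the sender's name, and a single external sender messaging many internal users. It consumes simplified Teams audit records; the Operation, UserId and ParticipantInfo.HasForeignTenantUsers fields follow the Teams schema of the Office 365 Unified Audit Log, while SenderDisplayName, Recipients, the keyword list, the partner allow-list and every sample record are constructed for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed tenant domain for the example; replace with your own domain(s).
OUR_DOMAIN = "victim.example"

# Constructed allow-list. In production mirror the Teams external access
# allow-list, so any other external sender is either noise or an attacker.
TRUSTED_PARTNER_DOMAINS = {"partner.example"}

# TLDs the report describes as disposable; extend from your own telemetry.
DISPOSABLE_TLDS = {"top"}

# IT-support branding seen in the lures ("Windows Security Help Desk",
# helpdesk@, "IT Support"). Hypothetical tuning list; expect to adjust it.
IT_THEME = re.compile(
    r"help[-_ ]?desk|service[-_ ]?desk|support[-_ ]?desk|"
    r"it[-_ ]?support|it[-_ ]?service|windows[-_ ]?security",
    re.IGNORECASE,
)


@dataclass
class Finding:
    sender: str
    recipients: int
    reasons: list[str]


def sender_domain(upn: str) -> str:
    return upn.rsplit("@", 1)[-1].lower()


def assess_sender(upn, display_name, recipients, fan_out_threshold=3):
    """Return the indicators an external sender matches (empty list = benign)."""
    domain = sender_domain(upn)
    if domain in TRUSTED_PARTNER_DOMAINS:
        return []
    reasons = ["external sender not on the partner allow-list"]
    if domain.endswith(".onmicrosoft.com"):
        tenant = domain[: -len(".onmicrosoft.com")]
        reasons.append(f"unverified .onmicrosoft.com tenant '{tenant}'")
        if IT_THEME.search(tenant):
            reasons.append("IT-themed tenant name")
    tld = domain.rsplit(".", 1)[-1]
    if tld in DISPOSABLE_TLDS:
        reasons.append(f"disposable TLD .{tld}")
    local_part = upn.split("@", 1)[0]
    if IT_THEME.search(display_name) or IT_THEME.search(local_part):
        reasons.append("IT-support branding in sender name")
    if len(recipients) >= fan_out_threshold:
        reasons.append(f"messaged {len(recipients)} internal users")
    return reasons


def triage(records, min_indicators=2):
    """Group inbound external MessageSent records by sender and score each."""
    per_sender = defaultdict(lambda: {"name": "", "recipients": set()})
    for rec in records:
        if rec.get("Operation") != "MessageSent":
            continue
        if not rec.get("ParticipantInfo", {}).get("HasForeignTenantUsers"):
            continue  # purely internal chat, out of scope here
        sender = rec["UserId"].lower()
        if sender_domain(sender) == OUR_DOMAIN:
            continue  # our own user talking outbound, not an inbound lure
        entry = per_sender[sender]
        entry["name"] = rec.get("SenderDisplayName", entry["name"])
        entry["recipients"].update(r.lower() for r in rec.get("Recipients", []))
    findings = []
    for sender, entry in per_sender.items():
        reasons = assess_sender(sender, entry["name"], entry["recipients"])
        if len(reasons) >= min_indicators:
            findings.append(Finding(sender, len(entry["recipients"]), reasons))
    return sorted(findings, key=lambda f: len(f.reasons), reverse=True)


def _msg(sender, name, recipient, external=True, op="MessageSent"):
    # Helper to build a constructed, simplified audit record.
    return {
        "Operation": op,
        "UserId": sender,
        "SenderDisplayName": name,
        "ParticipantInfo": {"HasForeignTenantUsers": external},
        "Recipients": [recipient],
    }


# Constructed sample records, not real audit data.
SAMPLE_RECORDS = [
    # Lure 1: IT-themed throwaway tenant, realistic name, sprayed to 3 users.
    _msg("michaelturner@windowssecurityhelpdesk.onmicrosoft.com",
         "Michael Turner (IT Support)", "alice@victim.example"),
    _msg("michaelturner@windowssecurityhelpdesk.onmicrosoft.com",
         "Michael Turner (IT Support)", "bob@victim.example"),
    _msg("michaelturner@windowssecurityhelpdesk.onmicrosoft.com",
         "Michael Turner (IT Support)", "carol@victim.example"),
    # Lure 2: disposable .top domain with a generic helpdesk@ sender.
    _msg("helpdesk@it-servicedesk-support.top", "Help Desk", "dave@victim.example"),
    # Benign: trusted partner, internal chat, and a non-message operation.
    _msg("jane@partner.example", "Jane Doe", "alice@victim.example"),
    _msg("alice@victim.example", "Alice", "bob@victim.example", external=False),
    _msg("eve@unknown.example", "Eve", "bob@victim.example", op="ChatCreated"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f.sender} -> {f.recipients} recipient(s)")
        for reason in f.reasons:
            print(f"  - {reason}")
```

Each matched indicator is kept as a reason string rather than a numeric score so an analyst can see why a sender was flagged; the fan-out count is the in-tenant counterpart of the cross-organization single-IP pattern eSentire reports, which a single tenant's logs cannot observe directly.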
eSentire's Threat Response Unit (TRU) also highlighted the growing role of voice phishing (vishing) in facilitating remote monitoring and management (RMM) tool abuse in its March 2026 intelligence briefing.
Mitigations
Organizations are urged to tighten collaboration and remote access controls to reduce exposure:
- Restrict Microsoft Teams communication with external organizations unless explicitly required.
- Allow interactions only with trusted partners and enable external sender warnings.
- Limit the use of remote access tools (e.g., Quick Assist, AnyDesk, ConnectWise).
- Restrict file transfer utilities such as WinSCP, RClone, and FileZilla unless necessary.
- Ensure Office 365 audit logs are ingested and monitored.
- Conduct user awareness training focused on social engineering and impersonation attacks.
- Establish verification procedures for IT requests using trusted internal channels.
These Microsoft Teams phishing campaigns highlight a broader shift toward abusing trusted enterprise platforms for initial access.
By combining email bombing, impersonation, and remote access abuse, attackers bypass traditional security controls and exploit human trust, making user awareness and layered detection critical defenses.
As threat actors continue refining their tactics, organizations must adapt quickly to secure collaboration environments that have become central to modern business operations.