How the Attack Works
Threat actors are increasingly exploiting Microsoft Teams’ external collaboration features to launch voice phishing (vishing) attacks that bypass traditional email defenses. The attack begins when an attacker operating from an external or cross-tenant Teams account contacts a targeted employee, impersonating internal IT helpdesk staff or an investigator. Using social engineering tactics, the attacker convinces the victim to execute commands, approve remote access, or install legitimate Remote Monitoring and Management tools such as Quick Assist.
Because the entire interaction occurs within a seemingly trusted collaboration platform rather than email, conventional phishing filters often fail to detect the intrusion. Black Basta ransomware affiliates were among the first documented groups to weaponize this technique at scale, combining Teams impersonation with credential theft tools and persistence mechanisms. Microsoft’s Detection and Response Team documented a sustained campaign built on this approach as early as November 2025, noting that the attack path has been observed across multiple enterprise environments.
Forensic Investigation Using Audit Logs
Security researchers investigating these incidents have identified the CallParticipantDetail operation logged under the MicrosoftTeams workload in the Microsoft 365 Unified Audit Log as a critical forensic artifact. This event records participant identity, connection timestamps, tenant of origin, and whether the participant was federated or external. Researchers caution that the exact schema varies by tenant and ingestion path, so analysts must validate field availability before building automated detection rules.
To reconstruct a complete attack timeline, investigators must correlate CallParticipantDetail with related events including MessageSent and MessageCreatedHasLink, along with endpoint telemetry. Audit records typically surface within 60 to 90 minutes with no guaranteed service level agreement, and default retention is 180 days. One notable challenge is that the ChatCreated event is not a reliable indicator of Teams client activity, so its absence does not confirm that a chat never occurred. For investigations requiring message body content, standard audit log queries are insufficient and additional data sources must be consulted.
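The triage described above, as an added example that is not part of the article: it parses exported Unified Audit Log records (the AuditData JSON lines that an export produces), flags CallParticipantDetail events whose participant is external, and builds a 90-minute timeline of related Teams events around each one. CreationTime, Operation, Workload and UserId are standard audit fields; ParticipantTenantId and IsExternal are assumed names, so the check tolerates their absence as the article advises. All records are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed AuditData JSON lines. ParticipantTenantId / IsExternal are ASSUMED
# field names; confirm against your own tenant's schema before relying on them.
SAMPLE_AUDIT_LINES = [
    '{"CreationTime":"2025-11-12T09:02:11","Operation":"MessageSent","Workload":"MicrosoftTeams","UserId":"helpdesk@external-tenant.example"}',
    '{"CreationTime":"2025-11-12T09:05:40","Operation":"CallParticipantDetail","Workload":"MicrosoftTeams","UserId":"victim@corp.example","ParticipantTenantId":"11111111-2222-3333-4444-555555555555","IsExternal":true}',
    '{"CreationTime":"2025-11-12T09:06:02","Operation":"CallParticipantDetail","Workload":"MicrosoftTeams","UserId":"victim@corp.example","ParticipantTenantId":"aaaaaaaa-0000-0000-0000-000000000000"}',
    '{"CreationTime":"2025-11-12T09:31:15","Operation":"MessageCreatedHasLink","Workload":"MicrosoftTeams","UserId":"victim@corp.example"}',
    '{"CreationTime":"2025-11-12T14:00:00","Operation":"MessageSent","Workload":"MicrosoftTeams","UserId":"victim@corp.example"}',
    'this line is deliberately malformed and must be skipped',
]
HOME_TENANT_ID = "aaaaaaaa-0000-0000-0000-000000000000"  # constructed placeholder
RELATED_OPS = {"MessageSent", "MessageCreatedHasLink", "CallParticipantDetail"}

def parse_audit_lines(lines):
    """Parse JSON lines into records with a UTC timestamp; skip malformed lines."""
    out = []
    for line in lines:
        try:
            rec = json.loads(line)
            rec["_ts"] = datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)
            out.append(rec)
        except (ValueError, KeyError, TypeError):
            continue
    return out

def is_external_participant(rec, home_tenant):
    """Schema-tolerant: explicit flag first, then tenant comparison, else None (unknown)."""
    if "IsExternal" in rec:
        return bool(rec["IsExternal"])
    tenant = rec.get("ParticipantTenantId")
    return None if tenant is None else tenant != home_tenant

def external_calls(records, home_tenant):
    """CallParticipantDetail events under the MicrosoftTeams workload with an external participant."""
    return [r for r in records if r.get("Workload") == "MicrosoftTeams"
            and r.get("Operation") == "CallParticipantDetail"
            and is_external_participant(r, home_tenant) is True]

def build_timeline(records, anchor, window_minutes=90):
    """Related Teams events within +/- window of an external-call anchor, sorted by time."""
    delta = timedelta(minutes=window_minutes)
    lo, hi = anchor["_ts"] - delta, anchor["_ts"] + delta
    hits = sorted((r for r in records if r.get("Operation") in RELATED_OPS and lo <= r["_ts"] <= hi),
                  key=lambda r: r["_ts"])
    return [(r["_ts"].strftime("%H:%M:%S"), r["Operation"], r.get("UserId", "?")) for r in hits]
```

Endpoint telemetry (for example Quick Assist or RMM installs) still has to be joined to this timeline from its own source, since the audit log alone does not carry it.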
Source: Cyber Security News