Tech Support Scam Hackers Now Bypassing Security Through Microsoft Teams

By 813 Staff

Industry analysts are weighing in after reports that tech support scammers are now bypassing security through Microsoft Teams, according to The Hacker News (@TheHackersNews) in the last 24 hours.

Source: https://x.com/TheHackersNews/status/2047379383430902250

A sophisticated social engineering campaign is actively breaching corporate networks by hijacking Microsoft Teams, using fake IT helpdesk calls to trick employees into granting remote access. According to a report highlighted by @TheHackersNews, threat actors are impersonating internal support staff, initiating Teams voice calls, and convincing targets to install remote management tools that bypass standard security controls.

Internal documents circulating among incident response firms indicate the attackers first obtain employee directories and organizational charts—likely through prior credential theft or publicly available data. They then use Teams’ native calling feature, which does not require the target to accept an external meeting invite, to appear as a legitimate internal caller. The voice pitch is convincing: the attacker claims to be resolving a password reset, a license activation issue, or a critical patch deployment. Once the victim consents to installing a tool like AnyDesk or Splashtop, the attacker gains persistent, unmonitored access to the workstation. From there, lateral movement to sensitive systems is often a matter of minutes.

The rollout of defensive measures has been anything but smooth. Several enterprises have scrambled to restrict Teams external access and enforce caller ID verification, but engineers close to the project say that Microsoft has not yet deployed a blanket detection mechanism for this specific attack pattern. One security researcher who requested anonymity told us that the campaign has been active since at least February 2026, with a marked acceleration in April as attackers refined their scripts and call scripts. The Hacker News report confirms that multiple Fortune 500 firms have been targeted, with at least two confirmed breaches resulting in data exfiltration.

Why this matters: traditional email phishing filters are useless here, because the attack vector bypasses email entirely. Teams’ deep integration into corporate communications means employees trust a voice call from an internal display name far more than a suspicious email. The impact for the reader is immediate—any organization using Teams for internal collaboration is at risk, especially if they have not disabled the ability for external users to initiate direct calls.
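For defenders, the call-then-install sequence described above can be hunted by correlating Teams call records with endpoint process starts. The sketch below is an added example, not code from the report or from Microsoft; the event field names, tenant IDs, file paths, 30-minute window and all sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumptions (not from the article): home tenant ID, field names, time window.
HOME_TENANT = "tenant-home"
WINDOW = timedelta(minutes=30)
# Remote-access tools named in the article, matched on the executable file name.
RMM_MARKERS = ("anydesk", "splashtop")

# Constructed sample data: Teams call records and endpoint process starts.
CALLS = [
    {"time": "2026-04-20T09:02:00", "callee": "alice",
     "caller_tenant": "tenant-ext", "display_name": "IT Helpdesk"},
    {"time": "2026-04-20T09:05:00", "callee": "bob",
     "caller_tenant": "tenant-home", "display_name": "Carol (IT)"},
    {"time": "2026-04-20T06:00:00", "callee": "dave",
     "caller_tenant": "tenant-ext", "display_name": "Support"},
]
PROCS = [
    {"time": "2026-04-20T09:14:00", "user": "alice", "host": "WS-101",
     "image": r"C:\Users\alice\Downloads\AnyDesk.exe"},
    {"time": "2026-04-20T09:15:00", "user": "alice", "host": "WS-101",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"time": "2026-04-20T09:20:00", "user": "bob", "host": "WS-102",
     "image": r"C:\Program Files\Splashtop\Splashtop_Streamer.exe"},
    {"time": "2026-04-20T09:30:00", "user": "dave", "host": "WS-103",
     "image": r"C:\Temp\anydesk.exe"},
]

def is_rmm(image):
    """True if the executable's file name contains a known remote-access marker."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(marker in name for marker in RMM_MARKERS)

def correlate(calls, procs, home_tenant=HOME_TENANT, window=WINDOW):
    """Return RMM process starts that follow an external Teams call to the same user."""
    external = [(datetime.fromisoformat(c["time"]), c) for c in calls
                if c["caller_tenant"] != home_tenant]
    alerts = []
    for p in procs:
        if not is_rmm(p["image"]):
            continue
        started = datetime.fromisoformat(p["time"])
        for called, c in external:
            delay = started - called
            if c["callee"] == p["user"] and timedelta(0) <= delay <= window:
                alerts.append({"user": p["user"], "host": p["host"],
                               "image": p["image"], "caller": c["display_name"],
                               "delay_min": int(delay.total_seconds() // 60)})
                break
    return alerts

if __name__ == "__main__":
    for alert in correlate(CALLS, PROCS):
        print(alert)
```

A remote-access tool started after an internal call, or outside the window, is not flagged here and is better handled by a separate software allowlist check.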

What happens next remains uncertain. Microsoft has not yet issued a formal advisory, and the threat actors appear to be pivoting between identities and tenant configurations. Security teams are now racing to implement zero-trust calling policies, but until Teams introduces a mandatory caller authentication prompt, this hole remains open. Expect a patch or guidance within the next two weeks—if the pressure from enterprise customers holds.
