A new tactic is turning trusted collaboration tools into delivery channels for malicious links and impersonation attempts.

The threat is coming from inside the organization

Microsoft Teams has become a core communication platform for businesses, replacing much of what used to take place over email. But attackers are now using this trust to their advantage—sending phishing links and malicious files from inside Teams itself.

In these attacks, cybercriminals gain access to a legitimate Microsoft 365 account—often through credential theft or infostealer malware—and then use that account to message coworkers through Teams. Because the message comes from a trusted internal user, the link is often clicked without hesitation.

Why these attacks are harder to detect

Unlike email, Teams messages are not subject to the same filtering or inspection by traditional security gateways. Most organizations trust internal Teams traffic by default. That makes it easier for attackers to deliver malicious payloads or redirect users to fake login pages without triggering alerts.

These messages are often simple: “Can you review this doc?” or “Is this invoice correct?” They rely on speed, familiarity, and the casual tone of chat communication to lower defenses.

What businesses can do right now

Start by treating Microsoft Teams as an extension of your threat surface. If your organization uses Microsoft 365, verify that Teams is included in your security monitoring stack and that audit logging is enabled.

Security policies should be updated to include messaging platforms—not just email. Users should be trained to question unexpected links or file shares, even if they come from colleagues. Where possible, use conditional access policies to limit risky login behavior, and enable multifactor authentication across all accounts.
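As an added illustration of the monitoring recommended above (not code from this article or from Microsoft), the sketch below flags an internal account that sends links to untrusted hosts to several coworkers in a short burst, the pattern a compromised account tends to produce. The record layout, trusted domains, thresholds, and sample events are all assumptions constructed for the example; map them to whatever your audit log export actually provides.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed policy values for illustration; tune to your tenant.
TRUSTED_SUFFIXES = ("sharepoint.com", "corp.example")
MIN_RECIPIENTS = 3
WINDOW = timedelta(minutes=10)

# Constructed sample records (simplified, hypothetical schema):
# (time, sender, recipient, url)
SAMPLE_EVENTS = [
    ("2024-05-02T09:00:10", "alice@corp.example", "bob@corp.example", "https://corp.sharepoint.com/doc1"),
    ("2024-05-02T09:14:00", "carol@corp.example", "dave@corp.example", "https://sharepoint.com.login-check.example/invoice"),
    ("2024-05-02T09:15:30", "carol@corp.example", "erin@corp.example", "https://sharepoint.com.login-check.example/invoice"),
    ("2024-05-02T09:17:05", "carol@corp.example", "frank@corp.example", "https://sharepoint.com.login-check.example/invoice"),
    ("2024-05-02T09:20:00", "bob@corp.example", "alice@corp.example", "https://news.example.org/a"),
    ("2024-05-02T10:00:00", "gina@corp.example", "dave@corp.example", "https://files.example.net/q1"),
    ("2024-05-02T10:30:00", "gina@corp.example", "erin@corp.example", "https://files.example.net/q1"),
    ("2024-05-02T11:00:00", "gina@corp.example", "frank@corp.example", "https://files.example.net/q1"),
]

def is_trusted(url):
    """True only if the host equals a trusted suffix or is a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def flag_senders(events):
    """Return {sender: recipients} for senders who sent untrusted links to
    at least MIN_RECIPIENTS distinct recipients within WINDOW."""
    by_sender = defaultdict(list)
    for ts, sender, recipient, url in events:
        if not is_trusted(url):
            by_sender[sender].append((datetime.fromisoformat(ts), recipient))
    flagged = {}
    for sender, hits in by_sender.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most WINDOW.
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            recipients = {r for _, r in hits[start:end + 1]}
            if len(recipients) >= MIN_RECIPIENTS:
                flagged[sender] = sorted(recipients)
                break
    return flagged

if __name__ == "__main__":
    for sender, recipients in flag_senders(SAMPLE_EVENTS).items():
        print(f"review {sender}: untrusted link sent to {len(recipients)} coworkers")
```

The suffix check is deliberately strict: a host such as sharepoint.com.login-check.example only contains a trusted name and is treated as untrusted.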

While Teams offers productivity benefits, it also creates a pathway for lateral movement once an attacker is inside your environment. Treating chat traffic as inherently trustworthy is no longer a safe assumption.