Rapid7 Guidance On Observed Microsoft Teams Phishing Campaigns
Rapid7, Monday, March 16th, 2026
The Rapid7 MDR team is currently monitoring an increase in phishing campaigns where threat actors (TAs) impersonate internal IT departments via Microsoft Teams.
The primary objective is to persuade users to launch Quick Assist, granting the TA remote access to deploy malware, exfiltrate data, or facilitate lateral movement across the network.
Social engineering via IT Support impersonation is not a new threat, but the recent surge in Teams-based delivery highlights a critical vulnerability in how organizations manage external access. Teams often allows any external user to message internal staff. This is the functional equivalent of operating an email server without a gateway filter. While a cautious user might notice an "External" tag on the chat, the inherent trust placed in collaboration tools often overrides standard security instincts, granting TAs a direct, high-trust channel to your end users.
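To check whether a tenant is in the open state described above, the following added example (not part of the Rapid7 advisory) evaluates the output of `Get-CsTenantFederationConfiguration` from the MicrosoftTeams PowerShell module. The function name `Test-TeamsExternalAccess`, the constructed sample object, and the string match on `AllowAllKnownDomains` are assumptions made for this example.

```powershell
# Added example: audit tenant-level Teams external access.
# The live call needs the MicrosoftTeams module and Connect-MicrosoftTeams.
function Test-TeamsExternalAccess {
    param([Parameter(Mandatory)] $FederationConfig)

    $findings = @()
    # Assumption: an unrestricted tenant renders AllowedDomains as "AllowAllKnownDomains".
    $allowed = [string]$FederationConfig.AllowedDomains

    # Federation on with no allow list: any external Teams tenant can open a chat.
    if ($FederationConfig.AllowFederatedUsers -and $allowed -match 'AllowAllKnownDomains') {
        $findings += 'Open federation: any external Teams tenant can message internal users.'
    }
    # Personal (unmanaged) Teams accounts allowed to initiate contact.
    if ($FederationConfig.AllowTeamsConsumer -and $FederationConfig.AllowTeamsConsumerInbound) {
        $findings += 'Unmanaged Teams accounts can start chats with internal users.'
    }
    if ($findings.Count -eq 0) {
        $findings += 'External chat is disabled or limited to an allow list.'
    }
    $findings
}

# Constructed sample using the property names of the real configuration object.
$sample = [pscustomobject]@{
    AllowFederatedUsers       = $true
    AllowedDomains            = 'AllowAllKnownDomains'
    AllowTeamsConsumer        = $true
    AllowTeamsConsumerInbound = $true
}
Test-TeamsExternalAccess -FederationConfig $sample

# Against a live tenant:
#   Connect-MicrosoftTeams
#   Test-TeamsExternalAccess -FederationConfig (Get-CsTenantFederationConfiguration)
```

Per-user external access policies (`Get-CsExternalAccessPolicy`) can further restrict what the tenant setting allows, so review them alongside this result.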