In early 2025, reports revealed that Russian state-linked hackers abused Microsoft Teams’ external access feature to impersonate IT support staff.
Microsoft Teams External Access Abuse
Permissive Teams settings exploited to impersonate IT support and steal credentials.
What is the attack?
By exploiting the platform’s default configuration, which allows external users to contact internal employees, attackers posed as trusted IT personnel. They initiated voice and video calls to trick employees into sharing credentials or installing malicious software.
This technique bypassed traditional email-based defenses and leveraged the trust inherent in collaboration platforms.
Why did it get through?
The incident stemmed from misconfigured or overly permissive external access settings in Microsoft Teams.
Default policies allowed external domains and unknown identities to contact employees without prior validation.
Many organizations use managed IT service providers, making inbound IT-related Teams calls appear plausible.
The combination of weak external restrictions, high trust in IT staff impersonation, and lack of real-time verification enabled attackers to socially engineer employees successfully.
What is required to solve for this attack?
SaaS Posture Recommendation: Ensure ‘external access’ is restricted in the Teams admin center.
This setting can be evaluated using Abnormal's Security Posture Management solution.
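An added example, not part of the original page or of any vendor tooling: a Python check that evaluates a snapshot of tenant external access settings against the recommendation above. Key names follow the properties of the MicrosoftTeams PowerShell cmdlet Get-CsTenantFederationConfiguration; the flat JSON shape, the helper names `audit_external_access` and `is_restricted`, and the sample values are assumptions of this example.

```python
import json

# Constructed snapshot. The flat shape (AllowedDomains as a list, where an
# empty list means "all external domains") is an assumption of this example,
# not a Microsoft export format.
SAMPLE = json.loads("""
{
  "AllowFederatedUsers": true,
  "AllowedDomains": [],
  "AllowTeamsConsumer": true,
  "AllowTeamsConsumerInbound": true
}
""")


def audit_external_access(cfg, approved_domains=()):
    """Return (severity, finding) tuples for one federation config snapshot.

    Missing keys are treated as enabled, so an incomplete snapshot cannot pass.
    """
    findings = []
    approved = {d.lower() for d in approved_domains}
    if cfg.get("AllowFederatedUsers", True):
        allowed = {d.lower() for d in cfg.get("AllowedDomains", [])}
        if not allowed:
            # No allowlist: any external tenant can message or call employees.
            findings.append(("high", "federation open to all external domains"))
        elif allowed - approved:
            extra = ", ".join(sorted(allowed - approved))
            findings.append(("medium", "unapproved allowed domains: " + extra))
    if cfg.get("AllowTeamsConsumer", True):
        if cfg.get("AllowTeamsConsumerInbound", True):
            findings.append(("high", "unmanaged Teams accounts can initiate contact"))
        else:
            findings.append(("low", "users can reach unmanaged Teams accounts"))
    return findings


def is_restricted(cfg, approved_domains=()):
    """True when no high-severity finding remains."""
    return not any(sev == "high" for sev, _ in audit_external_access(cfg, approved_domains))


if __name__ == "__main__":
    for sev, msg in audit_external_access(SAMPLE):
        print(f"[{sev}] {msg}")
```

Pass the domains of contracted IT providers as `approved_domains` so that an allowlist containing anything else is reported for review.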
