A rapidly expanding wave of vishing (voice phishing) campaigns is abusing Microsoft Teams’ external collaboration features to impersonate IT helpdesk personnel and gain unauthorized remote access to enterprise systems. The technique bypasses traditional email security defenses entirely — because the attack happens inside a trusted collaboration platform, not an inbox.
How the Attack Works
The attack begins when a threat actor operating from an external or cross-tenant Teams account initiates an unsolicited call or message to a targeted employee, presenting as internal IT support or a security investigator. Using social engineering, the attacker convinces the victim to execute attacker-provided commands, approve remote access sessions, or install Remote Monitoring and Management (RMM) tooling such as Microsoft Quick Assist.
Because the interaction occurs within Teams — a platform employees implicitly trust — traditional phishing defenses (email gateways, URL sandboxes, attachment scanners) fail to detect it. The attack exploits the conditioned trust employees place in their own collaboration tools.
Black Basta Ransomware Pioneered This Technique
Microsoft’s Detection and Response Team (DART) documented the first major persistent Teams vishing campaign in November 2025. Black Basta ransomware affiliates were among the first to weaponize this technique at scale in 2024, combining Teams impersonation with credential theft via EvilProxy and SystemBC persistence tools. Since then, the technique has been adopted widely across the criminal ecosystem.
The low technical barrier to entry — any attacker with access to a Microsoft 365 tenant can initiate cross-tenant Teams calls — has accelerated adoption across multiple threat actor groups, making this a well-established attack vector rather than a novel curiosity.
Forensic Investigation: The Microsoft 365 Audit Log
Security researcher Maurice Fielenbach highlights the CallParticipantDetail operation, logged under the MicrosoftTeams workload in the Microsoft 365 Unified Audit Log (UAL), as a pivotal forensic artifact. This event records participant identity, tenant of origin, timestamps, and external federation indicators — critical data for reconstructing attack timelines.
Key investigation considerations:
- Correlate with MessageSent, MessageCreatedHasLink, and endpoint telemetry for a full kill-chain view
- ChatCreated is unreliable — its absence does not mean no chat occurred
- Audit records appear 60–90 minutes after events; default retention is 180 days
- For message body content, use Microsoft eDiscovery — standard UAL queries are insufficient
- Validate TeamsImpersonationDetected and SecurityRiskInCallDetected event availability in your specific tenant configuration
Defensive Measures
- Restrict external Teams federation — Block federation from unknown tenants; whitelist only verified business partners with documented need
- Flag unsolicited external contacts — Any external Teams call followed by URL sharing, Quick Assist requests, or script execution should trigger immediate investigation and out-of-band verification
- Build UAL detection rules — Use Search-UnifiedAuditLog -RecordType MicrosoftTeams combined with endpoint telemetry for correlation
- Block Quick Assist where unnecessary — Restrict RMM tools to verified IT staff workflows with MFA-enforced authentication
- Out-of-band verification policy — Require all employees to confirm IT support requests via an internal ticketing system or known direct phone number before granting any remote access
- Security awareness training — Teach staff that legitimate IT support will never initiate unsolicited Teams calls requesting remote access or credentials
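The correlation described under the investigation considerations (CallParticipantDetail followed by MessageSent or MessageCreatedHasLink, plus the 60–90 minute ingest lag) and the UAL detection rule above, as an added example that is not the researcher's or Microsoft's code: a Python triage script run over a constructed set of records shaped like a Search-UnifiedAuditLog export. The AuditData key names it relies on (UserId, TargetUser, ExternalParticipant, OriginTenantId) and the tenant IDs are assumptions for the example, not the documented schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample shaped like a Search-UnifiedAuditLog export: CreationTime, Operation and
# RecordType are real columns and AuditData is the JSON payload. The payload keys used below
# (UserId, TargetUser, ExternalParticipant, OriginTenantId) are assumptions for this example,
# not the documented CallParticipantDetail schema; map them to the fields your tenant emits.
def _rec(ts, op, caller, target, external, tenant=None):
    data = {"UserId": caller, "TargetUser": target, "ExternalParticipant": external, "OriginTenantId": tenant}
    return {"CreationTime": ts, "Operation": op, "RecordType": "MicrosoftTeams", "AuditData": json.dumps(data)}

SAMPLE_UAL = [
    _rec("2025-11-03T09:12:00", "CallParticipantDetail", "it-support@unknown-tenant.example", "alice@corp.example", True, "TENANT-UNKNOWN-PLACEHOLDER"),
    _rec("2025-11-03T09:20:00", "MessageCreatedHasLink", "it-support@unknown-tenant.example", "alice@corp.example", True, "TENANT-UNKNOWN-PLACEHOLDER"),
    _rec("2025-11-03T10:00:00", "CallParticipantDetail", "bob@corp.example", "alice@corp.example", False),
    _rec("2025-11-03T14:00:00", "CallParticipantDetail", "partner@verified-partner.example", "carol@corp.example", True, "PARTNER-TENANT-PLACEHOLDER"),
    _rec("2025-11-03T16:00:00", "CallParticipantDetail", "helpdesk@other-tenant.example", "dave@corp.example", True, "TENANT-OTHER-PLACEHOLDER"),
]

FOLLOW_UP_OPS = {"MessageSent", "MessageCreatedHasLink"}   # actions that turn a cold call into an incident
INGEST_LAG = timedelta(minutes=90)                          # records surface 60-90 minutes after the event

def query_window(now_iso, last_run_iso, lag=INGEST_LAG):
    """Start/end (ISO strings) for the next scheduled pull, overlapping by the ingest lag."""
    start = datetime.fromisoformat(last_run_iso) - lag
    return start.isoformat(), now_iso

def _parse(rec):
    return datetime.fromisoformat(rec["CreationTime"]), rec["Operation"], json.loads(rec["AuditData"])

def find_suspicious_external_calls(records, allowed_tenants, window=timedelta(hours=2)):
    """Flag calls from external tenants outside the allowlist; escalate to 'high' when the same
    caller messages or shares a link with the same employee within `window` after the call."""
    parsed = sorted((_parse(r) for r in records), key=lambda p: p[0])
    alerts = []
    for ts, op, d in parsed:
        if op != "CallParticipantDetail" or not d["ExternalParticipant"] or d["OriginTenantId"] in allowed_tenants:
            continue
        follow_ups = [(t.isoformat(), o) for t, o, e in parsed
                      if o in FOLLOW_UP_OPS and e["UserId"] == d["UserId"]
                      and e["TargetUser"] == d["TargetUser"] and ts < t <= ts + window]
        alerts.append({"caller": d["UserId"], "target": d["TargetUser"], "tenant": d["OriginTenantId"],
                       "call_time": ts.isoformat(), "follow_ups": follow_ups,
                       "severity": "high" if follow_ups else "review"})
    return alerts

if __name__ == "__main__":
    for a in find_suspicious_external_calls(SAMPLE_UAL, {"PARTNER-TENANT-PLACEHOLDER"}):
        print(a["severity"], a["caller"], "->", a["target"], a["follow_ups"])
```

A "review" alert is an external call from a non-allowlisted tenant with no follow-up yet; re-run the query after the ingest lag before closing it, since the message records may not have surfaced.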
The Takeaway
As Teams becomes the primary communications channel for hybrid workforces, the attack surface it represents grows proportionally. Organizations that have not reviewed their external access policies, built detection rules for anomalous cross-tenant communication, or trained staff on vishing tactics are exposed to an attack vector actively being exploited by ransomware groups and well-resourced threat actors today. The time to close this gap is now — before it becomes an incident.