A wave of sophisticated cyberattacks targeting enterprise employees is combining email flooding with impersonation of IT support staff on Microsoft Teams, tricking victims into handing over remote access to their own devices. Security researchers at eSentire have confirmed multiple real-world intrusion cases in which this technique led to verified data exfiltration — and the trend is accelerating sharply in 2026.
The Two-Stage Attack: Email Bombing Meets Teams Impersonation
The attack begins before the victim ever receives a Teams message. Threat actors first flood the target’s inbox with hundreds or thousands of unsolicited emails in a short window — a technique known as email bombing. The sudden deluge creates panic: recipients worry their account has been compromised, their email address has been exposed, or that something has gone seriously wrong with their systems.
At peak anxiety, an apparent IT support agent reaches out via Microsoft Teams. The account looks professional: it uses a realistic full-name persona (such as michael.turner or daniel.foster) rather than a generic handle like helpdesk, and the display name typically reads something like “IT Protection Department” or “Windows Security Help Desk.” These external accounts are purpose-built using freshly created Microsoft 365 tenants specifically designed to mimic an organisation’s internal IT team.
What makes this campaign especially effective is the platform itself. Employees use Microsoft Teams daily and are conditioned to trust IT communications delivered through it. The attackers exploit that ingrained trust directly, using the platform’s familiarity as a weapon.
Remote Access: The Critical Turning Point
Once the fake IT agent has established contact and earned enough trust, the victim is asked to share their screen or install a remote access tool — typically Quick Assist (built into Windows) or a third-party tool like AnyDesk. From that point, the attacker has full interactive control of the endpoint.
In multiple confirmed incidents, attackers leveraged this access to:
- Download and run WinSCP directly from its official website to quietly exfiltrate files, using a trusted, legitimate application to avoid triggering security alerts
- Deliver a malicious ZIP file named Email-Deployment-Process-System.zip containing a Java binary; running it launched a malicious Java application, followed by data theft
- Move laterally through the network using the compromised endpoint as an initial foothold
Using legitimate tools like WinSCP for exfiltration is a deliberate anti-detection strategy. Standard security controls are far less likely to flag activity from a well-known file transfer application than from an unknown binary.
Who Is Behind These Attacks?
According to eSentire’s 2026 Annual Cyber Threat Report, this attack pattern carried a 72% success rate across observed engagements, with activity increasing sharply between 2024 and 2025. Several threat groups have been linked to variations of this technique, including Scattered Spider, Payouts King, and UNC6692.
The infrastructure powering these attacks is far from improvised. Malicious Teams messages have been traced to bulletproof hosting providers including NKtelecom INC, WorkTitans B.V., Global Connectivity Solutions LLP, and GWY IT PTY LTD. Researchers observed single IP addresses targeting multiple organisations simultaneously, indicating organised, infrastructure-backed operations rather than isolated incidents.
How to Defend Against This Threat
Organisations can take several concrete steps to reduce exposure to this attack vector:
- Restrict external Teams contacts: Configure Microsoft Teams to block or require approval for messages and calls from external tenants, unless business requirements demand otherwise. This is the single most impactful control available.
- Disable or restrict Quick Assist: If remote support tools are not routinely used by your IT team, disable Quick Assist via Group Policy or remove it from endpoints. Note that this closes only one path: the same campaign fell back to third-party tools such as AnyDesk, so application control should cover those as well.
- Employee awareness training: Educate staff to be highly suspicious of unsolicited IT support contacts, particularly those that follow a sudden inbox flood. Legitimate IT teams rarely initiate contact this way; give staff a published, out-of-band way to verify (for example, calling the help desk on a known number) before sharing a screen or installing anything.
- Monitor for remote access tool usage: Alert on unusual invocations of Quick Assist, AnyDesk, or other remote access tools, and on file-transfer clients such as WinSCP appearing on hosts where they are not normally installed, especially outside business hours or from accounts with no history of such use.
- Email rate-limiting and anti-spam: Implement controls to detect and contain email bombing before it can be used to prime the victim for the social engineering stage.
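The three technical controls above (external Teams access, Quick Assist, and remote-tool monitoring), as a PowerShell example added to this article; it is not code from eSentire or from the original text. It assumes the MicrosoftTeams module and Teams administrator rights for the tenant step, an elevated session on the endpoint for the other two, and that process-creation auditing (Security event 4688, with command line logging) is enabled, which Windows does not do by default. The partner domain, the 07:00 to 19:00 business-hours window and the watched process names are placeholders. Where the article suggests Group Policy for Quick Assist, this example removes the Windows capability and Store package directly instead.

```powershell
#Requires -Version 5.1
# Added example, not code from the article or from eSentire. Run from an
# elevated session. The Teams steps need the MicrosoftTeams module and an
# account with Teams administrator rights; the domain list, the business-hours
# window and the watched process names are assumptions to adjust locally.

# 1. Restrict external Teams contacts: keep federation only for named partner
#    domains, block Teams personal (consumer) accounts, and block trial tenants,
#    which is what freshly created attacker tenants usually are.
function Set-TeamsExternalAccessAllowList {
    param([string[]]$AllowedDomains = @('partner.example.com'))  # placeholder domain

    Connect-MicrosoftTeams | Out-Null
    $list = New-Object 'System.Collections.Generic.List[string]'
    $AllowedDomains | ForEach-Object { $list.Add($_) }

    Set-CsTenantFederationConfiguration `
        -AllowFederatedUsers $true `
        -AllowedDomainsAsAList $list `
        -AllowTeamsConsumer $false `
        -ExternalAccessWithTrialTenants Blocked

    # Return the effective configuration so the change can be reviewed.
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, ExternalAccessWithTrialTenants
}

# 2. Remove Quick Assist where IT does not use it. Older builds ship it as a
#    Windows capability; newer Windows 11 builds deliver it as a Store app, so
#    both are handled.
function Remove-QuickAssist {
    Get-WindowsCapability -Online |
        Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' } |
        Remove-WindowsCapability -Online | Out-Null

    Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue |
        Remove-AppxPackage -AllUsers
}

# 3. Hunt for remote-access and file-transfer tools in process-creation audit
#    events (Security 4688). Needs "Audit Process Creation" and "Include command
#    line in process creation events" enabled, otherwise CommandLine is empty.
function Find-RemoteToolLaunches {
    param(
        [int]$Hours = 24,
        [string[]]$Watch = @('quickassist.exe', 'anydesk.exe', 'winscp.exe'),
        [int]$DayStart = 7,   # assumed business hours, 07:00 to 19:00 local time
        [int]$DayEnd   = 19
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $exe = (Split-Path -Path $data['NewProcessName'] -Leaf).ToLower()
        if ($Watch -contains $exe) {
            $h = $_.TimeCreated.Hour
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process     = $data['NewProcessName']
                Parent      = $data['ParentProcessName']
                CommandLine = $data['CommandLine']
                OutOfHours  = ($h -lt $DayStart -or $h -ge $DayEnd)
            }
        }
    } | Sort-Object Time
}
```

Run Set-TeamsExternalAccessAllowList once per tenant and review the returned configuration before relying on it. Remove-QuickAssist belongs in an Intune script or logon script for endpoints whose support model does not need the tool. Find-RemoteToolLaunches is a host-side hunt; because WinSCP is a legitimate application, the signal is not its presence but a launch by a user with no history of it, shortly after an inbox flood, or with OutOfHours set, which is the moment to call the user back on a known number rather than reply in Teams.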
The combination of email bombing and Teams impersonation represents a maturation of business email compromise tactics into the unified communications space. As organisations invest in platforms like Teams for internal collaboration, attackers are following them there. Defending this vector requires both technical controls and a workforce that is sceptical of unsolicited “help” — regardless of how official it appears.