VYPR
Research · Published May 29, 2026 · 1 source

Black Basta and Other Threat Actors Weaponize Microsoft Teams for Vishing Attacks

Threat actors, including Black Basta ransomware affiliates, are exploiting Microsoft Teams' external collaboration features to impersonate IT helpdesk staff and trick victims into granting remote access.

A growing wave of vishing (voice phishing) campaigns is abusing Microsoft Teams' external collaboration features to bypass traditional email-based defenses. Threat actors, including affiliates of the Black Basta ransomware group, initiate unsolicited calls or messages from cross-tenant Teams accounts, posing as internal IT support personnel. Using social engineering, they convince victims to execute commands, approve remote access sessions, or install Remote Monitoring and Management (RMM) tools such as Quick Assist. Because the interaction occurs within a trusted enterprise collaboration platform rather than email, many organizations' phishing filters fail to intercept the intrusion.

Microsoft's Detection and Response Team (DART) has documented this technique in active campaigns since at least November 2025, observing the attack across multiple enterprise environments. Black Basta affiliates were among the first to weaponize this approach at scale in 2024, combining Teams impersonation with credential theft via EvilProxy and SystemBC persistence tools. The attack chain typically involves the attacker gaining an initial foothold through email or other means, then leveraging Teams to deepen their access and move laterally.

Security researcher Maurice Fielenbach, currently investigating multiple active incidents, has highlighted the CallParticipantDetail operation logged under the MicrosoftTeams workload in the Microsoft 365 Unified Audit Log (UAL) as a critical forensic artifact. This event records participant identity, join and leave timestamps, connection metadata, tenant of origin, and federated or external indicators. However, the precise schema varies by tenant and ingestion path, meaning analysts must validate field availability before building automated detections.

Fielenbach cautions that ChatCreated is not a reliable Teams-client signal; its absence does not confirm that a chat never occurred. Audit records typically surface within 60 to 90 minutes with no guaranteed SLA, and default retention is 180 days. To reconstruct a complete attack timeline, investigators must correlate CallParticipantDetail with related events, including MessageSent, MessageCreatedHasLink, and endpoint telemetry. For investigations requiring message body content, standard UAL queries are insufficient; Microsoft eDiscovery and Content Search workflows are required.

Defensive measures recommended by Microsoft and researchers include restricting external Teams federation to only those users or groups with a documented business need. Security teams should triage first-contact external activity, treating any unsolicited external Teams call or message, especially when followed by URL sharing, a Quick Assist launch, or script execution, as a potential vishing indicator. Other mitigations include blocking Quick Assist where it is unnecessary, enforcing out-of-band verification for all IT support requests, and monitoring enrichment signals such as TeamsImpersonationDetected and SecurityRiskInCallDetected events.
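As an added example (not code from the article or from Microsoft's tooling), the following Python sketch applies the correlation from the two paragraphs above to a UAL export: it flags first-contact external CallParticipantDetail calls that are followed within a window by a link-bearing message from the same external sender or by a Quick Assist launch on the victim's host, and it sets aside records whose AuditData lacks the fields the rule needs instead of scoring them. The AuditData field names (ParticipantUpn, ParticipantTenantId, JoinTime, SenderUpn), the tenant ids, the endpoint event shape and the 60-minute window are assumptions; the sample records are constructed, not real tenant data.

```python
import json
from datetime import datetime, timedelta

# AuditData fields this rule needs. These names are assumptions: the real CallParticipantDetail
# schema varies by tenant and ingestion path, so records lacking them are set aside, not ignored.
REQUIRED = ("ParticipantUpn", "ParticipantTenantId", "JoinTime")

# Constructed sample records (not real tenant data); AuditData is a JSON string as in a UAL export.
UAL = [
    {"CreationTime": "2026-05-12T09:05:00", "Operation": "CallParticipantDetail", "Workload": "MicrosoftTeams",
     "UserId": "alice@corp.example", "AuditData": json.dumps({"ParticipantUpn": "helpdesk@outside.example",
     "ParticipantTenantId": "tenant-ext", "JoinTime": "2026-05-12T09:01:00"})},
    {"CreationTime": "2026-05-12T09:20:00", "Operation": "MessageCreatedHasLink", "Workload": "MicrosoftTeams",
     "UserId": "alice@corp.example", "AuditData": json.dumps({"SenderUpn": "helpdesk@outside.example"})},
    {"CreationTime": "2026-05-12T11:00:00", "Operation": "CallParticipantDetail", "Workload": "MicrosoftTeams",
     "UserId": "carol@corp.example", "AuditData": json.dumps({"ParticipantUpn": "support@elsewhere.example"})},
]
# Constructed endpoint telemetry: process launches on users' hosts.
ENDPOINT = [{"Time": "2026-05-12T09:30:00", "User": "alice@corp.example", "Process": "QuickAssist.exe"}]

def _t(s):
    return datetime.fromisoformat(s)

def triage(ual, endpoint, home_tenant, window_min=60):
    """First-contact external Teams calls followed by a shared link or a Quick Assist launch
    become alerts; CallParticipantDetail records missing REQUIRED fields go to 'unvalidated'."""
    alerts, unvalidated, seen = [], [], set()
    for rec in sorted(ual, key=lambda r: r["CreationTime"]):
        if (rec["Operation"], rec["Workload"]) != ("CallParticipantDetail", "MicrosoftTeams"):
            continue
        data = json.loads(rec["AuditData"])
        if missing := [f for f in REQUIRED if f not in data]:
            unvalidated.append({"user": rec["UserId"], "time": rec["CreationTime"], "missing": missing})
            continue
        caller, victim = data["ParticipantUpn"], rec["UserId"]
        if data["ParticipantTenantId"] == home_tenant or caller in seen:
            continue  # internal participant, or not a first contact
        seen.add(caller)
        start = _t(data["JoinTime"])
        end = start + timedelta(minutes=window_min)
        reasons = [f"link shared by {caller}" for r in ual
                   if r["Operation"] == "MessageCreatedHasLink" and r["UserId"] == victim
                   and start <= _t(r["CreationTime"]) <= end
                   and json.loads(r["AuditData"]).get("SenderUpn") == caller]
        reasons += ["Quick Assist launched" for e in endpoint if e["User"] == victim
                    and e["Process"].lower() == "quickassist.exe" and start <= _t(e["Time"]) <= end]
        if reasons:
            alerts.append({"user": victim, "caller": caller, "reasons": reasons})
    return {"alerts": alerts, "unvalidated": unvalidated}
```

Records that land in `unvalidated` are the ones the text warns about: confirm the tenant's actual field names before wiring the rule into a detection pipeline.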

The exploitation of Teams for vishing represents a significant evolution in social engineering tactics, as attackers move beyond email to target the collaboration platforms that have become central to hybrid work. Organizations that have invested heavily in email security may overlook the Teams attack surface, leaving a critical gap in their defenses. The UAL's CallParticipantDetail log is emerging as a foundational evidence source in incident response, provided analysts understand its limitations and validate field schemas before operationalizing it in detection pipelines.

Synthesized by Vypr AI