VYPR
researchPublished May 29, 2026· Updated Jun 8, 2026· 3 sources

Black Basta and Other Threat Actors Weaponize Microsoft Teams for Vishing Attacks

Threat actors, including Black Basta ransomware affiliates, are exploiting Microsoft Teams' external collaboration features to impersonate IT helpdesk staff and trick victims into granting remote access.

A growing wave of vishing (voice phishing) campaigns is abusing Microsoft Teams' external collaboration features to bypass traditional email-based defenses. Threat actors, including affiliates of the Black Basta ransomware group, initiate unsolicited calls or messages from cross-tenant Teams accounts, posing as internal IT support personnel. Using social engineering, they convince victims to execute commands, approve remote access sessions, or install Remote Monitoring and Management (RMM) tools such as Quick Assist. Because the interaction occurs within a trusted enterprise collaboration platform rather than email, many organizations' phishing filters fail to intercept the intrusion.

Microsoft's Detection and Response Team (DART) has documented this technique in active campaigns since at least November 2025, observing the attack across multiple enterprise environments. Black Basta affiliates were among the first to weaponize this approach at scale in 2024, combining Teams impersonation with credential theft via EvilProxy and SystemBC persistence tools. The attack chain typically involves the attacker gaining initial foothold through email or other means, then leveraging Teams to deepen their access and move laterally.

Security researcher Maurice Fielenbach, currently investigating multiple active incidents, has highlighted the CallParticipantDetail operation logged under the MicrosoftTeams workload in the Microsoft 365 Unified Audit Log (UAL) as a critical forensic artifact. This event records participant identity, join and leave timestamps, connection metadata, tenant of origin, and federated or external indicators. However, the precise schema varies by tenant and ingestion path, meaning analysts must validate field availability before building automated detections.

Fielenbach cautions that ChatCreated is not a reliable Teams-client signal; its absence does not confirm that a chat never occurred. Audit records typically surface within 60 to 90 minutes with no guaranteed SLA, and default retention is 180 days. To reconstruct a complete attack timeline, investigators must correlate CallParticipantDetail with related events including MessageSent, MessageCreatedHasLink, and endpoint telemetry. For investigations requiring message body content, standard UAL queries are insufficient — Microsoft eDiscovery and Content Search workflows are required.

Defensive measures recommended by Microsoft and researchers include restricting external Teams federation to only users or groups with a documented business need. Security teams should triage first-contact external activity — treating any unsolicited external Teams call or message, especially when followed by URL sharing, Quick Assist launch, or script execution, as a potential vishing indicator. Other mitigations include blocking Quick Assist where unnecessary, enforcing out-of-band verification for all IT support requests, and monitoring enrichment signals such as TeamsImpersonationDetected and SecurityRiskInCallDetected events.

The exploitation of Teams for vishing represents a significant evolution in social engineering tactics, as attackers move beyond email to target the collaboration platforms that have become central to hybrid work. Organizations that have invested heavily in email security may overlook the Teams attack surface, leaving a critical gap in their defenses. The UAL's CallParticipantDetail log is emerging as a foundational evidence source in incident response, provided analysts understand its limitations and validate field schemas before operationalizing it in detection pipelines.

This new report details a specific campaign leveraging Microsoft Teams for social engineering and Windows Quick Assist to gain initial access, followed by the deployment of Nimbus RAT. The malware utilizes Google Drive and Sheets for command-and-control, blending traffic with legitimate cloud activity and making detection significantly harder than previously reported.

This Unit 42 report details how threat actors are increasingly leveraging Microsoft Teams for phishing and social engineering, moving beyond traditional email-based attacks. The article highlights specific tactics such as impersonating IT support to trick users into approving MFA prompts or clicking malicious links, and notes that phishing alerts from collaboration tools now represent 42% of all phishing alerts in their telemetry. It also provides guidance on hardening Teams against external abuse through user awareness training and strict configuration controls.

Synthesized by Vypr AI