Voice Phishing via Fake Microsoft Teams Support Call Compromises Enterprise Accounts
What Happened — Attackers posed as Microsoft Teams support agents, used a legitimate‑looking Teams call to convince users to share credentials and install remote‑access tools, resulting in full account takeover.
Why It Matters for TPRM —
- Social‑engineering attacks can bypass technical controls on any SaaS collaboration platform.
- Compromise of a single privileged user can expose internal communications, files, and downstream services.
- Vendors that provide remote‑support or help‑desk services become an indirect attack surface for their customers.
Who Is Affected — Enterprises across all sectors that rely on Microsoft Teams for voice/video collaboration, especially those with privileged admin accounts.
Recommended Actions —
- Re‑educate users on verified support channels and the prohibition of credential sharing.
- Enforce MFA for all Teams admin accounts and require conditional access policies for remote‑access tools.
- Review third‑party support contracts and ensure they include strict authentication procedures.
Technical Notes — The intrusion leveraged a voice‑phishing (vishing) scenario, not a software vulnerability. Attackers used social engineering to obtain valid credentials, then deployed legitimate remote‑desktop utilities to maintain persistence. No CVE was involved; the data exfiltrated included internal chat logs, meeting recordings, and shared files.
Source: Microsoft Security Blog
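The sequence in the Technical Notes (a call from someone claiming to be support, followed by a legitimate remote-access tool on the callee's machine) can be expressed as a correlation rule; the following is an added example, not taken from the source advisory. The event field names, the verified-support roster, the tool list and the 30-minute window are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumptions (not from the advisory): field names, roster, tool list, window.
VERIFIED_SUPPORT = {"helpdesk@corp.example"}  # hypothetical verified support roster
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe", "teamviewer.exe",
                "screenconnect.clientservice.exe"}
SUPPORT_WORDS = ("support", "help desk", "helpdesk", "it admin")
WINDOW = timedelta(minutes=30)

# Constructed sample events, not real telemetry.
CALLS = [
    {"time": "2024-05-01T09:00:00", "caller": "helpdesk@corp.example",
     "caller_name": "IT Help Desk", "callee": "alice"},
    {"time": "2024-05-01T10:02:00", "caller": "agent@teams-support.example",
     "caller_name": "Microsoft Teams Support", "callee": "bob"},
    {"time": "2024-05-01T11:00:00", "caller": "sales@vendor.example",
     "caller_name": "Dana (Vendor)", "callee": "carol"},
]
PROCS = [
    {"time": "2024-05-01T09:05:00", "user": "alice", "image": "QuickAssist.exe"},
    {"time": "2024-05-01T10:11:00", "user": "bob", "image": "AnyDesk.exe"},
    {"time": "2024-05-01T11:04:00", "user": "carol", "image": "AnyDesk.exe"},
    {"time": "2024-05-01T15:00:00", "user": "bob", "image": "AnyDesk.exe"},
]

def suspicious_call(call):
    """Caller claims a support role by name but is not on the verified roster."""
    name = call["caller_name"].lower()
    claims_support = any(word in name for word in SUPPORT_WORDS)
    return claims_support and call["caller"].lower() not in VERIFIED_SUPPORT

def correlate(calls, procs, window=WINDOW):
    """Alert when the callee starts a remote-access tool soon after a suspicious call."""
    alerts = []
    for call in filter(suspicious_call, calls):
        start = datetime.fromisoformat(call["time"])
        for proc in procs:
            delay = datetime.fromisoformat(proc["time"]) - start
            if (proc["user"] == call["callee"]
                    and proc["image"].lower() in REMOTE_TOOLS
                    and timedelta(0) <= delay <= window):
                alerts.append({"user": proc["user"], "caller": call["caller"],
                               "tool": proc["image"],
                               "delay_min": int(delay.total_seconds() // 60)})
    return alerts

if __name__ == "__main__":
    for alert in correlate(CALLS, PROCS):
        print(alert)
```

The verified help desk call to alice and the non-support vendor call to carol produce no alert, which keeps sanctioned remote-support sessions out of the queue.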