Mark0

When “Hi, This Is IT” Comes Through Microsoft Teams

Threat actors are increasingly shifting from traditional email phishing to chat-based social engineering using collaboration tools like Microsoft Teams. Well-known groups such as Cloaked Ursa (APT29) and UNC6692 have been observed impersonating IT helpdesk staff to manipulate employees into approving MFA prompts or visiting credential-harvesting sites. These attacks exploit the high level of trust users place in internal communication platforms and the often-permissive default settings for external federation.

To mitigate these risks, organizations should harden their Microsoft Teams configurations by restricting communication from unmanaged personal accounts and implementing strict allow lists for federated domains. Beyond technical controls, it is crucial to evolve user awareness training to include scenarios specific to chat-based threats, such as unsolicited IT support requests. Combining these measures with identity-centric protections like Conditional Access and Privileged Identity Management can significantly reduce the attack surface and prevent account compromise.
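
One way to apply the two Teams settings described above (block unmanaged personal accounts, allow-list federated domains) with the MicrosoftTeams PowerShell module. This is an added example, not code from the original article; the function name `Set-TeamsExternalAccessBaseline` is hypothetical and `partner.example` is a placeholder domain.

```powershell
# Added example. Assumes the MicrosoftTeams module is installed and the caller
# holds a Teams administrator role. Function name and domain are placeholders.
function Set-TeamsExternalAccessBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Partner domains that are allowed to chat with your users.
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string[]]$AllowedPartnerDomains
    )

    # Normalise and validate each domain so a typo cannot silently widen
    # or break the allow list.
    $list = [System.Collections.Generic.List[string]]::new()
    foreach ($d in $AllowedPartnerDomains) {
        $domain = $d.Trim().ToLowerInvariant()
        if ($domain -notmatch '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$') {
            throw "Not a valid DNS domain: '$d'"
        }
        if (-not $list.Contains($domain)) { $list.Add($domain) }
    }

    # Record the current state first so the change can be reviewed or rolled back.
    $fields = 'AllowFederatedUsers', 'AllowTeamsConsumer',
              'AllowTeamsConsumerInbound', 'AllowedDomains', 'BlockedDomains'
    $before = Get-CsTenantFederationConfiguration | Select-Object $fields
    Write-Verbose ($before | Format-List | Out-String)

    if ($PSCmdlet.ShouldProcess('Tenant federation configuration',
            "Block unmanaged Teams accounts; allow only: $($list -join ', ')")) {
        # Unmanaged (personal) Teams accounts: no outbound or inbound chat.
        Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                            -AllowTeamsConsumerInbound $false
        # Federation stays on, but only for the explicitly listed domains.
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                            -AllowedDomainsAsAList $list
    }

    # Return the resulting state for the change record.
    Get-CsTenantFederationConfiguration | Select-Object $fields
}

Connect-MicrosoftTeams
# Dry run first; drop -WhatIf to apply.
Set-TeamsExternalAccessBaseline -AllowedPartnerDomains 'partner.example' -WhatIf -Verbose
```

Per-user external access policies can still override the tenant setting, so review those separately after the tenant baseline is in place.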

