Microsoft Teams Impersonation

In this attack, an impersonated Microsoft Teams email is used to deliver a phishing campaign.

Quick Summary of Attack Target

Platform: Office 365
Mailboxes: 15,000 to 50,000
Payload: Malicious Link
Technique: Phishing

What was the attack?

Setup: This attack impersonates an automated message from Microsoft Teams in order to steal recipient’s login credentials. Microsoft Teams is a popular communication tool, particularly during the pandemic, making it an attractive brand for attackers to impersonate.

Email Attack: The email is sent from the display name, ‘There’s new activity in Teams’, making it appear like an automated notification from Microsoft Teams. It appears to notify the recipient that their teammates are trying to reach them and urges the recipient to click on ‘Reply in Teams’. However, this leads to a phishing page. 

Payload: Within the body of the email, there are three links appearing as ‘Microsoft Teams’, ‘(contact) sent a message in instant messenger’, and ‘Reply in Teams’. Clicking on any of these leads to a fake website that is impersonates the Microsoft login page. The phishing page asks the recipient to enter their email and password. 

Result: Should recipients fall victim to this attack, their login credentials as well as any other information stored on their account will be compromised.

Why is this attack effective?


Because Microsoft Teams is an instant messaging service, recipients of this notification might be more apt to click on it so that they can respond quickly to whatever message they think they may have missed based on the notification.

Convincing email and landing page

The email pretends to be a Microsoft Teams notification email notifying the recipient that they have received messages and their teammates are trying to reach them. The link landing page also looks convincingly like a Microsoft login page with the start of the URL containing ‘microsftteams’, lending further credence.

Spoofed email

The attacker spoofed employee emails and also impersonated Microsoft Teams. The recipient is more likely to fall prey to an attack when it is believed to originate from within the company and also from a trusted brand.

Related content