
Microsoft 365 tools like Outlook, Teams, and SharePoint are essential for day-to-day work. Unfortunately, attackers know that too—and they’re increasingly using these same familiar tools to trick employees into granting access.
There have been reports of these attacks over the last few months, and within the last day, 2 of our BKS clients have reported their own incidents. If you believe you are being targeted, it is critical that you contact BKS or another trusted IT Solutions company immediately.
What’s Happening With This Attack?
These threat actor groups are abusing Microsoft 365 and Microsoft Teams to break into organizations, with the likely goals of stealing data and deploying ransomware. These aren’t “old-school” phishing emails you can spot from a mile away. These attacks combine pressure, confusion, and believable “tech support” outreach inside Teams—which can make them feel legitimate in the moment.
How the Attack Works
1) Email bombing: flooding inboxes to create urgency
Attackers send a massive volume of spam—sometimes thousands of emails in under an hour—to overwhelm one or more employees’ mailboxes. This creates stress and a sense that something is “breaking” that needs immediate IT help.
2) A Teams message or call from “IT support”
While the inbox flood is happening, an employee may receive a Teams chat, voice call, or video call from someone claiming to be help desk or technical support. In some cases, attackers even use senior-sounding titles to create urgency, with names such as “Help Desk Manager.”
Because it’s happening inside Teams, it can feel more credible than a random email or phone call—especially for organizations that use third-party or outsourced IT support.
3) Remote access through legitimate Microsoft tools
The attacker then asks the employee to allow remote control using built-in tools such as:
- Teams screen sharing / built-in remote control, or
- Microsoft Quick Assist
If an employee approves that request, the attacker can take “hands-on” control and begin installing malware or changing settings—fast.
4) Malware, credential theft, and ransomware preparation
Once inside, attackers may:
- Install malicious software (malware)
- Steal usernames/passwords and other credentials
- Explore network resources and connected devices
- Establish persistence so they can come back later
- Exfiltrate (steal) sensitive data
- In some cases, deploy ransomware
It is most likely that these campaigns are tied to data theft and ransomware extortion.
Why This is Spreading: A Common Teams Default
In many cases, these threat actors are taking advantage of a configuration issue: some Microsoft Teams environments allow external domains to initiate chats or meetings with internal users by default.
That means an attacker doesn’t necessarily need to “break” Teams—they may just need to message your users from the outside in a way that looks routine.
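The external-access setting described above can be reviewed and tightened from the Teams PowerShell module. The following is an added example, not part of the original advisory; it assumes the MicrosoftTeams module and a Teams administrator account, and `partner.example` and `msp.example` are placeholder domains to replace with the organizations you actually work with.

```powershell
# Added example. Requires the MicrosoftTeams module and a Teams administrator account.
# 'partner.example' and 'msp.example' are placeholders, not real domains.
Connect-MicrosoftTeams

# 1. Audit the tenant-wide external access settings before changing anything.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains,
                AllowTeamsConsumer, AllowTeamsConsumerInbound

# 2. Audit per-user policies: which ones still permit chat with outside accounts?
Get-CsExternalAccessPolicy |
    Format-Table Identity, EnableFederationAccess, EnableTeamsConsumerAccess

# 3. Restrict: keep external access on, but only for an explicit allow-list.
#    Include your outsourced IT provider's domain if they contact users via Teams.
$allowed = New-Object 'System.Collections.Generic.List[string]'
$allowed.Add('partner.example')
$allowed.Add('msp.example')

Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $allowed `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# If the organization never chats with outside tenants, turn external access
# off entirely instead of maintaining a list:
#   Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 4. Verify the result matches what was intended.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains,
                AllowTeamsConsumer, AllowTeamsConsumerInbound
```

This is a tenant-wide change, so confirm the allow-list with the teams that collaborate externally before applying step 3.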
What to Watch for In Your Organization
If Something Feels Off, Call Us Immediately
If you notice any of the signs above—or if an employee has already interacted with a suspicious Teams message/call—don’t wait. Fast response can be the difference between a contained event and a major incident.
Business Knowledge Systems (BKS) is here to help with IT support, cybersecurity protection, and compliance guidance. Call us with questions or if you have any indication that you may be under attack.
