Impersonation Attacks Targeting Microsoft Teams

With initial security concerns surrounding Zoom, and Google Meets not publicly available (this is now free and has reported 50 million installs on the Play Store), Microsoft Teams emerged as one of the most popular collaboration tools used by organizations during the COVID-19 pandemic. Microsoft reported an increase from 32 million daily active users to 44 million in a one-week timespan in March and a new daily record of 2.7 billion meeting minutes in their April usage blog, a 200% increase from the early stages of the pandemic in mid-March. 

As with any popular software with a large user base, Teams quickly became a prime target for cyber criminals who continue to attack vulnerabilities due to the changes in how and where we work during the pandemic. Threatpost reports that two attacks have targeted nearly 50,000 different Teams users attempting to steal employee credentials through impersonation campaigns. The attack strategy itself has been around for some time and follows the simple steps of sending an impersonation email with a malicious link to a fake landing page built to capture credentials or download malware. So if we are aware of these types of attacks, why do they continue to happen? The answer is simple, they work. Unlike most phishing campaigns that can easily be spotted (yes, the Nigerian prince still needs our help), these campaigns are built around strategic timing, carefully crafted landing pages and urgency.

Teams users are now used to receiving email notifications about being added to a team or with meeting links, and the landing pages look identical to the legitimate pages with imagery copied directly from Microsoft. When comparing legitimate and fraudulent sites, the differences can sometimes be near impossible to find. In addition to mimicking visuals (i.e. fonts, buttons, colors), these attacks may use multiple URL redirects to bypass email security software. Add in the use of fraudulent domains for the pages and sender addresses, and you can see how even the best employees may fall for the attack. The risk is multiplied when you take into consideration that stolen credentials for Teams can lead to a larger breach of the other Office 365 apps used by your end users and organization.

In an effort to raise awareness of potential security concern surrounding Office 365, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on Office 365 Remote Work-Deployments in April and an analysis report in May on Microsoft Office 365 Security Observations with an overview of common vulnerabilities and best practices, including multi-factor authentication and enabling alerting capabilities.

Impersonation campaigns such as this are just one of the security threats facing remote workers today. To learn more about other critical considerations and best practices to keeping a disparate workforce and your data secure, download our Securing a Remote Workforce whitepaper or contact our team at [email protected].

How Can Schneider Downs Help?

The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We offer a comprehensive set of information technology security services, including Office 365 security assessments, penetration testing, intrusion prevention/detection review, vulnerability assessments and a robust digital forensics and incident response team, who are available around-the-clock at 1-800-993-8937 if you suspect your organization is experiencing a network incident. Learn more at

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2022 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
Buyer Beware: Five Common Holiday Scams of 2022
New Phishing Scam Targets Verified Twitter Accounts
Cybersecurity Awareness Month is Over… Now What?
The Latest on the CommonSpirit Health Ransomware Attack
Former Uber CSO Joe Sullivan Found Guilty of Obstruction of Justice and Misprision
Hackers Leak 500GB Stolen Data from LAUSD Ransomware Attack
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.