
A Fake Microsoft Teams Email Campaign is Targeting Staff

David Paul



Cybercriminals are impersonating the platform through a targeted email campaign to steal private login information.

Microsoft employees using Office 365 are being targeted by a sophisticated email phishing campaign attempting to steal their credentials.

Emails have so far been detected in between 15,000 and 50,000 inboxes and use an automated message pretending to be a notification from Microsoft Teams.

The cyber threat was discovered by researchers at cybersecurity firm Abnormal Security, who said that the attack impersonates an automated message from Microsoft Teams to steal the recipient’s login credentials.

Describing how the attack works, researchers wrote in a blog post: “The email is sent from the display name, ‘There’s new activity in Teams’, making it appear like an automated notification from Microsoft Teams. It appears to notify the recipient that their teammates are trying to reach them and urges the recipient to click on ‘Reply in Teams’. However, this leads to a phishing page.

“Within the body of the email, there are three links appearing as ‘Microsoft Teams’, ‘(contact) sent a message in instant messenger’, and ‘Reply in Teams’. Clicking on any of these leads to a fake website that is impersonating the Microsoft login page.

“The phishing page asks the recipient to enter their email and password.”

Researchers said that if a user were to enter their details and fall victim to the attack, “their login credentials, as well as any other information stored on their account, will be compromised”.

Due to the popularity of the Microsoft Teams service, recipients of such a notification may be more likely to click on the links to respond to the message quickly, the researchers said.

Microsoft Teams is a communication tool used all around the world, particularly for office employees who now must work from home.

User numbers for the platform have increased exponentially since the Covid-19 lockdown began, seeing an almost double increase from 32 million on March 12, 2019, to 75 million as of April 30, 2020.


The platform has also been hit previously with a similar attack back in May, at the height of the first wave of the coronavirus pandemic.

Researchers from Abnormal Security discovered a campaign in which scammers sent emails impersonating Microsoft Teams notifications. Abnormal said attackers “utilize numerous URL redirects” to conceal the real URL that hosts the attacks.

“This tactic is employed in an attempt to bypass malicious link detection used by email protection services,” they said.
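For defenders, the message described earlier in the article can be checked mechanically: a mail whose display name presents it as Teams should come from, and link only to, domains you trust. The sketch below is an added example, not code from Abnormal Security or this article; the trusted-domain list and every host in the sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains accepted for genuine Teams mail and links; tune per tenant.
TRUSTED = ("microsoft.com",)

class LinkCollector(HTMLParser):
    # Collects (visible text, href) for every <a> element in the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def is_trusted(host):
    # Exact or dot-boundary suffix match, so "microsoft.com.example.net" fails.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def findings(raw):
    """Return reasons a message that presents itself as Teams looks spoofed."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    if "teams" not in sender.display_name.lower():
        return []  # does not present itself as a Teams notification
    out = [] if is_trusted(sender.domain) else [f"sender domain {sender.domain}"]
    body = msg.get_body(preferencelist=("html",))
    parser = LinkCollector()
    parser.feed(body.get_content() if body else "")
    hosts = [(text, urlsplit(href).hostname) for text, href in parser.links]
    return out + [f"link {t!r} -> {h}" for t, h in hosts if not is_trusted(h)]

# Constructed sample modelled on the description above; hosts are placeholders.
SAMPLE = (
    'From: "There\'s new activity in Teams" <notify@mail.example.net>\n'
    "Subject: New activity\nContent-Type: text/html; charset=utf-8\n\n"
    '<a href="https://login.example.net/a">Microsoft Teams</a>'
    '<a href="https://login.example.net/b">(contact) sent a message in instant messenger</a>'
    '<a href="https://teams.microsoft.com.example.net/c">Reply in Teams</a>\n'
)
```

A static check like this sees only the first hop of each link, so where the destination is hidden behind URL redirects it needs to be paired with a control that resolves the chain before judging the final host.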

Microsoft has already fallen victim to problems with its platforms within the last few months, with disruption to its cloud services announced last month (September 2020).

Users of services including Exchange, SharePoint, OneDrive and Azure were told that a ‘transient error’ had stopped them logging in.

David Paul

Staff Writer, DIGIT
