Hackers Are Impersonating IT Support on Microsoft Teams — What Your Business Needs to Know in 2025

Cybercriminals are becoming increasingly bold — and their latest tactic is catching many businesses off-guard. Recent reports have revealed that hackers are now posing as IT support staff on Microsoft Teams, tricking employees into approving malicious access requests or installing harmful software.

For small and medium businesses, especially those relying heavily on Teams for day-to-day communication, this emerging threat highlights a simple truth:

Your biggest cyber risk isn’t always a technical vulnerability — it’s human trust.

In this post, we break down what’s happening, why these attacks are so effective, and what your business needs to do now to stay protected.


What’s Actually Happening?

Hackers begin by compromising a Microsoft 365 account, often using stolen or leaked login credentials. Once inside, they take advantage of the built-in chat features of Microsoft Teams to contact employees directly.

They pose as:

  • Your internal IT team
  • Your external Managed Service Provider (MSP)
  • A trusted third-party partner
  • A Microsoft technician

A typical message might say:

“Hi, this is IT support. We’re fixing a problem on your account. Please approve the MFA notification you’ll see shortly.”

Or:

“We need to install a critical Teams update. Click the link below.”

Once the user complies, attackers gain access to the network and can quickly escalate their privileges, often aiming to deploy ransomware, steal data, or establish persistence within your environment.


Why Teams Impersonation Attacks Are So Effective

This type of social engineering works because it exploits trust, familiarity, and urgency:

1. Employees trust Teams chats far more than emails

Teams feels “internal” — the assumption is that only colleagues can contact you.

2. Real-time messages create pressure

When a message pops up during a busy day, staff naturally want to respond quickly.

3. Remote and hybrid work make verification harder

When you’re not sitting near your IT team, it’s harder to sense something is off.

4. Visual cues look legitimate

A fake profile picture, display name, or “IT Support” label is easy to create — and easy to miss.

Attackers know all of this, and they use it to their advantage.


How These Attacks Typically Work (Step-by-Step)

  1. Steal credentials via phishing emails, dark-web data, or malware.
  2. Log into Microsoft 365 using the stolen account.
  3. Enumerate users to find target roles (finance, HR, administrators).
  4. Send Teams messages disguised as IT support.
  5. Request MFA approval, app permissions, or software installation.
  6. Gain entry into sensitive systems and escalate privileges.
  7. Deploy ransomware or extract data.

During every step, attackers rely on employees being too busy or too trusting to question unusual requests.


Warning Signs Your Staff Should Watch For

Train your team to pause if they notice:

  • A message from someone not normally involved in IT
  • Accounts from external or unfamiliar domains
  • Urgent or threatening requests (“your account will be disabled”)
  • Poor grammar or unusual writing style
  • Profile photos that look generic or newly added
  • Instructions to bypass normal processes (“just approve this quickly for us”)

If anything feels “off,” staff should verify via a separate, known channel.
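
The warning signs above can also be checked automatically before a person looks at a message. The following is an added example, not code from this post or from Microsoft: a Python triage function that scores chat message records against that list. The tenant domain, IT roster, keyword patterns and record fields are all assumptions, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass

# Assumed values for illustration: tenant domain, IT roster, keyword patterns.
TENANT_DOMAINS = {"contoso.example"}
IT_ROSTER = {"it.admin@contoso.example"}  # accounts that really belong to IT
IT_CLAIM = re.compile(r"\b(it (support|team|department)|help ?desk|service desk|"
                      r"microsoft (support|technician))\b", re.I)
BODY_PATTERNS = {
    "urgency": re.compile(r"\b(urgent|immediately|right away|quickly|will be disabled)\b", re.I),
    "mfa-approval-request": re.compile(r"\b(approve|accept)\b.*\b(mfa|prompt|notification)\b", re.I),
    "install-via-link": re.compile(r"(?=.*https?://)(?=.*\b(install|update|download)\b)", re.I | re.S),
}

@dataclass
class ChatMessage:  # hypothetical record shape, e.g. built from an audit export
    sender_upn: str
    display_name: str
    body: str

def warning_signs(msg):
    """Return the warning signs from the list above that this message shows."""
    upn = msg.sender_upn.lower()
    signs = []
    if upn.rsplit("@", 1)[-1] not in TENANT_DOMAINS:
        signs.append("external-domain")
    claims_it = IT_CLAIM.search(msg.display_name) or IT_CLAIM.search(msg.body)
    if claims_it and upn not in IT_ROSTER:
        signs.append("it-claim-off-roster")
    signs += [name for name, rx in BODY_PATTERNS.items() if rx.search(msg.body)]
    return signs

def triage(msg):
    """escalate: unverified IT claim plus a request to act; review: any sign; ok: none."""
    signs = warning_signs(msg)
    asks = {"mfa-approval-request", "install-via-link"} & set(signs)
    if "it-claim-off-roster" in signs and asks:
        return "escalate", signs
    return ("review" if signs else "ok"), signs

# Constructed sample messages; the first two adapt the example wording quoted earlier.
SAMPLES = [
    ChatMessage("helpdesk@contoso-support.example", "IT Support",
                "Hi, this is IT support. Please approve the MFA notification you'll see shortly."),
    ChatMessage("j.smith@contoso.example", "Jordan Smith", "This is the IT team. We need to "
                "install a critical Teams update: https://update.example.invalid/teams"),
    ChatMessage("it.admin@contoso.example", "IT Support", "Your replacement laptop is ready."),
    ChatMessage("anna@partner.example", "Anna Lee", "Can we move Thursday's call to 3pm?"),
]
```

The second sample comes from an internal account, so the domain check alone would miss it; the roster check is what catches a compromised colleague claiming to be IT. Keyword matching will produce false positives, so treat the result as a prompt for out-of-band verification rather than a verdict.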


How to Protect Your Business Today

A. Secure Your Microsoft 365 and Teams Configuration

  • Restrict or disable external access in Teams unless absolutely necessary
  • Require admin approval before third-party apps can be installed
  • Enforce Conditional Access policies for untrusted logins
  • Enable risky-sign-in alerts and advanced authentication monitoring
  • Apply least-privilege permissions for users and admins

B. Train Staff on Social Engineering via Chat

  • Include Teams-based impersonation examples in security awareness training
  • Encourage staff to verify IT requests through email, phone, or ticketing
  • Remind employees: IT will never ask you to approve unexpected MFA requests

C. Strengthen Identity & Access Security

  • Move to phishing-resistant MFA methods (FIDO2 keys, number matching)
  • Require admin approval for high-risk actions
  • Rotate passwords and disable dormant accounts

D. Deploy Advanced Threat Protection

  • Microsoft Defender for Office 365 (Safe Links + Safe Attachments)
  • Defender for Cloud Apps to detect suspicious OAuth permissions
  • Automated investigation & response to catch attacks early

Layered protection significantly reduces the chance that a single mistake will lead to a full compromise.


How We Help Protect Your Business

As an IT support provider, we help organisations secure Teams and Microsoft 365 against emerging threats like impersonation attacks. Our services include:

  • Full Microsoft 365 & Teams security audits
  • Configuration hardening based on Microsoft best practices
  • Continuous monitoring and alerting
  • Staff training and simulated phishing/social-engineering tests
  • Incident response planning and remediation
  • Identity & access management improvements

If you’re unsure how secure your Teams environment is, we can assess it and implement the right protections to keep your data safe.


A Real-World Example Scenario

Imagine someone from “IT Support” messages a finance employee:

“We’re investigating suspicious activity on your account. Approve this MFA prompt so we can verify your identity.”

The employee clicks “Approve.”
The attacker gains entry.
Within minutes, they escalate access and move laterally.
Hours later, critical files begin encrypting — ransomware has taken hold.

Now imagine the same situation with the right safeguards:

  • External impersonation is blocked
  • MFA requests are restricted and logged
  • The employee knows to verify suspicious messages
  • Alerts flag the abnormal login before damage occurs

A single layer of awareness or configuration can stop an entire attack chain.


Your Action Checklist

✔ Disable or restrict external Teams chat
✔ Enforce strong MFA and number matching
✔ Review Teams admin settings
✔ Train staff monthly
✔ Monitor for suspicious app permissions
✔ Use Defender for Office 365 and cloud monitoring
✔ Harden Microsoft 365 identity & access policies


Conclusion

Hackers are evolving their techniques rapidly, and Microsoft Teams is now a major target. Impersonation attacks are becoming more common because they exploit human trust, not just software vulnerabilities.

But with the right security controls, user awareness, and proactive monitoring, these attacks can be stopped before they start.

If you want support reviewing or securing your Teams environment, we’re here to help.
