Microsoft Teams, a globally adopted collaboration platform, has become a prime target for cybercriminals and state-sponsored actors who exploit its messaging, calls, meetings, and screen-sharing features. Threat actors use open-source tools (e.g., **TeamFiltration, TeamsEnum, MSFT-Recon-RS**) to enumerate users, tenants, and misconfigurations, which supports reconnaissance and initial access. Social engineering, such as **tech support scams (Storm-1811, Midnight Blizzard), deepfake impersonations, and malvertising (fake Teams installers)**, tricks users into granting remote access and leads to ransomware deployment (e.g., **3AM/BlackSuit, DarkGate**) or credential theft via **device code phishing (Storm-2372)** and **MFA bypass (Octo Tempest)**. Post-compromise, attackers escalate privileges by abusing **Teams admin roles**, exfiltrate data via the **Graph API (GraphRunner) or OneDrive/SharePoint links**, and maintain persistence through **guest user additions, token theft, and malicious Teams apps**. State-sponsored groups like **Peach Sandstorm** and financially motivated actors (**Sangria Tempest, Storm-1674**) exploit cross-tenant trust relationships for lateral movement, while tools like **ConvoC2** and **BRc4** provide C2 over Teams channels. Extortion tactics include **taunting messages to victims (Octo Tempest)** and operational disruption by targeting high-value data (e.g., **employee/customer PII, patents, or financial records**). These attacks undermine organizational trust, risk **regulatory penalties**, and enable **supply-chain compromises** via federated identities. The breadth of Microsoft's own mitigations (e.g., **Entra ID Protection, Defender XDR alerts**) reflects how systemic the exposure is, with ransomware and data leaks posing existential threats to targeted entities.
TPRM report: https://www.rankiteo.com/company/microsoft
{
  "id": "mic5532655100825",
  "linkid": "microsoft",
  "type": "Cyber Attack",
  "date": "10/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{
  "affected_entities": [
    {
      "customers_affected": "Millions (exact numbers undisclosed)",
      "industry": "Cross-Industry (Technology, Finance, Healthcare, Government, etc.)",
      "location": "Worldwide",
      "name": "Microsoft Teams Users (Global)",
      "size": "All sizes (SMB to Fortune 500)",
      "type": "Enterprise/Organization"
    }
  ],
  "attack_vector": [
    "Microsoft Teams Chat/Call Impersonation",
    "Malicious File/Link Sharing (Teams channels)",
    "API Abuse (Microsoft Graph, Entra ID)",
    "Device Code Phishing",
    "Malvertising (Fake Teams installers)",
    "AiTM (Adversary-in-the-Middle) Phishing",
    "RMM Tool Deployment (e.g., AnyDesk)",
    "Federated Tenant Misconfigurations",
    "Legitimate Admin Tools (e.g., AADInternals, PowerShell)"
  ],
  "customer_advisories": [
    "Users should report suspicious Teams activity (e.g., unexpected calls, file shares) via their organization’s security team.",
    "Microsoft 365 admins can access the 'Teams Security Guide' in the Microsoft 365 admin center for configuration recommendations.",
    "Customers with Defender XDR can run the provided hunting queries to check for indicators of compromise (IoCs)."
  ],
  "data_breach": {
    "data_encryption": "Partial (some data encrypted in transit, but tokens/credentials exposed)",
    "data_exfiltration": [
      "Via Teams API (GraphRunner, TeamFiltration)",
      "Cloud Storage Links (OneDrive/SharePoint)",
      "C2 Channels (BRc4, ConvoC2)",
      "Email/Chat Forwarding"
    ],
    "file_types_exposed": [
      "Documents (DOCX, XLSX, PPTX)",
      "PDFs",
      "Images (PNG, JPG)",
      "Executables (EXE, DLL, ISO)",
      "Scripts (PS1, VBS)",
      "Archives (ZIP, RAR)"
    ],
    "number_of_records_exposed": "Undisclosed (varies by incident; potentially thousands per breach)",
    "personally_identifiable_information": [
      "Names",
      "Email Addresses",
      "Job Titles",
      "Phone Numbers",
      "Authentication Codes (MFA tokens)",
      "Corporate Identifiers (Employee IDs)"
    ],
    "sensitivity_of_data": "High (corporate communications, credentials, strategic data)",
    "type_of_data_compromised": [
      "Authentication Tokens (Entra ID)",
      "Chat/Message Content",
      "Shared Files (OneDrive/SharePoint)",
      "User Profiles (Presence, Contacts)",
      "AD/Entra ID Metadata (Groups, Roles, Permissions)",
      "PII (in some cases)"
    ]
  },
  "date_publicly_disclosed": "2025-07-01",
  "description": "Threat actors are increasingly abusing Microsoft Teams' collaboration features—including messaging, calls, meetings, and screen-sharing—to conduct reconnaissance, gain initial access, persist, escalate privileges, and exfiltrate data. Techniques include social engineering (e.g., tech support scams, deepfakes), malicious payload delivery (e.g., DarkGate, ReedBed, JSSloader), credential theft (e.g., MFA bypass, token hijacking), and lateral movement via compromised admin accounts or federated trust relationships. State-sponsored and financially motivated actors (e.g., Octo Tempest, Storm-1811, Midnight Blizzard, Peach Sandstorm) leverage open-source tools (e.g., TeamFiltration, ROADtools, AADInternals) and custom malware to exploit Teams' API, Graph integration, and hybrid/cloud misconfigurations. Mitigations include hardening identity protections (e.g., Entra ID risk policies, PIM), securing endpoints, monitoring for anomalous Teams activity (e.g., phishing lures, external access), and deploying Defender XDR detections.",
  "impact": {
    "brand_reputation_impact": "High (eroded trust in Teams security, media coverage of breaches)",
    "customer_complaints": "Likely (e.g., phishing victims, data breach notifications)",
    "data_compromised": [
      "User Credentials (Entra ID tokens, passwords)",
      "Corporate Chat/Message History",
      "OneDrive/SharePoint Files",
      "Active Directory Snapshots",
      "PII (via phishing/exfiltration)",
      "Payment Information (in some extortion cases)"
    ],
    "downtime": "Varies (Incident-dependent; some organizations experienced prolonged outages during ransomware attacks)",
    "financial_loss": "High (Ransomware payments, fraud, incident response costs; exact figures undisclosed)",
    "identity_theft_risk": "High (stolen credentials sold on dark web)",
    "legal_liabilities": [
      "GDPR (for EU customer data)",
      "CCPA (for California residents)",
      "Sector-Specific Regulations (e.g., HIPAA for healthcare)",
      "Potential Lawsuits (from affected parties)"
    ],
    "operational_impact": [
      "Disrupted Collaboration (Teams outages, compromised chats)",
      "Help Desk Overload (social engineering attacks)",
      "Supply Chain Risks (compromised partner tenants)",
      "Regulatory Scrutiny (compliance violations)"
    ],
    "payment_information_risk": "Moderate (depends on targeted data)",
    "revenue_loss": "Potentially significant (e.g., ransomware downtime, customer churn, legal penalties)",
    "systems_affected": [
      "Microsoft Teams (Web/Desktop/Mobile Clients)",
      "Microsoft Entra ID (Azure AD)",
      "Microsoft 365 (Exchange, SharePoint, OneDrive)",
      "On-Premises Active Directory (via hybrid sync)",
      "Endpoints (via RMM tools, malware)"
    ]
  },
  "initial_access_broker": {
    "backdoors_established": [
      "Persistent Teams Guest Users",
      "RMM Tools (e.g., AnyDesk, ScreenConnect)",
      "Scheduled Tasks (e.g., Sticky Keys)",
      "OAuth Tokens (Long-Lived Refresh Tokens)",
      "Webhooks (for C2 via Teams Messages)"
    ],
    "data_sold_on_dark_web": [
      "Compromised Teams Credentials",
      "Entra ID Tokens",
      "Corporate Chat Logs",
      "OneDrive/SharePoint Access",
      "MFA-Bypassed Accounts"
    ],
    "entry_point": [
      "Compromised Teams Accounts (via phishing/credential theft)",
      "Legitimate Tenants Purchased on Dark Web",
      "Exploited Guest/External Access Misconfigurations",
      "Malicious Apps (Spoofed or Repurposed)",
      "Federated Trust Relationships (Cross-Tenant Access)"
    ],
    "high_value_targets": [
      "Teams Admins (Global Admin, Teams Service Admin)",
      "Executives (for extortion)",
      "Finance/HR (for sensitive data)",
      "IT Help Desk (for lateral movement)",
      "Third-Party Vendors (supply chain attacks)"
    ],
    "reconnaissance_period": "Weeks to months (e.g., Void Blizzard’s Entra ID enumeration before attack)"
  },
  "investigation_status": "Ongoing (Microsoft and partners continue to track and disrupt Teams-abusing threat actors)",
  "lessons_learned": [
    "Teams is a High-Value Target: Its integration with Entra ID, Graph API, and collaboration features makes it a lucrative attack vector for both commodity and advanced threat actors.",
    "Social Engineering Remains Effective: Deepfakes, impersonation (IT help desk, external partners), and urgency-based scams (e.g., email bombing) bypass technical controls.",
    "Default Configurations Are Risky: Over-permissive external access, unmonitored API queries, and legacy authentication enable initial access and lateral movement.",
    "Open-Source Tools Lower the Barrier: Frameworks like TeamFiltration, AADInternals, and ROADtools democratize Teams exploitation for less-skilled attackers.",
    "Hybrid Environments Complicate Security: On-premises AD synced with Entra ID creates seams for attackers to exploit (e.g., Peach Sandstorm’s AD snapshots).",
    "MFA Is Not a Silver Bullet: Actors like Octo Tempest bypass MFA via social engineering (e.g., password resets, SIM swapping) or token theft.",
    "Third-Party Apps Introduce Risk: Spoofed or malicious Teams apps (even Microsoft-validated ones) can serve as initial access vectors.",
    "Detection Gaps Exist: Many Teams-specific attacks (e.g., phishing via Adaptive Cards, C2 over Teams messages) evade traditional email/security tools.",
    "Incident Response Must Be Teams-Aware: Logs from Teams, Graph API, and Entra ID are critical for forensics but often underutilized.",
    "User Awareness Is Critical: Employees must scrutinize Teams messages/calls as rigorously as emails, especially from 'internal' sources."
  ],
  "motivation": [
    "Financial Gain (Ransomware, Extortion, Fraud)",
    "Espionage (State-Sponsored Actors)",
    "Credential Harvesting (Initial Access Brokering)",
    "Disruption (Operational Sabotage)",
    "Data Theft (PII, Corporate Intelligence)"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      {
        "action": "Implement Zero Trust for Teams",
        "details": "Enforce least-privilege access, verify every request (user/device), and assume breach. Use Entra ID Conditional Access to restrict Teams access by location, device state, and risk level."
      },
      {
        "action": "Harden Teams Configurations",
        "details": "Disable external access by default; require admin approval for guest users; audit Teams apps for excessive permissions; block legacy auth protocols."
      },
      {
        "action": "Enhance Detection for Teams Threats",
        "details": "Enable all Teams-related Defender XDR alerts; create custom hunting queries for Teams API abuse, external file shares, and Adaptive Card phishing; integrate Teams logs with SIEM."
      },
      {
        "action": "Deploy Phishing-Resistant MFA",
        "details": "Replace SMS/email-based MFA with FIDO2 or certificate-based authentication for all users, especially admins. Monitor for MFA fatigue attacks (e.g., repeated push notifications)."
      },
      {
        "action": "Segment and Monitor Teams Traffic",
        "details": "Isolate Teams from high-value networks; inspect TLS traffic for C2 (e.g., BRc4 over Teams); block known malicious IPs/domains associated with Teams phishing."
      },
      {
        "action": "Conduct Teams-Specific Red Teaming",
        "details": "Simulate attack chains observed in the wild (e.g., TeamsPhisher + DarkGate, device code phishing) to test defenses and user awareness."
      },
      {
        "action": "Improve User Training",
        "details": "Add Teams-specific scenarios to security awareness programs (e.g., fake help desk calls, malicious file shares). Train users to verify unexpected Teams requests via a secondary channel."
      },
      {
        "action": "Automate Response to Teams Threats",
        "details": "Use Defender XDR automation to quarantine phishing messages, revoke compromised tokens, and isolate affected endpoints. Implement SOAR playbooks for common Teams attack patterns."
      },
      {
        "action": "Audit and Reduce Attack Surface",
        "details": "Remove unused Teams apps; disable unnecessary features (e.g., anonymous meeting joins); review federated tenant trust relationships; retire legacy authentication."
      },
      {
        "action": "Leverage Microsoft’s Built-In Protections",
        "details": "Enable all relevant Defender for Office 365, Defender for Identity, and Defender for Cloud Apps policies for Teams. Use Security Copilot to correlate Teams signals with broader threats."
      }
    ],
    "root_causes": [
      "Over-Permissive External Access: Default configurations allowed unauthorized tenant federation and guest access.",
      "Lack of Teams-Specific Monitoring: Security tools focused on email/endpoints missed Teams-based attacks (e.g., Adaptive Card phishing).",
      "Insufficient Identity Protections: Legacy authentication, weak MFA, and standing privileges enabled credential theft.",
      "User Awareness Gaps: Employees trusted Teams messages/calls more than emails, falling for social engineering.",
      "Open-Source Tool Abuse: Attackers leveraged public frameworks (e.g., TeamFiltration) to automate reconnaissance and exfiltration.",
      "Hybrid Complexity: On-premises AD sync with Entra ID created seams for lateral movement (e.g., Peach Sandstorm’s AD snapshots).",
      "Delayed Patching: Unpatched Teams clients or endpoints allowed malware execution (e.g., DarkGate via TeamsPhisher).",
      "Third-Party Risk: Compromised partner tenants or spoofed apps provided initial access vectors."
    ]
  },
  "ransomware": {
    "data_encryption": "Yes (in ransomware cases; e.g., OneDrive/SharePoint files)",
    "data_exfiltration": "Yes (double extortion tactics)",
    "ransom_demanded": "Varies (e.g., 3AM/Sangria Tempest campaigns; exact amounts undisclosed)",
    "ransom_paid": "Undisclosed (some victims likely paid)",
    "ransomware_strain": [
      "3AM (BlackSuit rebrand)",
      "DarkGate",
      "ReedBed",
      "Sangria Tempest (custom loaders)"
    ]
  },
  "recommendations": {
    "detection_response": [
      "Enable all Teams-related Defender XDR alerts (e.g., 'Malicious link shared in Teams chat').",
      "Create custom hunting queries for Teams threat activity (e.g., external file shares, message deletions).",
      "Use Microsoft Security Copilot to correlate Teams signals with broader attack chains.",
      "Simulate Teams-specific attacks (e.g., phishing via Adaptive Cards) in red team exercises.",
      "Integrate Teams logs with SIEM (e.g., Sentinel) for centralized analysis."
    ],
    "endpoints": [
      "Apply Microsoft’s hardened Teams client configurations (e.g., disable macros, block unsafe file types).",
      "Deploy Defender for Endpoint with Teams-specific detections (e.g., suspicious module loads).",
      "Restrict RMM tools (e.g., AnyDesk) to approved IT personnel via application control.",
      "Enable attack surface reduction (ASR) rules for Office/Teams processes."
    ],
    "governance": [
      "Audit Teams app permissions regularly; remove unused or over-privileged apps.",
      "Document and test incident response playbooks for Teams-specific scenarios (e.g., token theft, ransomware).",
      "Assign ownership for Teams security to a dedicated team (e.g., collaboration security lead).",
      "Include Teams in third-party risk assessments (e.g., partner tenant security posture)."
    ],
    "identity": [
      "Enforce Phishing-Resistant MFA (e.g., FIDO2, certificate-based) for all users, especially admins.",
      "Deploy Entra ID Protection with high-risk sign-in policies (e.g., block legacy auth, impossible travel).",
      "Use Privileged Identity Management (PIM) for just-in-time Teams admin roles.",
      "Disable external access by default; whitelist trusted domains for federation.",
      "Monitor for anomalous token usage (e.g., device code phishing) with Defender for Identity."
    ],
    "network": [
      "Segment Teams traffic from high-value assets (e.g., finance, R&D).",
      "Monitor for C2 over Teams (e.g., Adaptive Card exfiltration, BRc4 traffic).",
      "Block known malicious IPs/domains associated with Teams phishing (e.g., fake installers).",
      "Inspect TLS traffic for Teams (via Defender for Cloud Apps or proxy)."
    ],
    "teams_configuration": [
      "Disable anonymous/guest access unless absolutely required; audit existing guests.",
      "Limit external sharing in SharePoint/OneDrive linked to Teams.",
      "Configure Teams to log all admin activities and API calls (retention ≥ 1 year).",
      "Disable presence sharing for external users to prevent reconnaissance.",
      "Block auto-forwarding of Teams messages to external emails."
    ],
    "user_awareness": [
      "Train users to verify Teams calls/messages via a secondary channel (e.g., phone call to known number).",
      "Highlight red flags: urgent requests, unsolicited file shares, or 'IT support' asking for credentials.",
      "Simulate Teams-based phishing (e.g., fake help desk chats) in security awareness programs.",
      "Educate on deepfake risks (e.g., AI-generated voices in Teams calls)."
    ]
  },
  "references": [
    {
      "date_accessed": "2025-07-01",
      "source": "Microsoft Security Blog: 'Defending against attacks that abuse Microsoft Teams'",
      "url": "https://www.microsoft.com/en-us/security/blog/2025/07/01/defending-against-attacks-that-abuse-microsoft-teams/"
    },
    {
      "date_accessed": "2025-06-30",
      "source": "Microsoft Defender Threat Intelligence: Storm-1811 Campaign",
      "url": "https://threatintelligence.microsoft.com/"
    },
    {
      "date_accessed": "2024-12-15",
      "source": "Trend Micro: 'DarkGate Malware Distributed via TeamsPhisher'",
      "url": "https://www.trendmicro.com/en_us/research/25/d/darkgate-malware-distributed-via-teamphisher.html"
    },
    {
      "date_accessed": "2024-05-01",
      "source": "Sophos: '3AM Ransomware Uses Storm-1811 Tactics'",
      "url": "https://news.sophos.com/en-us/2024/05/01/3am-ransomware-storm-1811-tactics/"
    },
    {
      "date_accessed": "2024-11-20",
      "source": "Hunters: 'VEILdrive Campaign by Sangria Tempest'",
      "url": "https://www.hunters.ai/blog/veildrive-sangria-tempest"
    },
    {
      "date_accessed": "2025-07-01",
      "source": "Microsoft Learn: 'Secure Microsoft Teams'",
      "url": "https://learn.microsoft.com/en-us/microsoftteams/security-teams-overview"
    },
    {
      "date_accessed": "2025-06-25",
      "source": "Microsoft Defender XDR Hunting Queries for Teams Threats",
      "url": "https://github.com/microsoft/Microsoft-Defender-XDR-Hunting-Queries"
    }
  ],
  "regulatory_compliance": {
    "fines_imposed": "Potential (none publicly disclosed yet)",
    "legal_actions": "Possible (e.g., class-action lawsuits for data breaches)",
    "regulations_violated": [
      "GDPR (Article 32 - Security of Processing)",
      "CCPA (California Consumer Privacy Act)",
      "HIPAA (if healthcare data exposed)",
      "GLBA (for financial institutions)",
      "Sector-Specific Frameworks (e.g., NIST, ISO 27001)"
    ],
    "regulatory_notifications": [
      "Data Protection Authorities (e.g., ICO for UK)",
      "State Attorneys General (for US breaches)",
      "Industry Regulators (e.g., SEC for public companies)"
    ]
  },
  "response": {
    "adaptive_behavioral_waf": "Recommended (Microsoft Defender for Cloud Apps)",
    "communication_strategy": [
      "Internal Advisories (IT teams, executives)",
      "Customer Notifications (if data breached)",
      "Public Disclosures (for transparency, e.g., Microsoft Security Blog)",
      "Regulatory Reporting (as required by law)"
    ],
    "containment_measures": [
      "Isolate Compromised Accounts/Devices",
      "Disable External Access (Federation, Guest Users)",
      "Revoke Suspicious OAuth Tokens",
      "Block Malicious IPs/Domains (Defender for Office 365)",
      "Quarantine Phishing Emails/Teams Messages"
    ],
    "enhanced_monitoring": [
      "Defender XDR Alerts (e.g., anomalous Teams logins)",
      "Entra ID Risk Policies (impossible travel, leaked credentials)",
      "SIEM Integration (Microsoft Sentinel)",
      "Teams-Specific Hunting Queries (e.g., external file shares)"
    ],
    "incident_response_plan_activated": "Recommended (Microsoft Defender XDR playbooks, Entra ID Protection)",
    "law_enforcement_notified": "Likely (for state-sponsored or large-scale financial crimes)",
    "network_segmentation": "Critical (Isolate Teams from high-value assets)",
    "on_demand_scrubbing_services": "Available (Microsoft Purview Data Lifecycle Management)",
    "recovery_measures": [
      "Restore Teams Data from Backups (if ransomware)",
      "Rebuild Compromised Tenants (in severe cases)",
      "User Training (Phishing Simulations, Social Engineering Awareness)",
      "Enhanced Logging (Teams Audit Logs, Defender XDR)"
    ],
    "remediation_measures": [
      "Password Resets for Affected Users",
      "MFA Re-Enrollment",
      "Patch Teams Clients/Endpoints",
      "Remove Persistent Backdoors (e.g., Sticky Keys, Startup Tasks)",
      "Audit Entra ID Configurations (PIM, Conditional Access)"
    ],
    "third_party_assistance": [
      "Microsoft Detection and Response Team (DART)",
      "Microsoft Threat Intelligence Center (MSTIC)",
      "Managed Security Service Providers (MSSPs)"
    ]
  },
  "stakeholder_advisories": [
    "Microsoft has issued guidance to customers via the Microsoft Security Response Center (MSRC) and Defender Threat Intelligence.",
    "Enterprise admins are advised to review Teams configurations and apply mitigations outlined in the Microsoft Security Blog.",
    "Partners (e.g., MSSPs) should prioritize Teams-specific detections in their SOC operations."
  ],
  "threat_actor": [
    {
      "association": "Ransomware, Extortion, MFA Bypass",
      "name": "Octo Tempest",
      "type": "Financially Motivated"
    },
    {
      "association": "Tech Support Scams, ReedBed Malware, Email Bombing",
      "name": "Storm-1811",
      "type": "Financially Motivated"
    },
    {
      "association": "Credential Theft, Social Engineering",
      "name": "Midnight Blizzard (APT29/Cozy Bear)",
      "type": "State-Sponsored (Russia)"
    },
    {
      "association": "TeamsPhisher, DarkGate Malware",
      "name": "Storm-1674",
      "type": "Access Broker"
    },
    {
      "association": "Ransomware (3AM/BlackSuit), JSSloader",
      "name": "Sangria Tempest",
      "type": "Financially Motivated"
    },
    {
      "association": "Malicious ZIP Files, AD Reconnaissance",
      "name": "Peach Sandstorm (APT33)",
      "type": "State-Sponsored (Iran)"
    },
    {
      "association": "Entra ID Enumeration, AzureHound",
      "name": "Void Blizzard",
      "type": "State-Sponsored"
    },
    {
      "association": "TeamsPhisher, Custom Malware",
      "name": "Storm-0324",
      "type": "Financially Motivated"
    },
    {
      "association": "Device Code Phishing, Token Theft",
      "name": "Storm-2372",
      "type": "Financially Motivated"
    },
    {
      "association": "Storm-1811 Techniques, Voice/Video Scams",
      "name": "3AM Ransomware (BlackSuit Rebrand)",
      "type": "Ransomware Operator"
    }
  ],
  "title": "Exploitation of Microsoft Teams for Cyber Attacks and Data Breaches",
  "type": [
    "Social Engineering",
    "Phishing",
    "Malware Distribution",
    "Credential Theft",
    "Data Exfiltration",
    "Ransomware",
    "Supply Chain Attack",
    "Insider Threat (via compromised accounts)"
  ],
  "vulnerability_exploited": [
    "Weak Entra ID Configurations (e.g., external access policies)",
    "Lack of MFA Enforcement",
    "Over-Permissive Guest/External User Access",
    "Unmonitored API Queries (Graph, Teams)",
    "Default Teams App Permissions",
    "Legacy Authentication Protocols",
    "Insufficient Privileged Access Controls (e.g., standing admin roles)",
    "Unpatched Teams Clients",
    "Exposed Presence/Status Data",
    "Spoofable Workflow Notifications"
  ]
}