Phishing & Social Engineering
What Is Teams/Slack Phishing?
Teams/Slack phishing is a social engineering attack that exploits Microsoft Teams and Slack messaging platforms to deliver phishing payloads, steal credentials, or initiate broader multi-stage attacks. Unlike email-based phishing, these attacks leverage the inherent trust employees place in internal communication tools, where authentication appears legitimate and messages blend into normal workplace chatter. Attackers use platform-native features (guest invitations, direct messaging, meeting invites) to bypass email-based security controls and appear as trusted colleagues or external partners. Organizations have invested heavily in email security but typically lack equivalent detection and prevention systems for collaboration platforms, creating a blind spot that attackers actively exploit.
How does Teams/Slack phishing work?
Teams/Slack phishing operates through multiple attack vectors that exploit platform features and human psychology.
Device code phishing on Teams. Threat actors including Storm-2372 trick users into authorizing malicious applications via legitimate OAuth 2.0 device code authentication flows. Users receive phishing messages directing them to an attacker-controlled page that displays a device code; the user then enters that code at the legitimate Microsoft login portal. By completing this step, they unknowingly grant the attacker's application access to their Microsoft 365 environment, enabling credential theft, email access, and lateral movement.
Fake team invitations and guest access exploitation. Attackers send legitimate-appearing Teams guest invitation emails to external email addresses. Over 12,000 malicious emails were sent using legitimate Microsoft Teams guest invitation features impersonating billing alerts. These attacks exploit Teams' "Chat with Anyone" feature, where external users can send direct messages via email addresses without prior acceptance. This feature bypasses standard Teams invite controls, allowing attackers to message target users outside normal organizational approval workflows.
Teams impersonation and spoofing vulnerabilities. Check Point Research discovered four critical vulnerabilities in Teams that enable sophisticated attacks. Message editing without trace: Attackers reuse the original clientmessageid parameter to modify sent messages without the standard "Edited" label, allowing them to alter previous messages after victims read them. Notification spoofing: The imdisplayname parameter manipulates sender information in notifications, making messages appear from executives or trusted personnel. Private chat display name manipulation: Attackers modify conversation topics via API endpoints to alter how private chats appear to participants. Call identity forgery: The displayName parameter in call requests allows false caller identities in incoming call notifications.
Fake billing and support impersonation. Attackers create Teams channels or messages impersonating finance teams, Microsoft support, or billing departments. Messages claim account issues, pending charges, or subscription problems, directing users to fake login pages or phone numbers for credential theft. The apparent legitimacy of billing alerts (users expect payment notifications) makes these attacks effective.
Credential harvesting via fake login pages. Phishing messages contain links to fake Microsoft 365 or Teams login pages. When users authenticate, attackers capture credentials and device tokens, enabling account takeover and lateral movement within the organization. Harvested credentials enable impersonation of the victim for further attacks against colleagues.
How does Teams/Slack phishing differ from related attacks?
| Aspect | Teams/Slack Phishing | Email Phishing | SMS Phishing (Smishing) |
|---|---|---|---|
| Authentication Status | Appears as authenticated internal message | Appears as external email | Appears as unsolicited SMS |
| User Trust Level | Very High (internal platform) | Medium-Low (external) | Low (unsolicited) |
| Detection by Email Security | N/A (bypasses email filters) | Medium (URL/header analysis) | Low (limited SMS scanning) |
| Access to Internal Channels | High (guest access, direct message) | None (external to organization) | None (external channel) |
| Multi-Channel Integration | Yes (can escalate to calls) | Yes (can escalate to Teams) | Limited (can escalate to calls) |
| Mobile Vulnerability | High (mobile app trusted) | Medium | High (SMS native to mobile) |
| Message Spoofing Capability | High (API exploits) | Medium (header spoofing) | Medium (SMS spoofing) |
| Volume per Attacker | Lower (targeted) | Higher (bulk spray) | Medium (bulk SMS) |
| Ideal for | Bypassing email security with authenticated internal messages and multi-channel attacks | Mass credential harvesting and malware distribution | Mobile-focused attacks with high trust factor |
Teams/Slack phishing differs fundamentally from email phishing in user trust perception. Email appears external to the organization and receives scrutiny; Teams/Slack messages appear as authenticated internal communications where users expect workplace messages. Email phishing requires users to open an external email and click suspicious links; Teams/Slack messages appear inline with legitimate messages. Email security tools thoroughly analyze external email; Teams/Slack monitoring is less mature and often fragmented from email detection. Teams/Slack phishing bypasses email-based security controls entirely because messages route through a different platform.
Teams/Slack phishing also differs from SMS phishing in persistence and integration. SMS messages are unsolicited and stand out as unusual; Teams/Slack messages blend into normal workplace communication. Teams/Slack phishing enables lateral movement within organizations because captured credentials grant access to internal networks; SMS phishing typically targets consumer credentials. Teams/Slack phishing can exploit platform-specific vulnerabilities (message editing, spoofing) that don't exist in SMS; SMS phishing relies on social engineering alone.
Why does Teams/Slack phishing matter?
Teams/Slack phishing represents a critical threat because collaboration platforms have become central to organizational communication. Microsoft Teams has 320 million monthly active users globally, creating a massive attack surface. The platform's widespread enterprise adoption creates both a significant attack surface and significant potential impact.
Recent incidents demonstrate an escalating threat. In 2024, Check Point researchers uncovered an active phishing campaign targeting over 300 organizations with over 4,000 phishing emails in just four weeks, all delivered through spoofed Google Calendar invites carrying Teams phishing lures. Microsoft acknowledged in April 2024 a "significant increase in Teams phishing attacks, which have led to endpoint-related incidents." Since April 2024, Teams attacks have become increasingly common as threat actors refine techniques.
Multi-channel phishing statistics highlight Teams' role. Microsoft Teams is the most popular second step in multi-channel attacks, accounting for 30.8% of follow-up attacks after email phishing. Slack accounts for 19.2% of second-step attacks. Teams and Slack together represent 50% of second-step attack vectors in multi-channel campaigns. In the financial services sector, there was a 32% increase in phishing emails spoofing Slack and Microsoft Teams.
Sophisticated threat actors actively target Teams. Storm-2372 (Russian-linked) has been active since August 2024, targeting government agencies, NGOs, defense contractors, and critical infrastructure across Europe, North America, Africa, and the Middle East using fake Teams meeting invitations. Storm-0324 (financially motivated) relied on TeamsPhisher malware in July 2025 to deliver JSSloader malware for ransomware group Sangria Tempest.
What are the key limitations of Teams/Slack phishing?
Attacker constraints. Teams/Slack phishing requires bypassing conditional access policies and multi-factor authentication to maintain persistence. API-level exploits (message editing, caller ID forgery) require technical sophistication and reverse-engineering of Teams protocols. Guest access restrictions: Teams can be configured to disallow or restrict guest messaging. Message retention policies and audit logs may reveal edited messages in compliance systems. User awareness training is becoming more effective at identifying suspicious Teams messages.
Defender advantages. Teams has built-in audit logging and eDiscovery capabilities to track message modifications and sender details. Conditional access policies can restrict authentication from risky locations or devices. Message classification tags and Data Loss Prevention rules can flag suspicious content. Native phishing reporting in Teams allows users to flag suspicious messages directly to security teams. Updated API controls and fixes deployed by Microsoft in October 2025 mitigated some publicized vulnerabilities.
Detection capability gaps. Multi-channel phishing (email + Teams) is harder to detect because Teams messages and emails are monitored by different tools. Not all organizations have enabled Teams-specific threat detection or Data Loss Prevention rules. Behavioral analysis of Teams activity is less mature than email threat detection. Employees are more likely to click links in Teams/Slack due to trust in the platform, and this also creates detection challenges because legitimate Teams activity produces a high click-through baseline.
How can organizations and users defend against Teams/Slack phishing?
Technical controls. Configure strict conditional access policies for Teams authentication, including device compliance checks, location-based restrictions, and real-time risk assessment. Enforce multi-factor authentication for all Teams users to prevent credential-based account takeover. Deploy data loss prevention rules to detect and block messages containing sensitive keywords or suspicious patterns. Restrict Teams guest access and disable the "Chat with Anyone" feature if it is not business-critical. Enable advanced audit logging and real-time monitoring for suspicious Teams activity. Ensure users and systems are patched with the latest Teams security updates to mitigate known API vulnerabilities.
Organizational practices. Conduct regular training on Teams-specific phishing threats, including fake invitations, impersonation risks, and device code phishing. Run simulations that test user behavior across email and Teams together, not separately. Establish clear procedures for reporting suspicious Teams messages, with rapid containment protocols. Train employees to verify requests through secondary channels (in-person, phone calls using known numbers) before sharing credentials. Establish clear policies stating IT support will never request passwords, multi-factor authentication codes, or sensitive data via Teams. Train staff to recognize spoofed or suspicious sender names, especially those impersonating executives or IT support.
Monitoring and detection. Deploy user behavior analytics to detect anomalous Teams login patterns, unusual message volume, or atypical sharing activity. Use email-to-Teams threat correlation to detect users who received email phishing and then received Teams phishing messages. Monitor for message editing events to catch retroactive modification of messages after delivery. Track failed authentication attempts on Teams followed by successful logins from new devices.
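Two of the monitoring rules above, retroactive message editing and failed authentication followed by a success from a new device, written out as an added example (not code from the page or from Microsoft). The record schemas (conversation_id, clientmessageid, content, edited, result, device_id) and all sample events are constructed for this example; a real deployment would map them onto the fields of its own Teams audit and sign-in exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Teams message events. A second record with the same clientmessageid
# but different content and no edited marker is the pattern described on this page.
MESSAGE_EVENTS = [
    {"conversation_id": "c1", "clientmessageid": "1001", "sender": "vendor@partner.example",
     "content": "Invoice attached, please review.", "edited": False},
    {"conversation_id": "c1", "clientmessageid": "1002", "sender": "alice@corp.example",
     "content": "Thanks, will do.", "edited": False},
    {"conversation_id": "c1", "clientmessageid": "1001", "sender": "vendor@partner.example",
     "content": "Invoice attached: pay now at https://pay.example/x", "edited": False},
    # A normal edit carries the edited marker and is not an alert.
    {"conversation_id": "c1", "clientmessageid": "1002", "sender": "alice@corp.example",
     "content": "Thanks, will do today.", "edited": True},
]

# Constructed authentication events: three failures, then a success from an unknown device.
AUTH_EVENTS = [
    {"time": "2025-01-12T14:00:00Z", "user": "alice@corp.example", "result": "failure", "device_id": "dev-old"},
    {"time": "2025-01-12T14:01:00Z", "user": "alice@corp.example", "result": "failure", "device_id": "dev-old"},
    {"time": "2025-01-12T14:03:00Z", "user": "alice@corp.example", "result": "failure", "device_id": "dev-old"},
    {"time": "2025-01-12T14:10:00Z", "user": "alice@corp.example", "result": "success", "device_id": "dev-new"},
    {"time": "2025-01-12T15:00:00Z", "user": "bob@corp.example", "result": "success", "device_id": "dev-bob"},
]

# Constructed inventory of devices each user has previously signed in from.
KNOWN_DEVICES = {"alice@corp.example": {"dev-old"}, "bob@corp.example": {"dev-bob"}}


def silent_edits(events):
    """Flag messages whose clientmessageid reappears in the same conversation with
    different content but without the edited marker."""
    first_content = {}
    alerts = []
    for e in events:
        key = (e["conversation_id"], e["clientmessageid"])
        if key not in first_content:
            first_content[key] = e["content"]
            continue
        if e["content"] != first_content[key] and not e["edited"]:
            alerts.append({"conversation_id": e["conversation_id"], "clientmessageid": e["clientmessageid"],
                           "sender": e["sender"], "before": first_content[key], "after": e["content"]})
    return alerts


def failed_then_new_device(events, known_devices, min_failures=3, window=timedelta(minutes=30)):
    """Flag a successful sign-in from a device not in the user's known set when it is
    preceded by at least min_failures failed attempts inside the time window."""
    ordered = sorted(events, key=lambda e: e["time"])
    failures = defaultdict(list)  # user -> timestamps of failed attempts
    alerts = []
    for e in ordered:
        t = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
        if e["result"] == "failure":
            failures[e["user"]].append(t)
            continue
        recent = [f for f in failures[e["user"]] if t - f <= window]
        if len(recent) >= min_failures and e["device_id"] not in known_devices.get(e["user"], set()):
            alerts.append({"time": e["time"], "user": e["user"], "device_id": e["device_id"], "failures": len(recent)})
    return alerts


if __name__ == "__main__":
    for a in silent_edits(MESSAGE_EVENTS):
        print(f"silent edit by {a['sender']} in {a['conversation_id']}: {a['before']!r} -> {a['after']!r}")
    for a in failed_then_new_device(AUTH_EVENTS, KNOWN_DEVICES):
        print(f"{a['time']} {a['user']}: success from unknown device {a['device_id']} after {a['failures']} failures")
```

Both rules are stateless over a batch of events, so they can run over a daily export; for streaming use, the first_content and failures dictionaries would need a retention bound so they do not grow without limit.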
User-level defenses. Do not click links in unsolicited Teams messages. Verify requests through secondary channels using official contact information. Never provide credentials, passwords, or multi-factor authentication codes via Teams. Use the report as phishing option in Teams to flag suspicious messages. Verify sender identity by checking organizational directory and team membership history. Be suspicious of unexpected file attachments or meeting invitations.
FAQs
What is device code phishing and how does it work on Teams?
Device code phishing tricks users into authorizing a malicious application using legitimate OAuth 2.0 authentication. Attackers send a Teams message with a link to a fake website displaying a device code. The user enters this code at the official Microsoft login portal, thinking they are signing into Teams or a legitimate service. By completing this step, they grant the attacker's application permission to access their Microsoft 365 account, enabling credential theft and lateral movement. This attack exploits the assumption that Microsoft login portals are always legitimate, when in fact the user has been directed to a legitimate portal by an attacker to authorize malicious application access.
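The device code flow described in the "How does it work" section and in this answer leaves a trace that defenders can use: the sign-in is recorded with a device-code protocol, for an app the user chose, from wherever the attacker's browser is. The detection below is an added example (not code from the page or from Microsoft). The record layout is modelled on Entra ID sign-in log field names (userPrincipalName, authenticationProtocol, ipAddress, appDisplayName) but every record, IP, and app name is constructed, and the allow-list of apps expected to use device code is an assumption for the example.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records, one JSON object per line. Field names follow
# the Entra ID sign-in log layout; the values are invented for this example.
SAMPLE_SIGNINS = """\
{"time":"2025-01-10T08:01:00Z","userPrincipalName":"alice@corp.example","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Teams"}
{"time":"2025-01-10T08:05:00Z","userPrincipalName":"bob@corp.example","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.20","appDisplayName":"Microsoft Teams"}
{"time":"2025-01-11T09:00:00Z","userPrincipalName":"bob@corp.example","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.20","appDisplayName":"Example CLI Tool"}
{"time":"2025-01-12T14:22:00Z","userPrincipalName":"alice@corp.example","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","appDisplayName":"Example Sync Assistant"}
"""

# Hypothetical allow-list: apps this organisation expects to use the device code flow
# (for instance command-line tools on headless hosts). Anything else is unexpected.
EXPECTED_DEVICE_CODE_APPS = {"Example CLI Tool"}


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def suspicious_device_code_signins(records, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return device-code sign-ins that come from an IP the user has never used with an
    interactive flow, or that authorise an app not expected to use device code."""
    # Baseline: IPs each user has used with non-device-code (interactive) sign-ins.
    baseline_ips = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            baseline_ips[r["userPrincipalName"]].add(r["ipAddress"])

    alerts = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        user, ip, app = r["userPrincipalName"], r["ipAddress"], r["appDisplayName"]
        reasons = []
        if ip not in baseline_ips[user]:
            reasons.append("ip never seen in this user's interactive sign-ins")
        if app not in expected_apps:
            reasons.append("app not expected to use device code flow")
        if reasons:
            alerts.append({"time": r["time"], "user": user, "ip": ip, "app": app, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in suspicious_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(f"{a['time']} {a['user']} from {a['ip']} via {a['app']}: {'; '.join(a['reasons'])}")
```

Here the baseline is built from the same batch of records; in practice it should come from the user's prior sign-in history. An organisation that has no legitimate use for the device code flow can skip the baseline entirely and treat every device-code sign-in as an alert, or block the flow with a conditional access policy.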
How can I verify if a Teams message or invitation is legitimate?
Check for these red flags: Requests for passwords, multi-factor authentication codes, or sensitive data (legitimate IT will never ask via Teams). Urgent tone with threats such as "Account suspended" or "Immediate action required." Sender name does not match the display picture or known colleague. Links to external login pages (hover to verify URL matches expected domain). Unusual grammar or formatting. Unexpected file attachments or meeting invitations. Verify requests through secondary channels (call, in-person) using contact info from official company sources, not the message itself.
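The "hover to verify the URL matches the expected domain" check is easy to get wrong by eye, because a host can start with the expected name and still belong to someone else, and a URL can put a brand name in front of an @ sign. The function below, an added example that is not part of the page, applies the check the way a browser resolves the link; the allow-list of expected hosts and the brand words used as a lookalike signal are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list of hosts a Microsoft 365 or Teams link is expected to use,
# and brand words whose presence in any other host is a lookalike signal.
# Both are assumptions for this example; adapt them to your own tenant.
EXPECTED_HOSTS = ("login.microsoftonline.com", "teams.microsoft.com")
BRAND_TOKENS = ("microsoft", "office", "teams", "sharepoint")


def link_host(url):
    """Return the lowercase host of an http(s) URL, or None for anything else.
    urlsplit().hostname drops userinfo, so 'https://login.microsoftonline.com@evil.example/'
    yields 'evil.example', the host a browser would actually connect to."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def is_under(host, expected):
    """True only for an exact match or a genuine subdomain. A host that merely starts
    with the expected name ('login.microsoftonline.com.billing.example') is rejected."""
    return host == expected or host.endswith("." + expected)


def classify_link(url, expected_hosts=EXPECTED_HOSTS):
    """Classify a link as 'ok' (expected host), 'suspicious' (brand name in an
    unexpected host), 'external' (some other host) or 'reject' (not an http(s) link)."""
    host = link_host(url)
    if host is None:
        return "reject"
    if any(is_under(host, e) for e in expected_hosts):
        return "ok"
    if any(token in host for token in BRAND_TOKENS):
        return "suspicious"
    return "external"


if __name__ == "__main__":
    for sample in (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
        "https://login.microsoftonline.com.billing-alert.example/",
        "https://login.microsoftonline.com@evil.example/",
        "https://partner.example/invoice",
        "javascript:alert(1)",
    ):
        print(f"{classify_link(sample):<10} {sample}")
```

"External" is not a verdict on its own: a vendor's real domain is external too. The value of the check is that "ok" is only ever returned for a host that is genuinely under an expected domain, and "suspicious" catches the brand-in-the-wrong-place pattern that a quick hover tends to miss.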
What are the risks of the "Chat with Anyone" feature in Teams?
The "Chat with Anyone" feature allows external users to send direct messages to Teams users via email address without requiring prior channel membership or organization affiliation. Attackers abuse this to impersonate external partners, vendors, or billing services, making their messages appear to come from legitimate sources. The feature bypasses standard Teams invite controls and audit trails. Organizations should disable this feature if not business-critical or monitor it closely for suspicious activity. Users should treat unexpected messages from external users with heightened skepticism.
How is Teams phishing different from email phishing?
Teams phishing leverages the inherent trust employees place in internal communication platforms, where messages appear authenticated and sender verification is weaker. Email phishing relies on external origin and is heavily filtered. Teams messages bypass email security tools entirely and are harder to detect because Teams monitoring is less mature. Additionally, Teams phishing can exploit API vulnerabilities (message editing, spoofing) that do not exist in email. Multi-channel attacks combine both to increase effectiveness. Teams phishing integrates more seamlessly into normal workplace communication, making detection harder for both automated systems and humans.
What should I do if I suspect a Teams phishing message?
Do not click links or download attachments. Do not reply or engage with the sender. Use the report as phishing option in Teams (right-click message > Report). Notify your organization's security/IT team immediately with a screenshot and sender details. If you already entered credentials, immediately reset your password and notify IT to check for unauthorized access. Check if your account was used to send phishing to others. Monitor your account for suspicious activity. Incident response teams can use audit logs to determine scope of compromise and implement remediation.