Microsoft Teams External Tenant Phishing: Office Tools Turned Against Employees
APT29 (Cozy Bear, tracked by Microsoft as Midnight Blizzard) used compromised Microsoft 365 tenants to send Teams chat messages that impersonated Microsoft and IT support staff to employees of government and critical infrastructure organisations, sidestepping email phishing defences entirely.
Attack Chain
1. External Teams chat request sent from an attacker-controlled tenant
2. Attacker poses as Microsoft security or IT support
3. Lure delivered in the Teams message
4. Employee approves the attacker's MFA prompt
5. Attacker signs in with the valid session and reaches internal systems
Background
Microsoft Teams external access (federation) is enabled by default: users in any other Microsoft 365 tenant can send chat requests, messages and meeting invitations to your users. Most organisations had never reviewed or restricted this setting, and few routed Teams messages through the filtering and logging they apply to email. APT29, attributed to Russia's SVR foreign intelligence service and tracked by Microsoft as Midnight Blizzard, identified it as an unmonitored channel for phishing.
The Attack
APT29 used Microsoft 365 tenants it had previously compromised, most of them belonging to small businesses, and renamed them with new onmicrosoft.com subdomains and display names that suggested Microsoft security, identity protection or an IT support desk. From these tenants it sent Teams chat requests and messages to employees at targeted government, defence and critical infrastructure organisations. The messages described an urgent account problem and asked the employee to approve an MFA prompt, typically by entering a code shown in the chat into the Microsoft Authenticator app. The attacker already held the employee's password, likely from an earlier password spray, and had started a sign-in with it; the employee's approval completed that sign-in. The attacker therefore ended up with a valid, MFA-satisfied session and access tokens for the account, without the user ever typing a password into a phishing page.
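To hunt for the sender pattern described above in your own Teams audit data, here is an added PowerShell example; it is not from the original article and not one of Microsoft's published queries. The home and partner domains, the audit-record field names and the four sample records are constructed assumptions, so compare the field names against a real export before relying on it.

```powershell
# Added example, not from the original article: hunt Teams audit records for
# chat messages from external tenants whose sending domain looks like the
# IT-support / identity-protection lookalikes used in this campaign.
# Field names (Operation, CommunicationType, UserId, Members[].UPN) are modelled
# on Microsoft 365 Unified Audit Log "MessageSent" records; treat the exact
# shape as an assumption and check it against your own export.

$HomeDomains          = @('contoso.com')      # your verified tenant domains (assumption)
$TrustedSenderDomains = @('partner.example')  # federated partners you expect to chat with (assumption)
# Naming themes seen in the lookalike onmicrosoft.com subdomains; extend for your environment
$SuspiciousThemes     = 'identity|protection|security|support|helpdesk|msft|microsoft'

# Constructed sample export (AuditData only, abbreviated), not real log data
$SampleAuditData = @'
[
  {"Operation":"MessageSent","CommunicationType":"OneOnOne",
   "UserId":"alice@contoso.com",
   "Members":[{"UPN":"alice@contoso.com"},{"UPN":"bob@contoso.com"}]},
  {"Operation":"MessageSent","CommunicationType":"OneOnOne",
   "UserId":"support@msftprotection.onmicrosoft.com",
   "Members":[{"UPN":"support@msftprotection.onmicrosoft.com"},{"UPN":"bob@contoso.com"}]},
  {"Operation":"MessageSent","CommunicationType":"OneOnOne",
   "UserId":"sales@partner.example",
   "Members":[{"UPN":"sales@partner.example"},{"UPN":"carol@contoso.com"}]},
  {"Operation":"MessageSent","CommunicationType":"OneOnOne",
   "UserId":"it-desk@acme-helpdesk.example",
   "Members":[{"UPN":"it-desk@acme-helpdesk.example"},{"UPN":"dave@contoso.com"}]}
]
'@

function Get-SuspiciousExternalTeamsMessage {
    param([Parameter(Mandatory)][object[]]$Records)

    foreach ($r in $Records) {
        if ($r.Operation -ne 'MessageSent') { continue }
        $senderDomain = ($r.UserId -split '@')[-1].ToLower()

        # Skip messages sent by our own users and by allow-listed partners
        if ($HomeDomains -contains $senderDomain)          { continue }
        if ($TrustedSenderDomains -contains $senderDomain) { continue }

        $isOnMicrosoft = $senderDomain -like '*.onmicrosoft.com'   # unverified tenant subdomain
        $isThemed      = $senderDomain -match $SuspiciousThemes    # impersonation vocabulary
        $recipients    = @($r.Members |
                           Where-Object { ($_.UPN -split '@')[-1] -in $HomeDomains } |
                           ForEach-Object { $_.UPN })

        # Any unexpected external sender is worth a look; lookalike tenants rank highest
        $score = 1
        if ($isOnMicrosoft -or $isThemed)  { $score = 2 }
        if ($isOnMicrosoft -and $isThemed) { $score = 3 }

        [pscustomobject]@{
            Score       = $score           # 3 = high, 2 = medium, 1 = low
            Sender      = $r.UserId
            Recipients  = $recipients -join ';'
            OnMicrosoft = $isOnMicrosoft
            Themed      = $isThemed
        }
    }
}

$records = $SampleAuditData | ConvertFrom-Json
Get-SuspiciousExternalTeamsMessage -Records $records |
    Sort-Object Score -Descending | Format-Table -AutoSize

# Live use (Exchange Online PowerShell; pull the last 7 days of Teams message events):
# $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#              -RecordType MicrosoftTeams -Operations MessageSent -ResultSize 5000 |
#            ForEach-Object { $_.AuditData | ConvertFrom-Json }
```

On the constructed sample the lookalike tenant scores 3, the unknown helpdesk-themed domain scores 2, and the partner and internal messages are dropped. The scoring is deliberately simple: the point is that external senders are only visible at all once Teams audit records are being collected and reviewed with the same routine as mail-flow logs.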
Response
Microsoft observed the campaign from late May 2023, notified affected organisations and, in August 2023, published its analysis together with hunting queries and hardening recommendations for Teams external access. Microsoft also blocked the actor from using the lookalike domains.
Outcome
Fewer than 40 organisations were targeted globally. The campaign demonstrated that collaboration tools create phishing surfaces that IT teams have not historically monitored: security teams that had invested heavily in email gateway security had no equivalent sender controls, filtering or alerting on Teams messages.
Key Takeaways
- Restrict Microsoft Teams external access to an allow list of trusted domains and close the consumer Teams and Skype paths. External access is open to every domain by default, so "not yet reviewed" means open.
- A valid session or access token is worth more to an attacker than a password. Once a user approves the attacker's MFA prompt, MFA is already satisfied, so treat an approved prompt the user did not initiate as a full account compromise and revoke sessions and tokens, not just the password.
- Collaboration tools (Slack, Teams, Discord) are now phishing delivery channels and need the same sender controls, filtering and logging as email.
- Monitor sign-in logs for MFA approvals that follow a password-spray pattern or come from unfamiliar locations, and Teams audit logs for messages from external tenants, rather than watching only password failures.
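The first takeaway, and the default-open setting described in the Background, can be applied from the Teams admin center or with the MicrosoftTeams PowerShell module. The following is an added example, not code from the original article or from Microsoft; the partner domain names are assumptions, and the account running it needs a Teams administrator role.

```powershell
# Added example, not from the original article. Requires the MicrosoftTeams
# module and a Teams administrator account; the domain names are assumptions.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Record what is in place today. A never-reviewed tenant shows
#    AllowedDomains = AllowAllKnownDomains and AllowTeamsConsumerInbound = True,
#    which is the state the campaign relied on.
Get-CsTenantFederationConfiguration |
    Select-Object AllowedDomains, BlockedDomains, AllowPublicUsers,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound

# 2. Replace open federation with an allow list of the domains you actually
#    work with. Anything not on the list, including ad-hoc onmicrosoft.com
#    tenants, can no longer start a chat with your users.
$trusted   = @('partner.example', 'vendor.example')     # assumption: your real partner domains
$patterns  = $trusted | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowedDomains $allowList

# 3. Close the consumer paths that sit outside the federation allow list:
#    Skype consumer accounts and personal (non-business) Teams accounts.
Set-CsTenantFederationConfiguration -AllowPublicUsers $false `
                                    -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 4. Verify the result before closing the change.
(Get-CsTenantFederationConfiguration).AllowedDomains.AllowedDomain |
    Select-Object Domain
Get-CsTenantFederationConfiguration |
    Select-Object AllowPublicUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound
```

Run step 1 first and keep its output: if a business-critical partner is missing from the allow list, their chats stop the moment step 2 applies, so build the list from the external domains that actually appear in your Teams audit logs rather than from memory. Tenant-wide federation settings take effect for all users; if some teams genuinely need wider access, scope that with a separate external access policy rather than reopening the tenant.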