Bastion Security

The New Social Engineering Speedrun: How Threat Actors Weaponize Teams and Trusted Platforms

Social Engineering campaigns have rapidly shifted to abusing trusted business communication platforms

Social engineering campaigns have rapidly shifted to abusing trusted business communication platforms, with threat actors increasingly abusing Microsoft Teams and Salesforce Web Chat to bypass security defences. Threat actors conducting these attacks have been observed impersonating trusted vendors, C-suite executives and internal helpdesks through these collaboration tools to exploit users' trust and gain access to the target organisation.

Threat actors have increasingly been observed leveraging Microsoft Teams as an initial access point because of its wide adoption and its perception among users as a trusted tool. This misplaced trust catches users off guard: they often do not apply the same caution to their own company's collaboration platform that they have been trained to apply to email-based threats. Threat actors typically initiate conversations from compromised Microsoft tenants or newly created “onmicrosoft[.]com” domains to build trust with the victim, then leverage that trust to trick the user into granting remote access, approving MFA prompts or sharing sensitive internal information.

Historically, social engineering attacks were simpler to detect and respond to because the attack chain usually involved a delay between the phishing email being sent and the attacker acting on it, which gave defenders time to detect and remediate the threat. The threat landscape has now changed drastically: the time between an external Teams chat request and an active remote session with malware deployed has been reduced to minutes.

Since the end of 2025, Bastion has observed a sharp increase in successful social engineering initiated via external Microsoft Teams chats. In a recent incident Bastion responded to, an external threat actor posed as the company's internal IT support team and persuaded the user to initiate a remote session using Microsoft Quick Assist under the guise of troubleshooting a technical issue on their device. During the remote session, the threat actor used a Google Chrome browser extension called “IE Tab” to bypass Safe Browsing and covertly dropped a malicious payload into the user's “AppData\Local\Temp\” folder. The executable then established persistence by creating a registry Run key masquerading as “Realtek HD Audio Universal Service”, setting up a persistent backdoor with command-and-control (C2) beaconing. Bastion identified and remediated the threat promptly, preventing further compromise or additional payloads.

Mitigations for Social Engineering

  • Detection logic and alert correlation for an external Teams chat followed by a remote session
  • Communication platform hardening
  • Lock down remote access tools
  • Implement application control to restrict software
  • Security awareness training for all staff
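The first mitigation above, correlating an external Teams chat with a subsequent remote session, as an added example that is not Bastion's own detection content. It assumes Teams chat, process-start and registry events have already been normalised into one feed (the event shape, sample sender address and timestamps are constructed here); it raises an alert when a remote-access tool starts within a window after an external chat and escalates if a Run key is written afterwards, following the incident chain described in the post.

```python
# Added example (not Bastion's detection content). Correlates, per user, an
# external Teams chat with a subsequent Quick Assist start and an optional
# Run-key write, mirroring the incident chain described above.
# Assumption: events have already been normalised to (timestamp, user, type, detail).
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)          # chat -> remote session -> persistence
REMOTE_TOOLS = {"quickassist.exe"}      # extend with other remote-access binaries in use

# Constructed sample events; the onmicrosoft.com sender and Run-key name follow the text.
EVENTS = [
    ("2026-01-14T09:00:00", "j.smith", "teams_external_chat", "it-helpdesk@support-desk.onmicrosoft.com"),
    ("2026-01-14T09:07:30", "j.smith", "process_start", "QuickAssist.exe"),
    ("2026-01-14T09:19:10", "j.smith", "registry_run_key", "Realtek HD Audio Universal Service"),
    ("2026-01-14T11:30:00", "a.jones", "process_start", "QuickAssist.exe"),  # no prior chat: benign
]

def correlate(events, window=WINDOW):
    """Return one alert per (user, external chat) that is followed within `window`
    by a remote-access tool start; a Run-key write after that start escalates severity."""
    by_user = {}
    for ts, user, etype, detail in sorted(events):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), etype, detail))
    alerts = []
    for user, evs in by_user.items():
        for chat_ts, etype, sender in evs:
            if etype != "teams_external_chat":
                continue
            # Remote-access tool started within the window after the external chat
            remote = [e for e in evs if e[1] == "process_start"
                      and e[2].lower() in REMOTE_TOOLS
                      and chat_ts <= e[0] <= chat_ts + window]
            if not remote:
                continue
            remote_ts = remote[0][0]
            # Persistence written during or shortly after the remote session
            run_keys = [e for e in evs if e[1] == "registry_run_key"
                        and remote_ts <= e[0] <= remote_ts + window]
            alerts.append({
                "user": user,
                "sender": sender,
                "new_tenant_style_domain": sender.endswith(".onmicrosoft.com"),
                "minutes_chat_to_remote": round((remote_ts - chat_ts).total_seconds() / 60, 1),
                "severity": "critical" if run_keys else "high",
                "run_key": run_keys[0][2] if run_keys else None,
            })
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The same logic maps onto a SIEM query over the Teams audit log, endpoint process telemetry and registry events, with the user principal as the join key.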
