Microsoft Warns of ‘Guided Execution’ Playbook as Attackers Impersonate IT Helpdesks via Teams

Attackers are using Microsoft Teams to impersonate helpdesk staff and gain remote access to enterprise networks. Learn how to defend against this new playbook.

By: AXL Media

Published: Apr 23, 2026, 3:44 AM EDT

Source: Information for this report was sourced from CSO Online


The Evolution from Phishing to Participation

Cybersecurity researchers at Microsoft have documented a sophisticated shift in social engineering tactics, moving away from traditional email-based phishing toward real-time engagement on collaboration platforms. In this new "playbook," attackers initiate contact through Microsoft Teams’ external access feature, masquerading as internal IT support to build immediate rapport with employees. Analysts note that while the underlying objective of gaining initial access remains unchanged, the transition to Teams allows attackers to exploit the high level of trust users place in their primary workplace communication tools. Unlike static email deceptions, this method allows for a "guided execution" where the attacker leads the victim through a series of manual steps to surrender system control.

Abusing Cross-Tenant Communication Channels

The primary vulnerability exploited in these intrusions is the cross-tenant communication capability, which allows users from one organization to message individuals in another. While designed to facilitate business-to-business collaboration, this feature creates a "false sense of safety" for employees who associate the Teams environment exclusively with internal coordination. Security advisors point out that many enterprises enabled these convenience-focused features before implementing Zero Trust controls, effectively leaving a digital "lobby" open to any external actor. This trust boundary is often poorly understood by staff, who may not realize that a chat request appearing in their Teams client is originating from an unverified external source.

Bypassing Detections with Legitimate Administrative Tools

A critical challenge for defenders is that once an attacker is granted access, they typically eschew traditional malware in favor of native administrative utilities. By using legitimate remote-control software and data transfer tools, the intruders’ activity blends seamlessly into the noise of routine IT operations. Because the access is technically "user-approved," it does not trigger the typical alerts associated with exploit-driven attacks or unauthorized software installations. Experts warn that there is very little in these sessions that looks overtly malicious in isolation, as the attackers are effectively using the organization’s own infrastructure against itself to move la...
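The two preceding sections describe a pattern where no single event looks wrong: an external Teams chat is a normal B2B feature, and launching a remote-support tool is routine IT work. The following is an added detection example, not code from Microsoft or from the article, that runs over constructed log lines and alerts only when an external chat from a tenant domain outside a hypothetical partner allowlist is followed, within a short window, by the same user's host starting a remote-control executable. The log format, the allowlist, the executable watchlist and the 30-minute window are all assumptions chosen for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: the organisation's external-access policy names its B2B
# partner tenants explicitly; anything else is an unknown external sender.
TRUSTED_EXTERNAL_DOMAINS = {"partner.example"}

# Illustrative watchlist of remote-control images. Each is legitimate on its
# own, which is why the rule keys on context rather than on the image alone.
REMOTE_CONTROL_IMAGES = {"quickassist.exe", "msra.exe", "remotetool.exe"}

# How long after an untrusted external chat a remote-tool launch is suspicious.
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed sample log in a simplified pipe-delimited shape:
#   <ISO timestamp>|<kind>|<user>|<key>=<value>
# alice: untrusted chat then remote tool 3 min later   -> alert
# bob:   chat from allowlisted partner, then tool      -> no alert
# carol: remote tool with no preceding external chat   -> no alert
# dave:  untrusted chat, tool two hours later          -> outside window
SAMPLE_LOG = """\
2026-04-23T09:01:12Z|teams_external_chat|alice@corp.example|sender=helpdesk@unknown-tenant.example
2026-04-23T09:04:40Z|process_start|alice@corp.example|image=quickassist.exe
2026-04-23T09:30:00Z|teams_external_chat|bob@corp.example|sender=pm@partner.example
2026-04-23T09:33:00Z|process_start|bob@corp.example|image=quickassist.exe
2026-04-23T10:00:00Z|process_start|carol@corp.example|image=quickassist.exe
2026-04-23T11:00:00Z|teams_external_chat|dave@corp.example|sender=it@unknown-tenant.example
2026-04-23T13:00:00Z|process_start|dave@corp.example|image=quickassist.exe
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str   # "teams_external_chat" or "process_start"
    user: str
    value: str  # sender address for chats, image name for process starts


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts_raw, kind, user, kv = line.split("|", 3)
    _, value = kv.split("=", 1)
    ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, kind, user, value)


def sender_domain(address: str) -> str:
    """Return the tenant domain of a sender address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def correlate(log_text: str,
              window: timedelta = CORRELATION_WINDOW,
              trusted: set[str] = TRUSTED_EXTERNAL_DOMAINS,
              tools: set[str] = REMOTE_CONTROL_IMAGES) -> list[dict]:
    """Pair untrusted external chats with later remote-tool launches per user.

    Returns one alert dict per (chat, launch) pair inside the window. A chat
    is consumed once it has produced an alert so one session is reported once.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e.ts,
    )
    pending: dict[str, Event] = {}  # latest untrusted chat per user
    alerts: list[dict] = []
    for ev in events:
        if ev.kind == "teams_external_chat":
            if sender_domain(ev.value) not in trusted:
                pending[ev.user] = ev
        elif ev.kind == "process_start" and ev.value.lower() in tools:
            chat = pending.get(ev.user)
            if chat is not None and ev.ts - chat.ts <= window:
                alerts.append({
                    "user": ev.user,
                    "sender_domain": sender_domain(chat.value),
                    "image": ev.value.lower(),
                    "minutes_after_chat": round((ev.ts - chat.ts).total_seconds() / 60, 1),
                })
                del pending[ev.user]
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The design point is that the allowlist does the work the "false sense of safety" undermines: a chat from an unapproved tenant is the contextual signal, and a remote-control launch is merely the trigger that makes it actionable. Suppressing the allowlisted partner case keeps the rule quiet during legitimate B2B support, while the window bound keeps an unrelated tool launch hours later from being attributed to the chat.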
