Chicago IT Support & Cyber Security | Forward Technologies

Chicago-based Forward Technologies delivers IT support and cyber security to businesses in the Chicago area and nationwide.


Hackers Are Now Using Microsoft Teams to Break Into Corporate Networks

May 14, 2026 by Edward Silha

For years, companies drilled one thing into employees’ heads: don’t trust weird emails. Problem is, attackers adapted. Instead of fighting against people’s skepticism around email, they moved to platforms employees already trust without thinking twice about it. One of the biggest targets right now is Microsoft Teams.

A threat group called KongTuke has been using Teams chats to get inside corporate networks, and honestly, it’s working disturbingly well. Instead of blasting out phishing emails, they pose as internal IT staff and message employees directly through Teams. Sometimes they’re operating from already-compromised Microsoft 365 accounts. Other times they create fake accounts designed to look close enough to pass a quick glance. Either way, the attack can go from first contact to compromised system in just a few minutes.

The whole thing works because Teams automatically feels legitimate inside most companies. Employees are used to random chats from help desk staff, admins, vendors, or outside contractors. Attackers know that. Once they get someone talking, they convince the victim to paste a PowerShell command into their computer under the excuse of “running diagnostics” or “fixing an issue.”

That command downloads malware called ModeloRAT. From there, things go downhill fast. The malware quietly installs a portable Python environment, starts collecting screenshots, credentials, system info, and files, then gives the attackers a foothold inside the network. At that point they can move laterally, steal data, or sell access to ransomware groups. That’s basically the business model for initial access brokers like KongTuke. They break in first and let somebody else monetize the damage later.

What makes these attacks particularly nasty is that a lot of the activity looks completely normal at first glance. They lean heavily on legitimate Microsoft services, built-in Windows tools, and standard administrative utilities. Security teams looking for obvious malware downloads or fake login pages may not immediately spot anything unusual. Even Microsoft has warned that Teams is increasingly being abused for fake help desk scams designed to trick employees into granting access or running commands.

This is part of a much bigger shift happening in cybersecurity right now. Traditional phishing emails still exist, but collaboration platforms like Teams, Slack, Zoom, and Discord are becoming more attractive because they bypass the mental defenses people developed around email years ago. A Teams message from “IT Support” feels internal. It feels urgent. And most employees respond before they stop to question whether it’s real.

The attackers are also getting smarter about blending in. Researchers observed KongTuke operators using Unicode whitespace tricks to make fake account names visually resemble legitimate internal users. To somebody glancing quickly at a Teams notification during a busy workday, the difference is almost impossible to notice.
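One way to catch these lookalike names on the defender's side is sketched below. It is an added example, not code from the article or from the researchers it mentions. The internal name list and the sample senders are constructed, and the function names are hypothetical.

```python
import unicodedata

# Constructed directory of legitimate internal display names (assumption).
INTERNAL_NAMES = ["IT Support", "Help Desk", "Dana Whitfield"]

# Zs/Zl/Zp = space and line separators, Cf = invisible format characters, Cc = controls.
ODD_CATEGORIES = {"Zs", "Zl", "Zp", "Cf", "Cc"}


def odd_chars(name):
    """List (index, code point, Unicode name) for every character that
    renders as blank or invisible, other than the plain ASCII space."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"))
        for i, ch in enumerate(name)
        if ch != " " and unicodedata.category(ch) in ODD_CATEGORIES
    ]


def skeleton(name):
    """Comparison key: NFKC-fold, drop invisible characters, turn every
    separator into one ASCII space, trim, and casefold."""
    out = []
    for ch in unicodedata.normalize("NFKC", name):
        cat = unicodedata.category(ch)
        if cat in ("Cf", "Cc"):
            continue
        out.append(" " if cat.startswith("Z") else ch)
    return " ".join("".join(out).split()).casefold()


def check_sender(display_name, is_external, internal_names=INTERNAL_NAMES):
    """Return a verdict for one chat sender's display name."""
    known = {skeleton(n): n for n in internal_names}
    odd = odd_chars(display_name)
    lookalike_of = known.get(skeleton(display_name))
    # Alert when the name hides odd characters, or when an external
    # account's name collapses to an internal one.
    alert = bool(odd) or (is_external and lookalike_of is not None)
    return {"alert": alert, "lookalike_of": lookalike_of, "odd_chars": odd}


if __name__ == "__main__":
    # Constructed sample senders: (display name, is_external).
    for name, ext in [("IT\u00a0Support", True), ("Help\u200b Desk", True),
                      ("IT Support", False), ("Jordan Lee", True)]:
        print(repr(name), check_sender(name, ext))
```

The same comparison key can be applied to a directory export to find existing accounts whose names collide once normalized.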

None of this came out of nowhere either. Microsoft Teams phishing tied to ransomware crews started showing up a couple years ago, but the attacks have become far more polished and convincing since then. Recent campaigns documented by researchers show attackers combining Teams impersonation with email bombing, remote support tools, malicious browser extensions, and signed malware to dig deeper into company networks once they get a foothold.

The uncomfortable part is that a lot of organizations still allow unrestricted external Teams communication by default. In other words, unless policies are tightened, pretty much anyone outside the company can potentially start chatting with employees. That effectively turns Teams into another internet-facing attack surface, except employees trust it far more than email.

The fixes themselves are not complicated. Restrict external Teams access whenever possible. Train employees to never paste PowerShell commands into a terminal because somebody claiming to be IT asked them to. Put verification procedures in place for help desk interactions. Monitor for unusual PowerShell activity, portable Python installs, unexpected remote access tools, and suspicious outbound traffic.
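The monitoring advice for portable Python installs can be turned into a simple triage rule over process-creation telemetry. The following is an added example, not code from the article: the events are constructed, the field names follow Sysmon Event ID 1, and the path lists are assumptions to tune per environment.

```python
import ntpath

# Constructed process-creation events; field names follow Sysmon Event ID 1.
EVENTS = [
    {"User": "CORP\\dev1", "Image": r"C:\Program Files\Python312\python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"User": "CORP\\jdoe", "Image": r"C:\Users\jdoe\AppData\Roaming\pyrt\pythonw.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"User": "CORP\\dev1",
     "Image": r"C:\Users\dev1\AppData\Local\Programs\Python\Python312\python.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"User": "CORP\\asmith", "Image": r"C:\Users\asmith\Downloads\tools\python.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

PYTHON_BINARIES = {"python.exe", "pythonw.exe"}
POWERSHELL_BINARIES = {"powershell.exe", "pwsh.exe"}
# Locations a standard user can write to without elevation.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
# Default per-user path of the python.org installer; an assumption to tune per
# environment, since a path allowlist alone can be abused.
ALLOWLIST = ("\\appdata\\local\\programs\\python\\",)


def classify(event):
    """Return None, "medium" or "high" for one process-creation event."""
    image = event["Image"].lower()
    if ntpath.basename(image) not in PYTHON_BINARIES:
        return None
    if not any(m in image for m in USER_WRITABLE):
        return None  # machine-wide install under Program Files or similar
    if any(m in image for m in ALLOWLIST):
        return None
    parent = ntpath.basename(event["ParentImage"].lower())
    # Interpreter unpacked into a user directory and launched by PowerShell
    # matches the chain the article describes.
    return "high" if parent in POWERSHELL_BINARIES else "medium"


def triage(events):
    """Return (severity, user, image) for every flagged event, high first."""
    hits = [(classify(e), e["User"], e["Image"]) for e in events]
    hits = [h for h in hits if h[0]]
    return sorted(hits, key=lambda h: h[0] != "high")


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(*hit)
```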

Most importantly, companies need to stop treating Teams like it’s “just chat.” The attackers already figured out it’s much more than that.

Filed Under: Cybersecurity, Tech In General Tagged With: corporate cybersecurity, cybersecurity, enterprise security, initial access brokers, KongTuke, malware, Microsoft 365, Microsoft 365 security, Microsoft Teams, ModeloRAT, phishing, PowerShell attacks, ransomware, social engineering, Teams phishing, Windows security
