Email bombing and fake IT support calls fuel Microsoft Teams phishing attacks


Threat actors are using email bombing and fake Microsoft Teams support calls to trick employees into giving attackers remote access to their devices.

The attack usually starts with hundreds or thousands of unwanted emails hitting one inbox in a short time. While the victim tries to understand what is happening, a fake IT support worker contacts them through Microsoft Teams and offers help.

The goal is simple. Attackers want the employee to trust the Teams message, start a remote support session, and approve access through tools such as Quick Assist or similar remote assistance software.

Why this attack works

Email bombing creates stress. It makes the victim feel that their account, mailbox, or device has a serious problem that needs immediate help.

The fake support message arrives at the right moment. It appears to come from an IT or helpdesk contact, often with a professional display name, a realistic user name, and an external Microsoft tenant built to look official.

Microsoft Teams makes the lure more convincing because employees already use it for daily work. Many users respond faster to Teams messages than email, especially when the message looks like internal support.

At a glance

| Attack stage | What happens | Why it matters |
| --- | --- | --- |
| Email bombing | The victim receives a flood of unwanted emails | It creates panic and makes the fake support contact feel timely |
| Teams contact | An external account impersonates IT support | The attacker uses a trusted work platform instead of only email |
| Remote access request | The victim launches Quick Assist or a similar tool | The attacker gains interactive access to the endpoint |
| Post-access activity | The attacker runs trusted tools and admin protocols | The activity may look like normal IT work |
| Data theft or lateral movement | The attacker moves through the network or stages files | One support call can turn into a wider compromise |

Microsoft says attackers abuse external collaboration

Microsoft has warned that threat actors are abusing cross-tenant Teams communication to impersonate IT and helpdesk staff. The company says the attacker often convinces the user to grant remote assistance access.

After that access starts, attackers may run trusted signed applications with attacker-supplied components, use Windows Remote Management, move laterally, install remote management tools, and stage business data for exfiltration.

Microsoft also says the issue is not a flaw in Teams itself. The risk begins when a user accepts the external contact and approves follow-up actions, such as starting a remote support session.

eSentire reports a sharp rise in these campaigns

eSentire says it has observed an increase in Microsoft Teams phishing attacks since early 2026. The campaigns often combine email bombing with fake IT support messages sent through Teams.

The company’s 2026 Annual Cyber Threat Report found a large increase in email bombing and IT impersonation attacks between 2024 and 2025. It also reported a 72% success rate in the attacks it identified.

Researchers also noted a shift in how attackers present themselves. Instead of using obvious addresses such as helpdesk or admin, they use realistic names paired with IT-themed tenant names to look more credible.

Common signs of the attack

  • A sudden flood of emails from newsletters, forms, mailing lists, or random services.
  • A Microsoft Teams message from an external user claiming to be IT support.
  • A display name that includes helpdesk, security, Windows, IT protection, or support wording.
  • A request to launch Quick Assist, AnyDesk, ConnectWise, ScreenConnect, or another remote access tool.
  • A support message that pressures the employee to act quickly.
  • A request to approve device control, run a command, install a tool, or download a file.
  • A sender using a newly created or unfamiliar .onmicrosoft.com tenant.
  • A Teams contact that shows an external warning but claims to be internal staff.

How attackers hide after remote access

These campaigns do not always rely on obvious malware at the start. Attackers often use legitimate software because normal tools create less suspicion.

Microsoft says attackers have used trusted applications, native administrative protocols, remote management software, and data transfer utilities during observed intrusions. That makes the activity harder to separate from normal IT support work.

Rapid7 also warned that attackers are trying to persuade users to launch Quick Assist through Teams. Once the connection starts, the attacker can deploy malware, steal data, or move laterally across the network.

Why external Teams access matters

Many Microsoft 365 tenants allow external Teams communication so employees can work with partners, vendors, and customers. Attackers now exploit that same convenience.

Hunters Security says external communication capabilities are a primary initial access risk in Teams phishing. It also notes that many attacks use .onmicrosoft.com domains created through Entra ID tenants.

That does not mean every company should block all external Teams communication. It means organizations should allow only what the business actually needs and make external messages clearly visible to users.

  • Limit Microsoft Teams external access to approved domains only.
  • Disable external users from starting conversations if the business does not require it.
  • Block or tightly control Quick Assist, AnyDesk, ScreenConnect, ConnectWise, and similar tools.
  • Alert on sudden spikes in email volume followed by Teams messages from external users.
  • Monitor for new remote access tools, file transfer utilities, and unusual admin activity.
  • Train employees to reject unexpected IT support requests from external Teams accounts.
  • Require users to verify support requests through an official helpdesk number or ticketing system.
  • Review Teams audit logs for suspicious external chat requests and accepted contacts.
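
The alert suggested in the list above, an email spike followed by a Teams message from an external user, can be written as a simple correlation. This is an added example, not code from the article or from any vendor it cites; the event field names, thresholds, keyword list and sample data are assumptions to map onto your own mail and Teams audit logs.

```python
from bisect import bisect_left, bisect_right
from datetime import datetime, timedelta

# Assumed tuning values and event field names, not figures from the article.
BURST_WINDOW = timedelta(minutes=10)    # span over which inbound mail is counted
BURST_THRESHOLD = 100                   # inbound messages that count as a flood
FOLLOWUP_WINDOW = timedelta(hours=2)    # how long after a flood a chat stays suspect
LURE_WORDS = ("helpdesk", "support", "security", "protection", "windows")

def flood_times(email_times):
    """Timestamps at which the trailing BURST_WINDOW holds >= BURST_THRESHOLD mails."""
    times = sorted(email_times)
    return [t for i, t in enumerate(times)
            if i - bisect_left(times, t - BURST_WINDOW) + 1 >= BURST_THRESHOLD]

def correlate(events, internal_domains):
    """Return one alert per external Teams chat that follows an email flood."""
    mail = {}
    for e in events:
        if e["type"] == "email":
            mail.setdefault(e["user"], []).append(e["time"])
    floods = {user: flood_times(ts) for user, ts in mail.items()}
    alerts = []
    for e in events:
        domain = e.get("sender_upn", "").rsplit("@", 1)[-1].lower()
        if e["type"] != "teams_chat" or domain in internal_domains:
            continue                     # only chats from external senders matter
        hits = floods.get(e["user"], [])
        lo = bisect_left(hits, e["time"] - FOLLOWUP_WINDOW)
        if lo == bisect_right(hits, e["time"]):
            continue                     # no flood shortly before this chat
        reasons = ["external chat after email flood"]
        if domain.endswith(".onmicrosoft.com"):
            reasons.append("onmicrosoft.com tenant")
        if any(w in (e["sender_display"] + " " + domain).lower() for w in LURE_WORDS):
            reasons.append("IT-themed display or tenant name")
        alerts.append({"user": e["user"], "sender": e["sender_upn"], "reasons": reasons})
    return alerts

def sample_events():
    """Constructed data: alice is flooded then contacted; bob is contacted, no flood."""
    t0 = datetime(2026, 1, 15, 9, 0)
    ev = [{"type": "email", "user": "alice", "time": t0 + timedelta(seconds=2 * i)}
          for i in range(150)]
    chat = {"type": "teams_chat", "sender_display": "Daniel Reyes",
            "sender_upn": "d.reyes@example-helpdesk.onmicrosoft.com"}
    return ev + [{**chat, "user": u, "time": t0 + timedelta(minutes=12)}
                 for u in ("alice", "bob")]
```

Calling `correlate(sample_events(), {"corp.example"})` flags only the chat sent to alice. The realistic display name passes the keyword check, but the IT-themed tenant name still matches, which is the naming shift the researchers describe.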

How employees should respond

Employees should not accept unexpected Teams support chats during an email flood. A real IT team should already have a trusted process for contacting users.

If someone claims to be support, the employee should stop the conversation and verify through a separate channel. That can mean calling the official helpdesk number, opening a ticket, or messaging a known internal IT contact.

Employees should never launch remote access tools because an external Teams user asks them to. They should also avoid running commands, downloading files, approving screen control, or sharing codes during an unsolicited support interaction.

Why this is bigger than normal phishing

Traditional phishing often tries to steal passwords through a link. This attack goes further because it can give the attacker hands-on access to the employee’s machine.

Once inside, the attacker may reach browser data, cloud sessions, company files, internal apps, and saved credentials. They may also use the device as a starting point for deeper network access.

This is why organizations should treat email bombing followed by a Teams support message as a high-risk event, not just a user awareness issue.

FAQ

Which remote access tools are commonly abused?

Attackers commonly try to use Quick Assist or similar support tools. Security teams should also monitor for AnyDesk, ScreenConnect, ConnectWise, and other remote management software.

Is this caused by a Microsoft Teams vulnerability?

No. Microsoft says the attack abuses collaboration workflows and user trust. The risk increases when users accept external messages and approve remote access.

How does Microsoft Teams fit into the attack?

Attackers use Teams to impersonate IT or helpdesk staff. They often contact users from external tenants and ask them to start a remote support session.

What is email bombing?

Email bombing is a tactic where attackers flood a victim’s inbox with a large number of unwanted messages. The goal is to create confusion and make a fake support contact feel believable.
