A new wave of social engineering attacks is targeting Australian organisations through a channel most IT teams still treat as safe: Microsoft Teams.<\/p>\n\n\n\n
Threat actors are impersonating internal IT helpdesk staff, reaching users via external Teams chats and federated messaging, and walking them straight into credential theft or malware deployment. It is the same playbook Midnight Blizzard and Storm-linked groups have been refining for months, and it is now landing in mid-market Australian inboxes.<\/p>\n\n\n\n
The uncomfortable truth is that most Microsoft 365 tenants are still configured with permissive external Teams settings by default. That gap is where the attacks live.<\/p>\n\n\n\n
The pattern is consistent across recent incidents observed by our consultants and reported by Microsoft’s own threat intelligence team.<\/p>\n\n\n\n
An attacker compromises a legitimate Microsoft 365 tenant, often a small business or dormant account, and uses it to message targets on other tenants. The display name is changed to something like “Help Desk”, “IT Support”, or “Microsoft Security”. The message arrives through Teams federation, so it carries the Microsoft Teams branding the user trusts.<\/p>\n\n\n\n
From there, the playbook splits in two directions. Some attackers send a malicious file or OneDrive link. Others walk the user through a fake MFA reset, harvesting credentials and push-approval fatigue along the way. In several cases, the same actors then pivot to Quick Assist or other remote support tools to execute payloads directly on the endpoint.<\/p>\n\n\n\n
The attack works because it bypasses the filters organisations rely on. Email gateways never see the message. Staff have been trained to be suspicious of email, but not of Teams.<\/p>\n\n\n\n
Three factors make this threat especially relevant to Australian CIOs and IT Directors right now.<\/p>\n\n\n\n
First, Australian mid-market organisations have heavily adopted Microsoft 365 and Teams over the past three years, often without revisiting the default external collaboration settings configured during rollout.<\/p>\n\n\n\n
Second, the ACSC and ASD have continued to flag social engineering and credential theft as primary initial access vectors in their quarterly threat assessments. Teams-based attacks fit squarely inside that pattern.<\/p>\n\n\n\n
Third, Essential 8 maturity expectations are rising. User education, MFA hardening, and restrict-administrative-privileges controls all intersect with this specific attack chain. Boards and auditors are asking harder questions about how these controls are actually enforced, not just documented.<\/p>\n\n\n\n
The good news is that the mitigations are mostly configuration changes inside tenants the organisation already owns. No new product required. The team at CloudProInc recommends the following priorities for any Australian organisation running Microsoft 365.<\/p>\n\n\n\n
In the Teams admin centre, review External Access settings. The safest default for most mid-market organisations is to block communication with all external domains and allow only a named list of trusted partners.<\/p>\n\n\n\n
If a full block is not operationally viable, disable unmanaged Teams accounts at a minimum. That single change removes the attacker’s cheapest path in, which is standing up a free consumer or trial tenant and messaging from there.<\/p>\n\n\n\n
Phishing-resistant MFA is no longer optional. Move the organisation off SMS and voice-call MFA, and prioritise FIDO2 security keys, Windows Hello for Business, or number-matching in the Microsoft Authenticator app.<\/p>\n\n\n\n
Conditional Access policies should enforce compliant-device requirements for access to Teams, SharePoint, and Exchange. Sign-in risk and user risk policies inside Microsoft Entra ID Protection should be set to block or require strong re-authentication, not just prompt the user.<\/p>\n\n\n\n
Safe Links and Safe Attachments for Microsoft Teams are built into Defender for Office 365 Plan 2, and they catch a meaningful percentage of the payloads seen in this attack pattern. Many organisations are licensed for the capability but have never flipped the switch.<\/p>\n\n\n\n
Review whether the tenant has Teams protection enabled, and whether alerts from Teams activity are flowing into the security operations queue rather than sitting unread in a mailbox.<\/p>\n\n\n\n
Most security awareness programs still lead with email phishing. That content needs an urgent refresh.<\/p>\n\n\n\n
Users need to know that a message from “IT Helpdesk” on Teams can be external, and that a legitimate internal helpdesk will never ask them to approve an MFA prompt they did not initiate or to install remote support software on an unsolicited call. Short, role-specific reminders delivered through Viva Learning or a scheduled Teams announcement perform better than annual training modules.<\/p>\n\n\n\n
Quick Assist, AnyDesk, TeamViewer, and similar tools are frequently weaponised in the final stage of this attack. If the organisation does not formally use these for IT support, block them through AppLocker, Intune, or Defender for Endpoint attack surface reduction rules.<\/p>\n\n\n\n
If they are used, restrict execution to known support accounts and log every session.<\/p>\n\n\n\n
Each of the mitigations above aligns directly to an Essential 8 control.<\/p>\n\n\n\n
User application hardening and restrict Microsoft Office macros map to blocking the payload delivery stage. Multi-factor authentication and restrict administrative privileges map to blunting the credential theft and lateral movement stages. User education supports every layer.<\/p>\n\n\n\n
For organisations targeting Essential 8 Maturity Level Two, this attack pattern is a useful stress test. If the controls cannot be evidenced as actually preventing a Teams-delivered helpdesk impersonation attempt, the maturity rating is likely aspirational rather than real.<\/p>\n\n\n\n
The teams that weather this wave best are the ones treating it as a configuration and governance issue, not a tooling purchase. Most of the controls are already licensed. The work is reviewing the settings, aligning them to Essential 8, and briefing the business on why the changes matter.<\/p>\n\n\n\n
CloudProInc works with Australian mid-market organisations to run focused Microsoft 365 security reviews that map existing configuration to Essential 8 and the ACSC’s current threat guidance, with practical remediation plans the internal IT team can execute. If your tenant has not been reviewed against this specific attack pattern, this is the week to do it.<\/p>\n\n\n","protected":false},"excerpt":{"rendered":"
A new wave of social engineering attacks is targeting Australian organisations through a channel most IT teams still treat as safe: Microsoft Teams. Threat actors are impersonating internal IT helpdesk staff, reaching users via external Teams chats and federated messaging, and walking them straight into credential theft or malware deployment. It is the same playbook […]<\/p>\n","protected":false},"author":1,"featured_media":57491,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"Teams helpdesk impersonation","_yoast_wpseo_title":"Teams Helpdesk Impersonation Attacks: What Australian IT Must Change","_yoast_wpseo_metadesc":"Teams helpdesk impersonation attacks are hitting Australian organisations. Here are the configuration changes IT teams should make this week to close the gap.","_yoast_wpseo_opengraph-title":"Teams Helpdesk Impersonation Attacks Hitting Australian Organisations","_yoast_wpseo_opengraph-description":"Teams helpdesk impersonation attacks are rising fast. Here is what Australian IT teams should change this week to reduce exposure and align to Essential 8.","_yoast_wpseo_twitter-title":"Teams Helpdesk Impersonation Attacks Hitting Australian Organisations","_yoast_wpseo_twitter-description":"Teams helpdesk impersonation attacks are rising fast. Here is what Australian IT teams should change this week to reduce exposure and align to Essential 8.","_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[13,107,22,103,17,35],"tags":[],"class_list":["post-57487","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-cybersecurity","category-email-security","category-essential-8","category-microsoft-365-security","category-microsoft-teams"],"yoast_head":"\n