Teams & Slack Phishing: The Threat Beyond the Inbox

Elena Vasquez··7 min read
Office worker on a laptop video call reviewing a chat message in a collaboration app

For two decades, security awareness training has trained one reflex: be suspicious of email. That message is finally sinking in — and attackers have responded by moving somewhere employees rarely think to question. A message that pops up inside Microsoft Teams or Slack, or a meeting that lands in your calendar, carries an implicit assumption of trust that a cold email never does. Threat actors know this, and they are exploiting it.

Collaboration-platform phishing is no longer a theoretical risk. Microsoft's security team has documented human-operated intrusions that begin with a Teams message impersonating IT support, and threat groups tracked as Storm-1811 and Midnight Blizzard have used Teams to socially engineer employees into handing over access. The inbox is no longer the only front line.

Why Attackers Are Targeting Teams and Slack

The shift is a rational one. Email security has matured: secure gateways, DMARC enforcement, link rewriting, and years of awareness training have raised the cost of a successful inbox attack. Collaboration platforms, by contrast, are often wide open.

Three factors make them attractive:

  • Implicit trust. A Teams chat or Slack DM feels internal, even when the sender is external. Employees apply far less scrutiny than they would to an email from an unknown address.
  • Fewer controls. Many organizations route every email through a security stack but leave Teams external messaging and Slack Connect open by default, with little inspection of links or files.
  • Real-time pressure. Chat is conversational and immediate. An attacker posing as the help desk can apply pressure in real time — something a static email cannot do.

According to reporting from The Hacker News on a campaign tracked as UNC6692, attackers used Teams messages impersonating the IT help desk to lure employees toward malware and remote-access tooling. Microsoft's own incident-response team has published a playbook describing cross-tenant help-desk impersonation that moves from a first chat message to hands-on-keyboard activity remarkably quickly.

The Three Most Common Collaboration-App Lures

The tactics map closely to classic email phishing — they have simply changed venue.

1. The Fake IT Help Desk Message

An external account, often using a freshly registered Microsoft 365 tenant, sends a Teams message styled as IT support: a security alert, a mailbox-storage warning, or a request to verify your account. The goal is to get you to click a link, approve a prompt, or install a remote-support tool such as Quick Assist that hands the attacker control of your screen.

2. The Malicious Link or File in a Direct Message

Both Teams and Slack allow external parties to share links and attachments. A message that appears to come from a partner, contractor, or colleague carries a link to a credential-harvesting page or a file that drops malware. Because it arrived through a trusted app, the usual “don't click links from strangers” instinct often fails to fire.

3. The Booby-Trapped Calendar Invite

A meeting invite is, at heart, just a message with a body that can hold formatted text and links. Attackers embed phishing links inside the invite body or the “join” details, betting that a calendar entry feels far more legitimate than an unsolicited email.

The medium has changed, but the psychology has not. Every collaboration-app lure still relies on urgency, authority, or familiarity — the same triggers your email awareness training already teaches employees to recognize.

The Email-Bombing Combo: A Two-Stage Trap

One of the more effective patterns pairs the inbox and the chat tool in sequence. First, the attacker floods the target's mailbox with hundreds of newsletter sign-ups and notifications — an “email bomb” that buries any legitimate mail and creates instant stress. Then, moments later, a Teams message arrives from someone posing as IT support, offering to help with the “spam problem.”

The choreography is deliberate. The flood manufactures a real, visible problem; the chat message offers a plausible rescue from someone who appears to be on your side. A rattled employee, eager to make the noise stop, is far more likely to accept a screen-share or run a “fix” than they would be on a calm day. Reporting on these campaigns shows attackers can move from that first friendly chat message to running malicious commands on the victim's machine in a matter of minutes — there is rarely time to second-guess once access is granted.

The lesson for employees is counterintuitive but vital: an inbox flood is not just an annoyance, it can be the opening move of an attack. Unsolicited “help” that arrives right on its heels deserves more suspicion, not less.

The Senior-Executive Angle

These campaigns are not spread evenly across the org chart. Reporting on Teams-based phishing indicates a pronounced and rising focus on executives, managers, and directors — the people with the broadest access and the authority to approve payments, share files, or grant permissions. A help-desk impersonation that lands a director's credentials is worth far more to an attacker than one that catches a junior account.

That skew has a practical implication: high-value roles need targeted preparation, not just the standard all-staff module. Leaders are busy, are accustomed to people doing things for them, and are often the least patient with security friction — exactly the profile attackers prefer. Executive-focused simulations and briefings help close that gap before a real lure tests it.

Locking Down External Collaboration

Technical controls close the easiest doors before an employee ever has to make a judgment call. Microsoft provides guidance on preventing spam and phishing from external Teams chats, and the same principles apply to Slack.

  • Restrict external messaging. Limit who can start a Teams chat with your users from outside the organization. Where the business does not require open external chat, disable it or allow-list trusted domains only.
  • Govern Slack Connect. Require admin approval for external shared channels and DM invitations rather than letting any user accept them.
  • Scan links and files. Extend your link-protection and malware-scanning policies to cover Teams and Slack, not just email.
  • Constrain remote-support tools. Treat unsolicited requests to install or run remote-access software as a serious red flag, and limit which tools can run in your environment.

Extending Awareness Training Past the Inbox

Controls reduce exposure, but determined attackers will still reach some users. The deciding factor is whether employees recognize the lure and report it — wherever it appears.

Most awareness programs were built around email scenarios, which leaves a blind spot the moment an attack arrives in chat. Closing it does not require a new program; it requires updating the one you have:

  • Teach staff that external Teams and Slack messages deserve the same scrutiny as email, and that Microsoft and Slack visibly flag external senders — a label worth checking every time.
  • Reinforce that legitimate IT will never cold-message you in chat to demand a password, an MFA approval, or remote access.
  • Run phishing simulations that mirror real channels. With empowsec, you can train employees on the urgency-and-authority patterns that drive help-desk impersonation, then measure who clicks and deliver targeted follow-up training to those who need it.
  • Make reporting frictionless and blameless. A suspicious Teams message reported in thirty seconds can be the difference between a near miss and an incident.

Key Takeaways

Phishing has followed your employees into the tools they trust most. Defending against it means treating collaboration platforms as first-class attack surfaces:

  • Assume attackers are in your chat tools, not just your inbox — Teams, Slack, and calendar invites are all in scope.
  • Lock down external messaging and Slack Connect, and extend link and file scanning to every channel.
  • Treat unsolicited help-desk contact and remote-access requests as red flags, regardless of platform.
  • Update awareness training so the email-suspicion reflex transfers to chat and calendar lures.
  • Make reporting effortless so a flagged message stops an intrusion early, no matter where it lands.
Share: