Email Bombing and Fake IT Support Calls Fuel New Microsoft Teams Phishing Attacks

A growing 2024–2026 campaign leverages email-bombing to panic victims, then uses Microsoft Teams accounts impersonating internal IT to request remote-access assistance; once access is granted attackers use legitimate remote-support tools (Quick Assist, AnyDesk) and file-transfer utilities (WinSCP) or malicious Java payloads to exfiltrate data. The activity is linked to known groups (Scattered Spider, Payouts King, UNC6692) and backed by organized infrastructure hosted at bulletproof providers, and the report recommends restricting external Teams collaboration and blocking unnecessary remote-access/file-transfer tools.