Hackers Abuse Microsoft Teams Chats After Flooding Victims With Spam Emails
ID: 40a7eb5f-4e03-539e-b322-4a94c3006135
STIX ID: report--40a7eb5f-4e03-539e-b322-4a94c3006135
Feed Name: Cyber Press
eSentire uncovered a rising two-step attack observed from 2024 through 2026: threat actors first flood targets with spam to disrupt their inboxes, then contact employees via Microsoft Teams posing as IT support to obtain remote access. Once inside, they exfiltrate data using legitimate tools (e.g., WinSCP) or hidden Java payloads, relying on bulletproof hosting and disposable or .onmicrosoft domains. The report details attacker patterns and example artifacts, and suggests controls such as restricting external Teams messages, monitoring unexpected WinSCP usage, and using MDR services to block malicious IPs and detect ransomware deployment.
