Wishing: Webhook Phishing in Teams
ID: da26ba92-8146-5921-82d5-e894715885c9
STIX ID: report--da26ba92-8146-5921-82d5-e894715885c9
Feed Name: Black Hills Infosec Blog
This technical blog explains how default Microsoft Teams features—incoming webhooks (connectors) and per-channel email addresses—can be enumerated and abused to send phishing messages and achieve persistence. It provides step-by-step methods for obtaining and manipulating tokens/cookies, enumerating channels and webhooks, creating webhooks programmatically, and configuring channel emails to accept messages from anyone, with examples using GraphRunner and Burp. The article also outlines detection and mitigation limitations and defensive recommendations.
