Microsoft Teams Abused by Ransomware Gangs to Hide Attacks

Ransomware gangs have found a clever new way to sneak into business networks — by disguising their malicious traffic as normal Microsoft Teams activity. If your business uses Teams for day-to-day communication (and most do), this is something you need to understand, even if you're not a security expert. The short version: attackers are abusing the same infrastructure that powers your video calls and chat messages to move undetected through your systems.

How Attackers Are Hiding Inside Microsoft Teams

Microsoft Teams relies on a network of relay servers to route calls, messages, and file transfers between users. These relays are trusted by default — your firewall and security tools are generally set up to allow Teams traffic through without much scrutiny, because blocking it would disrupt your entire workforce.

Ransomware operators have figured out how to tunnel their command-and-control communications through these same relay pathways. In plain terms, they're wearing a disguise. Their malicious instructions to infected machines look, from the outside, like ordinary Teams traffic. Traditional security tools that inspect traffic by source or destination often wave it straight through.

This isn't a vulnerability in Teams itself. Microsoft's platform isn't broken. Instead, attackers are exploiting the trust that businesses — and their security tools — place in well-known enterprise software. It's the digital equivalent of a burglar wearing a delivery uniform.
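Because the traffic really does go to trusted infrastructure, filtering by source or destination will not surface it; what a defender can look at instead is behaviour. Command-and-control channels tend to check in on a fixed timer, whereas a person on a chat or call produces bursty, irregular connections. The script below is an added example (it is not code from the original post or from Breachrr) that scores each host-to-destination pair in a proxy or firewall log by how regular its connection intervals are. The log format and the sample lines are constructed for illustration, and the hostname relay.example-teams-placeholder is a stand-in for a trusted relay, not a real Microsoft address; adapt the regular expression to whatever your firewall or proxy actually writes.

```powershell
# Added example, not from the original post. Flags host/destination pairs whose
# connections recur at near-constant intervals, a common signature of C2
# check-ins even when the destination itself is trusted.
# The log below is CONSTRUCTED: the first host beacons roughly once a minute,
# the second shows the irregular pattern of a person using a chat client.
$sampleLog = @'
2024-05-01T09:00:00 host=WS-FINANCE-01 dst=relay.example-teams-placeholder bytes=1420
2024-05-01T09:01:02 host=WS-FINANCE-01 dst=relay.example-teams-placeholder bytes=1398
2024-05-01T09:02:00 host=WS-FINANCE-01 dst=relay.example-teams-placeholder bytes=1411
2024-05-01T09:03:01 host=WS-FINANCE-01 dst=relay.example-teams-placeholder bytes=1402
2024-05-01T09:04:00 host=WS-FINANCE-01 dst=relay.example-teams-placeholder bytes=1425
2024-05-01T09:05:00 host=WS-FINANCE-01 dst=relay.example-teams-placeholder bytes=1390
2024-05-01T09:06:01 host=WS-FINANCE-01 dst=relay.example-teams-placeholder bytes=1418
2024-05-01T09:00:10 host=WS-SALES-03 dst=relay.example-teams-placeholder bytes=88210
2024-05-01T09:00:15 host=WS-SALES-03 dst=relay.example-teams-placeholder bytes=2310
2024-05-01T09:04:40 host=WS-SALES-03 dst=relay.example-teams-placeholder bytes=510330
2024-05-01T09:05:02 host=WS-SALES-03 dst=relay.example-teams-placeholder bytes=1200
2024-05-01T09:22:30 host=WS-SALES-03 dst=relay.example-teams-placeholder bytes=73400
2024-05-01T09:23:00 host=WS-SALES-03 dst=relay.example-teams-placeholder bytes=990
2024-05-01T09:59:00 host=WS-SALES-03 dst=relay.example-teams-placeholder bytes=41000
'@

function Get-BeaconCandidates {
    param(
        [string[]]$Lines,
        [int]$MinConnections = 6,      # ignore pairs with too few events to judge
        [double]$MaxJitterRatio = 0.15 # stddev/mean of the gaps; lower = more clock-like
    )

    # Parse each line into a structured record (constructed key=value format).
    $parsed = foreach ($line in $Lines) {
        if ($line -match '^(?<ts>\S+)\s+host=(?<host>\S+)\s+dst=(?<dst>\S+)\s+bytes=(?<bytes>\d+)$') {
            [pscustomobject]@{
                Time  = [datetime]::Parse($Matches.ts, [cultureinfo]::InvariantCulture)
                Host  = $Matches.host
                Dst   = $Matches.dst
                Bytes = [int]$Matches.bytes
            }
        }
    }

    $parsed | Group-Object Host, Dst | ForEach-Object {
        $events = @($_.Group | Sort-Object Time)
        if ($events.Count -lt $MinConnections) { return }

        # Seconds between consecutive connections for this host/destination pair.
        $gaps = for ($i = 1; $i -lt $events.Count; $i++) {
            ($events[$i].Time - $events[$i - 1].Time).TotalSeconds
        }

        # Mean and standard deviation computed by hand so the script also runs
        # on Windows PowerShell 5.1, which lacks Measure-Object -StandardDeviation.
        $mean     = ($gaps | Measure-Object -Average).Average
        $variance = ($gaps | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Average).Average
        $stdDev   = [math]::Sqrt($variance)
        $jitter   = if ($mean -gt 0) { $stdDev / $mean } else { 0 }

        [pscustomobject]@{
            Host           = $events[0].Host
            Dst            = $events[0].Dst
            Connections    = $events.Count
            MeanGapSeconds = [math]::Round($mean, 1)
            JitterRatio    = [math]::Round($jitter, 3)
            Suspicious     = ($jitter -le $MaxJitterRatio)
        }
    }
}

# Usage: WS-FINANCE-01 (gaps of 58-62 s, jitter well under 0.15) is flagged;
# WS-SALES-03 (gaps from 5 s to 36 min) is not.
Get-BeaconCandidates -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

A hit from this check is a prompt for a closer look, not a verdict: confirm whether the flagged machine actually has a Teams client running and a signed-in user, and compare its traffic volume and timing against peers before escalating.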

Why Small and Medium Businesses Are Especially at Risk

Large enterprises typically have dedicated security operations teams who monitor network behaviour around the clock and have tools capable of deep packet inspection — essentially reading the content of traffic, not just where it's coming from. Most SMBs don't have that luxury.

If you're running a business with a lean IT setup, you're probably relying on your firewall, your antivirus, and the assumption that traffic from a Microsoft server is safe. That assumption is exactly what these attackers are counting on.

There's another layer to this problem. Ransomware attacks rarely start with ransomware. Before the encryption begins, attackers spend time inside your network gathering credentials, mapping your systems, and identifying your most valuable data. During this reconnaissance phase, they need to communicate with their own servers — and that's when techniques like Teams relay abuse are most useful. By the time the ransomware deploys, the damage to your credentials and sensitive data may already be done.

What This Means for Your Defences Right Now

First, review who has external access through Teams. Many businesses enable Teams federation — the ability for people outside your organisation to message or call your staff directly. If you don't actively need this, consider restricting it. Reducing your external attack surface is always worthwhile.
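The review and the restriction described above can both be done from the Teams PowerShell module. The commands below are an added example (not from the original post or from Breachrr) and assume the MicrosoftTeams module is installed and that you sign in with an account holding a Teams administrator role; partner.example.com is a placeholder domain for the allow-list variant.

```powershell
# Added example, not from the original post. Requires the MicrosoftTeams module
# and a Teams administrator sign-in; run from an admin workstation.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Step 1: review the current external-access settings before changing anything.
# AllowFederatedUsers   - chat/calls with other Microsoft 365 organisations
# AllowTeamsConsumer    - chat with personal (consumer) Teams accounts
# AllowedDomains        - "AllowAllKnownDomains" or an explicit allow list
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer,
                  AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains |
    Format-List

# Step 2 (option A): no business process needs external chat or calls, so turn
# federation off for other tenants and for consumer accounts.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
                                    -AllowPublicUsers $false `
                                    -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# Step 2 (option B): a few known partners must stay reachable, so keep
# federation on but limit it to an explicit allow list (placeholder domain).
# $partnerList = New-CsEdgeAllowList -AllowedDomain @(
#     New-CsEdgeDomainPattern -Domain "partner.example.com"
# )
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $partnerList

# Step 3: confirm the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains
```

Record the "before" output from step 1 somewhere outside the tenant: if the change breaks a workflow you did not know about, it tells you exactly what to restore, and it doubles as a baseline you can diff against later to spot settings that have drifted.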

Second, treat credential security as your first line of defence. Attackers abusing communication tools like Teams almost always have a foothold that started somewhere else — a phished password, a stolen session token, or credentials pulled from an infostealer log circulating on the dark web. If compromised login details for your business are already out there, a determined attacker doesn't need to brute-force their way in. They walk in through the front door.

Third, make sure your staff know that Teams messages from external contacts should be treated with the same caution as emails from strangers. Social engineering through Teams — fake IT support requests, urgent messages impersonating vendors — is increasingly common and often the first step in an intrusion.

The Credentials Problem You Might Not Know You Have

The Microsoft Teams ransomware technique is sophisticated, but it almost always relies on a starting point that's far more mundane: a stolen username and password. Infostealer malware — software that silently harvests login credentials from infected devices — is one of the most common tools in a ransomware operator's toolkit. Those credentials get sold or shared on dark web markets and forums, sometimes for months before anyone uses them.

For SMBs, the uncomfortable truth is that your staff's credentials, your domain infrastructure, or even internal tools may already be exposed somewhere online without your knowledge. That's precisely the kind of exposure Breachrr monitors — checking breach databases, infostealer dumps, dark web markets, public code repositories, and domain infrastructure so you know before attackers act.

If you're not sure what's already out there about your business, now is a good time to find out. Run a free audit at breachrr.com/audit and get a clear picture of your current exposure in minutes.
