Full Report
Attackers are increasingly targeting collaboration platforms like Microsoft Teams. Learn the risks and key steps to strengthen your organization's security. The post When “Hi, This Is IT” Comes Through Microsoft Teams appeared first on Unit 42.
Analysis Summary
# Best Practices: Securing Collaboration Platforms Against Teams-Based Phishing
## Overview
These practices address the rising trend of "social engineering 2.0," where attackers bypass traditional email security by using Microsoft Teams to impersonate IT staff. They focus on preventing unauthorized external access, mitigating credential theft, and hardening the collaboration environment against sophisticated phishing attempts.
## Key Recommendations
### Immediate Actions
1. **Restrict External Access:** Modify Teams settings to "Only allow specific external domains" or disable external access entirely if not required for business operations.
2. **Enable MFA with FIDO2:** Transition from SMS codes and push notifications to hardware security keys or certificate-based authentication, so that "MFA fatigue" attacks have no prompt to approve.
3. **Implement Conditional Access (CA):** Create policies that require compliant, managed devices for any access to Teams and Microsoft 365 resources.
4. **Review IT Staff Identity:** Ensure IT support staff have distinct, verifiable profiles (e.g., standard avatars or specific naming conventions) and remind users that IT will never ask for passwords via chat.
### Short-term Improvements (1-3 months)
1. **Deploy Communication Compliance Policies:** Use Microsoft Purview to scan for sensitive information sharing or suspicious links within Teams chats.
2. **External Access Alerts:** Configure alerts in the Microsoft 365 Defender portal to notify security teams when a user initiates a chat with a previously unknown external entity.
3. **Advanced Phishing Simulations:** Update awareness training to include "smishing" and "Teams-phishing" scenarios, specifically simulating the "Hi, this is IT" lure.
### Long-term Strategy (3+ months)
1. **Zero Trust Architecture:** Pivot to a model where "identity is the new perimeter," ensuring every Teams session is continuously verified based on device health, location, and behavior.
2. **Identity Governance:** Implement regular Access Reviews to ensure external guests and former employees have their access revoked automatically.
## Implementation Guidance
### For Small Organizations
- **Focus on Defaults:** Disable "External Access" in the Teams Admin Center unless explicitly needed.
- **Security Defaults:** Enable Microsoft Security Defaults to ensure basic MFA is enforced for all users globally.
### For Medium Organizations
- **Domain Allow-listing:** Create an "Allow List" of trusted partner domains in the Teams Admin Center rather than leaving it open to "All external domains."
- **Managed Devices:** Use Microsoft Intune to ensure only company-approved laptops and mobile devices can sign in to Teams.
### For Large Enterprises
- **Cross-Tenant Synchronization:** Use granular B2B direct connect settings for trusted subsidiaries while blocking all other external communications.
- **SIEM Integration:** Export Teams activity logs (via Office 365 Management Activity API) to a SIEM (like Cortex XSIAM or Sentinel) to hunt for anomalous login patterns or mass file downloads.
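The external-access alerting in the short-term list and the SIEM hunting above come down to the same check over exported Teams activity: which chats involve a participant outside the tenant, whether that participant's domain is on the partner allow list, and whether the sender is presenting as IT. The following is an added example written for this summary, not Unit 42 or Microsoft code. It assumes records shaped like the Office 365 Management Activity API's Teams audit events (`Workload`, `Operation`, `UserId`, `Members[].DisplayName` and `Members[].UPN`); confirm those field names against records pulled from your own tenant. The tenant domains, partner allow list and the sample records are constructed.

```python
"""Triage Microsoft Teams audit records for chats with external participants.

Added example for this summary; not Unit 42 or Microsoft code. The record
shape follows the Office 365 Management Activity API's Teams schema, but
verify the field names against an export from your own tenant.
"""
from __future__ import annotations

import re

# Constructed: the tenant's own domain(s) and the partner domains the Teams
# admin center allow list permits. Entries match exactly; list a partner's
# subdomain as its own entry in this example.
TENANT_DOMAINS = {"example.com"}
ALLOWED_EXTERNAL_DOMAINS = {"partner.example"}

# Display names an external sender would use to pass as the help desk.
IT_LURE_PATTERN = re.compile(r"\b(it|helpdesk|help desk|support|service desk)\b", re.I)

# Operations worth inspecting; other Teams events (e.g. TeamCreated) are ignored.
TEAMS_OPS = {"ChatCreated", "MessageSent"}

# Constructed sample records in the shape of Teams audit events.
SAMPLE_RECORDS = [
    {   # 1: internal one-on-one chat, nothing to report
        "CreationTime": "2024-06-03T09:10:02", "Workload": "MicrosoftTeams",
        "Operation": "ChatCreated", "UserId": "alice@example.com",
        "CommunicationType": "OneOnOne",
        "Members": [{"DisplayName": "Alice", "UPN": "alice@example.com"},
                    {"DisplayName": "Bob", "UPN": "bob@example.com"}],
    },
    {   # 2: first contact with an allow-listed partner domain
        "CreationTime": "2024-06-03T09:12:44", "Workload": "MicrosoftTeams",
        "Operation": "MessageSent", "UserId": "alice@example.com",
        "CommunicationType": "OneOnOne",
        "Members": [{"DisplayName": "Alice", "UPN": "alice@example.com"},
                    {"DisplayName": "Carol", "UPN": "carol@partner.example"}],
    },
    {   # 3: external tenant not on the allow list, sender posing as the help desk
        "CreationTime": "2024-06-03T11:40:19", "Workload": "MicrosoftTeams",
        "Operation": "MessageSent", "UserId": "helpdesk@it-servicedesk.example",
        "CommunicationType": "OneOnOne",
        "Members": [{"DisplayName": "IT Helpdesk", "UPN": "helpdesk@it-servicedesk.example"},
                    {"DisplayName": "Dave", "UPN": "dave@example.com"}],
    },
    {   # 4: SharePoint event from the same export, skipped by the workload filter
        "CreationTime": "2024-06-03T11:41:00", "Workload": "SharePoint",
        "Operation": "FileDownloaded", "UserId": "dave@example.com",
    },
]


def domain_of(upn: str) -> str:
    """Lower-cased domain part of a user principal name."""
    return upn.rsplit("@", 1)[-1].lower()


def triage(records, tenant_domains=TENANT_DOMAINS,
           allowed=ALLOWED_EXTERNAL_DOMAINS, seen=None):
    """Return (findings, seen).

    `seen` is the set of external domains already observed; pass it back in
    on the next batch so only genuinely new domains are reported as first
    contact. Known allow-listed partners produce no finding at all.
    """
    seen = set() if seen is None else seen
    findings = []
    for rec in records:
        if rec.get("Workload") != "MicrosoftTeams" or rec.get("Operation") not in TEAMS_OPS:
            continue
        for member in rec.get("Members", []):
            domain = domain_of(member["UPN"])
            if domain in tenant_domains:
                continue
            first_contact = domain not in seen
            seen.add(domain)
            if domain in allowed:
                if not first_contact:
                    continue
                severity, reason = "low", "first contact with allow-listed partner domain"
            else:
                # Should not occur once external access is restricted; if it
                # does, the allow list is not being enforced for this user.
                severity, reason = "high", "external domain not on allow list"
                if IT_LURE_PATTERN.search(member.get("DisplayName", "")):
                    severity, reason = "critical", "external sender posing as IT support"
            findings.append({
                "time": rec.get("CreationTime"),
                "initiator": rec.get("UserId"),
                "external_upn": member["UPN"],
                "domain": domain,
                "first_contact": first_contact,
                "severity": severity,
                "reason": reason,
            })
    return findings, seen


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS)[0]:
        print(f"[{f['severity']}] {f['time']} {f['initiator']} <-> "
              f"{f['external_upn']}: {f['reason']}")
```

Running this over the constructed batch yields two findings: a low-severity first contact with `partner.example` and a critical finding for the "IT Helpdesk" sender from a domain that is not on the allow list. Persist the returned `seen` set between batches (for example in the SIEM's lookup table) so that partner first contacts are raised once rather than on every export.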
## Configuration Examples
**Teams Admin Center - External Access:**
- *Path:* Users > External Access
- *Setting:* Set "Choose which domains your users have access to" to **"Allow only specific external domains."**
- *Setting:* Toggle **OFF** "Users can communicate with Skype users."
**Microsoft Entra (Azure AD) - Conditional Access:**
- *Condition:* Cloud Apps > Include "Microsoft Teams."
- *Grant:* "Require multi-factor authentication" AND "Require device to be marked as compliant."
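A quick way to confirm the Conditional Access policy above is actually in force, rather than configured but disabled or missing one of the two grant controls, is to audit the policies exported from Microsoft Graph. The following is an added example written for this summary, not Microsoft code. It assumes the shape of the Graph `conditionalAccessPolicy` resource (`state`, `conditions.applications`, `conditions.users`, `grantControls`) as returned by `GET /identity/conditionalAccess/policies`; the application id used for Teams is the well-known first-party id and should be confirmed in your tenant, and the sample policies are constructed.

```python
"""Audit exported Conditional Access policies for the Teams requirement:
MFA AND compliant device, for all users, in an enabled policy.

Added example for this summary; not Microsoft code. Policy shape follows the
Microsoft Graph conditionalAccessPolicy resource; sample policies are constructed.
"""
from __future__ import annotations

import copy

# Well-known first-party application id for Microsoft Teams in Entra ID.
# Confirm it in your own tenant before relying on it (assumption).
TEAMS_APP_ID = "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"
REQUIRED_CONTROLS = {"mfa", "compliantDevice"}

# Constructed sample export: one broad MFA-only policy, one Teams policy left
# in report-only mode, and a block policy that is not a grant policy at all.
SAMPLE_POLICIES = [
    {
        "id": "p1", "displayName": "Require MFA for all cloud apps", "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["All"]},
                       "users": {"includeUsers": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "id": "p2", "displayName": "Teams: MFA + compliant device",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"applications": {"includeApplications": [TEAMS_APP_ID]},
                       "users": {"includeUsers": ["All"],
                                 "excludeGroups": ["break-glass-group-id"]}},
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    },
    {
        "id": "p3", "displayName": "Block legacy authentication", "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["All"]},
                       "users": {"includeUsers": ["All"]},
                       "clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def covers_teams(policy: dict) -> bool:
    """True when the policy's application scope includes Teams."""
    apps = policy.get("conditions", {}).get("applications", {})
    if TEAMS_APP_ID in apps.get("excludeApplications", []):
        return False
    include = apps.get("includeApplications", [])
    return "All" in include or TEAMS_APP_ID in include


def covers_all_users(policy: dict) -> bool:
    """True when all users are in scope. Group exclusions (e.g. a break-glass
    group) are normal practice and are not treated as a gap here."""
    return "All" in policy.get("conditions", {}).get("users", {}).get("includeUsers", [])


def assess(policies: list[dict]) -> dict:
    """Return which policies satisfy the Teams requirement and why others do not."""
    satisfied, gaps = [], []
    for p in policies:
        if not covers_teams(p):
            continue
        grant = p.get("grantControls") or {}
        controls = set(grant.get("builtInControls", []))
        if "block" in controls:
            continue  # a block policy is not a grant policy; skip it
        name = p.get("displayName", p.get("id"))
        if p.get("state") != "enabled":
            gaps.append(f"{name}: covers Teams but state is {p.get('state')!r}, not 'enabled'")
            continue
        if not covers_all_users(p):
            gaps.append(f"{name}: does not include all users")
            continue
        missing = REQUIRED_CONTROLS - controls
        if missing:
            gaps.append(f"{name}: missing grant control(s) {sorted(missing)}")
            continue
        if grant.get("operator") != "AND":
            gaps.append(f"{name}: operator is {grant.get('operator')!r}; "
                        "'OR' lets a session satisfy just one control")
            continue
        satisfied.append(name)
    return {"satisfied": satisfied, "gaps": gaps, "teams_protected": bool(satisfied)}


def with_state(policy: dict, state: str) -> dict:
    """Copy of a policy with a different state, for what-if checks."""
    fixed = copy.deepcopy(policy)
    fixed["state"] = state
    return fixed


if __name__ == "__main__":
    result = assess(SAMPLE_POLICIES)
    print("Teams protected:", result["teams_protected"])
    for gap in result["gaps"]:
        print(" -", gap)
```

On the constructed export the check reports that Teams is not protected: the broad policy lacks `compliantDevice`, and the Teams-specific policy is still in report-only mode. Switching that policy's state to `enabled` (via `with_state`) is what makes the requirement hold, which is the point of running the check before assuming the admin-center setting above is live.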
## Compliance Alignment
- **NIST CSF:** PR.AC-1 (Access Control) and PR.AT-1 (Security Awareness).
- **CIS Controls:** Control 6 (Access Control Management) and Control 14 (Security Awareness and Skills Training).
- **ISO/IEC 27001:** Annex A.9.2 (User Access Management).
## Common Pitfalls to Avoid
- **The "Open by Default" Trap:** Assuming Teams is internal-only. Many organizations don't realize that, by default, any Teams user in the world can message their employees.
- **MFA Complacency:** Relying on simple push notifications, which are susceptible to "MFA exhaustion" (where an attacker spams the user with prompts until they click "Approve").
- **Ignoring Mobile:** Failing to apply the same security controls to the Teams mobile app as to the desktop client.
## Resources
- **Microsoft Teams Security Guide:** hxxps[://]learn[.]microsoft[.]com/en-us/microsoftteams/teams-security-guide
- **Unit 42 Threat Research:** hxxps[://]unit42[.]paloaltonetworks[.]com/
- **CISA Social Engineering Guidance:** hxxps[://]www[.]cisa[.]gov/resources-tools/resources/social-engineering-best-practices