Cybersecurity researchers say the criminal group known as KongTuke has started using Microsoft Teams as an intrusion vector to compromise corporate environments and gain initial access to organizations. The report was published by BleepingComputer.
According to the researchers, the attackers are exploiting the high level of trust many companies place in workplace collaboration platforms. Instead of relying only on traditional phishing emails, KongTuke now contacts employees directly through Microsoft Teams messages that appear to come from internal IT or support staff.
This technique is especially dangerous because many organizations treat Teams as a safe environment by default. Users are more likely to lower their guard when a message arrives through a familiar corporate platform, particularly if the sender appears to belong to technical support.
The observed campaign relies on carefully staged social engineering. In some cases, the attackers persuade employees to launch remote-access tools or accept external sessions that end up giving operators partial control over compromised systems. Once inside the network, they move laterally, steal credentials, and deploy additional malware.
The case reflects an important change in modern intrusion tactics. As anti-spam filters and email defenses improve, criminal groups are shifting toward enterprise collaboration platforms such as Teams, Slack, and other business messaging tools to bypass traditional controls.
Specialists warn that remote work and hybrid environments have dramatically expanded the attack surface for this type of campaign. Collaboration platforms now give direct access to employees, internal documents, meetings, calendars, and sensitive communication channels.
The use of legitimate tools also makes detection much harder. From a technical standpoint, many of these actions look like ordinary corporate traffic, forcing SOC teams to rely more heavily on behavior analysis and contextual signals.
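One way to turn such contextual signals into a detection, as an added example that is not from the report or the researchers: it flags a Teams chat from an external tenant whose sender name imitates support staff when the same user starts a remote-access tool shortly afterwards. The event field names, tenant ID, keywords, tool names and time window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumptions (not from the article): event field names, the home tenant id,
# the display-name keywords and the remote-access tool names are placeholders.
HOME_TENANT = "tenant-home"
SUPPORT_WORDS = ("it support", "help desk", "helpdesk", "service desk")
REMOTE_TOOLS = {"remote-tool-a.exe", "remote-tool-b.exe"}
WINDOW = timedelta(minutes=30)


def is_suspicious_chat(ev):
    """External-tenant chat whose sender name imitates internal support."""
    if ev["type"] != "teams_chat" or ev["sender_tenant"] == HOME_TENANT:
        return False
    name = ev["sender_name"].lower()
    return any(word in name for word in SUPPORT_WORDS)


def correlate(events, window=WINDOW):
    """Return alerts where a suspicious chat is followed, for the same user
    and within `window`, by the start of a remote-access tool."""
    alerts = []
    last_chat = {}  # user -> most recent suspicious chat event
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_suspicious_chat(ev):
            last_chat[ev["user"]] = ev
        elif ev["type"] == "process_start" and ev["image"].lower() in REMOTE_TOOLS:
            chat = last_chat.get(ev["user"])
            if chat and ev["ts"] - chat["ts"] <= window:
                alerts.append({"user": ev["user"], "host": ev["host"],
                               "sender": chat["sender_name"], "tool": ev["image"],
                               "delay_s": int((ev["ts"] - chat["ts"]).total_seconds())})
    return alerts


# Constructed sample events, not taken from any real incident.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    {"ts": T0, "type": "teams_chat", "user": "alice", "sender_tenant": "tenant-ext", "sender_name": "IT Support Desk"},
    {"ts": T0 + timedelta(minutes=7), "type": "process_start", "user": "alice", "host": "WS-01", "image": "remote-tool-a.exe"},
    {"ts": T0 + timedelta(minutes=10), "type": "teams_chat", "user": "bob", "sender_tenant": "tenant-home", "sender_name": "Help Desk"},
    {"ts": T0 + timedelta(minutes=12), "type": "process_start", "user": "bob", "host": "WS-02", "image": "remote-tool-a.exe"},
    {"ts": T0 + timedelta(minutes=60), "type": "teams_chat", "user": "carol", "sender_tenant": "tenant-ext", "sender_name": "Service Desk"},
    {"ts": T0 + timedelta(minutes=150), "type": "process_start", "user": "carol", "host": "WS-03", "image": "remote-tool-b.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

In the sample, only alice is flagged: bob's chat comes from the home tenant, and carol's tool launch falls outside the 30-minute window.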
The incident is another reminder that social engineering remains one of the most effective weapons in modern cybercrime. Even organizations with mature infrastructure can be exposed if an attacker successfully manipulates an employee with internal access.
Researchers also note that criminal groups and state-backed operators are increasingly combining automation, artificial intelligence, and advanced manipulation techniques to make campaigns more convincing and harder to detect.
For many companies, the challenge is no longer limited to protecting servers and firewalls. It also includes securing the digital spaces where employees work every day.