Microsoft Teams Security Attack Matrix

In Microsoft Teams – “Attackers didn’t break in — they joined the meeting…”

Welcome to the frontline of enterprise collaboration compromise: Microsoft Teams. Once just a chat app, now a sprawling hub for files, apps, identities, secrets… and attackers. In this age of hybrid work, Microsoft Teams is no longer a soft target. It’s a high-value kill zone.

Why is Teams a Target? 

Microsoft Teams has evolved into an identity rich communications platform that integrates deeply with SharePoint, OneDrive, Exchange Online, Entra ID, and a growing list of third-party applications. It’s where decisions are made, credentials are dropped, tokens flow, and sensitive documents are shared without a second thought.

And guess what? Attackers know this. They’re not just brute forcing endpoints anymore, they’re pivoting through shared channels, harvesting OAuth tokens, and embedding malicious bots that blend into daily workflows. Microsoft Teams is becoming the new lateral movement highway, especially in enterprises that underestimate its threat surface.

Recently, I published the Microsoft Teams Attack Matrix, a light version with some thoughts from the field (security testing, cyber incidents, and more). After a while, it’s had some insightful comments.

A personal thought on the Cloud Attack Matrix

As a security researcher, red teamer mindset, and incident responder, I don’t just reference the Cloud Matrix —
I live in it. It helps me map real adversary behavior across Microsoft 365, GWS, Azure, AWS, and GCP.

As a researcher, it helps me decode attacks and persistence in cloud control planes, turning undocumented attacks into structured TTPs.

As a red teamer mindset, it gives me the playbook to simulate real-world attacks from abusing to backdooring and exploiting.

As an IR, it’s how I pivot, fast-mapping actions and events directly to unknown and new tactics.

But the real power? It’s a mindset shift. With logic, technique, and flow, you can start seeing the cloud not as a black box but as an attack surface. And as I always say, “I’m living off the Cloud, not the land.”

To bring structure to this chaotic frontier, researchers have begun mapping out the Microsoft Teams Attack Matrix—a tailored framework inspired by MITRE ATT&CK, but with Teams as the central battleground.

Exploiting Microsoft Teams as an entry point and lateral movement vector, the Microsoft Teams Attack Matrix emerges as a precision-built framework, mapping techniques like malicious app sideloading, OAuth token hijacking, external tenant abuse, and command injection via bots, transforming Teams from a collaboration tool into an actively contested attack surface.

This matrix breaks down attacks across:

• Reconnaissance (finding meetings, exposed links, shared files – internal and external)

• Initial Access (phishing invites, token hijacking, app consent, Teams app exploitation)

• Discovery (API enumeration of users, roles, and files)

• Persistence (OAuth refresh tokens, Teams policy manipulation, etc.)

• Lateral Movement (shared channel hopping, bot abuse, etc.)

• Exfiltrate (Teams chat scraping, SharePoint sync, etc.)

• Command & Control (messages and meetings as covert channels, etc.)

Note: The following matrix is the light version of the Microsoft Teams Attack Matrix. 

Reconnaissance

Attackers operate in passive and active recon modes to map Microsoft Teams environments before any real exploitation begins.

Enumerate Teams URLs

Attackers guess or bruteforce valid tenant URLs teams.microsoft.com/l/tenant-id/meetup-join/to identify orgs. Many orgs expose Join meeting pages publicly. Attackers can infer tenant names, logos, and Teams subdomain structure.

Tooling: Automated tools can use Graph API /organization with tokens or scrape URLs for metadata.

Scan for Open Meetings

Attackers test for meetings without authentication required. “Anonymous join” settings — often enabled for vendors or webinars — let external users access video, audio, and chat without logging in.

Real-world: If chat is enabled, attackers can drop phishing links or C2 beacons mid-meeting.

External Teams Enumeration

Using Microsoft Teams federation (external access), an attacker with any M365 account can try to message [email protected]. If the org allows federation, responses (like presence or NDRs) leak info.

Detection Tip: Look for Teams messages from unknown domains with repeated targeting patterns.

Search for Public Teams

Some Teams are (mistakenly) configured as public. Anyone with a link or access to the tenant can join. These Teams may contain open channels, files, and internal discussions.

Example: Public Teams used for community support or onboarding can be indexed via search engines.

Collect Meeting Metadata

Adversaries who gain access (via stolen accounts or guest access) can scrape calendars, meeting titles, descriptions, and participant lists. This is useful for social engineering or chaining attacks.

API: Microsoft Graph /me/events or /users/{id}/calendar leaks calendar intel.

---

Phishing via Teams Links/Invites

Attacker Logic: Instead of email-based phishing, attackers exploit the trusted UI of Microsoft Teams. The attack uses:

• Fake meeting invites (calendar-based)

• Direct chat messages with malicious links

• External federation messages from a compromised org

The messages often impersonate IT, HR, or executives to increase click-through.

Red Team View:

• Use a compromised external tenant to send invites with payloads (e.g., hosted on fake SharePoint).

• Host malicious tabs or apps within Teams itself using teams.microsoft.com/_.

Defender Response:

• Disable external federation if not needed.

• Inspect Meeting Join links in audit logs.

• Enforce Safe Links in Teams messages.

Token Theft from Teams Web Sessions

Attacker Logic: Modern browsers store session tokens like:

• authtoken – used for Graph API.

• skypetoken – used by legacy Teams APIs (chat, presence).

• Bearer Tokens – standard OAuth JWTs.

• Attackers exfil tokens via:

  • Infostealers (RedLine, Raccoon, etc.).

  • XSS payloads are injected via SharePoint tabs or phishing pages.

  • Malicious browser extensions.

Red Team View: Steal tokens from a victim’s browser and replay them using curl or Postman against:

• https://graph.microsoft.com/v1.0/me/chats

• https://teams.microsoft.com/api/mt/… endpoints

Brute-force Teams login (via EID)

Attacker Logic: Most orgs use predictable email naming patterns: [email protected], [email protected].

• Attackers run password spray attacks via:

  • Basic authentication (SMTP, IMAP)

  • Modern auth endpoints (/common/oauth2/token)

• AAD doesn’t block based on IP — attackers rotate proxies and go slow.

Red Team View:

• Use tools like o365spray, MSOLSpray, or custom scripts to:

  • Enumerate valid usernames (Autodiscover, Teams federation probing)

  • Spray against login.microsoftonline.com

OAuth App Consent Grant Phishing

Attacker Logic: The Attacker creates a malicious Azure app and sends a link to users:

• The user is prompted to “Accept” the app. Once done, the app has delegated or app-level access to the Graph API.

Red Team View:

• App scopes like Files.Read.All, User.ReadWrite.All, Chat.Read can pull Teams content, chats, and files silently.

• App can persist via refresh tokens.

MFA Bypass via Legacy Authentication

Attacker Logic:

• Protocols like IMAP, POP3, SMTP AUTH, and even legacy PowerShell modules don’t support modern MFA.

• If a Teams-connected user (via Exchange or SharePoint) has legacy auth enabled, attackers bypass MFA.

Red Team View:

• Target these endpoints:

  • outlook.office365.com

  • smtp.office365.com

  • login.microsoftonline.com with Basic Auth headers

---

Discovery

Post-access enumeration — attackers use this stage to map out internal attack paths.

Enumerate Teams / Channels / Members

Once authenticated, /groups and /teams Graph API endpoints return group IDs, channel names, members, and roles.

Useful: Identify owners vs guests, file-sharing patterns, and channel visibility.

Enumerate Permissions / Roles via Graph API

Attackers inspect directoryRoles (/directoryRoles) and permissions assigned to users/apps to identify privilege escalation paths.

Example: “Teams Service Admin” can manage apps and bots across org.

Discover External Access and Guest Settings

Graph endpoint /organization and /settings reveal whether external users are allowed, if guest access is enabled, and which domains are trusted.

Pivot Point: Guest access opens lateral movement options into partner orgs.

Detect Files Shared in Public Channels

Attackers list files from Teams channels using /drives/{id}/root/children. Public channels often expose sensitive files, and default retention policies may not clean them up.

Identify Teams-integrated Apps and Bots

Apps installed across Teams are listed via /teams/{id}/installedApps. This reveals connected SaaS tools, internal bots, or third-party integrations — all potential pivots.

---

Persistence

Once in, attackers aim to stay in quietly.

Malicious Teams App Registration

Register a Teams app with malicious tabs or bots. Once installed org-wide, it acts with the defined permissions, which may include full Graph access.

Stealth: Admins rarely audit internal apps once approved.

Persist via OAuth Refresh Token

OAuth tokens come with refresh tokens, which attackers can reuse indefinitely unless revoked. MFA bypassed.

Token Abuse: You don’t need the password again — just keep refreshing.

Add Malicious Guest Account

An attacker controlling a tenant can invite their user to another org, becoming a guest in victim’s Teams. Access persists even if the original compromise is lost.

Modify Teams Policies (via Graph)

If permissions allow, attackers modify message retention, file sharing, or app policies to weaken defenses.

Example: Disabling file upload restrictions to ease exfiltration.

Abuse Teams Admin Role

With elevated roles viadirectoryRoles, attackers can create users, install apps, export data, and set policies. Complete control.

---

Lateral Movement

Once inside, the attacker shifts focus from compromise to expansion — seeking other users, connected tenants, or services to control. Lateral movement in Microsoft Teams isn’t just hopping from user to user. It includes tenant-to-tenant movement, cross-service abuse, and leveraging automation or identity chaining to escalate silently.

Access Shared Channels Across Tenants

Microsoft Teams allows cross-tenant shared channels using Entra ID B2B Direct Connect. These are powerful for collaboration, but incredibly risky when abused.
If two tenants are linked via a shared channel and one is compromised, the attacker can move laterally into the other, often without needing to authenticate again.
Permissions from the guest tenant propagate into the shared space. Attackers gain a foothold in both environments if the compromised identity has write or admin permissions in the shared channel.

Attacker actions:

• Browse Teams and channels across both tenants

• Enumerate membership and owners

• Drop payloads or exfil data using Teams APIs

Defensive actions:

• Audit all shared channels regularly

• Disable or tightly restrict B2B Direct Connect

• Use Conditional Access with tenant restrictions

Compromised Account Access to Other Tenants

Many users belong to multiple Microsoft 365 tenants as guests, especially consultants, suppliers, and IT staff.
Once an attacker compromises a single user, they use the Graph API to check which tenants the account is joined to:
GET /me/joinedTeams returns a list of all Teams across all tenants the user can access.
From there, the attacker enumerates channels, chats, and files. If permissions are loose, they can drop malware, harvest data, or escalate further depending on roles.

Attacker actions:

• Dump all Teams IDs with /me/joinedTeams

• Cycle through tenants using the Authorization header with different tokens

• Target users and apps in other tenants

Abuse Teams Bot with Tenant-wide Access

Bots integrated into Teams often run with excessive permissions:

• Chat.ReadWrite.All

• Files.ReadWrite.All

• TeamsActivity.Send

These bots are typically service principals with their own credentials, tokens, or secret keys.
If compromised, they provide an attacker with silent, long-term access.
Bots can read messages, impersonate users, modify files, and even send new messages or commands.

Attacker actions:

• Discover bots with /teams/{id}/installedApps

• Extract bot tokens or secrets from local config or cloud storage

• Use bot credentials to operate in stealth

Teams Connector Abuse in Power Automate

Power Automate connectors for Teams provide automation capabilities: sending messages, creating meetings, and interacting with files.
If a flow is misconfigured, overly permissive, or created by a compromised user, attackers can use it to move laterally or exfiltrate data.
Flows run with the identity of the user who created them, which means they inherit the user’s Teams permissions.

Attacker actions:

• Discover or modify flows via Power Automate UI or Graph API

• Inject malicious logic (auto-forward messages, export files)

• Use connector steps to write to other services (Gmail, Dropbox, etc.)

Move Laterally via Teams-connected Services

Microsoft Teams is not isolated. It’s tightly integrated with SharePoint, OneDrive, Exchange Online, Azure DevOps, Viva, and more.
When users are compromised, their OAuth tokens or delegated permissions often extend into these other platforms.
For example:

• A file shared in Teams might be hosted in SharePoint

• A bot integrated with Teams might also manage data in Azure or Power BI

• Viva Insights might hold sensitive context that can be mined

Attackers leverage these integrations to find new paths, extract more data, and elevate their privileges by switching contexts.

Attacker actions:

• Use the same token to call other Microsoft APIs (SharePoint, Outlook, Graph)

• Look for connected services in Graph /subscriptions or via known integrations

• Pivot across services to escalate — e.g., from Teams to SharePoint

---

Exfiltration

At this point, the attacker has access, and the priority becomes data theft. The methods vary from silent API abuse to old-school screen sharing. They’re not always flashy, but they’re effective. Whether it’s intellectual property, sensitive conversations, credentials, or strategy decks, Teams is a goldmine.

Download Shared Chat Files

Every file shared in a Teams chat or channel is backed by SharePoint or OneDrive, depending on where it originated. When a user drops a file into a conversation, it can be retrieved via the Teams GUI or the Graph API.
Attackers with valid session tokens or Graph access can iterate over channels or chats, pulling down shared documents, media, exports, and cached credentials, without triggering download alerts.

Attacker actions:

• Enumerate chats: /me/chats

• Iterate messages: /chats/{id}/messages

• Scrape attachments and download via the generated links

Why it’s dangerous:

• Files are often unlabeled, with no classification or DLP applied

• Downloading a hundred files via API looks like a sync job, not theft

Use SharePoint Links from Teams for Staging

When uploaded in Teams, files are stored in SharePoint or OneDrive, depending on the context (channel vs. 1:1 chat). Attackers abuse this behavior to:

• Stage payloads for later access (e.g., a malicious PowerShell script)

• Use public or “anyone with a link” sharing to pull data from outside

• Chain attacks by embedding these links in phishing messages to others inside or outside the org

Attacker actions:

• Upload tools or stolen data to SharePoint via Graph or the Teams UI

• Generate shareable links

• Download from attacker-controlled infrastructure or third-party clients

Why it works:

• Teams users rarely notice who shared what, or where files are hosted

• DLP is often blind to publicly shared files created from Teams

Sync Teams Files to External Cloud

This is as simple as opening OneDrive or SharePoint in a browser and linking it to Dropbox, Box, or Google Drive. Once mounted, files synced to Teams or SharePoint can be dragged into these external systems without triggering inline DLP (unless CASB or browser isolation is in place).
Even with session control, attackers who operate from a device with native access (compromised user or endpoint) can perform drag-and-drop syncs.

Attacker actions:

• Use browser extensions to move files across cloud accounts

• Mount OneDrive alongside Dropbox using web clients

• Leverage unmanaged browsers to sync files without device controls

Use Teams API to Mass-export Data

The Microsoft Graph API allows for full, authenticated access to Teams content:

• /me/chats to enumerate conversations

• /teams/{id}/channels to list all public channels

• /channels/{id}/messages to pull the message history
  Attackers automate this to exfiltrate messages, attachments, mentions, and sentiment data.
  This export can be done quietly and quickly with app-based or delegated permission.

Attacker actions:

• Use stolen refresh tokens or OAuth app access

• Script export of messages and attachments

• Pull out sensitive data at scale and upload to the attacker’s infrastructure

Why it’s fast:

• The Graph API is designed for speed and bulk operations

• With Chat.Read.All or ChannelMessage.Read.All, attackers can exfiltrate massive volumes silently

Exfil Data via Screen Sharing or Meetings

When everything else is blocked, attackers fall back to the most analog option: screen sharing. In active meetings — especially unsupervised or external-facing ones — attackers can open sensitive files, screen share them, or use remote control features (like Teams support sessions) to extract data manually.
In hybrid and remote orgs, this goes largely undetected.

Attacker actions:

• Join scheduled meetings or create fake ones

• Share screen with sensitive documents open

• Record session or allow remote access from an external endpoint

Why it’s overlooked:

• Meeting activity isn’t always monitored

• Screen sharing is a trusted behavior

• No logs of what was actually shared — just that screen share occurred

---

Command & Control (C2)

You’ve compromised the user. Mapped the terrain. Now it’s time to control the battlefield from the inside.
Teams isn’t just a collaboration tool — it’s a stealth-grade C2 channel built into every enterprise.
And no one’s watching.

Use Teams Messages as a C2 Channel

There is no need for implants that are beaconing to shady IPs. You send your commands via chat. Base64-encoded payloads? YAML configs? Encrypted tasking? All hidden inside “quick updates,” unsuspecting users or bots. The attacker waits for replies, embedded inside a Teams thread that looks like routine operational chatter.
There are no AV signatures, outbound network alerts, or DNS logs. Just a Teams message.
It’s C2 in business casual.

Operator insight:

• Fire off encoded tasking to a compromised bot

• Collect execution output as replies, disguised as emojis, JSON, or “test logs”

• Rotate channels and threads to avoid static detection

Exfil via Teams Webhook or Chat Messages

Forget DNS tunneling. You’ve got a webhook. Data exfiltration happens in chunks uploaded to a Teams webhook URL tied to a dummy channel.
You don’t need to drop a beacon when the organization lets you send data from inside.
Webhooks are loosely monitored, rarely revoked, and blend into regular app telemetry.

Payload method:

• Chunk sensitive data

• Base64 encode and send to a Teams channel via webhook

• Or push into a Teams chat message where only your C2 bot is listening

Bonus: Combine this with message edits or deletions to erase the traces.

Embed Payloads in Scheduled Meetings

Persistence meets payload delivery. You create recurring meetings with “resource links” in the description. That link? It’s a callback domain. Or a self-extracting payload. Every Monday at “x AM”, the user opens their calendar. The connection is re-established. You’ve embedded your C2 inside the collaboration rhythm.

What makes this brutal:

• Users don’t question recurring internal meetings

• Most orgs don’t audit meeting descriptions

• URLs are live, clickable, and open in the default browser

Execution tip: Host payloads on compromised SharePoint or use redirectors to avoid reputation flags.

Long-lived Session Control via Bot Integration

Bots are the overlooked backdoor. They live in tenants with persistent tokens, high scopes (Chat.ReadWrite.All, Files.Read.All), and almost no oversight.
When you compromise a bot or register one yourself, you inherit uninterrupted control over Teams data. Users can be removed, credentials can be reset, but the bot stays alive.

Operational use:

• Maintain presence with app secrets and refresh tokens

• Rotate access through bot tasks instead of user credentials

• Use Teams UI to disguise bot behavior as automation

This isn’t malware. It’s SaaS-native persistence with full access.

Communicate via Teams Bots with Attacker Infra

You want full-duplex comms from inside the tenant to your own cloud infrastructure? Write a Teams bot that listens for commands and replies to attacker infrastructure via HTTPS. It’s just a “helpdesk assistant,” right? Wrong — it’s your internal RAT. With Teams APIs and bot framework, you’ve created C2-as-a-Service, fully integrated with Microsoft 365.

How it works:

• Register the bot in Azure AD with elevated scopes

• Wire bot logic to respond to messages or events

• Proxy tasking to attacker-hosted services via outbound webhook

---

Reconnaissance — The Silent Breach – Scenario

Before the payload, before the token theft, and before the lateral movement comes reconnaissance. In the Microsoft Teams ecosystem, reconnaissance isn’t noisy—it doesn’t need to be. It’s subtle, stealthy, and devastatingly effective.

Why Recon Matters in Teams

Every attacker needs a map. In Microsoft Teams, that map comprises meeting links, team names, channel structures, user roles, and external access configurations. The problem? Most of this information is exposed—or easily inferred—with little to no authentication.

You can enumerate or brute-force meeting links, especially if organizations don’t enforce strict access controls or guest restrictions. Tools and scripts can automate this discovery, turning exposed links into entry points for social engineering or information gathering.

In this stage, we’re not talking about abusing exploits but about abusing features.

Recon Techniques in Microsoft Teams – Meeting Link Enumeration

Teams meeting URLs follow predictable patterns. An attacker can brute force or scrape for links using tools like the following:

https://teams.microsoft.com/l/meetup-join/19%3ameeting_<unique_id>@thread.v2

Meeting Link Validation & Metadata Detection on Elli’s GitHub

Insights & tips:

• Found a valid link? If anonymous join is enabled, they’re already in your digital war room.
• The attached script is for a specific Teams meeting ID only.
• You can scrape teams.live.com for potential ones.
• As you know, recon can take minutes, hours, or several days.
• You can passively map active meetings, executives’ calendars, or recurring org-wide meetings.
• If you join a meeting silently or impersonate a user, they can gather intel, record sensitive discussions, or disrupt internal communication.
• If internal meeting links are shared in chats or documents, compromising a user account may allow attackers to pivot through calendar-based meeting invites or bot interactions.
• Ideal for red teamers creating realistic pretexts by targeting meetings tied to specific organizations, teams, projects, or execs – you can isolate the url meeting.
• This attack is called “Meeting Link Enumeration.” It is a form of cloud-based reconnaissance or URL Enumeration attack. It can also be SaaS resource discovery or URL brute forcing.

In this method, recon is invisible. Your SOC won’t catch someone viewing a public event or scraping a Teams link they found on GitHub. If you’re not hardening meeting policy, monitoring Teams sharing, link exposure, and app consents, you’re blind.

Summary

Microsoft Teams isn’t just a chat app. It’s a fully integrated, identity-driven collaboration platform that now plays a central role in corporate operations. That also makes it a prime target. Attackers exploit it not just for access but also for persistence, pivoting, exfiltration, and command and control, all from inside a trusted platform.

So, how to mitigate those attacks? In the next post.