Business Email Compromise on Microsoft Teams
Once attackers gain access to a corporate account, they extend business email compromise into Microsoft Teams chats to issue urgent payment instructions that feel internal and trusted.
Part of: Business Email Compromise (BEC)
Last reviewed: 1 June 2026
Microsoft Teams sits at the centre of many organisations' daily communication, and staff tend to treat a message there as inherently internal and trustworthy. Attackers who have compromised a single account use that trust to push fraudulent payment or data requests through chat, where verification habits are weaker than in email.
Because Teams ties messages to a recognised name and profile photo, a compromised or impersonated account can issue instructions that feel like they come from a real colleague. The informal, fast-moving nature of chat encourages quick action without the checks normally applied to financial decisions.
How this scam works on Microsoft Teams
After breaching one account, an attacker reviews existing Teams conversations to learn names, projects, and reporting lines. They then message finance or operations staff posing as an executive or a familiar vendor contact, often continuing a thread that already exists to appear legitimate.
The request mirrors classic business email compromise: an urgent transfer, a change of payment details, or the disclosure of confidential records. The chat format adds pressure, because replies are expected immediately and there is little time to reflect. Attackers may also use external-guest access to message staff from outside the organisation.
If a staff member complies, the payment is routed to a criminal-controlled account. Because the instruction came through an internal tool, suspicion is often lower and discovery is delayed until reconciliation or a supplier query exposes the loss.
Common red flags
- An executive or colleague suddenly requests a payment through chat rather than normal channels
- A message from an external guest account impersonating a known contact
- Pressure to act immediately without following payment-approval steps
- Requests to keep the transaction confidential from other team members
- A familiar name paired with slightly unusual phrasing or behaviour
- Instructions to change supplier bank details delivered only via chat
How to protect yourself
- Treat payment instructions received only through chat as unverified
- Confirm any financial request by calling the person on a known number
- Restrict or clearly label external-guest access within Teams
- Enforce multi-factor authentication on all accounts that access Teams
- Require finance approvals to follow the same process regardless of channel
- Educate staff that internal tools can still carry impersonated messages
How to report it
- Report the compromised or impersonating account to your IT security team
- Notify your national cybercrime or fraud reporting centre
- Contact your bank at once if any payment was sent
Frequently asked questions
If a message comes through Teams, does that prove it is from a real colleague?
No. A message can come from a compromised internal account or an external guest impersonating a known person. The platform confirms which account sent it, not whether that account is genuinely controlled by the person it claims to be. Verify financial requests separately.