Deepfake Microsoft Teams Executive Video Scam
Criminals use AI-generated video to impersonate Microsoft executives or IT administrators in Teams meetings, instructing employees to transfer funds, share credentials, or install remote-access software.
Part of: Deepfake Video Call Scams
Last reviewed: 8 June 2026
Microsoft Teams is central to how millions of organisations communicate. Because Teams meetings are trusted by default — employees expect to see colleagues and management there — a deepfake video call conducted within the Teams environment can be extraordinarily convincing.
Attackers first compromise or spoof a Microsoft 365 account belonging to a known executive or IT administrator, then invite a target employee to a Teams call. On the call, an AI-generated video of the spoofed person appears alongside a live audio feed, instructing the victim to perform a sensitive action urgently.
The instruction typically involves approving a financial transfer, resetting a password for an 'urgent project', or downloading a piece of software that turns out to be remote-access malware. Because the face and voice match someone the victim knows, the psychological resistance to compliance is significantly reduced.
How this scam works on the Microsoft brand
Microsoft uses Teams for legitimate executive communications and IT support. Real Microsoft IT requests follow a documented change-management process and do not require employees to act outside approved ticketing systems during an unscheduled call.
The scam begins with a calendar invitation from a compromised or lookalike Microsoft 365 account. When the victim joins, the deepfake video shows the impersonated executive in what appears to be a normal office setting. The audio voice delivers the fraudulent instruction with the naturalness of a real conversation.
Common requests include: transferring budget to an 'emergency vendor account', sharing a temporary admin password, or clicking a link in the Teams chat to download a 'required update'. Victims who hesitate are met with increasing pressure and told the matter is confidential and time-sensitive.
Common red flags
- The video shows very limited head movement, eyes that do not track naturally, or a blurring boundary around the face.
- The meeting was scheduled with very short notice and labelled urgent or confidential.
- The caller asks you to act outside normal company procedures — approving transfers or sharing credentials without a ticket.
- Audio occasionally desynchronises from lip movement, or the voice has an unnatural flat quality.
- The Teams account sending the invite has a display name or email slightly different from the real person's.
- You are asked to keep the discussion secret from your manager or compliance team.
How to protect yourself
- Verify any unexpected urgent request from a 'manager' by calling them back on a known number — never rely solely on a Teams message.
- Ask the caller a personal verification question whose answer an impersonator is unlikely to know.
- Your organisation should enforce multi-person approval for financial transfers, so no single Teams call can authorise a payment.
- Report suspicious meeting invitations to your IT security team immediately rather than joining alone.
- Keep Microsoft Teams and the underlying Microsoft 365 tenant configured with conditional-access policies and phishing-resistant MFA.
- Enable Teams meeting lobby controls so external callers cannot join without explicit admission.
How to report it
- Report suspicious Microsoft 365 account activity through your tenant's admin portal or at microsoft.com/en-us/security.
- Report financial fraud to your national authority — FTC ReportFraud.ftc.gov (US), Action Fraud actionfraud.police.uk (UK).
- If company funds were transferred, contact your bank's fraud team immediately and file a report with the FBI IC3 at ic3.gov.
- Report the spoofed Microsoft 365 account to Microsoft's abuse team at [email protected].
Frequently asked questions
Can I trust that a person in a Teams video call is really who they appear to be?
Not automatically. Deepfake video technology can render convincing likenesses in real time. For high-stakes requests, always verify through a separate communication channel such as a direct phone call to a known number.
What technical signs indicate a deepfake video on Teams?
Look for unnatural blinking patterns, a slight halo or blur at the hairline and ear boundary, lighting that does not quite match the background, and lip movements that lag the audio by a fraction of a second.
What should my company do if an employee fell for this scam?
Contact your bank immediately if any transfer was made, preserve all Teams logs and invite data for investigation, reset credentials of any account that was shared, and report to law enforcement and Microsoft.