Vendor Email Compromise on Microsoft Teams
After breaching a vendor account, attackers extend invoice fraud into shared Microsoft Teams channels, sending manipulated invoices and payment-change requests that look internal.
Part of: Vendor Email Compromise (BEC) Invoice Fraud
Last reviewed: 1 June 2026
Many companies collaborate with suppliers directly inside Microsoft Teams through shared channels and guest access. When an attacker compromises a vendor's account, that same collaboration space becomes a trusted route for delivering fraudulent invoices and bank-change requests.
Because the messages appear under the real vendor contact's name within an established channel, they inherit the trust of an ongoing working relationship. The speed and informality of chat further reduce the verification that a formal invoice email might prompt.
How this scam works on Microsoft Teams
Having taken over the vendor's account, the attacker uses its access to shared Teams channels to study active projects and payment schedules. They then post or message a manipulated invoice or a request to update banking details, framed as routine vendor admin.
The request continues normal collaboration patterns, so finance or project staff treat it as legitimate. The chat context discourages a formal check, and the genuine vendor identity removes the usual suspicion attached to new payment details.
When the customer pays the altered invoice or updates the banking record, funds flow to the criminal. The fraud often spans the period the vendor account remains compromised and is discovered only when the supplier reconciles unpaid invoices.
Common red flags
- A vendor contact requesting a bank-detail change through a Teams channel
- An invoice shared in chat that differs from previous versions
- Payment instructions delivered casually rather than through formal billing
- A vendor account behaving or writing differently than usual
- Pressure to settle quickly to a newly provided account
- Reluctance to confirm the change in a phone call
How to protect yourself
- Verify any bank-detail change by phone with a known vendor contact
- Treat invoices shared via chat with the same scrutiny as emailed ones
- Require dual authorisation for changes to supplier records
- Restrict and review external-guest access in shared channels
- Encourage vendors to protect accounts with multi-factor authentication
- Confirm the first payment to any new account before continuing
How to report it
- Report the compromised vendor account to your IT security team
- File a report with your national cybercrime or fraud centre
- Notify your bank and the vendor without delay
Frequently asked questions
Our vendor sent a new invoice in a shared Teams channel. Can we trust it?
Treat it like any other invoice. If the vendor's account is compromised, fraudulent invoices and bank-change requests can appear under their real name in chat. Confirm any new payment details by phone with a known contact before paying.