Teams Helpdesk Scams: How London Businesses Can Stop Staff Letting Attackers In

Attackers are calling your staff on Microsoft Teams, claiming to be from IT support, and convincing them to hand over access to your systems. This is not a theoretical risk. It is happening to London businesses right now, and it is working.

Teams-based helpdesk scams have become one of the most effective social engineering techniques in use today, largely because they exploit the trust your staff place in your IT team. If your organisation uses Microsoft Teams as a primary communication tool and has not specifically addressed this threat, you are vulnerable.

According to the UK Government’s Cyber Security Breaches Survey 2025, social engineering, which includes impersonation and pretexting, is the technique behind the majority of successful UK cyberattacks. The shift to Teams as a collaboration platform has simply given attackers a new and credible channel to use.

If you are working with a managed IT support services company and are not sure whether this is something they are monitoring for, this article will help you understand exactly what you are dealing with and what to do about it.

What Is a Teams Helpdesk Scam?

A Teams helpdesk scam involves an attacker contacting one of your employees through Microsoft Teams, posing as a member of your internal IT team or helpdesk. The attacker will typically claim there is a security incident, an account issue, or a software problem that needs immediate attention.

From there, the social engineering takes different forms depending on what the attacker is after.

In some cases, they ask the employee to share their screen so they can “diagnose the issue,” giving the attacker a live view of systems and data. In others, they ask the employee to approve a multi-factor authentication prompt, provide a one-time code, or install a remote access tool. In the most damaging cases, they use the call to convince the employee to reset their own password to something the attacker has provided.

What makes this so effective is that Teams conversations feel internal and trusted. Employees who would be cautious with an email from an unknown address are often much less guarded in Teams, particularly when someone uses the right terminology, references real internal systems, and sounds confident.

Microsoft’s own research has documented a threat actor known as Storm-1811 using precisely this technique, sending Teams messages from compromised external accounts and making voice calls through Teams to pressure targets into granting access. This is not a fringe attack. It is organised and deliberate.

Why Teams Makes Social Engineering So Easy

Teams has become the default communication channel for a huge proportion of UK businesses. It is where staff expect to receive messages from colleagues, announcements from leadership, and yes, updates from IT support.

Attackers know this. A message arriving in Teams carries an implicit credibility that a cold email simply does not. If the attacker is using a compromised account from another company in your supply chain or partner network, the message appears to come from a real Teams user, complete with a profile picture and conversation history.

The pressure dynamic also works in the attacker’s favour. A Teams call or message framed as an urgent security issue puts the recipient in a reactive state. Staff are trained to cooperate with IT, to respond quickly to alerts, and not to slow down security processes. Attackers exploit exactly this instinct.

This is why business email compromise training, while valuable, is no longer sufficient on its own. The threat has moved channels, and your training needs to move with it.

How Attackers Get Into Your Teams Environment

Before an attacker can message your staff from inside Teams, they often need a foothold. That foothold usually comes from one of three places.

The first is a compromised account in your own organisation. If a staff member’s credentials have already been stolen, attackers can use that account to contact colleagues internally, with full legitimacy.

The second is a compromised account from an external organisation. Teams allows communication between tenants, so an attacker with access to a supplier’s or partner’s account can reach your staff through external federation.

The third is a malicious Teams invite. Some attackers send meeting invites or chat requests that appear to come from Microsoft support or a trusted brand, using tenant names designed to look plausible.

In each case, understanding whether your staff credentials have already been exposed is the first step. A London dark web monitoring service will alert you if your employees’ login details surface on underground forums, giving you the chance to respond before attackers can exploit them.

You can read our post on the crucial role of dark web monitoring for stolen company login credentials and our guide on what to do if your company credentials appear on the dark web for practical next steps. Our post on employee credentials on the dark web is also worth reading if you have not considered this risk before.

Warning Signs Your Staff Should Know

Equipping your team to recognise a Teams helpdesk scam is one of the most practical things you can do. The warning signs below should form part of any staff awareness session.

| Warning Sign | What It Might Mean |
| --- | --- |
| Unsolicited contact claiming to be IT support | Possible impersonation attempt |
| Urgency and pressure to act immediately | Classic social engineering tactic |
| Request to approve an MFA prompt you did not initiate | Likely MFA bypass attempt |
| Request to install remote access software | Possible attacker seeking system access |
| Request to share your screen | Attacker looking to observe credentials or data |
| External Teams account posing as internal IT | Compromised partner account being abused |
| Message from “Microsoft Support” via Teams | Microsoft does not contact users this way |
| Request to reset your password to a specific value | Credential theft in progress |

Training staff to pause when they see any of these signs, and to verify through a separate channel before taking any action, can break the attack chain entirely. Our guide on how to spot a phishing email covers many of the broader principles that apply equally to Teams-based attacks.

What London Businesses Should Do Right Now

Review your Microsoft Teams external access settings

By default, Microsoft Teams allows communication with users from external organisations. You should review whether this level of access is necessary for your business and restrict it where it is not. Limiting or blocking external federation removes a significant attack surface. Your cloud backup company or Microsoft 365 support provider can configure this alongside your wider tenant security settings.
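
The review and restriction described above can be done with the MicrosoftTeams PowerShell module. This is an added example, not a script from this article's author or from Microsoft; the `$Mode` switch and the partner domains are placeholders introduced for illustration.

```powershell
# Added example. Requires the MicrosoftTeams module and a Teams administrator role.
Connect-MicrosoftTeams

# Hypothetical switch for this example: 'BlockAll' or 'AllowList'.
$Mode = 'AllowList'
# Placeholder partner domains; replace with the tenants you actually collaborate with.
$PartnerDomains = @('partner.example', 'supplier.example')

# 1. Review the current tenant-wide external access settings before changing anything.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains,
        AllowTeamsConsumer, AllowTeamsConsumerInbound

# 2. Restrict chats and calls from other Teams organisations.
switch ($Mode) {
    'BlockAll' {
        # No external tenant can reach your staff, and staff cannot reach them.
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
    }
    'AllowList' {
        # Only the named partner tenants can communicate with your staff.
        $allowed = New-Object 'System.Collections.Generic.List[string]'
        foreach ($domain in $PartnerDomains) { $allowed.Add($domain) }
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
            -AllowedDomainsAsAList $allowed
    }
    default { throw "Unknown mode: $Mode" }
}

# 3. Stop personal (unmanaged) Teams accounts from contacting staff.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# 4. Re-read the configuration to confirm the change was applied.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains,
        AllowTeamsConsumer, AllowTeamsConsumerInbound
```

Changes to tenant federation settings can take some time to propagate, so re-check the configuration and test from an external account before relying on it.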

Create a verified helpdesk communication process

Your internal IT team should have a clear and publicised process for contacting staff. Employees should know that your helpdesk will never call them unexpectedly and ask for credentials, MFA codes, or remote access. Any such request should be treated as suspicious and reported immediately. Our guide on how to create an anti-phishing policy includes a framework for setting these expectations in writing.

Run simulations that test Teams-specific scenarios

Most phishing simulation programmes still focus on email. Working with a London anti-phishing company that can design and run Teams-based simulations, including fake helpdesk calls and messages, gives you measurable data on how your staff would actually respond. Our post on how to run phishing simulations explains how to structure a programme that covers multiple channels.

Protect endpoints before attackers exploit access

If an attacker does succeed in getting screen access or installing a remote tool, the damage they can do depends on how well protected your endpoints are. Our post on endpoint security that pays off explains what good endpoint protection looks like, and our guide to endpoint security for remote teams is particularly relevant if your staff work from multiple locations.

You should also understand the difference between EDR vs antivirus vs XDR so you can make an informed decision about what protection your business actually needs. Our post on why EDR matters more than ever and our longer piece on the crucial role of EDR in modern IT security cover this in depth.

Apply the principle of least privilege

One reason Teams helpdesk scams can be so damaging is that the employee being targeted often has more system access than they need. Reviewing user permissions and limiting access to only what each role requires significantly reduces the impact if an attacker does succeed. This is a core principle of IT service management that many businesses overlook.

Strengthen your password and authentication policies

If an attacker convinces a member of staff to hand over their credentials or approve an MFA prompt, a strong password policy and phishing-resistant MFA limit what they can do next. Our guide to password best practices covers the fundamentals, and our post on anti-phishing controls explains how authentication and access controls work together.

Have a plan for when things go wrong

If an attacker does get in via a Teams scam, how quickly you can contain the damage depends entirely on having a response process ready. Understanding the hidden costs of reactive IT makes the case for proactive security investment clearly. And having a cloud backup company managing your data protection means that even if files are altered or deleted, recovery is straightforward.

The Ransomware Connection

Teams helpdesk scams are frequently the entry point for ransomware attacks. Once an attacker has remote access to a machine, they can move laterally through your network, elevate privileges, and deploy ransomware within hours.

Our small business guide to ransomware explains how these attacks unfold, and our post on how to spot ransomware and protect your business is practical reading for anyone responsible for IT security decisions. Understanding this connection should make the urgency of addressing Teams-based social engineering very clear.

Thinking About Compliance and Certification

Businesses that have experienced a successful social engineering attack, or that are concerned about their exposure, often find that formal security frameworks give them the clearest path forward.

Our post on why your business should become Cyber Essentials accredited explains how the scheme maps to real-world threats including social engineering, and our piece on why IT compliance matters covers the broader picture for London businesses operating in regulated industries.

If your network security is also in need of a review, our posts on tips for securing your small business network and simple tips to secure your corporate firewall are useful starting points. Our network penetration testing service can also identify weaknesses attackers might exploit once they have a foothold.

International Businesses Face Additional Complexity

If your organisation operates across multiple countries, the challenge of maintaining consistent security awareness and technical controls is significantly greater. A staff member in a European office may receive a Teams scam message in a different language, or may not have received the same awareness training as your London team.

A provider offering global IT support services can help you standardise security policies, training and monitoring across all your locations, so there are no gaps in your coverage. And for businesses with European offices specifically, working with a team that provides European support services ensures that local data protection requirements and communication standards are factored in.

If your business has recently grown through a merger or acquisition, or has undergone a system change, a platform migration company can also help you close the security gaps that often appear during periods of transition, when staff are most likely to receive and accept unusual requests.

Why Outsourcing to a Specialist Makes Sense

Many London businesses have found that the benefits of outsourcing IT outweigh the cost of trying to manage security awareness, technical controls and monitoring internally. Our post on why businesses should consider an MSP for their IT needs sets out the case clearly, particularly for organisations with limited internal IT resource.

For a broader view of what a modern managed service covers, our security services page and our IT consulting service both explain how Northern Star works alongside your business to build layered, practical defences.

And if you have not yet considered whether your current approach to IT is costing you more than you realise, our post on the importance of secure IT defences against cyber criminals is a good place to start.

Frequently Asked Questions

Can we completely block external users from messaging our staff on Teams?

Yes. Microsoft Teams allows you to restrict or disable external access so that users from outside your organisation cannot initiate conversations with your staff. Whether this is appropriate depends on your business needs, but for organisations that do not regularly collaborate externally via Teams, restricting it removes a significant attack surface.

What should a member of staff do if they receive a suspicious Teams call or message claiming to be from IT?

They should not share their screen, approve any prompts, install any software, or provide any codes. They should end the call or conversation and contact your IT helpdesk directly using a known and verified number or email address. Reporting the incident promptly is important.

How do attackers get hold of a Microsoft Teams account to use in the first place?

Most often through phishing emails that steal credentials, or by purchasing stolen credentials from dark web marketplaces. Once they have access to one account, they can use it to approach other users, including those at other organisations, with a credible Teams identity.

Is this kind of attack covered by Cyber Essentials?

Cyber Essentials covers technical controls such as access control, MFA and secure configuration, but it does not cover staff awareness training directly. However, implementing the technical controls it requires significantly limits what an attacker can do even if a member of staff is deceived. Cyber Essentials Plus includes vulnerability testing that can reveal gaps in your environment.

How do we know if someone in our business has already fallen for one of these attacks?

Signs include unexpected account changes, new MFA devices registered, unusual login activity from unfamiliar locations, altered inbox rules, or unexplained file access. If you have monitoring and audit logging in place, these indicators can be caught quickly. If you do not, many incidents go undetected for weeks.
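
One way to triage for these signs is to flag any user who shows two or more different indicators within a short window. This is an added example, not part of the original article; the event records and indicator labels are constructed in a simplified, hypothetical schema and are not the Microsoft 365 audit log format.

```powershell
# Constructed sample events (hypothetical schema): one row per indicator observed.
$SampleEvents = @(
    [pscustomobject]@{ Time = [datetime]'2025-03-03T09:12:00'; User = 'user1@example.com'; Indicator = 'UnfamiliarLocationSignIn' }
    [pscustomobject]@{ Time = [datetime]'2025-03-03T09:20:00'; User = 'user1@example.com'; Indicator = 'NewMfaDevice' }
    [pscustomobject]@{ Time = [datetime]'2025-03-03T09:31:00'; User = 'user1@example.com'; Indicator = 'InboxRuleChanged' }
    [pscustomobject]@{ Time = [datetime]'2025-03-01T14:00:00'; User = 'user2@example.com'; Indicator = 'NewMfaDevice' }
    [pscustomobject]@{ Time = [datetime]'2025-03-09T08:00:00'; User = 'user2@example.com'; Indicator = 'UnusualFileAccess' }
    [pscustomobject]@{ Time = [datetime]'2025-03-04T11:00:00'; User = 'user3@example.com'; Indicator = 'AccountChange' }
)

function Get-CompromiseCandidate {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowHours = 24,   # how close together the indicators must be
        [int] $MinDistinct = 2     # how many different indicators trigger a review
    )
    foreach ($group in ($Events | Group-Object -Property User)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        foreach ($start in $sorted) {
            # Slide a window forward from each event for this user.
            $end = $start.Time.AddHours($WindowHours)
            $inWindow = @($sorted | Where-Object { $_.Time -ge $start.Time -and $_.Time -le $end })
            $distinct = @($inWindow.Indicator | Sort-Object -Unique)
            if ($distinct.Count -ge $MinDistinct) {
                [pscustomobject]@{
                    User        = $group.Name
                    WindowStart = $start.Time
                    Indicators  = $distinct -join ', '
                }
                break   # one finding per user is enough to open a review
            }
        }
    }
}

# user1 is flagged (three indicators in 19 minutes); user2's two events are
# eight days apart and user3 has a single event, so neither is flagged.
Get-CompromiseCandidate -Events $SampleEvents | Format-Table -AutoSize
```

A single indicator on its own, such as a member of staff registering a new phone, is usually routine; the clustering is what makes an account worth reviewing first.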

Protect Your Business From Teams Helpdesk Scams

Social engineering through Microsoft Teams is one of the fastest-growing attack techniques targeting London businesses. The good news is that with the right awareness training, technical controls, and monitoring, it is possible to stop the majority of these attempts before they cause damage.

Northern Star provides security services that cover Teams configuration, phishing simulations, endpoint protection, and ongoing monitoring, all tailored to the way your business actually works.

Get in touch with our team today or call us on 0800 319 6032 for a no-obligation conversation. You can also visit our Why Us page to learn more about how we support London businesses with their security needs.