Hackers Abuse Microsoft Teams Chats After Flooding Victims With Spam Emails


Cybersecurity firm eSentire has uncovered a highly effective new technique used by hackers to breach corporate networks.

Since early 2026, threat actors have increasingly relied on a two-step attack: flooding a victim’s inbox with thousands of spam messages, and then contacting them on Microsoft Teams to offer fake IT support.

By impersonating the company’s helpdesk, these hackers trick panicked employees into granting remote access to their devices. According to recent threat reports, this strategy saw massive growth between 2024 and 2025 and currently boasts a staggering 72 percent success rate.

The attack begins with an aggressive email bombing campaign. The targeted employee suddenly receives a massive wave of junk emails, rendering their inbox completely unusable.

While the user is confused, distracted, and unable to do their normal work, the attacker reaches out directly through a Microsoft Teams chat.

The hacker claims to be from the internal IT department or a trusted technical support team. They tell the victim they have noticed the email issue and offer to fix it immediately.

Attack Methods and Patterns

Once hackers gain remote entry, their behavior follows a specific pattern of data theft. In recent network intrusions, attackers bypassed security software by downloading portable versions of the file transfer tool WinSCP directly from its official website.

They then used this legitimate tool to quietly move stolen files out of the network.

In other observed cases, hackers used their Quick Assist access to drop a ZIP archive named “Email-Deployment-Process-System.zip” onto the computer. This file contained a hidden Java program that launched further attacks to steal data.

These highly coordinated attacks are not random or opportunistic. Hackers are using specific bulletproof hosting providers, such as NKtelecom INC, WorkTitans B.V., Global Connectivity Solutions LLP, and GWY IT PTY LTD, to launch their campaigns.

To make their Microsoft Teams accounts look real, they create realistic English personas like “michaelturner@” or “danielfoster@”.

They pair these normal names with official-sounding domain names, such as freshly created “.onmicrosoft.com” accounts labeled “Windows Security Help Desk” or disposable “.top” domains.

Defending Against the Threat

According to eSentire research, security teams must implement strict technical controls to stop this threat.

Managed Detection and Response (MDR) services are actively blocking malicious IP addresses, monitoring endpoint logs for ransomware deployment, and tracking the unexpected use of WinSCP.

However, network administrators also need to close the communication gaps that enable these attacks.

To protect your organization from these attacks, implement the following steps:

  • Restrict Microsoft Teams messages and calls from external organizations unless they are strictly required for business operations.
  • Configure external collaboration policies to show clear warning notifications when employees interact with outside users.
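
The two-step pattern described above, a mail flood followed by an unsolicited Teams chat from an external "help desk", can be hunted for by correlating mail and Teams logs. The Python below is an added example, not code from eSentire or Microsoft; the record layout, thresholds, keyword list and every address in the sample are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
BURST_COUNT = 200                      # assumed threshold: inbound mails to one user...
BURST_WINDOW = timedelta(minutes=30)   # ...inside this sliding window (assumed)
FOLLOWUP = timedelta(hours=2)          # assumed: Teams contact this soon after the burst
HELPDESK_WORDS = ("help desk", "helpdesk", "it support", "security")  # assumed keywords
SUSPECT_SUFFIXES = (".onmicrosoft.com", ".top")   # suffixes named in the article

def mail_bursts(mail_events):
    """Map each recipient to the time their inbox first crossed the threshold."""
    bursts, windows = {}, {}
    for ts, rcpt in sorted(mail_events):
        win = windows.setdefault(rcpt, [])
        win.append(ts)
        while ts - win[0] > BURST_WINDOW:
            win.pop(0)
        if len(win) >= BURST_COUNT:
            bursts.setdefault(rcpt, ts)
    return bursts

def score_sender(sender, display_name, internal_domains):
    """Return the reasons an external Teams sender resembles a fake helpdesk."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in internal_domains:
        return []
    reasons = ["external tenant"]
    if domain.endswith(SUSPECT_SUFFIXES):
        reasons.append("suspect domain suffix")
    if any(word in display_name.lower() for word in HELPDESK_WORDS):
        reasons.append("helpdesk-style display name")
    return reasons

def correlate(mail_events, teams_events, internal_domains):
    """Flag external Teams chats that reach a user shortly after a mail burst."""
    bursts, alerts = mail_bursts(mail_events), []
    for ts, sender, display_name, rcpt in teams_events:
        reasons = score_sender(sender, display_name, internal_domains)
        start = bursts.get(rcpt)
        if reasons and start is not None and timedelta(0) <= ts - start <= FOLLOWUP:
            alerts.append({"user": rcpt, "sender": sender, "reasons": reasons})
    return alerts

def constructed_sample():  # constructed records, not real telemetry
    t0 = datetime(2026, 1, 15, 9, 0)
    mail = [(t0 + timedelta(seconds=5 * i), "alice@corp.example") for i in range(250)]
    return mail, [
        (t0 + timedelta(minutes=40), "support@hd-example.onmicrosoft.com", "Windows Security Help Desk", "alice@corp.example"),
        (t0 + timedelta(minutes=45), "pat@partner.example", "Pat (Partner)", "bob@corp.example"),
        (t0 + timedelta(minutes=50), "carol@corp.example", "Carol", "alice@corp.example"),
    ], {"corp.example"}
```

Calling `correlate(*constructed_sample())` flags only the chat sent to the flooded mailbox from the external help-desk persona; the partner message to an unaffected user and the internal colleague's message are ignored.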



