Microsoft Teams keeps small businesses connected, but attackers are taking advantage of that trust. Across many organizations, criminals now pose as IT support in Teams chats or calls and trick employees into installing malware delivered through malware-as-a-service (MaaS) operations. If your company in the Twin Cities or Western Wisconsin relies on Teams to collaborate, this is a threat you can’t ignore.
How the scam works
Step-by-step playbook criminals are using
- Outsider poses as internal IT: The attacker initiates an external Teams chat or call while using a name and profile image that looks like your help desk.
- Push for remote access: They ask the employee to open Microsoft Quick Assist (a legitimate Windows tool) so they can “fix” an issue.
- Convincing the user to run a script: The script is framed as a routine update, but it quietly installs malware. In recent campaigns, payloads have included a renamed updater, a tampered XML configuration file, and a malicious DLL loaded to bypass security checks. Some operations have leveraged loaders associated with MaaS, such as Matanbuchus.
- Establishing persistence: Once installed, the malware can steal data, create backdoors, or pave the way for ransomware.
Why it slips past traditional defenses
Most security awareness focuses on email phishing. These attacks often bypass email filters entirely because the entry point is a trusted collaboration app. Teams feels internal, the caller sounds helpful, and Quick Assist is built into Windows—so the request seems reasonable. It’s social engineering aimed at people, not a technical flaw in Microsoft 365.
What it means for small businesses
For organizations with 5–50 employees, a single compromised PC can lead to widespread business disruption. Stolen credentials, encrypted file shares, and days of downtime can cost far more than proactive protection. That’s why layered cybersecurity for small business is essential—especially when your workforce depends on Teams and Microsoft 365.
Practical steps your team can take today
- Verify identities: If anyone claims to be IT support via Teams, hang up and call your known help desk number or open a ticket through your normal process.
- Be cautious with Quick Assist: Never grant remote control to someone you don’t know. If remote support is required, use your company’s approved tool.
- Limit external chats: Ask IT to restrict or monitor external messaging in Teams and require approval for new external domains.
- Report suspicious messages: Screenshot and notify your IT support immediately. Early reporting limits damage.
- Keep devices updated: Regular patching reduces the chance that malware can escalate privileges.
- Use strong MFA everywhere: Multi-factor authentication makes stolen passwords less useful to attackers.
Microsoft 365 settings to harden
With the right Microsoft 365 support and configuration, you can block many of these attempts before they start. If you’re on Microsoft 365 Business Premium, ask your provider to enable:
- Teams external access policies: Restrict who can message your users from outside your tenant. Consider an allow-list for trusted partners.
- Safe Links and Safe Attachments: In Microsoft Defender for Office 365, protect URLs and files shared in Teams and OneDrive/SharePoint.
- Conditional Access and sign-in risk policies: Enforce MFA, block risky sign-ins, and require compliant devices for sensitive apps.
- Endpoint protection with EDR: Use Defender for Business (included with Business Premium) for next‑gen AV, behavior-based detection, and attack surface reduction rules.
- Intune device management: Enforce least privilege, block unknown apps, and standardize configurations across Windows, macOS, and mobile.
- Local admin lock-down: Remove everyday admin rights, use Windows LAPS for secure local admin management, and approve elevation only when needed.
- Quick Assist governance: Disable or limit Quick Assist if you use an approved remote support tool (e.g., Remote Help with Intune). Train staff to never accept unsolicited sessions.
- Audit and alerting: Turn on unified audit logs and create alerts for suspicious activities, such as mass consent to apps or unusual sign-in patterns.
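As an added example (not code from Geekland IT or Microsoft), the Python below shows the kind of alert logic the audit and alerting item calls for: it correlates an external Teams chat from a sender posing as support with a Quick Assist launch, and then a script host start, by the same user within 30 minutes. The event schema, domains, keyword list and time window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (not a real Microsoft log format).
EVENTS = [
    {"ts": "2025-01-14T09:02:11", "user": "alice", "type": "teams_external_chat",
     "sender_domain": "helpdesk-it.example", "sender_name": "IT Help Desk"},
    {"ts": "2025-01-14T09:06:40", "user": "alice", "type": "process_start", "image": "QuickAssist.exe"},
    {"ts": "2025-01-14T09:11:05", "user": "alice", "type": "process_start", "image": "powershell.exe"},
    {"ts": "2025-01-14T10:00:00", "user": "bob", "type": "teams_external_chat",
     "sender_domain": "partner.example", "sender_name": "Partner Service Desk"},
    {"ts": "2025-01-14T10:03:00", "user": "bob", "type": "process_start", "image": "QuickAssist.exe"},
    {"ts": "2025-01-14T13:30:00", "user": "carol", "type": "process_start", "image": "QuickAssist.exe"},
]

ALLOWED_DOMAINS = {"partner.example"}  # assumption: your approved external partners
SUPPORT_WORDS = ("help desk", "helpdesk", "it support", "service desk")
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WINDOW = timedelta(minutes=30)

def find_chains(events, window=WINDOW):
    """Alert when a support-themed external chat is followed by Quick Assist, then a script host."""
    alerts, lure, open_alert = [], {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "teams_external_chat":
            name = ev["sender_name"].lower()
            # Only unapproved external senders whose display name imitates support count as a lure.
            if ev["sender_domain"] not in ALLOWED_DOMAINS and any(w in name for w in SUPPORT_WORDS):
                lure[user] = (ts, ev["sender_domain"])
        elif ev["type"] == "process_start":
            image = ev["image"].lower()
            if image == "quickassist.exe" and user in lure and ts - lure[user][0] <= window:
                alerts.append({"user": user, "sender_domain": lure[user][1],
                               "quick_assist_at": ts, "severity": "medium"})
                open_alert[user] = alerts[-1]
            elif image in SCRIPT_HOSTS and user in open_alert:
                alert = open_alert[user]
                if ts - alert["quick_assist_at"] <= window:
                    alert["severity"] = "high"  # script run during the remote session
                    alert["script_host"] = image
    return alerts
```

A Quick Assist launch with no preceding lure (carol) or after a chat from an allow-listed domain (bob) produces no alert, which keeps legitimate support sessions out of the queue.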
Build a human firewall
Technology alone isn’t enough. Ongoing security awareness training and realistic phishing simulations teach employees to slow down, verify, and report. Short, frequent refreshers outperform once-a-year courses, especially when they include Teams-based lures that mirror what attackers actually use.
How Geekland IT protects your business
Geekland IT delivers managed IT services and small business IT support designed for organizations in the Twin Cities metro and Western Wisconsin—within an easy drive of our Lakeville, MN office. We combine proactive cybersecurity for small business with Microsoft 365 support so your team can work confidently in Teams without opening the door to attackers.
- Microsoft 365 hardening: We configure Teams policies, Conditional Access, Defender for Office 365, Intune, and device controls.
- Endpoint security and monitoring: EDR, patch management, and continuous monitoring to detect and respond quickly.
- User training and simulations: Bite-sized training and targeted phishing tests (including Teams scenarios) that improve real-world behavior.
- Incident response readiness: Playbooks and rapid containment to minimize downtime and data loss.
- Friendly, local IT support: Clear communication, predictable costs, and on-site help when you need it.
Bottom line
Attackers are abusing the tools your team trusts most. With layered defenses, smart Microsoft 365 configurations, and a trained workforce, you can stop Teams-based MaaS attacks before they start. If you want a practical roadmap tailored to your business, we’re here to help.
Ready to lock down Teams and strengthen your defenses? Contact Geekland IT for a no-pressure consultation and learn how our managed IT services can secure your Microsoft 365 environment.