Attackers are exploiting Microsoft Teams' external communication features to pose as IT support, convincing employees to install a remote access trojan called EtherRAT, according to recent security alerts. The scam has prompted some organizations to consider blocking all external Teams communication — but experts say a more measured approach can stop the threat without disrupting legitimate collaboration. Rather than severing all external ties, the focus should be on restricting high-risk channels, tightening verification, and empowering users to report suspicious activity.
How the Fake IT Support Scam Works
Since at least early 2025, malicious actors have been cold-calling and messaging Teams users from external accounts, often using display names like “IT Support” or spoofed tenant names to appear trustworthy. They typically claim there is an urgent security issue — a compromised account, a pending malware scan, or a required update — and direct the target to download a remote support tool. That tool is frequently a customized build of EtherRAT, an open-source remote access toolkit first documented in 2023, which hands the attacker full control of the device.
The attack does not rely on a software vulnerability. It’s purely social engineering, enabled by default Teams settings that allow anyone with a Microsoft account to initiate chats and calls with internal users. Because the initial contact happens inside a trusted application, the victim’s guard is down. Once the attacker has remote control, they can steal credentials, move laterally across the network, and deploy ransomware — all while appearing to be a legitimate IT interaction.
Who’s at Risk and What’s at Stake
For IT administrators, the immediate risk is that a single compromised user could lead to a full-scale breach. EtherRAT allows attackers to record keystrokes, exfiltrate files, and even use the victim’s webcam and microphone, making it a potent espionage and extortion tool. Financial departments, HR teams, and executive assistants are prime targets because they often handle sensitive data and may have higher privileges.
The knee-jerk reaction — blocking all external Teams communication — is understandable but comes with its own business costs. Many organizations depend on Teams for client meetings, vendor support, and cross-company collaboration. A blanket block disrupts those workflows, forces users to find shadow-IT alternatives, and breeds frustration. The challenge is to filter out the malicious noise while keeping legitimate channels open.
End users need to understand that no legitimate IT department will ever call or message them out of the blue demanding the installation of remote software. Even a caller who knows internal jargon or seems to have a sense of urgency should be verified through a separate, official communication channel — such as an internal ticketing system or a phone call to the known help desk number.
A Growing Trend of Platform-Based Social Engineering
The abuse of collaboration platforms for social engineering is not new. During the pandemic, similar attacks plagued Slack and Zoom, with fraudsters impersonating company executives to request wire transfers or gift cards. As email filtering has improved, attackers have shifted to real-time communication tools where inbox rules don’t apply. Microsoft Teams, with its massive enterprise footprint, is an especially juicy target.
EtherRAT emerged in 2023 on cybercriminal forums as a remote access tool written in C#. Its modular design and ability to evade signature-based detection made it popular for a range of campaigns, from business email compromise to ransomware delivery. Because it can be compiled fresh for each attack, it often slips past antivirus engines. In this latest wave, the attackers combine EtherRAT’s stealth with the psychological advantage of a Teams call — a combination that has proven alarmingly effective.
Step-by-Step: Locking Down Teams Without Breaking Business
The core recommendation from security analysts is to restrict high-risk external chat and calling while keeping approved domains whitelisted. Here’s how to implement the necessary controls in the Teams admin center.
Restrict External Access to Trusted Domains Only
- Sign in to the Teams admin center at admin.teams.microsoft.com.
- Navigate to Users > External access.
- Under Choose which external domains your users have access to, switch from “Allow all external domains” to Allow only specific external domains.
- Add the domains of your trusted partners, vendors, and clients. All other domains will be blocked.
- Under Teams and Skype for Business users in external organizations, disable External users with unmanaged domain accounts (i.e., Gmail, Outlook.com) entirely unless there is a compelling business reason to keep them.
- For External users with managed domain accounts, select Allow only specific external domains and enter the same whitelisted domains.
- Under External access for Teams with chat, ensure that the toggle is set to On only for the domains you need. Repeat for External access for Teams with audio/video.
Disable Unnecessary Calling Features
- In the same External access page, scroll to the External meetings and chat section.
- Consider turning off External users can send meeting invites if your organization does not routinely host external guests.
- Restrict External users can participate in channel meetings to only those domains you trust.
Enable User Reporting and Alerts
- Educate users on how to report suspicious external messages: right-click the message, select Report a concern, and choose the appropriate category (e.g., Spam, Phishing). This data feeds into the Microsoft 365 security portal and helps tune detections.
- In the Microsoft 365 Defender portal, create alert policies for unusual external user activities. For example, trigger an alert when an external user sends a file or initiates a call for the first time in your tenant.
Supplement Technical Controls with User Training
- Run a brief, mandatory training session covering the “EtherRAT IT support” scenario. Show real-world examples of the bait messages.
- Emphasize the “verify, don’t trust” mantra: any unsolicited IT contact should be verified through a separate channel (phone, ticketing system, or in-person).
- Post a visible banner inside Teams (using organization-wide messaging) reminding users never to grant remote control to unverified contacts.
What Users Need to Know Right Now
If you receive an unexpected call or chat from someone claiming to be IT support, the safest reaction is to hang up or ignore it and then verify the claim independently. Do not call back the same number or accept file transfers. Legitimate IT departments will never pressure you into an immediate action. If you’re unsure, forward a screenshot of the message to your actual help desk and ask for confirmation.
For home and personal Teams users, the risk is lower but not zero. Attackers can still send malicious links through Teams chat, so treat any unprompted message from an unknown contact as suspicious. Microsoft’s built-in Safe Links protection helps, but it’s not foolproof against zero-hour malware.
The Road Ahead
As collaboration platforms become the digital headquarters for work, they will remain prime targets for social engineering. Microsoft is likely to introduce more aggressive default restrictions on external access in future updates, but for now, the burden is on administrators to implement the right controls. The security community expects the EtherRAT template to be copied widely, with variants using other remote access tools like AnyDesk or TeamViewer popping up in the coming months.
Organizations that treat external Teams interactions with the same suspicion they apply to external emails — and that act now to restrict and verify — will be best positioned to dodge the next wave of this campaign. The message is simple: don’t nuke all external communication, but do put a smart, risk-based fence around it.