Cloaked Ursa and UNC6692 exploit Microsoft Teams federation for social engineering campaigns
Threat actors leverage external Microsoft Teams chat to impersonate IT support and harvest credentials, exploiting permissive federation settings and user trust in collaboration tools.
Attack Brief
Target: Microsoft Teams users; organizations with federated Teams enabled
Vector: External Teams chat impersonation; social engineering via trusted collaboration platform
Attribution: Cloaked Ursa (APT29, Cozy Bear, Midnight Blizzard); UNC6692
Technical Details
MITRE ATT&CK: T1566.003, T1598.003, T1187, T1556
IoCs: typosquatted domains mimicking trusted vendors; Microsoft 365 tenants named to mimic IT support functions
Affected: Microsoft Teams with default federation enabled; organizations without external domain allowlist restrictions
Impact
Sectors: General enterprise
Confirmed Damage: Credential harvesting; unauthorized MFA approval; account compromise
Geography: Global
Mitigation
Workarounds: Disable the 'External users with MS Teams accounts not managed by an organization can contact users in my organization' setting; restrict federation to specific allowed domains via an allowlist; disable unmanaged account communication if the business case permits; implement Conditional Access policies for high-risk actions; require MFA verification through a separate channel for sensitive requests
Detection: Monitor Teams chat logs for external domain initiations; alert on unsolicited IT support requests; track federation policy violations; audit Teams message patterns for credential harvesting indicators
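Added example, not part of this brief: a small Python detection prototype that applies the Detection guidance above (external-initiated chats outside the allowlist, IT-support impersonation, MFA pressure, lookalike vendor domains) to constructed chat records. The record fields, the allowlist and the domains are assumptions for illustration, not the real Teams audit schema.

```python
from difflib import SequenceMatcher

# Constructed sample chat events, in chronological order. Field names are
# assumptions for this example, not the Microsoft 365 audit log schema.
SAMPLE_EVENTS = [
    {"thread": "t1", "sender": "alice@contoso.com", "display": "Alice",
     "external": False, "text": "Lunch?"},
    {"thread": "t2", "sender": "helpdesk@it-support-services.onmicrosoft.com",
     "display": "IT Support", "external": True,
     "text": "Please approve the MFA prompt so we can finish your migration."},
    {"thread": "t3", "sender": "rep@fabrikarn.com", "display": "Fabrikam Account Rep",
     "external": True, "text": "Updated invoice attached."},
    {"thread": "t4", "sender": "pm@fabrikam.com", "display": "Project Manager",
     "external": True, "text": "Status call at 3?"},
    {"thread": "t4", "sender": "bob@contoso.com", "display": "Bob",
     "external": False, "text": "Sure."},
]

HELPDESK_WORDS = ("it support", "helpdesk", "help desk", "service desk")
MFA_WORDS = ("mfa", "authenticator", "approve", "verification code")


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def looks_like(domain, trusted, threshold=0.8):
    """Return the trusted domain this one resembles but does not equal, else None."""
    for t in trusted:
        if domain != t and SequenceMatcher(None, domain, t).ratio() >= threshold:
            return t
    return None


def flag_external_chats(events, allowed_domains, trusted_domains):
    """Alert on chats *initiated* by an external sender outside the federation allowlist."""
    seen, alerts = set(), []
    for ev in events:
        first = ev["thread"] not in seen  # first message in a thread = initiation
        seen.add(ev["thread"])
        dom = domain_of(ev["sender"])
        if not (first and ev["external"]) or dom in allowed_domains:
            continue
        reasons = ["external-initiated chat from non-allowlisted domain " + dom]
        blob = (ev["display"] + " " + ev["text"]).lower()
        if any(w in blob for w in HELPDESK_WORDS):
            reasons.append("sender poses as IT support")
        if any(w in blob for w in MFA_WORDS):
            reasons.append("message pushes for MFA approval")
        near = looks_like(dom, trusted_domains)
        if near:
            reasons.append("domain resembles trusted " + near)
        alerts.append({"thread": ev["thread"], "sender": ev["sender"], "reasons": reasons})
    return alerts
```

Against the sample data this flags the fake IT-support tenant (t2) and the lookalike vendor domain (t3) while leaving the allowlisted partner chat (t4) alone.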
Context
Previous Campaigns: Cloaked Ursa leveraged compromised accounts to send Teams messages with malicious links redirecting to credential harvesting pages mimicking Microsoft login portals (late 2024)
Similar Attacks: UNC6692 impersonated IT helpdesk staff via Teams in December 2025; phishing alerts from collaboration tools increased from 30% to 42% of all phishing alerts in the first four months of 2026