KongTuke, a known initial access broker (IAB), has added Microsoft Teams to its social engineering arsenal, using the enterprise collaboration platform to breach corporate networks with alarming speed — in some observed cases, persistent access was established in under five minutes.
Who Is KongTuke?
KongTuke is a threat actor classified as an initial access broker — a specialized criminal group that compromises target organizations and then sells that access to downstream ransomware operators, espionage groups, or data theft crews. IABs like KongTuke typically operate at volume, targeting many organizations simultaneously and monetizing successful breaches through underground marketplaces.
KongTuke has previously relied on phishing emails, malvertising, and trojanized software downloads to gain initial footholds. The shift to Microsoft Teams represents a tactical evolution toward higher-trust, lower-detection attack surfaces.
The Teams Attack Chain
Rather than sending traditional phishing emails that are increasingly flagged by email security gateways, KongTuke operators initiate contact directly through Microsoft Teams chats. The attack typically follows this pattern:
- Account Compromise or External Access: Attackers gain access to a legitimate Teams account — either through stolen credentials, a compromised partner tenant, or Microsoft's guest access feature that allows external accounts to message users in certain configurations
- Impersonation: The attacker poses as IT support, a vendor, a known colleague, or an internal helpdesk technician
- Social Engineering Payload: The victim is asked to run a command, install a tool, or approve a remote access session — framed as routine IT maintenance
- Persistent Access Established: Once the victim complies, a remote access trojan (RAT), C2 implant, or legitimate remote access tool is installed, giving KongTuke persistent network presence
- Access Sale: The foothold is packaged and sold to ransomware affiliates or espionage operators within days
The entire process from first message to persistent access has been observed completing in as little as five minutes in targeted attacks against organizations with low Teams security awareness.
Why Teams Is an Effective Attack Surface
Microsoft Teams is trusted by over 320 million daily active users. Unlike email, most employees do not apply the same level of skepticism to Teams messages, particularly when:
- The sender appears to be from an internal IT department
- The request references a known system, ticket number, or recent company event
- The conversation mimics standard helpdesk language and formatting
Additionally, many Teams deployments allow external users (guests from other Microsoft 365 tenants) to initiate chats with internal employees — a feature designed for collaboration but exploitable for social engineering.
| Attack Vector Comparison | Email Phishing | Teams Social Engineering |
|---|---|---|
| Employee skepticism | High | Low |
| Security gateway filtering | Common | Rare |
| Impersonation plausibility | Moderate | High |
| Time to compromise | Minutes–hours | Under 5 minutes |
| Detection rate | Moderate | Low |
What Security Teams Should Do
Organizations using Microsoft Teams should take immediate steps to reduce exposure to this attack vector:
Restrict External Access
Review and tighten Microsoft Teams external access policies:
Microsoft Teams Admin Center:
→ External Access → Allow specific external domains only
→ Guest Access → Disable or restrict if not required
→ Meeting policies → Restrict anonymous join
Enable Enhanced Phishing Awareness for Teams
Traditional security awareness training focuses on email. Extend phishing simulation and training to cover Teams-based social engineering scenarios, including:
- Fake IT helpdesk impersonation
- Requests to run commands or install software via chat
- Urgency-based pressure tactics in Teams messages
Monitor for Suspicious Teams Activity
Configure Microsoft Purview or SIEM integrations to alert on:
- External accounts initiating chats with multiple internal users
- Links to external file shares or downloads sent via Teams
- New guest accounts added to Teams within a short period
- Remote access tool downloads shortly after Teams chat sessions
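The first and last alerting rules above, expressed as correlation logic over a small constructed event list. This is an added example, not code from the original article or from Microsoft; the flat event shape, the tenant domain and the remote access tool watch list are assumptions standing in for whatever your SIEM ingests from the Microsoft 365 audit log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"  # assumed tenant domain (constructed)
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "quickassist.exe", "teamviewer.exe"}  # assumed watch list

# Constructed sample events: (ISO timestamp, kind, actor, target). For "teams_chat"
# actor/target are sender/recipient; for "file_download" they are user/file name.
EVENTS = [
    ("2024-05-01T09:00:00", "teams_chat", "helpdesk@partner-tenant.example", "alice@corp.example"),
    ("2024-05-01T09:01:00", "teams_chat", "helpdesk@partner-tenant.example", "bob@corp.example"),
    ("2024-05-01T09:02:00", "teams_chat", "helpdesk@partner-tenant.example", "carol@corp.example"),
    ("2024-05-01T09:04:30", "file_download", "alice@corp.example", "anydesk.exe"),
    ("2024-05-01T10:30:00", "teams_chat", "dave@corp.example", "alice@corp.example"),
    ("2024-05-01T14:00:00", "file_download", "bob@corp.example", "report.pdf"),
]

def is_external(upn):
    return not upn.lower().endswith("@" + INTERNAL_DOMAIN)

def external_fanout(events, min_targets=3, window=timedelta(minutes=30)):
    """External senders who chat with >= min_targets distinct internal users inside one window."""
    by_sender = defaultdict(list)
    for ts, kind, actor, target in events:
        if kind == "teams_chat" and is_external(actor) and not is_external(target):
            by_sender[actor].append((datetime.fromisoformat(ts), target))
    hits = {}
    for sender, msgs in by_sender.items():
        msgs.sort()
        for i, (start, _) in enumerate(msgs):  # slide the window from each chat start
            targets = {t for ts, t in msgs[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                hits[sender] = sorted(targets)
                break
    return hits

def rat_after_external_chat(events, window=timedelta(minutes=10)):
    """Remote access tool downloads within `window` after an external chat reached that user."""
    parsed = [(datetime.fromisoformat(ts), k, a, t) for ts, k, a, t in events]
    hits = []
    for ts, kind, user, fname in parsed:
        if kind != "file_download" or fname.lower() not in REMOTE_ACCESS_TOOLS:
            continue
        for cts, ckind, sender, recipient in parsed:
            if (ckind == "teams_chat" and recipient == user and is_external(sender)
                    and timedelta(0) <= ts - cts <= window):
                hits.append((user, fname, sender))
                break  # one alert per download is enough
    return hits
```

Run against the sample, the fan-out rule flags the partner-tenant "helpdesk" account for messaging three internal users within two minutes, and the second rule ties alice's AnyDesk download back to that external chat; the internal-to-internal chat and the PDF download produce no alert.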
Verify Remote Access Requests Out-of-Band
Any request received via Teams to install software or grant remote access should be verified through a separate channel (phone call, ticketing system, or in-person confirmation) before action is taken.
Broader Context: IABs and the Ransomware Ecosystem
KongTuke's Teams pivot reflects a broader trend: initial access brokers are continuously refining their techniques to stay ahead of enterprise defenses. As email security matures, attackers migrate to less-monitored channels — Teams, Slack, LinkedIn DMs, and SMS have all been observed in recent IAB campaigns.
The downstream impact of KongTuke's access sales is significant: organizations compromised through this actor have subsequently been hit by ransomware, data extortion, and espionage operations carried out by the buyers of that initial foothold.
Recommendations Summary
| Action | Priority |
|---|---|
| Restrict Teams external/guest access | High |
| Extend security awareness to Teams scenarios | High |
| Monitor for external chat-initiated downloads | High |
| Implement out-of-band verification for IT requests | Medium |
| Review conditional access policies for Teams | Medium |
| Audit guest accounts in Teams tenants | Medium |