security: Cross‑tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook
Microsoft Security Blog
2026-04-18
Threat actors are using external Microsoft Teams collaboration to impersonate IT helpdesk staff, trick users into granting remote access, and then abuse legitimate tools and admin protocols for lateral movement and data exfiltration. Microsoft Defender can help detect this activity across Teams, endpoint, and identity telemetry.