security: Cross‑tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook
Microsoft Security Blog
2026-04-18
Threat actors are using external Microsoft Teams collaboration to impersonate IT helpdesk staff, gain remote access, and then move laterally with legitimate tools to exfiltrate data while blending in as routine IT support. Microsoft says Defender can help detect this activity across Teams, endpoint, and identity telemetry.