
Aon  |  Professional Services Practice

“Hello, This Is IT”: Attacking Professional Service Firms Through Microsoft Teams

Release Date: April 2026

Accounting, consulting, and law firms share workpapers, deal files, HR records, and privileged communications with clients, regulators, and counterparties through Microsoft Teams. Firms need to be aware that a single malicious call or chat can open the door to months of undetected data theft and extortion.

Key Takeaways

  • Professional service firms share important information through Microsoft Teams.

  • Threat actors have developed methods to attack firms through Teams.

  • Firms should treat Teams as a high-risk, high-value system and implement a hardened baseline across identity, collaboration, and network layers.

A Real Incident: From Email Bombing to Extortion


In June, a professional services firm experienced a coordinated attack:

  1. Email bombing as a distraction

    Numerous employees were flooded with junk emails. The firm was using an advanced email security tool and an endpoint detection and response (EDR) product, and neither flagged anything as clearly malicious.

  2. Fake “IT Help Desk” via external Teams call

    Soon after, affected staff received external Microsoft Teams calls from people claiming to be the firm’s IT Help Desk, referencing the email issue. The head of HR answered and, trusting the caller, allowed a remote-control session so “IT” could fix the problem.

  3. Low and slow data theft

    The threat actor installed tools on the HR leader’s system to eavesdrop and discover resources, including the file server. Over the next two months they exfiltrated data in small, carefully timed increments, avoiding Data Loss Prevention (DLP) thresholds and EDR alerts.

  4. Delayed detection and extortion

    The FBI contacted the firm in June about possible issues, but with no clear internal alerts, the firm found nothing conclusive. Only after moving to a different EDR tool and a Managed Security Service Provider (MSSP) in early August did new monitoring reveal renewed email bombing and an email containing an extortion demand tied to the stolen HR data. With highly sensitive employee information at risk of publication on a data leak site, the firm ultimately paid a significant ransom.


This entire chain of events began with a “routine” Teams call.


How Attackers Are Using Teams


  • Impersonating IT or “Security” to bypass MFA

    Attackers pose as “IT” or “Microsoft support” in Teams, claiming urgent security issues. They pressure users to approve unexpected multi-factor authentication (MFA) prompts or enter codes into authenticator apps, granting full account access.

  • Fake help desk and remote-control scams

    Ransomware operators use Teams messages or calls to start remote sessions, install “support” tools, then move laterally into document, HR, and matter systems.

  • Malicious “client documents” in Teams

    Seemingly normal files (e.g., “Updated trial balance – FINAL.xlsx”) are used to deliver loaders and backdoors.

  • Abusing external and guest access

    Broad guest/external access lets attackers masquerade as clients or vendors, silently joining Teams, observing discussions, and downloading documents.


A Practical Teams Security Baseline


To prevent a similar incident, firms should treat Teams as a high-risk, high-value system and implement a hardened baseline across identity, collaboration, and network layers.

  • Governance and Access

    • Clear ownership for Teams security (CISO/IT Security).
    • MFA for all users; phishing-resistant methods (e.g., security keys) for partners, leaders, and admins.
    • Conditional Access (e.g., stronger requirements for sensitive teams; block risky sign-ins).
    • Admin/privileged roles tightly limited, monitored, and time-bound.

  • External Collaboration and Guests

    • Restrict external access to approved domains.
    • Allow guests only with a defined business need and internal sponsor; review and remove regularly.
    • Block or tightly control direct Teams calls from external parties, especially to help desk or high-value users – this would likely have stopped the fake IT call in the case above.

  • Configuration, Apps, and Data Protection

    • Standardized team templates with predefined channels, permissions, and approved apps.
    • Only allow third-party apps from an approved, security-reviewed list.
    • Apply sensitivity labels and DLP policies to Teams content, especially HR, finance, and privileged matters, while recognizing that “low and slow” exfiltration requires complementary controls.

  • Network and Protocol Hardening

    Disable legacy protocols and weak settings that attackers use for local discovery and lateral movement:

    • LLMNR (Link-Local Multicast Name Resolution)
    • NBT-NS (NetBIOS Name Service)
    • mDNS (Multicast Domain Name System)
    • RC4 cipher usage
    • “Allow Reversible Password Encryption”

    A standard hardened configuration would typically disable these by default, removing the local discovery and lateral-movement avenues the attacker relied on in the incident.

  • Monitoring, Response, and User Awareness

    • Integrate Teams and identity logs into SIEM (Security Information and Event Management) and XDR (Extended Detection and Response); monitor external calls and remote sessions.

    • Alert on:
      • External users posing as “IT/Support”
      • Unusual external sharing or access to HR/finance repositories
      • New high-privilege apps or admin actions

    • Maintain incident response playbooks for Teams-based attacks, including impacts on confidentiality, privilege, and HR data.

    • Train users to:
      • Never share MFA codes or approve prompts they didn’t initiate.
      • Never start remote-control sessions based solely on a Teams message/call.
      • Always verify unexpected IT requests via known help desk numbers or ticketing systems.

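The "External Collaboration and Guests" controls above map to a handful of Teams tenant settings. The following is an added example (not code from the Aon article) using the MicrosoftTeams PowerShell module; it assumes an active Connect-MicrosoftTeams session with a Teams administrator role, and all domain, policy and user names are placeholders.

```powershell
# Added example (not from the Aon article): move Teams external access from the
# default "allow all domains" state to an explicit allow-list, block personal
# (consumer) accounts, and remove federated chat/calls entirely for high-value users.
# Domain names, the policy name and user principal names below are placeholders.

# 1. Capture the current state. The weak default is AllowFederatedUsers = True with
#    AllowedDomains = "AllowAllKnownDomains", i.e. any tenant can call or chat in.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowedDomains,
                        AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers

# 2. Build the allow-list from domains with a defined business need and sponsor.
$approvedDomains = @('client-a.example', 'client-b.example', 'outside-counsel.example')
$patterns  = foreach ($d in $approvedDomains) { New-CsEdgeDomainPattern -Domain $d }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns

# 3. Apply the hardened tenant-wide settings: federation only with approved domains,
#    no inbound contact from Teams consumer (personal) or Skype consumer accounts.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false `
                                    -AllowPublicUsers $false

# 4. For help desk, HR, finance and leadership accounts, go further: a per-user
#    external access policy that disables federated chat and calls altogether.
$policyName = 'NoExternalTeamsContact'   # placeholder policy name
if (-not (Get-CsExternalAccessPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-CsExternalAccessPolicy -Identity $policyName `
        -EnableFederationAccess $false `
        -EnablePublicCloudAccess $false `
        -EnableTeamsConsumerAccess $false
}
foreach ($upn in @('hr.lead@firm.example', 'helpdesk@firm.example')) {   # placeholder users
    Grant-CsExternalAccessPolicy -Identity $upn -PolicyName $policyName
}

# 5. Verify the tenant state and the per-user assignment.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound
Get-CsOnlineUser -Identity 'hr.lead@firm.example' | Select-Object UserPrincipalName, ExternalAccessPolicy
```

Review the allow-list on the same cadence as guest accounts; a domain that is never removed is the drift that lets a "client" tenant keep calling in long after the engagement ends.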
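The "Network and Protocol Hardening" list above can be checked on a Windows endpoint before it is enforced by policy. This is an added example (not code from the Aon article) that audits the documented registry locations for LLMNR, mDNS, NBT-NS and Kerberos RC4; it assumes an elevated session, and the function name is the author's own.

```powershell
# Added example (not from the Aon article): audit the legacy-protocol settings in the
# baseline on a Windows endpoint; with -Remediate, write the hardened values (elevated session).
function Test-LegacyProtocolHardening {
    [CmdletBinding()]
    param([switch]$Remediate)

    # Machine-wide DWORD policy settings: key, value name, hardened value, meaning.
    $checks = @(
        @{ Name = 'LLMNR disabled'
           Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
           Val  = 'EnableMulticast'; Want = 0; Note = 'EnableMulticast=0 stops LLMNR queries' },
        @{ Name = 'mDNS disabled'
           Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
           Val  = 'EnableMDNS'; Want = 0; Note = 'EnableMDNS=0 stops multicast DNS resolution' },
        @{ Name = 'Kerberos RC4 disabled'
           Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
           Val  = 'SupportedEncryptionTypes'; Want = 24   # 0x18 = AES128 + AES256 etypes only
           Note = 'SupportedEncryptionTypes=0x18 removes RC4 from Kerberos' }
    )

    $results = @(foreach ($c in $checks) {
        $current = (Get-ItemProperty -Path $c.Key -Name $c.Val -ErrorAction SilentlyContinue).($c.Val)
        $ok = ($null -ne $current) -and ($current -eq $c.Want)
        if (-not $ok -and $Remediate) {
            if (-not (Test-Path $c.Key)) { New-Item -Path $c.Key -Force | Out-Null }
            Set-ItemProperty -Path $c.Key -Name $c.Val -Value $c.Want -Type DWord
            $ok = $true
        }
        [pscustomobject]@{ Check = $c.Name; Current = $current; Hardened = $ok; Note = $c.Note }
    })

    # NBT-NS is per interface: NetbiosOptions 0 = follow DHCP, 1 = enabled, 2 = disabled.
    $ifaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $ifaces -ErrorAction SilentlyContinue) {
        $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        $ok = ($opt -eq 2)
        if (-not $ok -and $Remediate) { Set-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -Value 2 -Type DWord; $ok = $true }
        $results += [pscustomobject]@{ Check = "NBT-NS disabled ($($iface.PSChildName))"; Current = $opt
                                       Hardened = $ok; Note = 'NetbiosOptions=2 disables NetBIOS over TCP/IP' }
    }
    return $results
}

Test-LegacyProtocolHardening | Format-Table -AutoSize
# "Allow Reversible Password Encryption" is a domain password-policy setting, not a local key;
# on a domain controller check: (Get-ADDefaultDomainPasswordPolicy).ReversibleEncryptionEnabled
```

At fleet scale, push the same values through Group Policy or Intune and use the audit only to confirm that the policy has actually landed on each machine.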
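The "Alert on" items in the monitoring list above can be expressed as triage logic over Teams audit records. The following is an added example (not code from the Aon article) run over constructed records shaped like Microsoft 365 Unified Audit Log entries; Operation, CommunicationType and ParticipantInfo.* follow the Teams audit schema, while ActorDisplayName, TeamName contents, the approved-domain list and every sample record are constructed assumptions.

```powershell
# Added example (not from the Aon article): triage logic for the baseline's "alert on" items,
# run over constructed Teams audit records. Field values, names and domains are sample data.
$impersonationPattern = 'it\s*help\s*desk|help\s*desk|service\s*desk|it\s*support|microsoft\s*support|security\s*team'
$sensitiveTeamPattern = 'HR|Payroll|Finance|Matter|Privileged'
$approvedDomains      = @('client-a.example', 'outside-counsel.example')   # mirrors the Teams allow-list

function Find-SuspiciousExternalTeamsActivity {
    param([object[]]$Records)
    foreach ($r in $Records) {
        $p = $r.ParticipantInfo
        $external = ($p.HasForeignTenantUsers -eq $true) -or ($p.HasGuestUsers -eq $true) -or
                    ($p.HasUnauthenticatedUsers -eq $true)
        if (-not $external) { continue }          # internal-only traffic is out of scope here
        $reasons = @()
        $senderDomain = ($r.UserId -split '@')[-1]
        # 1. A 1:1 chat or call from an outside party whose display name claims to be IT/support.
        if ($r.CommunicationType -eq 'OneOnOne' -and $r.ActorDisplayName -match $impersonationPattern) {
            $reasons += 'external sender presenting as IT/support'
        }
        # 2. External sender from a tenant that is not on the approved domain list (allow-list drift).
        if ($r.Operation -eq 'MessageSent' -and $senderDomain -notin $approvedDomains) {
            $reasons += "sender domain $senderDomain not on approved list"
        }
        # 3. A guest or external account added to an HR/finance/matter team.
        if ($r.Operation -eq 'MemberAdded' -and $r.TeamName -match $sensitiveTeamPattern) {
            $reasons += 'external member added to sensitive team'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Time = $r.CreationTime; Operation = $r.Operation
                               Sender = $r.UserId; DisplayName = $r.ActorDisplayName
                               Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample records (not real log data), in the shape Search-UnifiedAuditLog returns.
$sample = @'
[
 {"CreationTime":"2026-04-02T09:14:00","Operation":"MessageSent","CommunicationType":"OneOnOne","UserId":"support@random-tenant.example","ActorDisplayName":"IT Help Desk","ParticipantInfo":{"HasForeignTenantUsers":true,"HasGuestUsers":false,"HasUnauthenticatedUsers":false}},
 {"CreationTime":"2026-04-02T09:20:00","Operation":"MessageSent","CommunicationType":"OneOnOne","UserId":"jane@client-a.example","ActorDisplayName":"Jane Client","ParticipantInfo":{"HasForeignTenantUsers":true,"HasGuestUsers":false,"HasUnauthenticatedUsers":false}},
 {"CreationTime":"2026-04-02T10:05:00","Operation":"MemberAdded","TeamName":"HR - Payroll","UserId":"owner@firm.example","ActorDisplayName":"Team Owner","ParticipantInfo":{"HasForeignTenantUsers":false,"HasGuestUsers":true,"HasUnauthenticatedUsers":false}}
]
'@ | ConvertFrom-Json

Find-SuspiciousExternalTeamsActivity -Records $sample | Format-Table -AutoSize
```

The first and third records are flagged (impersonation plus an unapproved domain, and a guest added to an HR team); the legitimate client chat from an approved domain is not, which is the signal-to-noise balance the monitoring bullets are asking for.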


What This Means for Your Firm


Teams is central to how professional services firms deliver work and maintain client trust.

The incident shows that:

  • A believable Teams call can bypass multiple technical controls.
  • A single high value user can be a gateway to devastating exposure.
  • Low volume exfiltration can evade traditional DLP and endpoint tools for months.

By hardening Teams, tightening external interaction, disabling legacy protocols, strengthening monitoring, and training users to distrust unsolicited “IT” outreach, firms can dramatically reduce the chance that one “Hello, this is IT” Teams call becomes the first step in a major breach or ransomware event.




Contact


The Professional Services Practice at Aon values your feedback. To discuss any of the topics raised in this insight, please contact Allan Vogel or Philip Kibler.

Allan Vogel
Managing Director, CyQu Advisory Practice Leader





Philip Kibler
Senior Vice President, CyQu Advisory
Montreal






About Aon

Aon (NYSE: AON) exists to shape decisions for the better — to protect and enrich the lives of people around the world. Through actionable analytic insight, globally integrated Risk Capital and Human Capital expertise, and locally relevant solutions, our colleagues provide clients in over 120 countries with the clarity and confidence to make better risk and people decisions that help protect and grow their businesses.


©2026 Aon plc. All rights reserved.

Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or insurance advisors on any commentary provided herein. All descriptions, summaries or highlights of coverage described herein are for general informational purposes only and do not amend, alter or modify the actual terms and conditions of any relevant policy. Coverage is governed only by the terms and conditions of such policy. Insurance coverage in any particular case will depend upon the type of policy in effect, the terms, conditions and exclusions in any such policy, and the facts of each unique situation. No representation is made that any specific insurance coverage would apply in the circumstances outlined herein. Please refer to the individual policy forms for specific coverage details.

The information contained in this document and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity.

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.