Microsoft Teams

Attackers are actively exploiting the OAuth device code flow in Microsoft 365 to bypass multi-factor authentication (MFA) and gain initial access, leveraging phishing kits like Kali365 and tradecraft similar to Storm-2372 to harvest MFA-satisfied tokens from non-compliant or attacker-controlled devices, and subsequently establishing persistence through device registration.

Microsoft disrupted a malware-signing-as-a-service (MSaaS) operation run by Fox Tempest that abused the Azure Artifact Signing service to generate fraudulent code-signing certificates, enabling malware to bypass security controls.

Hackers injected credential-stealing malware into newly published versions of the node-ipc npm package in a supply chain attack, collecting cloud credentials, SSH keys, CI/CD secrets, and other sensitive data, exfiltrating it through DNS TXT queries.

The MuddyWater group is disguising its cyber-espionage operations as Chaos ransomware attacks, using Microsoft Teams social engineering for initial access and establishing persistence, likely to complicate attribution and mask their true objectives.

UNC6692 is a newly discovered, financially motivated threat actor that combines social engineering via Microsoft Teams, custom malware named SNOWBELT, and abuse of legitimate AWS S3 cloud infrastructure in its attack campaigns to steal credentials and prepare for data exfiltration.

The April 2026 Red Canary Intelligence Insights highlights the axios npm compromise, TeamPCP's LiteLLM compromise via PyPI, and a surge in Microsoft Teams phishing, leading to RAT deployment, credential harvesting, ransomware deployment, or data theft.

The detection rule identifies suspicious child processes spawned from communication applications on Windows systems, potentially indicating masquerading or exploitation of vulnerabilities within these applications.