Microsoft Teams Gets External Domain Anomaly Detection to Combat Social Engineering Attacks

Microsoft is introducing the External Domains Anomalies Report for Teams, a security feature designed to help administrators identify suspicious external communications before they escalate into breaches.

The tool, scheduled for global rollout in February 2026, addresses a critical gap as threat actors increasingly exploit Teams for social engineering campaigns.

How It Works

The feature uses pattern analysis to establish baselines of normal communication behavior and flags deviations that could indicate security concerns. The system monitors three key indicators:

  • Sudden spikes in messaging volume with external parties
  • First-time communications with previously unknown domains
  • Unusual engagement patterns that deviate from established norms

When anomalies are detected, administrators receive actionable insights through a dedicated report, enabling security teams to investigate risky interactions before data exfiltration occurs.
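As an added illustration of the three indicators above (this is not Microsoft's implementation, which is not public), the following Python sketch runs a per-domain and per-user baseline over constructed daily message counts and flags first-seen domains, volume spikes and new user-to-domain pairings; the spike factor and minimum baseline window are assumed thresholds.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample records (not real Teams data): (day, internal user, external domain, messages).
SAMPLE_EVENTS = [
    (date(2026, 2, 2), "alice", "partner.example", 4),
    (date(2026, 2, 3), "alice", "partner.example", 5),
    (date(2026, 2, 4), "alice", "partner.example", 3),
    (date(2026, 2, 5), "alice", "partner.example", 6),
    (date(2026, 2, 6), "alice", "partner.example", 4),
    (date(2026, 2, 9), "alice", "partner.example", 41),   # spike against her own baseline
    (date(2026, 2, 9), "bob", "newtenant.example", 7),    # domain the org has never messaged
    (date(2026, 2, 9), "carol", "partner.example", 2),    # known domain, new user pairing
]


def find_external_domain_anomalies(events, review_day, spike_factor=3.0, min_baseline_days=3):
    """Return (kind, user, domain, messages) findings for review_day.

    The baseline is everything strictly before review_day. Three checks mirror
    the indicators described in the article (thresholds are assumptions):
      first_seen_domain    - the org has never messaged this domain before
      volume_spike         - a user's daily count exceeds spike_factor x that
                             user's mean daily count with the domain
      new_user_domain_pair - the domain is known to the org, but not to this user
    """
    org_history = defaultdict(list)   # domain -> daily counts across all users
    pair_history = defaultdict(list)  # (user, domain) -> daily counts
    for day, user, domain, count in events:
        if day < review_day:
            org_history[domain].append(count)
            pair_history[(user, domain)].append(count)

    findings = []
    for day, user, domain, count in events:
        if day != review_day:
            continue
        if domain not in org_history:
            findings.append(("first_seen_domain", user, domain, count))
            continue
        history = pair_history.get((user, domain))
        if not history:
            findings.append(("new_user_domain_pair", user, domain, count))
        elif len(history) >= min_baseline_days and count > spike_factor * mean(history):
            findings.append(("volume_spike", user, domain, count))
    return findings


if __name__ == "__main__":
    for finding in find_external_domain_anomalies(SAMPLE_EVENTS, date(2026, 2, 9)):
        print(finding)
```

In practice the input would come from the Teams or Microsoft 365 audit records an organization already collects, with the baseline window sized to the organization's normal external traffic.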

Why It Matters

The feature arrives as ransomware groups have intensified social engineering attacks through Teams. Black Basta has been observed flooding victim inboxes with thousands of emails, then using Teams chats to pose as IT help desk staff and convince users to install remote access tools like AnyDesk.

In late October 2024, the group added targeted users to Teams chats with external users operating from newly created Entra ID tenants designed to appear as legitimate support personnel—ultimately gaining remote access to victim machines.

Availability

The External Domains Anomalies Report will roll out to standard multi-tenant environments on the web platform starting February 2026 under Microsoft 365 Roadmap ID 536572.

Organizations can enable the feature through the Teams admin center:

  1. Navigate to Notifications & alerts → Rules
  2. Select External domain anomalies
  3. Change status to Active
  4. Choose a Teams channel to receive alert notifications

This capability builds on earlier Teams security enhancements, including warnings for malicious URLs and blocking risky file types in chats.
