
Microsoft Teams trust abuse: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Black Basta used compromised legitimate Teams tenants and external-domain messaging to bypass policy checks, target executives in 75% of cases, and reach remote access within minutes of email bombing, according to Abnormal AI. Policies, playbooks, and automation now need to work together because trust-based collaboration attacks can move faster than manual response.

NHIMG editorial — based on content published by Abnormal AI: Key Insights on Black Basta's Microsoft Teams attack path and collaboration security gaps

Questions worth separating out

Q: How should security teams handle trust assumptions in Microsoft Teams?

A: Treat Teams as a governed identity channel, not a safe default.

Q: Why do collaboration attacks like Teams phishing bypass normal controls?

A: They work because they operate within approved communication parameters.

Q: What breaks when phishing links persist in Teams calendars after email cleanup?

A: Cleanup becomes incomplete.

Practitioner guidance

  • Tighten external collaboration boundaries: restrict which external domains can initiate Teams contact, review guest access capabilities, and remove unnecessary contact-search and file-access privileges for outside users.
  • Add collaboration-specific containment steps: document playbooks for IT impersonation, malicious files, OAuth abuse, and calendar persistence, including tenant-wide searches for invites and related artifacts.
  • Automate the first containment action: block suspicious Teams content in near real time, correlate email and chat activity in a unified view, and trigger escalation before a user can act on the lure.

What's in the full article

Abnormal AI's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step Teams containment actions for IT impersonation, malicious files, OAuth abuse, and calendar persistence.
  • Practical examples of how external access policies, guest access, and Safe Links fit into a layered response model.
  • Detection and remediation workflow detail for teams that need to operationalise real-time blocking across collaboration channels.
  • Examples of how a unified threat log changes investigation when email and Teams are both in scope.

👉 Read Abnormal AI's analysis of Microsoft Teams trust abuse and Black Basta tactics →


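The three guidance points above describe one procedure: narrow who can reach users externally, write down the containment steps, and automate the first action by correlating email and Teams activity. The following is an added illustration of that last step, written for this thread and not taken from Abnormal AI's article or from NHIMG. It takes a constructed email-gateway log and a constructed Teams message log, finds mailboxes hit by an email-bombing burst, and flags inbound external Teams messages that arrive shortly afterwards, so a block-and-escalate action can fire before the recipient replies. The tenant domain, the federation allowlist, the thresholds, the impersonation keywords and every log record are assumptions made up for the example; the function names are the example's own.

```python
"""Correlate email-bombing bursts with follow-up external Teams contact.

Added example for this thread (not Abnormal AI's or NHIMG's code).
All domains, thresholds and log records below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# --- assumed tenant settings (not from the article) ---------------------
TENANT_DOMAIN = "corp.example"                       # our own Teams tenant
ALLOWED_EXTERNAL_DOMAINS = {"partner.example"}       # federation allowlist
EMAIL_BURST_THRESHOLD = 50                           # emails to one mailbox
EMAIL_BURST_WINDOW = timedelta(minutes=10)           # ...inside this window
TEAMS_FOLLOWUP_WINDOW = timedelta(minutes=30)        # lure expected soon after
IT_IMPERSONATION_HINTS = ("help desk", "helpdesk", "it support", "service desk")


def _domain(upn: str) -> str:
    """Lower-cased domain part of a user principal name."""
    return upn.rsplit("@", 1)[-1].lower()


def find_email_bursts(email_log, threshold=EMAIL_BURST_THRESHOLD,
                      window=EMAIL_BURST_WINDOW):
    """Return {recipient: start time of the first burst} for every mailbox
    that received at least `threshold` messages within any sliding `window`."""
    by_recipient = defaultdict(list)
    for rec in email_log:
        by_recipient[rec["recipient"]].append(datetime.fromisoformat(rec["ts"]))
    bursts = {}
    for recipient, times in by_recipient.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:      # slide the window's left edge
                lo += 1
            if hi - lo + 1 >= threshold:
                bursts[recipient] = times[lo]
                break
    return bursts


def correlate(email_log, teams_log, allowlist=ALLOWED_EXTERNAL_DOMAINS):
    """Score inbound external Teams messages against the email log.

    'block_and_escalate' means the message is auto-blocked and the on-call is
    paged; 'review' means it is queued for an analyst. An allowlisted domain
    still gets blocked when it follows an email burst, because a compromised
    legitimate tenant passes the allowlist check.
    """
    bursts = find_email_bursts(email_log)
    alerts = []
    for msg in teams_log:
        sender_domain = _domain(msg["sender"])
        if sender_domain == TENANT_DOMAIN:
            continue                              # internal chat: out of scope here
        ts = datetime.fromisoformat(msg["ts"])
        signals = []
        if sender_domain not in allowlist:
            signals.append("external_domain_not_allowlisted")
        burst_start = bursts.get(msg["recipient"])
        if burst_start is not None and burst_start <= ts <= burst_start + TEAMS_FOLLOWUP_WINDOW:
            signals.append("email_burst_preceded_contact")
        if any(h in msg.get("display_name", "").lower() for h in IT_IMPERSONATION_HINTS):
            signals.append("it_impersonation_name")
        if not signals:
            continue
        action = "block_and_escalate" if "email_burst_preceded_contact" in signals else "review"
        alerts.append({"ts": msg["ts"], "recipient": msg["recipient"],
                       "sender": msg["sender"], "signals": signals, "action": action})
    return sorted(alerts, key=lambda a: a["ts"])   # ISO timestamps sort chronologically


# --- constructed sample logs ---------------------------------------------
BASE = datetime(2025, 1, 15, 9, 0)
EMAIL_LOG = [  # 60 subscription confirmations to the CFO in under 8 minutes
    {"ts": (BASE + timedelta(seconds=8 * i)).isoformat(),
     "recipient": "cfo@corp.example", "sender": f"list{i}@bulk-sender.example"}
    for i in range(60)
] + [
    {"ts": (BASE + timedelta(minutes=5)).isoformat(),
     "recipient": "analyst@corp.example", "sender": "report@partner.example"},
]
TEAMS_LOG = [
    {"ts": (BASE + timedelta(minutes=14)).isoformat(), "sender": "support@other-tenant.example",
     "display_name": "IT Help Desk", "recipient": "cfo@corp.example"},
    {"ts": (BASE + timedelta(minutes=16)).isoformat(), "sender": "ops@partner.example",
     "display_name": "Ops", "recipient": "cfo@corp.example"},
    {"ts": (BASE + timedelta(minutes=20)).isoformat(), "sender": "pm@partner.example",
     "display_name": "Project Lead", "recipient": "analyst@corp.example"},
    {"ts": (BASE + timedelta(minutes=22)).isoformat(), "sender": "hr@corp.example",
     "display_name": "HR", "recipient": "cfo@corp.example"},
]

if __name__ == "__main__":
    for alert in correlate(EMAIL_LOG, TEAMS_LOG):
        print(alert["action"], alert["recipient"], "<-", alert["sender"], alert["signals"])
```

Two alerts come out of the sample data: the non-allowlisted "IT Help Desk" sender trips all three signals, and the allowlisted partner.example sender still trips the burst signal, which is the point of correlating the two channels rather than relying on federation policy alone. The partner message to the analyst, who received no burst, produces nothing. In production the email burst detector would run on the gateway's own events and the block action would call the collaboration platform's API; both are left as the assumed boundary of this example.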



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Trust-based collaboration security has outgrown simple policy enforcement. Allowlist checks, guest controls, and device compliance rules reduce exposure, but they do not prove that a message is safe or that the sender is acting legitimately. Black Basta's use of compromised tenants shows that permitted parameters can still carry hostile activity. The implication is that collaboration security must be judged by trust validation, not just access eligibility.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when Teams incidents spread before the SOC responds?

A: Accountability sits with the collaboration, identity, and detection owners together. A slow manual response model cannot keep pace with real-time social engineering, so teams need defined ownership for external access policy, automated blocking, and incident triage across email and collaboration tools.

👉 Read our full editorial: Microsoft Teams trust abuse is outpacing policy-based controls



   
ReplyQuote
Share: