If your staff uses Microsoft Teams, there’s a new scam you need to know about — and it’s already hit businesses across the country.
How the Scam Works
Ransomware groups are calling employees directly on Microsoft Teams, pretending to be IT support. Here’s what it looks like:
Step 1: The inbox bomb. Your employee suddenly gets hundreds (sometimes thousands) of spam emails in minutes. Their inbox becomes unusable.
Step 2: The rescue call. A Teams call comes in from someone named “Help Desk” or “IT Support.” They say they noticed the spam attack and want to help fix it right now.
Step 3: The trap. The caller asks your employee to share their screen or open a tool called Quick Assist (it’s already installed on every Windows computer). Once they do, the attacker has full access to the machine.
Step 4: The damage. The attacker installs backdoors, steals passwords, and spreads across your network. In many cases, this ends with ransomware — your files encrypted and a payment demand.
Microsoft confirmed this attack is actively being used by organized ransomware groups, including the crew behind Black Basta — one of the most active ransomware operations in the world.
Why This Catches People Off Guard
A phone call from an unknown number? Most people would ignore it. But a Teams call from “IT Support” feels like it’s coming from inside the building. Employees trust it because:
– It shows up right in Teams, alongside real work conversations
– The attacker uses a display name that looks like your actual IT department or MSP
– The spam flood creates real panic — people want help
This is especially effective at businesses that use a managed IT provider like SWFIT, because employees are already used to getting support from someone external.
What We Want You to Tell Your Team
Print this out. Put it in the break room. Say it at your next staff meeting:
1. SWFIT will never cold-call you on Teams and ask to share your screen. If we need remote access, we’ll coordinate through a support ticket — not an unexpected call.
2. If someone calls you on Teams claiming to be IT support and you weren’t expecting it — hang up. Then call us at (813) 999-0086 to verify.
3. A flood of spam emails followed by a “helpful” call is the attack pattern. If both happen within the same hour, it’s almost certainly a scam.
4. Never open Quick Assist because someone on Teams asked you to. Quick Assist gives full remote control of your computer. Only open it when you initiated the support request.
What SWFIT Does to Protect You
For our managed clients, we’ve already put protections in place:
– External Teams access is restricted. People outside your organization can’t just call or message your employees on Teams without authorization.
– Quick Assist is disabled on managed devices where it’s not needed.
– Conditional Access policies block sign-ins from unrecognized devices — so even stolen passwords can’t be used from the attacker’s computer.
– Email filtering catches the spam flood before most of it reaches the inbox.
If you’re not sure whether these protections are active on your systems, we can check in about 15 minutes. No charge — just call or email us.
One More Thing
This attack doesn’t exploit a software bug. There’s no patch for it. It works because it tricks a real person into voluntarily giving access. That means the most important defense is your staff knowing what to look for.
Share this with your team. A two-minute conversation now could save you from a very bad day later.
SWFIT — Southwest Florida IT | (813) 999-0086 | hello@swfit.io
