Suddenly your inbox starts filling up with hundreds of newsletters you never signed up for.
Minutes later, a Teams message appears from “IT Support” offering to help.
A social engineering technique observed in several incidents combines two simple elements: large volumes of spam and fake IT support.
The attack typically begins when the victim receives a sudden flood of spam emails.
This is often the result of so-called subscription bombing, where the victim’s email address is registered with hundreds of online services and newsletters.
The result is an inbox that quickly fills with confirmation emails, newsletters, and other automated messages.
Shortly after the spam flood begins, the attacker contacts the victim through a collaboration platform such as Microsoft Teams, pretending to be from the organization’s IT department.
The attacker claims they have noticed the unusual email activity and want to help resolve the issue.
To “fix the problem,” the attacker asks the user to start a support session using a remote administration tool. The tool used is often Quick Assist, which is built into Windows, but tools such as AnyDesk, TeamViewer, or similar may also be used. Because the user is already experiencing a real problem — a spam flood in their inbox — the request may appear legitimate.
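The two stages above (a sudden flood of subscription confirmations to one mailbox, followed by a remote-assistance tool starting on that user's machine) are what a detection should look for. The following Python is an added example, not code from the original page or from any vendor: it runs a sliding-window check over constructed mail-trace records and then correlates any subscription-bomb alert with constructed process-creation events for Quick Assist, AnyDesk or TeamViewer. The record layout, thresholds, keyword list and the assumption that the SIEM has already normalized the mailbox address and the Windows logon user to the same identifier are all assumptions made for the example.

```python
"""Detect subscription bombing followed by a remote-assistance tool launch.

Added example: the log formats below are constructed for illustration and
assume both mail and process events carry the user's UPN (e.g. alice@example.com).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Mail:           # one inbound message from a mail-trace export
    ts: datetime
    recipient: str
    sender: str
    subject: str


@dataclass(frozen=True)
class ProcessStart:   # one process-creation event from the endpoint
    ts: datetime
    user: str
    host: str
    image: str


# Subject fragments typical of sign-up confirmations (assumed list, tune per environment).
SUBSCRIPTION_HINTS = ("confirm", "welcome", "verify", "subscription", "newsletter")
# Remote-assistance binaries named in the article (lower-case basenames).
REMOTE_TOOLS = ("quickassist.exe", "anydesk.exe", "teamviewer.exe")


def looks_like_subscription(subject: str) -> bool:
    s = subject.lower()
    return any(hint in s for hint in SUBSCRIPTION_HINTS)


def detect_subscription_bomb(mail, window=timedelta(minutes=10),
                             min_messages=50, min_senders=30):
    """Return {recipient: (window_start, message_count, distinct_sender_domains)}
    for every mailbox that received a burst of subscription-style mail."""
    by_rcpt = defaultdict(list)
    for m in mail:
        if looks_like_subscription(m.subject):
            by_rcpt[m.recipient].append(m)

    alerts = {}
    for rcpt, msgs in by_rcpt.items():
        msgs.sort(key=lambda m: m.ts)
        j = 0
        for i in range(len(msgs)):          # sliding window over sorted timestamps
            while j < len(msgs) and msgs[j].ts - msgs[i].ts <= window:
                j += 1
            chunk = msgs[i:j]
            domains = {m.sender.split("@")[-1].lower() for m in chunk}
            # Many distinct sender domains is what separates a bombing from one noisy list.
            if len(chunk) >= min_messages and len(domains) >= min_senders:
                alerts[rcpt] = (msgs[i].ts, len(chunk), len(domains))
                break
    return alerts


def correlate(alerts, processes, max_gap=timedelta(hours=2)):
    """Pair each remote-tool launch with a bombing alert for the same user
    that started at most max_gap before the tool started."""
    incidents = []
    for p in processes:
        image = p.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image not in REMOTE_TOOLS:
            continue
        hit = alerts.get(p.user)
        if hit and hit[0] <= p.ts <= hit[0] + max_gap:
            incidents.append({"user": p.user, "host": p.host, "tool": image,
                              "bomb_started": hit[0], "tool_started": p.ts})
    return incidents


def build_sample():
    """Constructed sample logs: alice is bombed and then starts Quick Assist;
    bob gets one real newsletter; carol runs TeamViewer with no bombing."""
    t0 = datetime(2024, 5, 6, 9, 0)
    mail = [Mail(t0 + timedelta(seconds=4 * i), "alice@example.com",
                 f"noreply@shop{i % 80}.example", f"Please confirm your subscription #{i}")
            for i in range(120)]                          # 120 mails, 80 domains, 8 minutes
    mail.append(Mail(t0 + timedelta(minutes=3), "bob@example.com", "hr@example.com", "Timesheet reminder"))
    mail.append(Mail(t0 + timedelta(minutes=5), "bob@example.com", "noreply@news.example", "Welcome to our newsletter"))
    procs = [
        ProcessStart(t0 + timedelta(minutes=25), "alice@example.com", "WS-0142", r"C:\Windows\System32\quickassist.exe"),
        ProcessStart(t0 + timedelta(minutes=30), "carol@example.com", "WS-0077", r"C:\Program Files\TeamViewer\TeamViewer.exe"),
    ]
    return mail, procs


if __name__ == "__main__":
    sample_mail, sample_procs = build_sample()
    for inc in correlate(detect_subscription_bomb(sample_mail), sample_procs):
        print(f"ALERT {inc['user']} on {inc['host']}: {inc['tool']} started at "
              f"{inc['tool_started']:%H:%M}, bombing began {inc['bomb_started']:%H:%M}")
```

The remote-tool launch alone is a weak signal (help desks use Quick Assist legitimately) and the spam burst alone is mostly a nuisance; it is the order and timing of the two, within a couple of hours and for the same user, that distinguishes this technique, which is why the example raises an incident only on the correlation.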
Once the attacker gains access to the system, several actions may follow depending on the objective of the attack.
Examples include:
- deployment of ransomware
- theft of files or sensitive information
- credential harvesting
- lateral movement within the network
- establishing persistent access to the system
The technique works because it exploits human behavior rather than technical vulnerabilities.
By first creating confusion and stress through the spam flood, the likelihood increases that the user will accept help from someone claiming to be IT support.
How to Reduce the Risk
In many environments, messages from external users in Microsoft Teams are labeled with indicators such as External, Guest, Unverified, or similar warnings.
These indicators help users recognize that the message does not come from an internal colleague or the organization’s IT department.
If someone claiming to be internal IT support contacts a user via Teams, these indicators should always be checked.
Organizations should ensure that such labels and warnings are properly configured in Teams so that users can more easily distinguish between internal and external communications.
If this has not already been reviewed or implemented in the environment, assess the current external-access configuration in Teams and the procedure staff are expected to follow when someone claiming to be IT support contacts them, for example verifying the request through a known internal channel before starting any remote session.
In many ways, this is a modern version of the classic “fake Microsoft support” phone scam.
The difference is that attackers now create a real problem first — such as a spam flood — before offering to “help” fix it.