The scenario
A developer at a 400-person Dutch fintech opens Slack on Monday morning to a DM from someone whose profile reads 'Robert van der Berg — Platform Engineering' and shows the Amsterdam time zone. The message says 'hey, IT asked me to send around the new MFA portal — can you log in once today so we can confirm migration is working?' followed by a link to mfa-portal.fintech-amsterdam.com, a domain that looks plausibly internal. The developer has been with the company three months, does not yet know everyone in Platform Engineering, and asks 'is this safe?'. The reply comes within 18 seconds: 'yes, IT will send the same notice in email later but they wanted us to test the link first since you're in the dev rotation'. The developer clicks, sees a Microsoft-styled login, signs in and completes MFA. Within four minutes the attacker, who had earlier compromised a different employee's account via smishing and was using it to send the Slack DMs as 'Robert', has the developer's session cookie from the AiTM kit behind the fake portal, has registered a new authenticator app on the developer's account, has obtained consent for an attacker-controlled OAuth app, and is pivoting into the source code repositories. The fake portal looked correct. The Slack message came from a 'colleague'. There was no email to be suspicious of.
How the attack works
Chat-platform phishing exploits a structural trust gap. Users built years of suspicion habits around email: checking domains, hovering over links, looking for grammar errors. Chat platforms feel internal by default, so the same suspicion does not kick in.

The 2026 attack patterns split into three groups.

The first is compromised-internal-account broadcasts: the attacker has access to one employee's account (via smishing, AiTM, an OAuth grant, etc.) and uses it to phish coworkers laterally. The DM comes from a trusted person, with their real profile photo and prior message history visible.

The second is external guest-channel infiltration: many Slack and Teams deployments allow external guests in shared channels for collaboration. The attacker joins as a guest (sometimes via a previously compromised partner organisation), participates plausibly for days or weeks, then drops a payload or starts targeted DMs.

The third is impersonation in cross-tenant Teams chat: Microsoft Teams allows external chat with anyone in any tenant unless restricted; attackers create new tenants with display names matching a real colleague or executive and DM staff who do not realise the message is from an external tenant.

MITRE ATT&CK techniques: T1566.003 (Phishing: Spearphishing via Service, which covers phishing delivered over chat platforms), T1078.004 (Valid Accounts: Cloud Accounts), T1199 (Trusted Relationship), T1098.001 (Account Manipulation: Additional Cloud Credentials) for the OAuth app, and T1098.005 (Account Manipulation: Device Registration) for the added authenticator. Defence is technical (restrict external-tenant chat in Teams, restrict Slack external connections, alert on new OAuth apps, new MFA methods and inbox rules) and cultural (treat chat messages requesting credentials or sensitive actions with the same suspicion as email).
What to look for
- DMs requesting login actions, MFA approvals, credential resets, or financial decisions — regardless of how internal they look
- External-marked badge in Teams DMs (Microsoft now adds an 'EXTERNAL' label on cross-tenant chats — read it before responding)
- External-guest status in Slack (the 'GUEST' or 'EXTERNAL' badge near the user's name)
- Sudden behavioural shifts from a known colleague — different tone, urgent requests, off-process asks, refusal to switch to email or in-person verification
- Links to internal-looking domains you do not recognise as part of your normal IdP or tooling — verify before clicking
- DMs from accounts with familiar names but missing prior chat history with you (real coworker DMs usually have a thread; a fresh DM with no history is worth a second thought)
- App-install or webhook-add prompts from a chat colleague — these grant API-level access to channel content
- Cross-tenant message-extension or bot-app prompts in Teams that mimic legitimate internal tools
What to do
- Treat every DM requesting a login or sensitive action with the same suspicion you would apply to an email; chat is not safer. Hover over links, check domains, and ask 'why is IT contacting me in Slack instead of an official channel?' before complying.
- Verify out-of-band before taking action on any unusual chat request. Walk to the person's desk, video-call them on a separate channel, or check in your IdP portal whether the claimed task is genuine.
- Watch for the EXTERNAL or GUEST badge, and never authenticate to a 'colleague' marked external. Microsoft and Slack both mark cross-tenant or guest accounts visibly. Read the badge before reading the message.
- Report unfamiliar DMs requesting credentials to security. Phishing from an internal source means an account is likely compromised; security needs the signal to isolate and investigate.
- Do not install chat apps, message extensions or webhooks without IT review. Once installed, chat apps can read channel content, post as users and pivot to other tools. Treat them like SaaS apps.
- If a Slack/Teams admin role is offered to you that you did not request, decline. Attackers escalate by tricking targets into accepting workspace-admin privileges; an admin role means control over the platform.
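The 'verify the link before clicking' advice above is easy to get wrong: a host such as mfa-portal.fintech-amsterdam.com contains the company name but is not under the company's domain at all. The following triage helper is an added example written for this page, not code from the page or from any vendor. It extracts links from a DM, reduces each host to its registrable domain, and passes only exact matches or true subdomains of an allowlist. The allowlist (`fintech.nl`, `login.microsoftonline.com`, `okta.com`), the brand tokens and the sample DM are all constructed for the example, and the public-suffix handling is a deliberate simplification of the real Public Suffix List.

```python
"""Triage links in a chat DM against the organisation's known login domains.

Added example; the allowlist, brand tokens and sample message are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed: domains the org's IdP and tooling actually live under.
ALLOWED_DOMAINS = {"fintech.nl", "login.microsoftonline.com", "okta.com"}
# Constructed: tokens an attacker would reuse in a lookalike host name.
BRAND_TOKENS = ("fintech", "microsoft", "okta", "mfa", "sso", "login")
# Simplification of the Public Suffix List: two-label suffixes treated as one.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz"}

URL_RE = re.compile(r"https?://[^\s<>'\"]+")


def registrable_domain(host: str) -> str:
    """Return the registrable part of a host (eTLD+1, approximated)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_allowed(host: str) -> bool:
    """Exact match or a real subdomain of an allowed name; never substring."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def triage_link(url: str) -> dict:
    p = urlparse(url)
    host = (p.hostname or "").lower()  # hostname drops any user@ prefix
    reasons = []
    if not is_allowed(host):
        if any(tok in host for tok in BRAND_TOKENS):
            reasons.append("brand-like host outside allowed domains")
        if host.startswith("xn--") or ".xn--" in host:
            reasons.append("punycode label (possible homoglyph)")
        if p.username:
            reasons.append("userinfo before the real host (decoy prefix)")
        if p.scheme != "https":
            reasons.append("not https")
        if not reasons:
            reasons.append("host not in allowed domains")
    verdict = "ok" if not reasons else "verify"
    return {"url": url, "host": host, "registrable": registrable_domain(host),
            "verdict": verdict, "reasons": reasons}


def triage_message(text: str) -> list:
    """Triage every link in a DM; trailing punctuation is stripped from links."""
    return [triage_link(u.rstrip(".,;:)")) for u in URL_RE.findall(text)]


# Constructed DM modelled on the scenario: one lookalike, one genuine link.
SAMPLE_DM = ("hey, IT asked me to send around the new MFA portal: "
             "https://mfa-portal.fintech-amsterdam.com/login ; "
             "the old one is https://sso.fintech.nl/")

if __name__ == "__main__":
    for r in triage_message(SAMPLE_DM):
        print(r["verdict"].upper(), r["host"], "->", r["registrable"], r["reasons"])
```

The point of `is_allowed` is that it matches on a dot boundary: `sso.fintech.nl` passes, `fintech.nl.evil.example` and `fintech-amsterdam.com` do not. A check that merely looks for the brand name in the URL would have accepted the scenario's phishing host.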
Defence: for IT and policy
Technical controls
- Microsoft Teams: restrict external-tenant chat to an allowed-domain list only (Teams admin centre → External access), and also turn off chat with unmanaged consumer Teams accounts. Default-open settings are a documented attack surface.
- Slack: restrict guest accounts to specific channels, require IT approval for new Slack Connect connections, and disable email or Slack Connect invites without admin approval
- Defender for Cloud Apps and the Slack Audit Logs API (Enterprise Grid) with alerting on: new external DM threads, new app installs, new webhook creation, new OAuth grants originating from chat platforms, and new MFA methods registered shortly after a sign-in. (Slack EKM is key management, not an alerting source.)
- Phishing-resistant MFA (FIDO2 / passkeys), the same control as for email phishing: the assertion is bound to the real origin, so an AiTM proxy on a lookalike domain cannot complete the login or capture a usable session in the first place
- DLP on chat platforms for outbound disclosure of credentials, OTPs, IBANs, contract numbers
- Bot-and-app inventory review quarterly — every installed chat app has a documented business owner; orphaned apps get removed
- Visible external-badge enforcement (default in modern Slack/Teams; ensure it is not suppressed)
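The alerting items above describe signals that are weak on their own but strong in combination: one account fanning out link-bearing DMs to many colleagues, followed by a recipient registering a new MFA method and consenting to an OAuth app. The detection below is an added example written for this page, not code from the page, Microsoft or Slack. The event records are constructed and already normalised; a real pipeline would map the Slack Audit Logs API and Entra ID audit log fields into this shape. The Slack action name `dm_sent` is a placeholder (Slack's audit log does not expose DM contents), and the Entra activity names are modelled on the portal's display names and should be checked against your tenant.

```python
"""Correlate a chat DM broadcast with identity changes on a recipient.

Added example. EVENTS is constructed; field names and the 'dm_sent' action
are placeholders for whatever your log pipeline normalises to.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BROADCAST_MIN_RECIPIENTS = 5
BROADCAST_WINDOW = timedelta(minutes=15)
CHAIN_WINDOW = timedelta(minutes=30)

MFA_REGISTERED = "User registered security info"   # assumed Entra activity name
OAUTH_CONSENT = "Consent to application"           # assumed Entra activity name


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _dm(time, actor, target, has_link=True):
    return {"source": "slack", "time": time, "actor": actor,
            "action": "dm_sent", "target": target, "has_link": has_link}


def _entra(time, actor, action, target):
    return {"source": "entra", "time": time, "actor": actor,
            "action": action, "target": target}


# Constructed sample modelled on the scenario: a compromised account fans out
# six link-bearing DMs, then one recipient adds an MFA method and consents to
# an app. 'alice' registering a new method with nothing else is benign noise.
EVENTS = [
    _dm("2026-03-02T08:41:07Z", "robert.vdberg", "dev01"),
    _dm("2026-03-02T08:41:40Z", "robert.vdberg", "dev02"),
    _dm("2026-03-02T08:42:15Z", "robert.vdberg", "dev03"),
    _dm("2026-03-02T08:43:02Z", "robert.vdberg", "dev04"),
    _dm("2026-03-02T08:44:50Z", "robert.vdberg", "dev05"),
    _dm("2026-03-02T08:46:11Z", "robert.vdberg", "dev06"),
    _dm("2026-03-02T08:50:00Z", "bob", "dev02", has_link=False),
    _entra("2026-03-02T08:47:30Z", "dev01", MFA_REGISTERED, "dev01"),
    _entra("2026-03-02T08:49:02Z", "dev01", OAUTH_CONSENT, "Mail Sync Helper"),
    _entra("2026-03-02T10:15:00Z", "alice", MFA_REGISTERED, "alice"),
]


def detect_dm_broadcast(events, min_recipients=BROADCAST_MIN_RECIPIENTS,
                        window=BROADCAST_WINDOW):
    """One actor sending link-bearing DMs to many distinct people in a window."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: _t(e["time"])):
        if e["source"] == "slack" and e["action"] == "dm_sent" and e.get("has_link"):
            by_actor[e["actor"]].append(e)
    alerts = []
    for actor, evs in by_actor.items():
        for i, start in enumerate(evs):  # sliding window anchored at each DM
            recips = {x["target"] for x in evs[i:]
                      if _t(x["time"]) - _t(start["time"]) <= window}
            if len(recips) >= min_recipients:
                alerts.append({"rule": "dm_broadcast", "actor": actor,
                               "recipients": sorted(recips), "first": start["time"]})
                break
    return alerts


def detect_mfa_then_consent(events, window=CHAIN_WINDOW):
    """New MFA method followed by an OAuth consent on the same account."""
    by_user = defaultdict(list)
    for e in events:
        if e["source"] == "entra":
            by_user[e["actor"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        reg_times = [_t(e["time"]) for e in evs if e["action"] == MFA_REGISTERED]
        for e in evs:
            if e["action"] == OAUTH_CONSENT and any(
                    timedelta(0) <= _t(e["time"]) - r <= window for r in reg_times):
                alerts.append({"rule": "mfa_register_then_consent", "user": user,
                               "app": e["target"], "time": e["time"]})
    return alerts


def run(events):
    """Run both detectors; escalate identity chains on broadcast recipients."""
    broadcasts = detect_dm_broadcast(events)
    targeted = {r for b in broadcasts for r in b["recipients"]}
    chains = detect_mfa_then_consent(events)
    for c in chains:
        c["severity"] = "high" if c["user"] in targeted else "medium"
    return broadcasts + chains


if __name__ == "__main__":
    for a in run(EVENTS):
        print(a)
```

Tune `BROADCAST_MIN_RECIPIENTS` against your baseline (team leads legitimately DM many people), but keep `has_link` in the filter: the lateral phishing pattern always carries a link or an attachment, while a benign announcement often does not.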
Policy controls
- Written policy: IT will not deliver MFA changes, password resets or credential requests via chat. Any such message in chat is a phishing attempt.
- Written policy: payment instructions, credential disclosures and supplier banking changes are not authorised via chat — must go through workflow
- Onboarding includes a 'chat is not safer than email' segment — explicitly named
- Periodic guest-account review — every external user in your Slack or Teams workspace is reviewed against business need quarterly; orphans removed
- Documented incident playbook for compromised-account chat broadcasts: revoke sessions and refresh tokens, revoke OAuth grants, remove any MFA method or device registered during the compromise window, audit the messages the account sent (and to whom), and notify every recipient
Training cadence
Pair the email-phishing simulation with a quarterly chat-phishing exercise; most enterprise phishing-simulation platforms now support Slack and Teams scenarios. Track the reporting rate of unfamiliar DMs. The cultural shift takes longer than email training because the default level of trust is higher, so consistent quarterly reinforcement matters.
Quick check
Five questions. Answers and explanations appear after submitting.
- Q1. A colleague DMs you in Slack with a link to 'the new IT MFA portal' and asks you to log in to confirm migration. The link domain looks vaguely internal. What is your correct action?
- Q2. In Microsoft Teams, what does an 'EXTERNAL' badge near a user's name mean?
- Q3. An attacker compromises one employee account and starts DMing colleagues from inside Slack. Why is this attack so effective?
- Q4. A Teams chat app prompts you to install with 'read all messages in your channels' permission. What is the right response?
- Q5. Which technical control most directly reduces external-tenant Teams chat phishing in 2026?
Sources & further reading
- Microsoft — Teams external collaboration security guidance[primary]
- Slack — Guest accounts and Connect security model[primary]
- MITRE ATT&CK — T1199 Trusted Relationship[primary]
- NCSC-NL — Collaboration platforms and chat security (Samenwerkingsplatformen en chat-beveiliging)[primary]
- Krebs on Security — Uber 2022 / Slack-pivot coverage[secondary]
- Mandiant — UNC3944 / Scattered Spider chat-pivot tradecraft[secondary]