
Attackers are calling employees via Teams posing as IT support or banks. Vishing grew 442 percent last year. Microsoft's new brand impersonation protection detects suspicious calls in real time. What do your employees see, what do you need to configure, and what additional measures help?
Telephone fraud has a new face. Where attackers once called from anonymous call centres, they now use Microsoft Teams to approach employees as apparent IT colleagues, bank employees, or government agencies. Teams has become the new business telephone network for hundreds of millions of users, making it an equally attractive attack channel.
The numbers are alarming. Voice phishing, also known as vishing, grew 442 percent last year. Seventy percent of organisations have now been targeted by a vishing attack. Microsoft responded this spring with a new security function built directly into Teams Calling: brand impersonation protection. What does it entail, what do your employees see, and which additional steps are advisable?
The best-documented attack method shows how sophisticated the approach has become. Attackers register their own Microsoft 365 tenant so their Teams account appears legitimate, then call employees of a target organisation via a Teams call. They introduce themselves as IT support or helpdesk and claim a security problem has been discovered on the employee's computer. Once trust is established, they persuade the victim to activate Quick Assist or a similar remote access application.
Once access is granted, the attackers install malware, steal credentials, and in the most serious cases gain full access to the corporate network. What makes this attack so effective is that no software vulnerability is exploited. The attack works purely through trust: trust in a familiar application that appears legitimate.
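Because no vulnerability is exploited, the sequence itself is the signal: an answered first-contact call from an external domain, followed shortly by a remote-assistance tool starting for the same user. The following is an added example, not code from the original article or from Microsoft; the records are constructed, and the field names (`Callee`, `CallerDomain`, `FirstContact`, `Answered`, `Image`), the function name and the 30-minute window are assumptions to map onto your own call-record and endpoint process-creation exports.

```powershell
# Constructed sample records; field names are assumptions, not a real export schema.
$calls = @(
    [pscustomobject]@{ Time = [datetime]'2026-05-12T09:14:00'; Callee = 'a.jansen@corp.example'
                       CallerDomain = 'it-helpdesk.example'; FirstContact = $true; Answered = $true }
    [pscustomobject]@{ Time = [datetime]'2026-05-12T10:02:00'; Callee = 'b.smit@corp.example'
                       CallerDomain = 'partner.example'; FirstContact = $false; Answered = $true }
)
$processEvents = @(
    [pscustomobject]@{ Time = [datetime]'2026-05-12T09:21:00'; User = 'a.jansen@corp.example'
                       Image = 'C:\Windows\System32\QuickAssist.exe' }
    [pscustomobject]@{ Time = [datetime]'2026-05-12T13:40:00'; User = 'b.smit@corp.example'
                       Image = 'C:\Windows\System32\QuickAssist.exe' }
)

function Find-CallThenRemoteAssist {
    param(
        [object[]]$Calls,
        [object[]]$ProcessEvents,
        [string[]]$TrustedDomains = @(),
        [string[]]$RemoteTools = @('QuickAssist.exe', 'msra.exe'),
        [int]$WindowMinutes = 30
    )
    foreach ($call in $Calls) {
        # Only answered calls from external callers the user has never spoken to.
        if (-not $call.Answered -or -not $call.FirstContact) { continue }
        if ($TrustedDomains -contains $call.CallerDomain) { continue }
        $deadline = $call.Time.AddMinutes($WindowMinutes)
        foreach ($p in $ProcessEvents) {
            $tool = ($p.Image -split '\\')[-1]   # file name without the path
            if ($p.User -eq $call.Callee -and $RemoteTools -contains $tool -and
                $p.Time -ge $call.Time -and $p.Time -le $deadline) {
                [pscustomobject]@{
                    Callee           = $call.Callee
                    CallerDomain     = $call.CallerDomain
                    CallTime         = $call.Time
                    Tool             = $tool
                    MinutesAfterCall = [int]($p.Time - $call.Time).TotalMinutes
                }
            }
        }
    }
}

Find-CallThenRemoteAssist -Calls $calls -ProcessEvents $processEvents -TrustedDomains 'partner.example' |
    Format-Table -AutoSize
```

A Quick Assist session that a user started after opening a helpdesk ticket will also match if the timing coincides, so treat hits as leads to confirm with the user rather than as verdicts.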
Microsoft rolled out brand impersonation protection for Teams Calling in May 2026. The feature analyses inbound calls from external callers you have never previously spoken to, so-called first-contact callers, and evaluates in real time whether the call shows signs of brand impersonation. This covers callers who imitate the identity of a known organisation, IT service provider, bank, or government agency in their display name, behaviour, or context.
The feature is enabled by default for all tenants using Teams Calling. No additional configuration is required and existing calling policies remain unchanged. The analysis takes place entirely in the background, before the employee even answers the call.
If Teams assesses an incoming call as high-risk, a warning appears on the recipient's screen before the call is answered. The warning advises refusing or reporting the call. If the employee does answer and risk signals persist during the conversation, the warning can remain visible in-call.
After the call, or after a refused call, the employee can report it as suspicious via the call history view in the Teams app. The employee selects a reason, and the data is used to improve detection. This reporting mechanism also gives organisations insight into how frequently their employees are being targeted.
The feature is active by default, but three additional practical steps are advisable. First, inform your helpdesk. Employees who see a warning will often contact IT to verify whether the notification is legitimate. Make sure helpdesk colleagues know exactly what the warning means and how to advise employees.
Second, review your external access settings in the Teams Admin Center. By default, open federation is enabled for most tenants, which means anyone with a Microsoft 365 account can call you directly. Switching to an allowlist of trusted external domains significantly reduces your attack surface. Third, establish in your internal policy that IT will never call unprompted with a request to grant remote access. This clear principle removes the main persuasion strategy from attackers.
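The second step can also be carried out from PowerShell instead of the Teams Admin Center. The following is an added example, not part of the original article: it uses the `Get-CsTenantFederationConfiguration` and `Set-CsTenantFederationConfiguration` cmdlets from the MicrosoftTeams module, while the domains `partner.example` and `supplier.example` and the backup file name are placeholders.

```powershell
# Requires the MicrosoftTeams module and a Teams administrator role.
Connect-MicrosoftTeams

# 1. Record the current external-access state for review and rollback.
$before = Get-CsTenantFederationConfiguration
$before |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound |
    Format-List
$before | ConvertTo-Json -Depth 5 | Set-Content -Path .\federation-before.json

# 2. Build the allowlist of trusted external domains (placeholder values).
$trusted = New-Object 'System.Collections.Generic.List[string]'
'partner.example', 'supplier.example' | ForEach-Object { $trusted.Add($_) }

# Refuse to apply an empty list by accident.
if ($trusted.Count -eq 0) {
    throw 'Allowlist is empty; add at least one trusted domain before applying.'
}

# 3. Replace open federation with the allowlist.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList $trusted

# 4. Confirm that only the listed domains remain allowed.
(Get-CsTenantFederationConfiguration).AllowedDomains
```

Before applying the change, compare the list with the external domains your users actually communicate with, because every domain not on it loses chat and calling access to your tenant.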
Technical measures protect against known attack patterns, but social behaviour requires training. Employees need to understand that a Teams call from an external caller claiming to be IT support is always suspicious when they have not submitted a request themselves. The core rule is simple: IT does not call unsolicited to ask you to activate Quick Assist or remote desktop. If you do receive such a call, hang up, call the helpdesk back on the internal number, and report the call in Teams.
Awareness training does not have to be complicated. A short simulation or a targeted instruction session is sufficient in most cases to put employees on alert. Document that the training has taken place, particularly for organisations subject to NIS2 or other compliance frameworks.
Brand impersonation protection focuses on behavioural and numerical signals in incoming calls. The next threat, however, is already emerging. With AI voice-cloning tools that generate a convincing voice replica from just three seconds of audio, attackers can impersonate a familiar colleague or executive. In the first quarter of 2025, the use of deepfake techniques in vishing attacks increased by more than 1,600 percent compared to the previous quarter.
Microsoft is working on detection methods for AI-generated voices in Teams, but these are not yet available as a production feature. The practical recommendation is to broaden awareness training now: prepare employees to recognise unexpected calls with urgent requests, regardless of how familiar the voice sounds. Always verify via a separate channel when someone calls asking to transfer money, share sensitive data, or grant access.
Vishing via Teams is not a hypothetical threat. The attacks are extensively documented, the methods are becoming more sophisticated, and the statistics are clear. Microsoft's new brand impersonation protection is a valuable first line of defence, but does not protect against everything. A combination of technical settings, clear internal rules, and targeted awareness makes your organisation considerably more resilient. Want to have your Teams environment reviewed for external access settings and calling policies, or organise an awareness session on vishing for your team? Zarioh helps IT teams and management with the practical security of Microsoft 365. Contact us for a no-obligation conversation.