A growing wave of vishing (voice phishing) campaigns in which threat actors abuse Microsoft Teams’ external collaboration features to impersonate IT helpdesk personnel and investigators is now turning to the Microsoft 365 Unified Audit Log (UAL) as a critical forensic data source to reconstruct attack timelines.

The attack chain begins when a threat actor operating from an external or cross-tenant Teams account initiates an unsolicited call or message to a targeted employee, presenting as internal IT support.

Using social engineering, the attacker convinces the victim to execute attacker-provided commands, approve remote access sessions, or install Remote Monitoring and Management (RMM) tooling such as Quick Assist...