Pause Before You Respond: Familiar Names Don't Always Mean Safe Messages
Let’s talk about something that can easily look like normal workplace communication, but is actually a common method used to trick employees into engaging with the wrong person.
A recent incident involved a Microsoft Teams message that appeared to come from a senior executive. The display name looked familiar, so it seemed legitimate at first glance.
However, before the message could be read, Teams displayed a prompt:
“This person is outside your organization. Do you want to accept this chat? YES / NO”
Once the user clicked YES, the chat opened and the full message became visible.
The conversation started with a simple question:
“Are you in the office today?”
After a response was given, another question followed:
“Who is in the Finance office today?”
While these questions appear harmless, they were part of a phishing attempt using impersonation and social engineering techniques.
Why the “YES / NO” Prompt Matters
The first control point in this attack is the chat acceptance prompt.
Clicking YES means:
- You are allowing communication with an external user
- You are opening a conversation that has not been verified
- You are trusting identity based only on appearance
It does NOT confirm the person is who they claim to be. The display name is whatever the owner of the external account chose to set; Teams only verifies that the sender is outside your organization, not that the name matches a real colleague.
Attackers rely on users accepting quickly without checking details.
What Makes This Type of Attack Dangerous
This type of phishing is effective because it:
- Uses familiar names to build instant trust
- Operates inside everyday tools like Microsoft Teams
- Starts with normal conversation instead of direct requests
- Collects small pieces of information that seem harmless
Over time, these small details can be combined to support:
- Impersonation of staff or executives
- Targeted phishing messages
- Fraud attempts (e.g., financial requests)
- Mapping of internal structure and key personnel
How to Recognize This Type of Attack
Be cautious when you notice any combination of the following:
- A familiar name is shown, but the account is marked as External or Outside your organization
- There is no previous chat history with the sender
- The message comes unexpectedly from senior staff or leadership
- The conversation begins with casual or unrelated workplace questions
- There are requests about staff presence, departments, or availability
- There is no clear business reason for the conversation
- You are prompted to accept a chat before viewing messages
- The interaction focuses on internal people, roles, or locations
If several of these appear together, treat the message as suspicious.
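The indicators above can also be checked mechanically by the security team when reviewing chat requests. The following is an added example and is not the bulletin's own tooling or a Microsoft API: it runs over constructed chat-request records (the field names are assumptions, not a documented Teams export schema), flags an external sender whose display name collides with an entry in a constructed internal directory, and flags the kind of reconnaissance questions seen in the incident.

```python
"""Triage of external Teams chat requests (added example, constructed data).

Field names such as "display_name", "sender_upn", "is_external" and
"prior_history" are assumptions about what an export might contain;
they are not a documented Teams schema.
"""
import re

# Constructed internal directory: display name -> corporate address.
INTERNAL_DIRECTORY = {
    "Jane Smith": "jane.smith@contoso.example",
    "Omar Haddad": "omar.haddad@contoso.example",
}

# Phrases typical of the "who is in today?" reconnaissance described above.
RECON_PATTERNS = [
    r"\bin the office\b",
    r"\bwho is in\b",
    r"\bwho('s| is) (available|around)\b",
    r"\b(finance|payroll|hr|accounts) (office|team|department)\b",
]

# Constructed sample chat requests (not real data).
SAMPLE_REQUESTS = [
    {   # external account reusing an executive's name, asking recon questions
        "display_name": "Jane Smith",
        "sender_upn": "jane.smith@outlook.example",
        "is_external": True,
        "prior_history": False,
        "messages": ["Are you in the office today?",
                     "Who is in the Finance office today?"],
    },
    {   # genuine internal colleague
        "display_name": "Omar Haddad",
        "sender_upn": "omar.haddad@contoso.example",
        "is_external": False,
        "prior_history": True,
        "messages": ["Can you review the Q3 draft?"],
    },
    {   # known external partner with existing history and a business reason
        "display_name": "Acme Support",
        "sender_upn": "support@acme-partner.example",
        "is_external": True,
        "prior_history": True,
        "messages": ["Ticket 4421 has been updated."],
    },
]


def find_indicators(req):
    """Return the warning signs present in one chat request."""
    found = []
    if req["is_external"] and req["display_name"] in INTERNAL_DIRECTORY:
        # Someone outside the tenant is using a name that belongs to a colleague.
        found.append("external_sender_with_internal_name")
    if req["is_external"] and not req["prior_history"]:
        found.append("unknown_external_sender")
    text = " ".join(req["messages"]).lower()
    if any(re.search(pattern, text) for pattern in RECON_PATTERNS):
        found.append("reconnaissance_questions")
    return found


def triage(req):
    """Classify a request: a name collision alone is enough to flag it,
    otherwise two or more indicators together are treated as suspicious."""
    found = find_indicators(req)
    if "external_sender_with_internal_name" in found or len(found) >= 2:
        return "suspicious", found
    return "ok", found


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict, found = triage(req)
        print(f"{req['display_name']:<14} {req['sender_upn']:<32} {verdict:<10} {found}")
```

The name-collision check is the one worth automating: an external account is allowed to display any name it likes, so a match against the internal directory combined with an "outside your organization" flag is exactly the impersonation pattern in the incident above.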
What You Should Do
Before accepting any chat request:
- Do not click YES automatically
- Verify the sender using a trusted channel (a phone call, the internal directory, a known email address), never contact details supplied in the chat itself
- Check carefully for External or Guest indicators
- Avoid sharing information about staff, departments, schedules, or operations
- Report suspicious chat requests immediately to IT or Security
If already accepted:
- Stop engaging if anything feels unusual
- Do not continue the conversation
- Report it immediately
Common Thinking to Avoid
- "It looks like my manager, so it must be safe"
- "It's just a simple question"
- "Nothing sensitive was asked"
- "I already accepted, so it should be fine"
These assumptions are exactly what attackers depend on.
Final Reminder
Phishing is not always about malicious links or attachments.
Sometimes it begins with:
- A familiar name
- A simple question
- A chat request prompt
The real risk is not the platform — it is trusting without verification.
Pause before you respond.
Verify before you accept.
Think before you share.
🔐 CyberDesk – Protecting Our Digital Workplace