Microsoft Teams has become one of the most targeted collaboration platforms for social engineering attacks. Throughout 2024 and 2025, security researchers have documented a dramatic surge in Teams-based impersonation campaigns — ranging from ransomware operators posing as IT helpdesks to nation-state actors forging caller identities during video and audio calls. The attacks are sophisticated, they exploit trust, and they are remarkably effective.
If your organization uses Teams as a communication channel, you need more than built-in warnings. You need visibility into who is actually calling and being called, across every interaction, every day. That’s exactly what QueueMetrics for Teams’ Historical Reports deliver.
The Threat: A New Generation of Teams-Based Impersonation
To understand why QueueMetrics’ reporting blocks matter, you need to understand what’s happening in the wild.
Fake Tenants, Real-Looking Names
The most widespread attack pattern — linked to the Black Basta ransomware operation and the threat group Microsoft tracks as Storm-1811 — works like this: attackers register throwaway Microsoft 365 tenants with names designed to look like internal IT departments. The Entra ID domains they choose use the default .onmicrosoft.com suffix that any new tenant gets, but the names are carefully crafted: securityadminhelper.onmicrosoft.com, supportserviceadmin.onmicrosoft.com, cybersecurityadmin.onmicrosoft.com, and similar variations.
From these tenants, they create user accounts with display names like “Help Desk” or “IT Support,” and reach out to employees via Teams chat or direct call. The goal is always the same: convince the victim to grant remote access (usually through Quick Assist, AnyDesk, or Teams screen sharing), then deploy credential stealers or ransomware.
Pushing the “External” Tag Off-Screen
One of the more devious tricks involves manipulating the Teams UI itself. Microsoft Teams labels external users with an “(External)” tag — but attackers have discovered they can pad their display names with large numbers of whitespace characters or non-ASCII symbols (like ✅ checkmark emojis) to push that warning label beyond the visible area of the Teams window. The victim sees a clean, centered “Help Desk” label. The crucial “(External)” warning? It’s scrolled off the edge of the screen.
Forged Caller Identity on Calls
Check Point Research disclosed a set of vulnerabilities in Teams (one tracked as CVE-2024-38197) showing that the display name in call notifications could be arbitrarily modified through manipulated call initiation requests. An attacker could make a call appear to come from any name they chose — the CEO, the head of IT, a business partner — and the recipient would see that forged name both in the incoming call notification and during the call itself. Microsoft patched this by October 2025, but the window of exposure was significant.
Lookalike Domains
Beyond .onmicrosoft.com tenant names, attackers also register custom domains that closely mimic legitimate ones: swapping characters, adding extra words, or using different top-level domains. A domain like sharepointonline-irs.com or teams.livescalls.com can look plausible enough at a glance — especially in a notification popup that doesn’t give you time to scrutinize the fine print.
The Vishing Pivot
As Microsoft has strengthened its text-based phishing warnings in Teams (brand impersonation alerts, external sender notifications), attackers have pivoted to voice and video calls. An external user can, by default, call an organizational user without even sending a message first. There’s no “Accept” button for a ringing call the way there is for a chat request, and the urgency of a phone call naturally discourages the kind of careful inspection that might catch a phishing message.
Where QueueMetrics Comes In: Visibility You Don’t Get Out of the Box
Microsoft’s built-in protections — the “(External)” label, brand impersonation warnings, domain impersonation detection — are reactive and user-facing. They rely on individual employees making the right split-second decision when a notification pops up. That’s a fragile line of defense.
QueueMetrics for Teams takes a fundamentally different approach. Instead of relying on each user to spot each scam in real time, it gives supervisors, security teams, and operations managers a structured, aggregated, historical view of all external and guest interactions flowing through your Teams environment. The data blocks introduced in version 24.11 — TM01 through TM06 — are purpose-built for this kind of oversight.
TM01 – External Callers: Your First Line of Domain Surveillance
Block TM01 (External Callers) aggregates all successfully completed inbound calls where the caller is either an external user or a guest. Crucially, it groups these calls by source domain and separates external users from guests.
This is exactly the view you need to catch the attack patterns described above. When an attacker registers supportadministrator.onmicrosoft.com and starts calling your employees, each of those calls shows up in TM01 under that domain. You don’t need to rely on a busy employee noticing a suspicious name during a ringing call — the domain appears in your report, and you can spot it during a routine review.
What to look for:
- Domains you don’t recognize. If your organization works with five external partners, you should see roughly five external domains. A sixth one — especially one containing words like “helpdesk,” “support,” “admin,” or “security” — is a red flag that demands investigation.
- .onmicrosoft.com domains that aren’t your partners. The vast majority of attacks observed in the wild use the default .onmicrosoft.com suffix. Any unfamiliar tenant name ending in .onmicrosoft.com should be treated with suspicion.
- Domains that look almost like yours. Typosquatting and lookalike domains are a staple of these campaigns. A domain that’s one character off from your own, or that adds a plausible-sounding prefix or suffix, is a classic impersonation indicator.
- Sudden spikes in external caller volume. If you normally see a handful of external calls per week and suddenly there are dozens from a new domain, that’s not organic growth — it’s a campaign.
For each domain, TM01 provides the total number of calls, total time, average wait time, and average talk time — broken out separately for guests and external users. Short, high-volume calls from an unknown domain could indicate a vishing spray, while longer calls might suggest an attacker who successfully engaged a victim.
TM02 – External Callees: Watching the Outbound Side
Block TM02 (External Callees) is the mirror image of TM01: it shows all completed calls where the callee — the party being called — is an external or guest user, again grouped by domain.
Why does this matter for scam detection? Because the attack doesn’t always start with an inbound call. In some scenarios, employees are socially engineered into calling back an attacker-controlled number or Teams account. An attacker might send a Teams message saying “Call me back at this number for urgent IT support,” and the employee initiates the outbound call. In QueueMetrics, that interaction shows up in TM02, not TM01.
TM02 also helps you catch a different class of risk: unauthorized data exfiltration through outbound calls to suspicious external domains. If an insider or a compromised account is calling out to an unfamiliar tenant, TM02 will surface it.
TM03 and TM04 – The Full Picture, Including Missed Calls
TM03 (External Callers on All Calls) and TM04 (External Callees on All Calls) extend TM01 and TM02 to include all calls — both answered and unanswered.
This is a critical distinction. Many impersonation campaigns involve a high volume of calls where the attacker tries multiple employees, hoping someone will pick up. If you only look at answered calls (TM01/TM02), you miss the failed attempts. TM03 and TM04 show you the full scope of the campaign.
Consider a scenario where an attacker using itsupporthelp.onmicrosoft.com calls 30 employees over two hours. Only three answer. TM01 shows you three calls — a blip that might not trigger alarm. TM03 shows you 30 attempts from the same domain — an obvious, coordinated attack that demands an immediate response.
Unanswered calls from suspicious domains are, in many ways, more important than answered ones for security purposes. They tell you an attack is underway even before anyone falls for it, giving you a window to warn employees and block the domain before it succeeds.
TM05 and TM06 – Caller and Callee Classification: The Big Picture
TM05 (Teams Caller Classification) and TM06 (Teams Callee Classification) step back from individual domains to give you a high-level breakdown of all call activity by type of participant: phone calls, internal agents/Teams users, guest users, and external users.
This is your baseline. When you know that your normal traffic mix is, say, 80% internal, 15% phone, 4% guest, and 1% external, any deviation becomes immediately visible. If external calls suddenly jump to 8% of your traffic, something has changed — and it may not be benign.
TM05 and TM06 are especially useful for organizations that don’t routinely deal with external Teams users. If your business operates primarily within its own tenant and you see a non-trivial volume of external or guest calls, that alone is worth investigating.
The classification also helps you set policy. If you discover that guest users account for a significant portion of your call traffic but you haven’t been monitoring guest domains, TM05 tells you it’s time to start paying attention to TM01 and TM02 more carefully.
Putting It All Together: A Practical Workflow
Here’s how a security-conscious organization might use these blocks as part of a regular review process:
Daily or weekly review of TM01 and TM03. Scan the domain list for anything unfamiliar. Any new .onmicrosoft.com domain, any domain containing IT/helpdesk/support keywords, or any domain that resembles your own should be investigated. Compare the “all calls” view (TM03) against the “answered only” view (TM01) — a domain with many attempts but few connections is a strong indicator of a spray campaign.
Monthly review of TM05 and TM06. Track your traffic mix over time. Establish a baseline and flag anomalies. A gradual increase in external user calls might reflect legitimate business growth — or it might reflect a slow-burn social engineering campaign.
Incident-driven deep dive with TM02 and TM04. If you suspect a compromise or receive a report of a suspicious call, use TM02 and TM04 to check whether any of your users have been calling out to attacker-controlled domains. Cross-reference with TM01/TM03 to build a timeline of the attacker’s activity.
Domain allowlisting. Over time, your TM01 reports build a natural picture of which external domains your organization legitimately interacts with. Anything outside that known set is, by definition, anomalous. Some organizations go further and use this data to inform their Teams external access policies, restricting communication to only known and approved domains.
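The domain review described in this workflow can be scripted once the per-domain counts are copied out of the TM01 and TM03 reports. The sketch below is an added example, not QueueMetrics code: the input layout, the own domain, the allowlist, and the thresholds are all assumptions, and the sample rows are constructed (the 30-attempt, 3-answered row mirrors the scenario given earlier).

```python
from difflib import SequenceMatcher

# Everything below is assumed for illustration: the domains, counts and
# thresholds are constructed, not QueueMetrics output or API names.
OWN_DOMAIN = "contoso.com"
ALLOWLIST = {"partner-a.example", "partnerb.onmicrosoft.com"}
KEYWORDS = ("helpdesk", "support", "admin", "security")
SPRAY_MIN_ATTEMPTS = 10       # ignore domains with only a few calls
SPRAY_MAX_ANSWER_RATE = 0.25  # many attempts, few connections
LOOKALIKE_MIN_RATIO = 0.8     # string similarity to our own domain


def triage(rows):
    """rows: {domain: (all_calls_tm03, answered_calls_tm01)} copied from the reports.

    Returns [(domain, [reasons])] for every domain outside the allowlist,
    most suspicious first.
    """
    findings = []
    for raw, (attempts, answered) in rows.items():
        domain = raw.strip().lower().rstrip(".")
        if domain in ALLOWLIST or domain == OWN_DOMAIN:
            continue
        reasons = ["unrecognized"]
        if domain.endswith(".onmicrosoft.com"):
            reasons.append("default-tenant-suffix")
        if any(k in domain for k in KEYWORDS):
            reasons.append("it-keyword")
        if SequenceMatcher(None, domain, OWN_DOMAIN).ratio() >= LOOKALIKE_MIN_RATIO:
            reasons.append("lookalike")
        if attempts >= SPRAY_MIN_ATTEMPTS and answered / attempts <= SPRAY_MAX_ANSWER_RATE:
            reasons.append("spray")
        findings.append((domain, reasons, attempts))
    findings.sort(key=lambda f: (-len(f[1]), -f[2]))
    return [(d, r) for d, r, _ in findings]


SAMPLE = {  # constructed sample data
    "itsupporthelp.onmicrosoft.com": (30, 3),
    "partner-a.example": (12, 11),
    "contos0.com": (2, 2),
    "newvendor.example": (4, 4),
}

if __name__ == "__main__":
    for domain, reasons in triage(SAMPLE):
        print(f"{domain:32} {', '.join(reasons)}")
```

A domain flagged only as "unrecognized" is a candidate for the allowlist once someone has confirmed who it belongs to; every additional reason raises its priority for review.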
Why This Matters More Than Ever
Microsoft has been rolling out progressively stronger impersonation protections — brand impersonation alerts for chat (late 2024), domain impersonation detection (December 2025), and brand impersonation alerts for calls (February 2026). These are welcome improvements, but they share a fundamental limitation: they are point-of-contact defenses that depend on individual users making correct decisions under pressure.
The attackers know this. That’s why they’ve shifted to voice calls (where warnings are less prominent), why they pad display names with whitespace to hide the “(External)” label, and why they create domains that pass a quick visual check. The arms race at the UI level will continue, and attackers will continue to find ways around it.
What they cannot circumvent is a historical, aggregated view of every external domain that has interacted with your organization. They can trick an individual employee in the moment, but they cannot erase their domain from your QueueMetrics reports. Every call they make — answered or not — leaves a trace in TM01 through TM06.
That trace is your advantage. Use it.
Quick Reference: QueueMetrics Teams Data Blocks
| Block | Code | What It Shows | Use It For |
|---|---|---|---|
| External Callers | TM01 | Completed calls from external/guest callers, by domain | Spotting unfamiliar or suspicious inbound domains |
| External Callees | TM02 | Completed calls to external/guest callees, by domain | Detecting outbound calls to suspicious domains |
| External Callers (All) | TM03 | All calls (answered + missed) from external/guest callers | Revealing spray campaigns and failed attempts |
| External Callees (All) | TM04 | All calls (answered + missed) to external/guest callees | Full outbound exposure including unanswered |
| Caller Classification | TM05 | All calls by caller type (phone, internal, guest, external) | Baseline monitoring and anomaly detection |
| Callee Classification | TM06 | All calls by callee type (phone, internal, guest, external) | Baseline monitoring and anomaly detection |
All blocks have been available since QueueMetrics version 24.11.
About QueueMetrics for Teams
QueueMetrics for Teams is a call analytics and reporting platform by Loway that connects to your Microsoft Teams telephony environment via the Graph API. It gives you full historical visibility into all incoming and outgoing calls — including lost calls — across people, auto-attendants, queues, conferences, and voicemails. With over 200 available metrics, it lets you track SLA compliance, agent productivity, call volumes, wait times, and caller patterns in detail. It works with any Teams telephony setup — Microsoft Calling Plans, Direct Routing, or Operator Connect — with nothing to install and no changes to your existing configuration.
QueueMetrics for Teams is available on the Microsoft Marketplace. A free trial is available — no credit card required.