The Cybersecurity team have recently been made aware of a new type of targeted attack; this time using Microsoft Teams.
In this scenario, the cybercriminal pretended to be a member of UBC’s IT Support team and convinced the staff member to share their screen and allow remote control. Unlike past scams that depend on outside software such as AnyDesk or TeamViewer, this attacker relied only on the built-in features of Microsoft Teams.
This tactic is known as “Living Off the Land” (LOTL), where criminals exploit tools we already use every day. It makes their attacks harder to detect because nothing new needs to be installed.
What makes this case especially serious is that the targeted individual was an Executive Assistant—a role with potential access to sensitive information and senior leadership. This shows the attacker was not acting randomly, but had done their homework and deliberately chosen a person likely to hold valuable access and knowledge.
Fortunately, the staff member quickly realized something wasn’t right, reported it immediately, and our Cybersecurity team contained the threat. No data was stolen, and nothing was encrypted.
Why This Matters
This incident shows that attackers are getting creative and using trusted collaboration platforms like Microsoft Teams to launch attacks. By impersonating IT support and creating a sense of urgency, they hope to trick people into granting access to their devices.
The fact that an Executive Assistant was targeted highlights how calculated and strategic these attacks can be. Criminals are deliberately seeking out people who may have access to sensitive data or senior leadership—making the potential impact even greater.
In short: if it can happen to one person, it can happen to anyone.
What You Can Do
Here are the key ways to protect yourself:
- Be cautious of unsolicited requests: Legitimate UBC IT staff will never ask you to grant remote control of your screen through Teams or any other platform without prior communication.
- Check who you’re talking to: If someone claims to be IT support, double-check their email address or Teams profile before responding.
If you’re unsure, contact IT directly through official channels. - Report suspicious activity right away: If something feels off, trust your instincts. Report it immediately to UBC Cybersecurity at security@ubc.ca. Quick reporting is often the difference between stopping an attack and a successful compromise.
Bottom Line
Attackers are adapting their methods and trying to blend in by using the same tools we use every day. Staying cautious, asking questions, and reporting suspicious behaviour are the best ways to keep yourself, and UBC safe.