

CEO Fraud attacks are not new in the security landscape, but the way they have been executed since the second half of 2025 shows an increasingly patient, better-informed operation that seeks to be harder to detect. The essence of the scheme remains the same: a criminal poses as a high-ranking executive, usually the CEO, a president, or a director, to convince an employee to execute a transfer, buy gift cards, provide sensitive company data, or, in less common cases, run a malicious file. What has changed is the level of preparation behind each approach and, mainly, the choice of channels used to reach the victim. Among them, Microsoft Teams has emerged as the most concerning vector.
The Resonant team has observed recent cases targeting large national companies, revealing an active and evolving trend in 2026, with a significant increase in the incidence of attempts and continuous refinement of tactics. Below is an overview of how the scam is set up, from the initial information gathering to the execution, passing through the flaws that make Teams such a fertile ground for fraudsters.
No successful CEO Fraud approach starts with improvisation. Before any contact, the attacker invests in the reconnaissance phase, and this is where much of the scam’s effectiveness lies. The objective is twofold: to identify whose identity will be forged and which employee will be approached.
The gathering relies heavily on open sources such as social networks and corporate websites. Platforms like LinkedIn and corporate information services like ZoomInfo allow the criminal to accurately map the target company’s structure, locating the names holding high-level positions that will serve as a facade for the fraud.
Since executives are usually public figures, gathering a name and a photograph to create a convincing fake profile is a trivial task. Often, the actual LinkedIn profile picture or images featured in news articles are reused to give a veneer of legitimacy to the fraudulent profile.
Once the executives to be impersonated are defined, the attacker turns their attention to the victims. Here, there is a clear preference for employees in the financial sector and, specifically, the accounts payable areas. The logic behind this is that these are the people who have access to payment systems and corporate accounts, meaning the real ability to move money on behalf of the company. To reach them, the criminal resorts to data leaks and OSINT techniques, looking for contact phone numbers, corporate email addresses, and any other data that enables a direct approach.
The result of this stage is a fake profile built on true information, targeting a victim carefully selected for their position in the organization’s financial chain. It is this combination of a legitimate appearance and the right target that initiates the scam.
The choice of Microsoft Teams as the approach channel does not stem from a critical technical vulnerability in the platform, but from the exploitation of configuration flaws and blind spots in users’ perception. Resonant’s investigation of recent cases identified two distinct scenarios of abuse.
The first is the abuse of external access through federations. By default, Teams allows users from different organizations or with non-corporate accounts (e.g., [email protected]) to exchange messages directly. Each company operates within an isolated environment, called a “tenant”, and the federation acts as a bridge between different tenants. The criminal exploits this legitimate feature by creating their own tenant with a fraudulent domain and configuring an account whose display name is identical to the target executive’s. From then on, they simply use the permissive federation setting to contact the company’s employees directly via Teams, appearing to be a legitimate user.
Teams inserts, by default, the “External” tag in this type of communication, which should serve as a warning. However, the crook bets that the victim will end up focusing on the display name, the forged photo, and the authoritative discourse present in the messages, simply ignoring the security indicator. The configuration flaw that enables this scenario is keeping the federation open to any domain, instead of restricting it to a previously approved list of partners.
The second scenario is more serious and involves the compromise of service accounts. These are Microsoft 365 accounts created for specific operational purposes, such as shared mailboxes, accounts linked to meeting rooms and equipment, or accounts used by automated systems and integrations.
Due to their nature, such accounts often suffer from limitations that make them easy targets: lack of multifactor authentication, weak or rarely changed passwords, and reduced monitoring compared to standard user accounts. These factors pave the way for account compromise through several known techniques. Such as credential stuffing, targeted phishing, or exploiting password reset mechanisms.
Once in possession of one of these accounts, the attacker is already infiltrated into the company’s environment. They then change the compromised account’s display name to that of the target executive, insert the photo obtained via OSINT, and begin contacting employees from within the tenant itself. This is exactly what makes the vector so dangerous: in this case, the message displays no external origin indicator. For whoever receives it, the communication appears completely legitimate, originating from within the organization itself, without any visual warning sign.
The initial text usually adopts a formal language, simulating corporate communication. In many cases, the fake executive opens the conversation by asking if the employee is in the office and if they have any important activities to do soon.
Once the answers are obtained, the criminal requests screenshots with information about the working capital available in the company’s accounts and then asks to send transactions to accounts under their control. The entire sequence is designed to keep the victim within a flow of apparent normality, leaving no room for questioning.
The driving force behind CEO Fraud is usually financial, and this explains both the choice of victims and the requests made. In the most frequent cases, the criminal requests the purchase of gift cards or the transfer of funds from corporate accounts to accounts they control. To reinforce the pressure, it is common for them to claim that it is a pending, urgent, or confidential payment, a combination that increases the chance of the victim acting on impulse and ignoring internal procedures.
In other cases, the goal changes: instead of money, the scammer induces the victim to execute malicious files capable of stealing credentials or granting remote access to internal systems. This variant is associated with more advanced cybercriminal groups and has been mapped since 2020.
The potential impact, therefore, goes beyond immediate financial loss. A successful attack can compromise the organization’s financial and operational integrity, especially when the entry point is a legitimate internal account.
The good news is that, because it relies on configuration and awareness flaws, CEO Fraud via Teams can be fought with concrete measures. On the technical side, the recommendation is to restrict the federation and any communication with external domains, replacing the open configuration with a list of authorized partner domains, or completely disable external access if it is not necessary.
Reinforcing the display of the “External” tag on all communications coming from outside the tenant and training users to recognize it is equally important.
Care for service accounts deserves special attention. It is advisable to conduct a complete inventory, identify owners, eliminate obsolete accounts, and review permissions. Where feasible, multifactor authentication and Conditional Access should be applied to accounts where MFA cannot be implemented without operational impact, in addition to restricting access to authorized IPs and devices.
Monitoring changes in display names, especially of service accounts, helps detect preparation for this type of attack, and removing Teams licenses from non-human accounts helps reduce the attack surface.
In terms of processes and awareness, the most effective defense is to establish an out-of-band verification protocol. Every request for payment, transfer, or sensitive action received via Teams, WhatsApp, or email must be confirmed through a second channel before being executed, regardless of the apparent identity of the requester. Added to this is specific training on CEO Fraud with practical examples of Teams approaches, a clear policy communicating that legitimate senior management requests never bypass internal procedures, and continuous monitoring of executives’ and employees’ exposure in open sources.
Given the increase in incidence and the evolution of tactics, CEO Fraud is no longer a sporadic threat but has established itself as a priority vector. And, since the weak point exploited is the trust placed in channels and people, defense needs to start exactly where the attack aims: the employee’s ability to recognize the warning sign that the criminal bets will be ignored.