Pause Before You Respond; Familiar Names Don’t Always Mean Safe Messages
By Cyberdesk Daily Market Report Jun 15, 2026

Let’s talk about something that can easily look like normal workplace communication, but is actually a common method used to trick employees into engaging with the wrong person.

A recent incident involved a Microsoft Teams message that appeared to come from a senior executive. The display name looked familiar, so it seemed legitimate at first glance.

However, before the message could be read, Teams displayed a prompt:

“This person is outside your organization. Do you want to accept this chat? YES / NO”

Once the user clicked YES, the chat opened and the full message became visible.

The conversation started with a simple question:

“Are you in the office today?”

After a response was given, another question followed:

“Who is in the Finance office today?”

While these questions appear harmless, they were part of a phishing attempt using impersonation and social engineering techniques.

Why the “YES / NO” Prompt Matters

The first control point in this attack is the chat acceptance prompt.

Clicking YES means:

  • You are allowing communication with an external user
  • You are opening a conversation that has not been verified
  • You are trusting identity based only on appearance

It does NOT confirm the person is who they claim to be.

Attackers rely on users accepting quickly without checking details.

What Makes This Type of Attack Dangerous

This type of phishing is effective because it:

  • Uses familiar names to build instant trust
  • Operates inside everyday tools like Microsoft Teams
  • Starts with normal conversation instead of direct requests
  • Collects small pieces of information that seem harmless

Over time, these small details can be combined to support:

  • Impersonation of staff or executives
  • Targeted phishing messages
  • Fraud attempts (e.g., financial requests)
  • Mapping of internal structure and key personnel

How to Recognize This Type of Attack

Be cautious when you notice any combination of the following:

  • A familiar name is shown, but the account is marked as External or Outside your organization
  • There is no previous chat history with the sender
  • The message comes unexpectedly from senior staff or leadership
  • The conversation begins with casual or unrelated workplace questions
  • There are requests about staff presence, departments, or availability
  • There is no clear business reason for the conversation
  • You are prompted to accept a chat before viewing messages
  • The interaction focuses on internal people, roles, or locations

 If several of these appear together, treat the message as suspicious.
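
For security teams, the "several indicators together" rule above can be expressed as a simple triage check. The following is an added example, not part of the original article: the record fields, names, keyword lists and the threshold of three are assumptions made for illustration and do not reflect any Microsoft Teams API schema.

```python
import re
import unicodedata

# Constructed sample data; field names are hypothetical, not a Teams schema.
LEADERSHIP = {"Dana Whitfield", "Omar Reyes"}
PRESENCE_RE = re.compile(r"\b(in the office|who is in|who's in|available)\b", re.I)
DEPT_RE = re.compile(r"\b(finance|payroll|hr|accounts|treasury)\b", re.I)
THRESHOLD = 3  # assumption: "several" indicators means three or more

def norm(name):
    """Fold case, width and spacing so 'DANA  whitfield' matches the directory."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())

LEADERSHIP_NORM = {norm(n) for n in LEADERSHIP}

def indicators(chat):
    """Return which of the article's warning signs a chat request matches."""
    hits = []
    text = " ".join(chat["messages"])
    if chat["is_external"] and norm(chat["display_name"]) in LEADERSHIP_NORM:
        hits.append("familiar leadership name on an external account")
    if chat["is_external"] and chat["prior_message_count"] == 0:
        hits.append("no previous chat history")
    if PRESENCE_RE.search(text):
        hits.append("asks about staff presence or availability")
    if DEPT_RE.search(text):
        hits.append("asks about internal departments")
    return hits

def is_suspicious(chat):
    """Flag the chat when several indicators appear together."""
    return len(indicators(chat)) >= THRESHOLD

SAMPLES = [  # constructed records
    {"display_name": "Dana  WHITFIELD", "is_external": True, "prior_message_count": 0,
     "messages": ["Are you in the office today?", "Who is in the Finance office today?"]},
    {"display_name": "Omar Reyes", "is_external": False, "prior_message_count": 42,
     "messages": ["Are you in the office today?"]},
    {"display_name": "Vendor Support", "is_external": True, "prior_message_count": 0,
     "messages": ["Your invoice is attached as discussed."]},
]

if __name__ == "__main__":
    for chat in SAMPLES:
        print(chat["display_name"], is_suspicious(chat), indicators(chat))
```

Only the first record, which mirrors the incident described earlier, crosses the threshold; a single indicator on its own does not.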

What You Should Do

Before accepting any chat request:

  • Do not click YES automatically
  • Verify the sender using a trusted channel (call, internal directory, known email)
  • Check carefully for External or Guest indicators
  • Avoid sharing information about staff, departments, schedules, or operations
  • Report suspicious chat requests immediately to IT or Security

If already accepted:

  • Stop engaging if anything feels unusual
  • Do not continue the conversation
  • Report it immediately

Common Thinking to Avoid

  • “It looks like my manager, so it must be safe”
  • “It’s just a simple question”
  • “Nothing sensitive was asked”
  • “I already accepted, so it should be fine”

These assumptions are exactly what attackers depend on.

Final Reminder

Phishing is not always about malicious links or attachments.

Sometimes it begins with:

  • A familiar name
  • A simple question
  • A chat request prompt

The real risk is not the platform — it is trusting without verification.

Pause before you respond.
Verify before you accept.
Think before you share.

🔐 CyberDesk – Protecting Our Digital Workplace