‘The inbox is no longer the only frontline’: Phishing attacks are evolving as cyber criminals ramp up ‘multi-channel’ campaigns over email and Microsoft Teams

Security researchers have issued a warning over a “seismic shift” in how threat actors are conducting phishing campaigns, with traditional email-based attacks no longer the primary vector.

KnowBe4’s Phishing Threat Trends Report found hackers are leveraging new “touchpoints” when targeting victims, with calendar invites and messaging tools now frequently used.

Indeed, across the last year, the company recorded a 49% increase in calendar invite-based phishing attacks, while

Jack Chapman, SVP of Threat Intelligence at KnowBe4, said the report shows “the inbox is no longer the only frontline for coordinated social engineering attacks”.

“Cyber criminals are actively broadening the email threat landscape,” he said.

“As businesses rely on tools for real-time collaboration, cyber criminals have added this to their attacks, along with targeting people’s calendars. This attack method targets people and technology together. This escalation in scale of threat brings a whole new issue to the forefront.”

Microsoft Teams attacks are surging

KnowBe4 warned that threat actors are increasingly leveraging impersonation tactics when conducting phishing campaigns, with legitimate platform and brand names often used to dupe users.

The company recorded a 41% increase in Microsoft Teams-based attacks between October 2025 and March 2026, for example.

These attacks prey on the fact that Teams is “built for speed and informality”, researchers noted, with victims often forgoing security considerations when responding to communications.

“Attackers are banking on this perceived safety, turning our primary collaboration tool into their path of least resistance,” the report states.

Notably, the report warned Teams now forms a core component of “multi-channel” attacks. Nearly one-in-five (17.38%) of all Teams-based attacks are now multi-channel, the study found.

Email still remains the primary attack vector, yet the workplace collaboration platform allows threat actors to “extend the kill chain and create more avenues for success”.

In these cases, threat actors have been observed initiating contact with a victim via email communications, then following up with a message via Microsoft Teams.

This, the report noted, allows them to essentially validate their identity across different environments.

“These threats are particularly dangerous as Teams allows an attacker to communicate consistently with a victim over multiple messages,” the report explains.

“This enables them to build a rapport and a sense of legitimacy that is much harder to achieve through traditional channels.”

KnowBe4 attributed the surge in Teams-based attacks with the launch of the “Chat with Anyone” feature, which allows users to initiate chats using an email address.

Teams is also a go-to platform for threat actors impersonating company personnel, the report found, with a host of roles and professions often impersonated. These include:

• IT professionals
• Human resources professionals (and platforms such as Workday)
• CEOs and company executives
• Finance personnel

“Social engineering is becoming more targeted, making it more difficult to discern what is legitimate versus what is malicious,” said Chapman.

FOLLOW US ON SOCIAL MEDIA

Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.

You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.