KongTuke Hackers Pivot to Microsoft Teams, Achieve Corporate Access in Under Five Minutes

The threat actor KongTuke has shifted its initial access operations to Microsoft Teams, leveraging the platform's trusted communication environment to compromise corporate networks with alarming speed. Security researchers have documented cases where the group gained persistent access to targeted organizations in as little as five minutes, exploiting the inherent trust employees place in internal communication tools.

Operating as an initial access broker—selling compromised network footholds to other threat actors—KongTuke relies heavily on social engineering rather than technical exploits. By initiating contact through Microsoft Teams, the group bypasses traditional email security controls that organizations have long prioritized. The technique exploits a gap in many corporate security programs: while email phishing receives constant attention, Teams-based approaches fly under the radar because they originate from seemingly legitimate internal sources. The group, also tracked under the alias Kong Gorilla, has demonstrated adaptability in its methods, continuously refining social engineering tactics to match enterprise defense improvements.

The implications for enterprise security are significant. Microsoft Teams is embedded deeply in Microsoft 365 environments, meaning successful compromise can provide a gateway to SharePoint, OneDrive, and adjacent collaboration tools. Security teams face pressure to extend anti-phishing vigilance beyond email to all communication platforms. The rapid execution timeline—five minutes to persistent access—underscores how little margin for error exists when human trust becomes the attack surface. Organizations relying heavily on Teams for internal communication should treat unexpected messages from external tenants as a high-priority threat vector, experts warned.