Beyond Email: Phishing on Collaboration Platforms & What It Means for SMB Security

Lexi Collazo


“Hi, this is IT support. We noticed unusual activity on your account. Can you give us a call so we can resolve it?”

At first glance, it doesn’t look like phishing at all. 

There’s no suspicious attachment. No strange email domain. No obvious red flags that usually trigger caution. The message arrives in the same place coworkers trade updates, share files, and ask quick questions throughout the day. 

Which is exactly the point.

In several recent campaigns, attackers have started using collaboration platforms inside Microsoft 365 and Google Workspace environments as the delivery channel for social engineering attacks. Instead of trying to slip past email filters, they insert themselves directly into business workflows—using guest invitations, internal messaging, and trusted notifications to start the conversation. 

By the time the victim realizes something is wrong, the interaction has already moved beyond the platform itself. A phone call is placed. Instructions are followed. Credentials or access are handed over voluntarily. 

For MSPs protecting SMB environments, this marks an important shift in phishing tactics. The attack no longer begins in the inbox. It begins inside the tools employees trust to get their work done.

Phishing Has Moved Into Collaboration Platforms

For years, phishing defenses have primarily focused on email. Spam filters, attachment scanning, and domain reputation systems have made traditional phishing campaigns harder to execute at scale.

Attackers have noticed.

Instead of trying to defeat increasingly sophisticated email security controls, many campaigns now begin inside the collaboration tools organizations rely on every day. Messaging platforms, shared workspaces, and internal notifications provide a direct path to users that bypasses many of the defenses designed for email-based attacks. 

Several recent campaigns have demonstrated how easily these platforms can be abused. Attackers can send guest invitations, initiate chats, or impersonate internal support personnel in tools such as Microsoft Teams, Slack, or Google Workspace services like Chat and shared drives. Because these interactions occur inside trusted business tools, they often carry an implicit level of credibility that external email messages lack.

From the user’s perspective, the request looks like a normal part of work activity. A colleague asks for help. A support technician requests verification. A partner reaches out through a shared workspace such as SharePoint, OneDrive, or Google Drive.

These scenarios feel routine because collaboration platforms are designed to make communication frictionless. That same design also makes them an appealing environment for social engineering. 

For MSPs protecting SMB environments, this shift expands the attack surface beyond the inbox. Security strategies that focus only on email filtering leave a growing portion of the communication landscape unprotected.

The phishing message has not disappeared. It has simply moved to a different place. 

AI-Driven Social Engineering at Scale

Generative AI has changed how social engineering campaigns are built and delivered. Instead of manually crafting phishing messages or relying on obvious scam templates, attackers can now generate convincing communications in seconds and adapt them to different targets with minimal effort. 

The shift affects both the quality of the messages and the scale of the campaigns. 

AI-Generated Phishing Content

Modern AI tools can produce phishing messages that closely resemble normal business communication. The language reads naturally, the tone matches workplace conversations, and the message structure often mirrors legitimate vendor or support interactions.

This removes many of the warning signs users were trained to watch for. Grammatical errors, awkward phrasing, and suspicious formatting were once common indicators of phishing. AI-generated messages rarely contain these mistakes. 

Attackers can also personalize messages quickly. A campaign may reference a specific SaaS platform, collaboration tool, or project workflow used by the target organization. When these messages arrive inside environments connected to Microsoft 365 or Google Workspace, they blend easily into everyday communication. 

AI-Assisted Malware Targeting Developers

AI is also being used to support attacks that target technical users, including developers and engineering teams.

In some campaigns, attackers publish malicious code repositories that appear to provide useful tools or libraries. These repositories are often accompanied by convincing documentation, installation instructions, and example scripts generated with AI assistance. Developers searching for solutions to a problem may encounter these resources and unknowingly execute malicious code. 

Other campaigns use fake troubleshooting guides or support scripts distributed through forums, collaboration platforms, or developer communities. When executed, these scripts can install backdoors, capture credentials, or download additional malware. 

The combination of social engineering and automated payload delivery allows attackers to move from conversation to compromise quickly. 

Why AI Changes the Economics of Attacks

The biggest impact of AI in phishing campaigns is operational efficiency. 

Generating convincing messages no longer requires significant time or expertise. Attackers can create campaigns faster, test different approaches, and adapt messaging based on what works. AI also enables higher levels of targeting, allowing attackers to tailor messages to specific industries, tools or job roles. 

At the same time, the technical skill required to launch these campaigns continues to decrease. Tools that assist with writing messages, generating malware, or identifying targets are widely available. 

For MSPs protecting SMB environments, this shift means social engineering campaigns can appear more credible and occur more frequently. Defenses that rely solely on users recognizing suspicious messages are becoming less reliable as AI-generated attacks continue to improve. 

Why Collaboration-Based Phishing is More Dangerous for SMBs

The risks created by collaboration-platform phishing are amplified in small and mid-sized business environments. These organizations rely heavily on cloud productivity suites such as Microsoft 365 or Google Workspace, where messaging, file sharing, meetings, and project coordination all happen within the same ecosystem.

For employees, these tools function as the center of daily work. Questions from coworkers, requests from vendors, and support conversations often take place inside the same collaboration spaces. When a message appears there, it carries a level of credibility that external communications don’t always have.

Security monitoring in SMB environments is rarely designed to analyze these interactions in detail. Most organizations don’t operate a dedicated security operations center, and many rely on built-in protections provided by their cloud platforms. These protections are valuable, but they’re primarily designed to detect known threats rather than subtle social engineering attempts that unfold through legitimate workflows.

The result is a behavioral blind spot. Employees often assume that messages appearing inside trusted collaboration platforms are legitimate by default. 

For managed service providers, the challenge becomes even more complex.

MSPs typically manage multiple Microsoft 365 or Google Workspace tenants across many client organizations. Each client environment may have slightly different authentication policies, user access rules, and security configurations. Collaboration platforms add another layer of communication that MSPs must consider when evaluating potential identity risks. 

Visibility into these interactions can be limited, particularly when attacks rely on normal messaging features rather than malicious files or links. When an account is compromised, the attacker may gain access to conversations, shared files, and internal contacts across the organization.

Because these platforms connect people, applications, and data, a single compromised identity can quickly affect far more than one user account. For MSPs responsible for protecting multiple clients, the potential blast radius of that compromise becomes a serious concern.

Why Email-Centric Security Models Fall Short

For many organizations, phishing defense strategies were built around one primary assumption: suspicious messages arrive through email.

Over the past decade, significant investment has gone into improving email security. Secure email gateways can scan attachments, analyze embedded links, and evaluate sender reputation to identify potentially malicious messages. These controls have become highly effective at detecting many traditional phishing campaigns.

Collaboration platforms operate outside much of this filtering infrastructure. 

Messages exchanged through chat platforms, shared workspaces, or internal messaging tools often pass directly between users without the same inspection mechanisms applied to email traffic. When attackers initiate conversations through these platforms, the interaction can bypass the defenses that security teams rely on most heavily. 

The structure of these platforms can also change how attacks unfold. Instead of delivering malware through attachments or directing users to phishing pages through links, many campaigns rely on conversational manipulation. A message may request a phone call, guide a user through troubleshooting steps, or prompt them to verify credentials during what appears to be a routine support interaction. 

Authentication plays a central role in these environments. Collaboration platforms trust that users who have successfully logged in are legitimate participants in the workspace. When an attacker gains access to an account (whether through credential theft, MFA fatigue, or session token abuse), the platform itself may treat the activity as normal.

From the system’s perspective, the user is already authenticated.

For MSPs protecting SMB clients, this creates a difficult security problem. Traditional phishing defenses focus on identifying malicious messages before they reach the user. Collaboration-based attacks often begin after authentication has already occurred, which shifts the defensive focus away from message filtering and toward identity protection. 

Understanding that shift is critical when designing defenses for modern cloud environments.

Identity-Centric Defenses MSPs Should Promote

When collaboration platforms become part of the phishing attack surface, defensive strategies need to focus on how identities interact with those platforms rather than how messages are received. 

For MSPs, this means evaluating authentication, session behavior, and access governance across the entire SaaS environment. The goal is not to block communication tools, but to ensure that access to them follows consistent and verifiable identity controls. 

Several identity-focused measures help reduce the risk of account compromise.

Hardened MFA Enforcement 

Multi-factor authentication remains one of the most effective protections against credential theft, but its value depends on consistent enforcement.

In many SMB environments, MFA policies evolve unevenly. Some users are protected across all services, while others authenticate with only a password when accessing certain applications. These gaps often appear as new tools are introduced or as access policies change over time.

MSPs can reduce this exposure by enforcing MFA consistently across Microsoft 365 or Google Workspace environments and extending those policies to connected SaaS applications.

Context-Aware Authentication

Authentication decisions can also incorporate contextual signals that help identify unusual access attempts.

Device-aware policies, IP range restrictions, and time-based access rules allow MSPs to define conditions under which authentication should be challenged or restricted. For example, a login attempt from an unfamiliar device or outside expected network ranges can trigger additional verification before access is granted. 

These controls add an additional layer of protection without disrupting normal workflows for trusted users. 
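The decision logic described above, sketched as an added example (it is not code from this article or from any vendor's product). The network ranges, device IDs, access hours, and the escalation rules that separate "challenge" from "deny" are all assumptions constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical tenant policy; every value here is constructed for illustration.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.16/28")]
ACCESS_HOURS = (time(7, 0), time(20, 0))        # expected working window
REGISTERED_DEVICES = {"dev-7f3a", "dev-91bc"}   # devices enrolled for the tenant


@dataclass
class LoginAttempt:
    user: str
    device_id: Optional[str]   # None when the client presents no device identity
    source_ip: str
    when: datetime             # local time of the attempt
    sensitive_app: bool = False


def evaluate(attempt: LoginAttempt) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is 'allow', 'challenge' or 'deny'."""
    known_device = attempt.device_id in REGISTERED_DEVICES
    addr = ip_address(attempt.source_ip)
    on_network = any(addr in net for net in TRUSTED_NETWORKS)
    in_hours = ACCESS_HOURS[0] <= attempt.when.time() <= ACCESS_HOURS[1]

    reasons = []
    if not known_device:
        reasons.append("unregistered device")
    if not on_network:
        reasons.append("outside trusted IP ranges")
    if not in_hours:
        reasons.append("outside access hours")

    # Assumed escalation rules: a single unusual signal triggers step-up
    # verification; an unknown device is refused outright when it also comes
    # from an unknown network or targets a sensitive application.
    if not known_device and (not on_network or attempt.sensitive_app):
        return "deny", reasons
    if reasons:
        return "challenge", reasons
    return "allow", reasons


if __name__ == "__main__":
    monday_10am = datetime(2025, 1, 6, 10, 0)
    samples = [  # constructed login attempts
        LoginAttempt("alice", "dev-7f3a", "203.0.113.25", monday_10am),
        LoginAttempt("alice", "dev-7f3a", "192.0.2.77", monday_10am),
        LoginAttempt("alice", None, "192.0.2.77", monday_10am),
    ]
    for sample in samples:
        print(sample.device_id, sample.source_ip, evaluate(sample))
```

Returning the reasons alongside the decision gives the MSP an audit trail for why a login was challenged or refused.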

Session Governance

Account compromise doesn’t always occur during the login process. In some cases, attackers obtain session tokens that allow them to access services without re-entering credentials.

Session governance helps reduce the window of opportunity for this type of attack. Defined session lifetimes, reauthentication triggers for sensitive actions, and policies that invalidate sessions when risk conditions change all limit the usefulness of stolen tokens.

For collaboration platforms where conversations and files are continuously accessible, these controls help prevent long-lived sessions from becoming persistent entry points.
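A sketch of the three session controls named above (defined lifetimes, reauthentication for sensitive actions, invalidation when risk conditions change), added here as an example and not taken from the article or from any product. The timeouts, action names, and the choice of "device changed" as the risk condition are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical governance settings, constructed for illustration.
MAX_LIFETIME = timedelta(hours=8)        # absolute lifetime of a session
IDLE_TIMEOUT = timedelta(minutes=30)     # maximum gap between requests
REAUTH_WINDOW = timedelta(minutes=10)    # how fresh auth must be for sensitive actions
SENSITIVE_ACTIONS = {"add_guest", "change_mfa", "export_files"}


@dataclass
class Session:
    user: str
    issued_at: datetime
    last_seen: datetime
    last_auth: datetime
    device_id: str
    source_ip: str
    revoked: bool = False


def authorize(s: Session, action: str, now: datetime,
              device_id: str, source_ip: str) -> str:
    """Return 'allow', 'reauth' or 'terminate' for one request on a session."""
    if s.revoked:
        return "terminate"
    if now - s.issued_at > MAX_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
        s.revoked = True
        return "terminate"
    # Risk condition changed: the token is being presented by a different
    # device than the one it was issued to, so the session is invalidated.
    if device_id != s.device_id:
        s.revoked = True
        return "terminate"
    # A new network on the same device is treated as a softer signal.
    if source_ip != s.source_ip:
        return "reauth"
    if action in SENSITIVE_ACTIONS and now - s.last_auth > REAUTH_WINDOW:
        return "reauth"
    s.last_seen = now
    return "allow"


def reauthenticate(s: Session, now: datetime, source_ip: str) -> None:
    """Record a successful step-up authentication on a live session."""
    if not s.revoked:
        s.last_auth = s.last_seen = now
        s.source_ip = source_ip


if __name__ == "__main__":
    t0 = datetime(2025, 1, 6, 9, 0)  # constructed timeline
    sess = Session("alice", t0, t0, t0, "dev-7f3a", "203.0.113.10")
    later = t0 + timedelta(minutes=20)
    print(authorize(sess, "add_guest", later, "dev-7f3a", "203.0.113.10"))
    print(authorize(sess, "read_chat", later, "dev-unknown", "192.0.2.50"))
```

Once a session is revoked, every later request on it is refused, including requests from the original device, so the legitimate user has to sign in again.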

Centralized Authentication

Managing authentication policies across dozens of SaaS applications individually is difficult for both SMBs and MSPs. 

A centralized identity provider layer allows authentication to be managed in one place while extending consistent policies across connected applications. Single sign-on integrations using standards such as SAML allow organizations to route access through this identity layer rather than relying on application-specific login settings.

This approach enables MSPs to enforce standardized authentication policies across SaaS environments while maintaining visibility into how identities interact with applications. It also allows additional safeguards to be applied to more sensitive applications without requiring complex, app-specific configurations. 

The MSP Imperative: Securing Trust-Based Workflows

Collaboration platforms have become central to how modern organizations operate. Conversations, approvals, file sharing, and problem-solving now happen inside messaging environments connected to Microsoft 365 or Google Workspace. These tools are no longer just communication channels—they are part of the operational fabric of the business.

That shift changes the role identity plays in security.

Every message, file, or request within these platforms depends on the assumption that the person behind the account is legitimate. When that assumption fails, the attacker gains access to the same workflows employees rely on every day. 

For MSPs managing SMB environments, protecting those workflows requires more than detecting suspicious messages. It requires governing how identities interact with collaboration platforms in the first place. 

Identity governance becomes the enforcement layer that determines:

  • Who can access collaboration environments and how that access is maintained

  • How authentication must occur and be consistently enforced

  • What conditions are required for continued access and when revalidation is needed

This responsibility often extends across multiple tenants and client environments. MSPs must apply consistent authentication policies, maintain visibility into identity activity, and ensure that security controls remain aligned as new applications and communication tools are adopted.

Approaching phishing defense from this perspective shifts the focus of security operations. Instead of reacting to individual phishing messages, MSPs can concentrate on strengthening the identity infrastructure that underpins everyday business communications. When identity controls are structured properly, collaboration platforms remain productive environments for users while presenting far fewer opportunities for attackers.

How HENNGE Identity Helps Reduce Collaboration-Based Phishing Risk

Collaboration platforms rely heavily on the assumption that authenticated users are legitimate participants in the workspace. When attackers compromise credentials or session tokens, that assumption can allow them to interact with employees and systems as if they were trusted users. 

Strengthening authentication at the identity layer helps reduce the likelihood of that scenario.

HENNGE Identity operates as a federated identity provider positioned in front of Microsoft 365 and Google Workspace environments. Instead of relying solely on the default authentication mechanisms of those platforms, organizations can route access through a centralized identity layer that enforces consistent authentication policies.

This approach allows MSPs to apply multi-factor authentication requirements across collaboration tools and connected SaaS applications in a uniform way. Policies can be managed centrally rather than configured independently within each application, helping reduce gaps that often emerge as environments evolve.

Additional context can also be incorporated into authentication decisions. Access policies may evaluate signals such as device status, IP ranges, or time-of-day conditions before granting access to collaboration platforms or sensitive applications. These controls provide an additional layer of verification when activity falls outside normal patterns.

Device certificates can also verify that login attempts originate from approved workstations or devices. Even when credentials are exposed through phishing or social engineering, authentication requests from unrecognized devices can be denied. Because authentication is tied to the device itself, users can access systems without relying on passwords, reducing friction while strengthening security. Access can also be revoked immediately if a device is lost, replaced, or no longer trusted.

Federated authentication also reduces reliance on platform-specific login experiences. When authentication is managed through an external identity provider, attackers attempting to imitate a familiar login page must first identify and replicate that identity layer, which increases the complexity of phishing campaigns that target user credentials.

For MSPs responsible for multiple client environments, centralized identity governance also improves operational visibility. Authentication policies can be applied consistently across tenants while providing insight into identity activity across collaboration platforms and SaaS services. 

By strengthening authentication and access governance at the identity layer, MSPs can reduce the likelihood that compromised credentials turn into full access to collaboration workflows.

Restoring Control Over Collaboration-Based Phishing

Phishing is no longer confined to the inbox. As collaboration platforms have become central to daily work, they have also become attractive entry points for attackers. Messages that arrive through trusted workspaces, chats and shared environments often feel routine, which makes them powerful tools for social engineering. 

For MSPs protecting SMB clients, this shift expands the scope of phishing defense. Filtering suspicious messages is still important, but it’s no longer sufficient on its own. The critical question becomes how identities authenticate, how access is evaluated, and how sessions are managed once users enter collaboration platforms connected to Microsoft 365 or Google Workspace.

Identity controls ultimately determine whether a phishing attempt leads to a brief interaction or a full account compromise. When authentication policies, session governance, and access conditions are structured properly, attackers encounter far fewer opportunities to misuse legitimate accounts.

MSPs that take a proactive approach to identity governance can strengthen the security of collaboration workflows while maintaining the productivity these tools enable. 

If you’re evaluating how collaboration-based phishing could impact your client environments, identity governance is a critical place to start. HENNGE Identity helps MSPs strengthen authentication, enforce consistent access policies, and reduce the risk of compromised accounts across Microsoft 365, Google Workspace, and connected SaaS applications.

To learn more about how HENNGE Identity can help prevent phishing and strengthen identity security for your clients, contact us to start the conversation. You can also subscribe to the blog for ongoing insights and analysis on emerging cybersecurity threats affecting MSPs and SMB environments.