Phishing has come a long way from the obvious “you’ve won a prize” emails that used to clog up inboxes. Most employees are far more aware of suspicious emails now, and organisations have invested heavily in filtering, training, and simulations to catch them out. 

So attackers have adapted. 

Instead of focusing purely on email, they’re increasingly moving into the tools your people use every day to get work done. Platforms like Microsoft Teams and Slack have become central to how organisations communicate, collaborate, and share information, and that shift has opened up a new, very effective attack surface. 

This isn’t about replacing email phishing but about expanding it into spaces where people feel more comfortable, more trusting, and far less on guard. 

Why Internal Platforms Feel Safer Than Email 

There’s a simple reason attackers are targeting internal messaging tools: people trust them. 

Email has trained us to be cautious. We check sender addresses, question unexpected attachments, and think twice before clicking links. Messaging apps, on the other hand, feel fast, informal, and familiar. They’re where quick questions happen, files are shared, and decisions get made in real time. 

That change in mindset matters. 

IBM’s Cost of a Data Breach Report consistently shows that stolen credentials are one of the most common ways attackers gain access to our systems. Once inside, those accounts can be used to send convincing internal messages that are far harder to detect. 

When a message appears in Teams or Slack, it doesn’t feel like an external threat. It feels like a colleague asking for help, sharing a document, or requesting something urgent. That assumption lowers people’s guard without them even realising it. 

How Attackers Are Exploiting Messaging Apps 

The mechanics of these attacks are not particularly complex. What makes them effective is the context. 

With remote and hybrid working widely adopted, collaboration platforms have become central to daily operations. Data from the Office for National Statistics shows just how embedded these tools now are in modern workplaces, which naturally makes them an attractive target for attackers. 

One of the most common scenarios starts with a compromised account. An attacker gains access to a legitimate user, often through stolen credentials from a previous breach or a successful phishing email. From there, they begin sending messages internally. 

Because the account is real, everything checks out. The name is familiar, the profile picture is correct, and the tone matches how that person usually communicates. 

A typical message might look like a quick request to review a document, approve an invoice, or check a shared link. It might reference an ongoing project or use language that feels completely normal within the organisation. 

The informal nature of messaging platforms plays a big role here. Messages are shorter, less structured, and often sent in a hurry. There’s less scrutiny, fewer checks, and a stronger assumption that what you’re seeing is legitimate. 

Files and links are also shared far more freely. In email, an unexpected attachment might raise suspicion. In Teams or Slack, it’s often part of everyday workflows. 

The Risk of Speed and Informality 

Internal messaging platforms are designed for speed. That’s exactly what makes them valuable, and exactly what makes them risky. 

When someone receives a message asking for something urgent, there’s often pressure to respond quickly. Whether it’s a manager asking for information, a colleague requesting access, or a finance-related task that needs immediate attention, the instinct is to act rather than question. 

This is where attackers gain an advantage. 

They don’t need to create highly sophisticated messages. They just need to create believable ones that fit the environment. A simple “can you take a look at this” with a link is often enough. 

The more informal the communication style, the easier it is to blend in. There’s no expectation of perfect grammar or formal structure. In fact, overly polished messages can sometimes look more suspicious than casual ones. 

This shift challenges a lot of traditional phishing awareness training, which tends to focus heavily on spotting obvious red flags in emails. Those signals are much less relevant in a messaging environment. 

Real-World Indicators That This Is Growing 

There’s growing evidence that attackers are expanding beyond email and actively targeting the tools employees rely on every day. 

The UK National Cyber Security Centre continues to warn that phishing remains one of the most common and effective attack methods, but the way it’s delivered is evolving alongside workplace habits. As communication shifts towards collaboration platforms, attacker behaviour is shifting with it. 

At the same time, research from Verizon shows that 74% of breaches involve a human element, including phishing and the use of stolen credentials. Once attackers gain access, internal tools like messaging platforms become a natural next step, allowing them to move laterally and target other employees in a far more convincing way. 

Data from the UK Department for Science, Innovation and Technology also reinforces the scale of the issue, with phishing consistently reported as the most common type of cyber attack experienced by UK organisations. While much of this is still associated with email, it highlights just how effective phishing still is, regardless of the channel used. 

What matters here isn’t just that these attacks are happening, but how they’re adapting. As organisations continue to rely on tools like Microsoft Teams and Slack for day-to-day communication, attackers are following that shift, embedding themselves in environments that feel familiar, trusted, and far less likely to be questioned. 

Why Traditional Security Awareness Training Falls Short 

Most security awareness programmes are still heavily centred on email. 

Employees are taught to hover over links, check sender addresses, and look for signs of spoofing. Those are still important skills, but they don’t fully translate to messaging platforms. 

In Teams or Slack, there’s no obvious sender address to verify in the same way. The message often comes from someone the employee already knows. The context feels internal, not external. 

This creates a gap between what people are trained to look for and what they actually experience day to day. 

If employees are only trained to spot phishing in email, they’re far more likely to miss it in other channels. 

What Organisations Should Do Next 

Addressing this risk doesn’t require a complete overhaul, but it does require a shift in focus. 

The first step is expanding awareness beyond email. Employees need to understand that phishing can happen anywhere communication happens. That includes messaging platforms, collaboration tools, and even shared documents. 

Training should include real examples of what phishing looks like in Teams or Slack. This helps people recognise that the format may be different, but the intent is the same. 

It’s also important to reinforce a simple but often overlooked message: internal doesn’t always mean safe. 

Encouraging verification is key. If a request feels unusual, even if it comes from a colleague, employees should feel comfortable double-checking through another channel. That could be a quick call, a separate message, or speaking to the person directly. 

Simulations can also play a valuable role here. Instead of focusing only on email-based scenarios, organisations can run exercises that mimic real messaging app interactions. This helps build familiarity and confidence in spotting suspicious behaviour in a more realistic context. 

Finally, organisations should look at how access and accounts are managed. Since many of these attacks rely on compromised credentials, strengthening authentication methods and monitoring unusual behaviour can significantly reduce the risk. 
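The “monitoring unusual behaviour” point above can be made concrete. The following is an added example, not MetaCompliance’s code or any product’s built-in rule: it runs a simple heuristic over a constructed set of messaging-platform audit events (sender, recipient, timestamp, link present) and a constructed baseline of each user’s normal contacts, and flags an account that suddenly sends link-bearing messages to several colleagues it has never messaged before, which is the compromised-account pattern described earlier on this page. The field layout, thresholds and window are assumptions; map them to whatever your platform’s audit export actually provides.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real data). Each record is
# (sender, recipient, UTC timestamp, message carried a link).
EVENTS = [
    ("alice", "bob",   "2024-05-01T09:00:00", False),
    ("alice", "bob",   "2024-05-01T09:05:00", True),
    ("dave",  "erin",  "2024-05-01T10:00:00", True),
    ("dave",  "frank", "2024-05-01T10:01:00", True),
    ("dave",  "grace", "2024-05-01T10:02:00", True),
    ("dave",  "heidi", "2024-05-01T10:03:00", True),
    ("dave",  "ivan",  "2024-05-01T10:04:00", True),
]

# Constructed baseline: who each sender normally messages (e.g. over the
# previous 90 days). In practice this is derived from historical audit data.
KNOWN_CONTACTS = {
    "alice": {"bob", "carol"},
    "dave": {"erin"},
}


def find_link_bursts(events, known_contacts, window=timedelta(minutes=10),
                     min_recipients=4, min_new=3):
    """Flag senders who, inside `window`, sent link-bearing messages to at
    least `min_recipients` distinct people, of whom at least `min_new` are
    not in the sender's baseline. Returns {sender: details}."""
    by_sender = defaultdict(list)
    for sender, recipient, ts, has_link in events:
        if has_link:  # only link/file-sharing messages matter for this rule
            by_sender[sender].append((datetime.fromisoformat(ts), recipient))

    flagged = {}
    for sender, msgs in by_sender.items():
        msgs.sort()  # chronological, so every later message is >= start
        for i, (start, _) in enumerate(msgs):
            recips = {r for t, r in msgs[i:] if t - start <= window}
            new = recips - known_contacts.get(sender, set())
            if len(recips) >= min_recipients and len(new) >= min_new:
                flagged[sender] = {"recipients": sorted(recips),
                                   "new_contacts": sorted(new)}
                break  # one alert per sender is enough
    return flagged


if __name__ == "__main__":
    for sender, info in find_link_bursts(EVENTS, KNOWN_CONTACTS).items():
        print(f"{sender}: {len(info['recipients'])} recipients in window, "
              f"first-time contacts: {info['new_contacts']}")
```

An alert like this is a prompt for verification through another channel, as the page recommends, not proof of compromise; tune the thresholds against your own baseline so that a genuinely busy user is not flagged every morning.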

Strengthen Your Defence Where It Matters Most 

As phishing moves beyond email and into internal platforms like Microsoft Teams and Slack, organisations need to prepare employees for the threats they’re most likely to face. 

With MetaCompliance’s advanced phishing simulation platform, you can mirror real-world attacks through targeted, automated campaigns tailored by role and risk. This helps employees recognise suspicious messages, respond with confidence, and build lasting awareness, while making sure your programme evolves alongside emerging threats. 

Combined with clear reporting and actionable insights, you can track how behaviour changes over time, identify areas of risk, and demonstrate measurable progress to stakeholders. 

If phishing is evolving, your approach to simulation and training should evolve with it. Get in touch with our team today to find out more. 

Phishing FAQs

Can phishing really happen through internal messaging apps?

Yes, and it’s becoming more common. Attackers often use compromised accounts to send messages through trusted platforms like Microsoft Teams or Slack, making the messages appear legitimate.