London Council Staff Targeted Through Microsoft Teams Following Major Cyberattack

Hackers are exploiting Microsoft Teams following a major breach affecting three London councils, prompting warnings for staff to stay vigilant against new social engineering attacks.


Published: December 22, 2025

Kristian McCann

A London city council has warned employees to exercise caution when using Microsoft Teams after hackers attempted to exploit the platform following a significant cyber incident in November.

The attack on Westminster City Council, which originated at Kensington and Chelsea Council, has affected three West London local authorities that share IT infrastructure and serve around half a million residents.

Council officials confirmed that sensitive personal data was copied during the breach, forcing Westminster to delay supplier payments due to compromised finance systems.

The Attack Timeline and Impact

The cyberattack first surfaced at Kensington and Chelsea Council in November, then spread to Westminster City Council and Hammersmith and Fulham Council due to their shared IT services and systems.

Westminster disclosed the breach on December 17, saying that potentially sensitive historical data had been copied and removed from its networks. Council Leader Elizabeth Campbell emphasized transparency, directing officials to inform affected parties “at the earliest possible opportunity.”

The operational fallout has been substantial. Westminster’s finance systems remain inaccessible, preventing the council from processing payments through normal channels and forcing suppliers into an indefinite waiting period.

Internal communications reveal that hackers have continued their activity post-breach, actively attempting to compromise individual staff members through Microsoft Teams by initiating unexpected calls and meeting invitations.

This comes amid news of a critical flaw discovered in Microsoft Teams’ new guest chat feature. Cyber researchers found that the feature potentially allows malicious actors to bypass standard security protections and deliver malware or phishing attacks directly to unsuspecting users.

The National Cyber Security Centre, the UK’s cybersecurity agency, has been brought in to support restoration efforts, though officials cannot provide a definitive timeline for when systems will return to full functionality.

Westminster Council said that while data was copied, it was neither deleted nor lost from its systems. However, the council is still investigating exactly what data was taken and who might be affected. Hammersmith and Fulham stated there is currently no evidence their systems were directly compromised, despite their part in the shared infrastructure.

Security Lessons for IT Leaders Managing Microsoft Teams

The incident highlights a troubling evolution in attack methodology. Rather than simply extracting data and disappearing, these threat actors are leveraging their initial access to launch ongoing social engineering campaigns. By targeting individual staff members through trusted communication platforms like Teams, they aim to expand their foothold within the organization or gather additional sensitive information unavailable during the initial breach.

As a result, IT leaders should immediately review and tighten external access controls within Teams environments. By default, Teams allows users from outside organizations to initiate contact, creating an attack surface many security teams overlook. Configure Teams to require approval for external meeting participants and consider restricting inbound communication to verified domains only. This is particularly critical for organizations handling sensitive data or operating in sectors targeted by sophisticated threat actors.

Most importantly, IT teams should implement comprehensive security awareness training that goes beyond generic phishing education. Staff need specific guidance on identifying suspicious Teams activity, including unexpected meeting invitations from external contacts, unsolicited calls from unknown users, and requests to share screens or access sensitive information during unscheduled calls. Establish clear protocols for verifying the identity of external contacts before engaging, especially when conversations involve sensitive topics or data access.

Deploy monitoring and logging capabilities that capture Teams communication patterns and flag anomalous behavior. This includes tracking external access attempts, monitoring for bulk contact activity across multiple users, and identifying unusual meeting patterns. Integration with security information and event management (SIEM) systems can help correlate Teams activity with other signals, enabling faster detection of coordinated social engineering campaigns.
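As an added illustration of the "bulk contact activity across multiple users" check described above (this code is not from the council, Microsoft, or the original article), the sketch below flags any external account outside an approved-domain list that reaches several distinct staff members within a short window. The event schema, domain names, window, and threshold are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema
# (timestamp, initiating account, internal recipient, activity type).
# This is not a real Teams audit-log format; map your own export onto it.
SAMPLE_EVENTS = [
    ("2025-12-18T09:00:05", "helpdesk@it-support.example", "alice@council.example", "call"),
    ("2025-12-18T09:03:10", "helpdesk@it-support.example", "bob@council.example", "meeting_invite"),
    ("2025-12-18T09:07:45", "helpdesk@it-support.example", "carol@council.example", "call"),
    ("2025-12-18T09:12:00", "helpdesk@it-support.example", "dave@council.example", "call"),
    ("2025-12-18T09:10:00", "vendor@partner.example", "alice@council.example", "meeting_invite"),
    ("2025-12-18T09:00:00", "recruiter@jobs.example", "bob@council.example", "chat"),
    ("2025-12-18T11:00:00", "recruiter@jobs.example", "carol@council.example", "chat"),
    ("2025-12-18T14:00:00", "recruiter@jobs.example", "erin@council.example", "chat"),
]

# Assumed allowlist: the organization's own domain plus verified partners.
ALLOWED_DOMAINS = {"council.example", "partner.example"}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def flag_bulk_external_contact(events, allowed_domains,
                               window=timedelta(minutes=30), threshold=3):
    """Map each unverified external sender to the internal users it reached,
    if it contacted at least `threshold` distinct users inside one `window`."""
    contacts_by_sender = defaultdict(list)
    for timestamp, sender, recipient, _activity in events:
        if domain_of(sender) not in allowed_domains:
            contacts_by_sender[sender].append((datetime.fromisoformat(timestamp), recipient))

    flagged = defaultdict(set)
    for sender, contacts in contacts_by_sender.items():
        contacts.sort()
        start = 0
        for end in range(len(contacts)):
            # Slide the window start forward until it spans at most `window`.
            while contacts[end][0] - contacts[start][0] > window:
                start += 1
            recipients = {recipient for _, recipient in contacts[start:end + 1]}
            if len(recipients) >= threshold:
                flagged[sender] |= recipients
    return {sender: sorted(users) for sender, users in flagged.items()}


if __name__ == "__main__":
    for sender, users in flag_bulk_external_contact(SAMPLE_EVENTS, ALLOWED_DOMAINS).items():
        print(f"ALERT {sender} contacted {len(users)} staff: {', '.join(users)}")
```

On the constructed data, only the account that reached four staff in twelve minutes is flagged; the allowlisted partner and the sender whose three contacts are spread across five hours are not.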

Building Resilient Collaboration Security

The Westminster cyberattack demonstrates that modern threats don’t end when hackers exit your network; they evolve into sophisticated follow-on campaigns that exploit the very tools organizations rely on for daily operations.

The decision to weaponize Microsoft Teams shows that attackers understand how trusted platforms can bypass traditional security skepticism. When a call or meeting invitation comes through Teams, users often assume a baseline level of legitimacy that doesn’t exist for cold emails or phone calls.

For IT leaders, this incident underscores the urgent need to treat collaboration platforms with the same security rigor applied to email, web gateways, and other traditional attack vectors.

Teams, Slack, Zoom, and similar tools have become critical business infrastructure, which means they’ve also become critical security concerns. Their integration into every aspect of business operations creates both efficiency and vulnerability.

The financial impact of the Westminster attack—with delayed supplier payments and indefinite system restoration timelines—illustrates the business continuity risks that extend far beyond data theft.

Looking ahead, the cybersecurity landscape will increasingly challenge the use of internal communication tools like UC platforms. As attackers grow more sophisticated in exploiting trusted platforms, organizations must shift from perimeter-focused security models to zero-trust architectures that verify every interaction, regardless of platform or apparent source.
