Microsoft Teams Direct Routing Security: Preventing Toll Fraud and Ensuring Compliance
You've deployed Microsoft Teams Direct Routing to enable Teams calling on your company's voice infrastructure. It works great—users can make PSTN calls directly from Teams with better integration than traditional phone systems.
But as your Teams calling volume grows, you start wondering: "Are we actually secure? What's to prevent bad actors from exploiting our SIP trunks and running up massive toll fraud charges? How do we ensure we're compliant with regulations that require call recording and authentication?"
These are legitimate concerns. Teams Direct Routing introduces security risks that traditional phone systems don't have—specifically around SIP trunk exploitation and the transition from an internal Microsoft infrastructure to an open telecom infrastructure. Understanding these risks and implementing proper controls isn't optional; it's essential.
Understanding Teams Direct Routing's Unique Security Risks
Teams Direct Routing connects Microsoft Teams to your organization's voice carrier through Session Border Controllers (SBCs). This architecture is powerful, but it creates security surfaces that traditional phone systems don't expose.
Risk 1: The SBC as Attack Vector
Your SBC is now the interface between the open internet (where bad actors live) and your internal Teams infrastructure (where your users are). A compromised or misconfigured SBC becomes a jumping-off point for attackers.
Common SBC exploitation vectors:
- Weak authentication on the SBC itself (poor admin credentials)
- Unpatched SBC software with known vulnerabilities
- Default configurations that enable risky features
- An SBC that accepts SIP traffic from untrusted sources
An attacker who compromises your SBC can:
- Make fraudulent calls using your organization's phone numbers and carrier account
- Intercept and modify call traffic
- Inject malicious SIP messages
- Extract metadata about your organization's call patterns
Risk 2: SIP Trunk Exploitation for Toll Fraud
SIP trunks are the pathway between your SBC and your carrier. If an attacker gains access to your SIP trunk credentials or can spoof a trusted source, they can initiate calls that your carrier bills to your account.
Toll fraud isn't hypothetical. Criminals actively scan the internet for exposed SIP trunks. When they find one, they immediately begin making international calls (which have high per-minute charges) to premium numbers they control. A single compromised SIP trunk can generate $50,000-$500,000 in fraudulent charges before it's detected.
Common attack vectors:
- Brute-forced SIP trunk credentials
- SIP credentials exposed in configurations or logs
- Compromised device with SIP trunk credentials stored locally
- Man-in-the-middle attack capturing unencrypted SIP traffic
Risk 3: Routing Policy Misconfiguration
Teams Direct Routing routing policies determine which SIP trunks handle which calls. Misconfigured policies can lead to:
- International calls routing through unintended trunks
- Calls to premium numbers not being blocked
- Calls to specific destinations routing through carriers with weaker fraud detection
An attacker who can influence routing policies can force expensive calls through specific carriers or to specific destinations.
Risk 4: Compliance Exposure in Regulated Industries
If your organization operates in regulated industries (financial services, healthcare, legal), call recording and authentication requirements exist:
- MiFID II and Dodd-Frank (financial services): Require call recording, caller authentication, and immutable audit trails
- HIPAA (healthcare): Requires HIPAA-compliant calling with encryption
- PCI DSS (payment processing): Requires audit trails for calls involving payment data
- GDPR (EU): Requires call data to be processed according to EU data residency rules
Teams Direct Routing that isn't properly configured can leave your organization out of compliance with these requirements.
Prevention Strategy 1: SBC Hardening and Access Control
The foundation of Teams Direct Routing security is hardening your SBC.
Admin Credential Security
- Change all default credentials on your SBC to strong, unique passwords stored in a password manager
- Implement multi-factor authentication for SBC admin access
- Limit SBC admin access to specific IP addresses (your network only, not the internet)
- Regularly audit who has SBC admin access and revoke unused accounts
Firmware and Patch Management
- Enable automatic security updates on your SBC where available
- Subscribe to vendor security bulletins and patch promptly
- Test patches in a lab environment before deploying to production
- Maintain a change log of all SBC firmware versions and patches
Network Segmentation
- Your SBC should be isolated on its own network segment with firewall rules
- Only allow SIP, RTP, and necessary management traffic
- Block all unnecessary ports
- Use network-level rate limiting to detect abnormal call volumes
SIP Protocol Hardening
- Disable unnecessary SIP methods (enable only the methods the trunk actually needs, such as INVITE, BYE, REGISTER and ACK)
- Enable SIP authentication on inbound connections
- Configure challenge-response authentication for SIP messages
- Log all rejected SIP messages for forensic analysis
Prevention Strategy 2: SIP Credential Management and Encryption
Your SIP trunk credentials are like the keys to your carrier account. Protecting them is critical.
SIP Credential Management
- Store SIP credentials in encrypted format, not plaintext
- Use strong, random SIP credentials (minimum 20 characters, mixed case, numbers, symbols)
- Rotate SIP credentials regularly (quarterly at minimum)
- Never embed SIP credentials in code, configuration files that get checked into version control, or logs
- Use separate SIP credentials for different trunks or customers if you manage multiple
SRTP Encryption
SRTP (Secure Real-time Transport Protocol) encrypts the actual voice data in transit. Without it, voice conversations can be intercepted and recorded by anyone with network access.
- Configure SRTP as mandatory (not optional) for all Teams Direct Routing calls
- Use strong cipher suites (AES-256 preferred)
- Verify SRTP is negotiated in SIP headers before allowing calls to connect
TLS Encryption for SIP Signaling
SIP signaling contains call metadata and authentication information. TLS (Transport Layer Security) encrypts this in transit.
- Use TLS for all SIP connections (not unencrypted TCP or UDP)
- Deploy valid TLS certificates on your SBC (not self-signed)
- Verify certificate validity and chain of trust
- Enable mutual TLS authentication (both sides verify each other)
Prevention Strategy 3: Toll Fraud Detection and Prevention
Toll fraud is the fastest-moving Teams Direct Routing threat. Detection must be real-time because fraudsters move quickly.
Destination Blocklist and Whitelist
- Maintain a blocklist of known high-risk destinations (international premium numbers, special services)
- Implement a whitelist of approved destination countries for your organization
- Block calls to known fraud destinations by default
- Review and update blocklists monthly as new fraud destinations emerge
Call Volume and Rate Anomaly Detection
- Establish baselines for normal call volumes by hour, day, and geography
- Alert when call volumes deviate significantly from baseline (e.g., 500% spike in international calls at 3 AM)
- Implement automatic rate limiting: if call volume exceeds threshold, stop accepting new calls pending investigation
Geographic Anomaly Detection
- Track where calls originate and where they're destined
- Alert when a user is making calls to unusual geographies compared to their history
- Flag calls to geographies associated with fraud rings
Call Duration Anomalies
- Fraudsters often make many short calls quickly (testing routes, testing carrier response)
- Flag patterns of repeated short calls to the same or similar destinations
- Real business calls have more variation in duration
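As an added example (not code from this article or from Peeredge), here are the destination-policy, volume-spike and short-call checks described above as they could run over a batch of call detail records. The CDR layout, country codes, thresholds and sample calls are all constructed assumptions, and a home country code of +1 is assumed.

```go
package main

import (
	"fmt"
	"strings"
)
// CDR is one call detail record: E.164 destination, start hour (0-23), billed seconds.
// The layout is constructed for this example, not a real SBC export format.
type CDR struct{ Callee string; Hour, Seconds int }
// Policy holds the allowlist, blocklist and alert thresholds described in the text.
type Policy struct {
	AllowedCC, BlockedPrefix []string
	SpikeIntl                int // international calls within one hour that count as a spike (e.g. 5x baseline)
	ShortSecs, ShortBurst    int // "short" call duration; repeats to one prefix before alerting
}
func anyPrefix(n string, ps []string) bool {
	for _, p := range ps {
		if strings.HasPrefix(n, p) {
			return true
		}
	}
	return false
}
// Analyze streams a CDR batch through the destination policy, volume-spike and short-call burst
// checks; each rate alert fires once when crossed. The home country code is assumed to be +1.
func Analyze(cdrs []CDR, p Policy) []string {
	var alerts []string
	intl, short := map[int]int{}, map[string]int{}
	for _, c := range cdrs {
		if anyPrefix(c.Callee, p.BlockedPrefix) || !anyPrefix(c.Callee, p.AllowedCC) {
			alerts = append(alerts, "DESTINATION-POLICY "+c.Callee)
		}
		if !strings.HasPrefix(c.Callee, "+1") {
			if intl[c.Hour]++; intl[c.Hour] == p.SpikeIntl {
				alerts = append(alerts, fmt.Sprintf("SPIKE hour=%02d intl=%d", c.Hour, intl[c.Hour]))
			}
		}
		if c.Seconds <= p.ShortSecs && len(c.Callee) >= 6 {
			d := c.Callee[:6] // "similar destinations" share leading digits
			if short[d]++; short[d] == p.ShortBurst {
				alerts = append(alerts, "SHORT-BURST prefix="+d)
			}
		}
	}
	return alerts
}
// DefaultPolicy and Sample are constructed: routine calls, then a 3 AM burst of short calls to one blocklisted prefix.
var DefaultPolicy = Policy{AllowedCC: []string{"+1", "+44"}, BlockedPrefix: []string{"+882"}, SpikeIntl: 5, ShortSecs: 10, ShortBurst: 4}
var Sample = []CDR{{"+14155550100", 9, 240}, {"+442071234567", 11, 310}, {"+882123456701", 3, 4},
	{"+882123456702", 3, 6}, {"+882123456703", 3, 3}, {"+882123456704", 3, 5}, {"+882123456705", 3, 4}}
```

Running Analyze(Sample, DefaultPolicy) flags every call to the blocklisted prefix, raises the short-call burst on the fourth probe and the volume spike on the fifth, while the two routine calls produce nothing.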
Real-time Fraud Detection Integration
Modern carrier networks and orchestration platforms like Peeredge integrate real-time fraud detection:
- Carrier fraud detection catches fraud in real-time and blocks fraudulent calls
- Orchestration platforms can analyze patterns across all calls and detect fraud before it causes losses
- Automated response: block the caller, notify security team, restrict the SIP trunk
Prevention Strategy 4: Caller ID Authentication with STIR/SHAKEN
STIR/SHAKEN is an industry standard for authenticating caller ID to prevent spoofing.
The Problem STIR/SHAKEN Solves
Bad actors can spoof caller ID—making calls appear to come from different numbers than they actually do. This is used for:
- Toll fraud (call appears to come from internal phone, actually from external fraudster)
- Social engineering attacks (caller appears to be from your own IT department)
- Scam calls impersonating legitimate organizations
How STIR/SHAKEN Works
- Your SBC digitally signs SIP messages with a certificate proving you own the caller ID number
- Receiving carriers verify the signature before accepting the call
- Calls with invalid or missing signatures are treated as suspicious
- Calls with spoofed numbers are either blocked or marked as unverified
Implementing STIR/SHAKEN for Teams Direct Routing
- Obtain STIR/SHAKEN certificates from your carrier or a provider
- Configure your SBC to sign outbound SIP messages with your certificate
- Configure your SBC to verify incoming calls
- Enable STIR/SHAKEN on Teams Direct Routing trunks
- Monitor verification failures—they might indicate incoming fraud attempts
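As an added example that is not code from this article or from any SBC vendor, the signing and verification steps above in Go using only the standard library: the originating side signs a PASSporT with ES256, and the receiving side checks the signature, the freshness of the token and that the signed numbers match the call, returning a reason string that can feed the verification-failure monitoring mentioned above. The key, certificate URL and phone numbers are constructed stand-ins (a real deployment signs with a key whose certificate its STI-CA issued), and the SHAKEN-specific origid claim is left out for brevity.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"math/big"
	"strings"
)
var b64 = base64.RawURLEncoding // JWS compact serialization uses unpadded base64url
type claims struct { // PASSporT payload (RFC 8225): attestation level, destination/origin numbers, issue time
	Attest string                            `json:"attest"`
	Dest   struct{ TN []string `json:"tn"` } `json:"dest"`
	Iat    int64                             `json:"iat"`
	Orig   struct{ TN string `json:"tn"` }   `json:"orig"`
}
func NewSigningKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k } // stand-in for the key whose certificate an STI-CA issues
// SignPassport is the originating SBC's role: ES256-sign header+claims into the compact token carried in the SIP Identity header.
func SignPassport(key *ecdsa.PrivateKey, x5u, orig, dest, attest string, now int64) string {
	c := claims{Attest: attest, Iat: now}
	c.Dest.TN, c.Orig.TN = []string{dest}, orig
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u})
	body, _ := json.Marshal(c) // x5u above is the URL where verifiers fetch the signer's certificate
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, key, digest[:]) // only fails if the system RNG does
	sig := make([]byte, 64)                            // JWS ES256 signature is raw R||S, each left-padded to 32 bytes
	r.FillBytes(sig[:32]); s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig)
}
// VerifyPassport is the receiving SBC's role: it returns the attestation level, or a problem string to log (bad signature, iat outside the 60 s RFC 8224 window, numbers differing from SIP From/To).
func VerifyPassport(token string, pub *ecdsa.PublicKey, from, to string, now int64) (attest, problem string) {
	parts := append(strings.SplitN(token, ".", 3), "", "") // padding keeps a malformed token from panicking
	sig, _ := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	var c claims
	switch {
	case len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])):
		return "", "signature invalid: caller ID not attested by this key"
	case json.NewDecoder(base64.NewDecoder(b64, strings.NewReader(parts[1]))).Decode(&c) != nil:
		return "", "unparseable claims"
	case now-c.Iat > 60 || c.Iat-now > 60:
		return "", "stale PASSporT (possible replay)"
	case c.Orig.TN != from || len(c.Dest.TN) != 1 || c.Dest.TN[0] != to:
		return "", "signed numbers do not match SIP From/To"
	}
	return c.Attest, ""
}
```

A token verified with a different From, an old iat or another carrier's key yields a non-empty problem string, which is the signal the last bullet above says to monitor.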
Prevention Strategy 5: Call Recording and Compliance
For regulated industries, call recording isn't optional—it's mandatory. Teams Direct Routing call recording must meet compliance requirements.
Call Recording Requirements by Industry
- Financial Services (MiFID II, Dodd-Frank): Dual recording (Teams side and voice infrastructure side); immutable audit trail; speaker identification
- Healthcare (HIPAA): Encryption, access controls, audit logging
- Legal: Immutable recording, timestamp accuracy, speaker identification
- Telecommunications: Compliance with CALEA (Communications Assistance for Law Enforcement Act)
Implementing Compliant Call Recording
- Use Teams built-in call recording for the Teams side
- Use SBC or carrier-level recording for the voice infrastructure side
- Implement dual recording for critical regulated calls (ensures no gaps)
- Store recordings encrypted with long-term retention
- Implement access controls so only authorized personnel can access recordings
- Maintain immutable audit logs of who accessed what recording when
- Use speaker identification to tag who said what in the call
Compliance-Ready Orchestration
Peeredge integrates compliance recording and audit logging:
- Automatic call recording across all carriers simultaneously
- Immutable audit trails for regulatory audit
- Geo-fencing to ensure calls meet data residency requirements
- Compliance dashboards showing recording completeness and quality
Prevention Strategy 6: Monitoring and Incident Response
Even with all preventive controls, you need visibility into what's happening on your SIP trunks.
What to Monitor
- Failed authentication attempts (early warning of attack)
- Unusual call volumes or destinations
- SBC performance metrics (if the SBC is under attack, latency increases)
- SIP error rates (high error rates indicate attack or misconfiguration)
- Codec negotiation failures (might indicate man-in-the-middle attack)
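As an added example (not from this article or any SBC vendor), a small monitor that applies the SIP hardening advice from Prevention Strategy 1 and the monitoring list above to signaling log lines: it counts 401/403 failures per source, flags a source once it reaches a brute-force threshold, records requests whose method is outside an assumed allowlist, and tallies the error rate. The key=value log format, the allowlist (the article's methods plus CANCEL and OPTIONS, assumed here because a trunk uses them for call teardown and health checks) and the sample lines are all constructed.

```go
package main
import "strings"
// Event is one parsed SIP signaling log entry; the key=value line format is constructed for this example (adapt ParseLine to your SBC).
type Event struct{ Src, Method, Status string }
// ParseLine reads `... src=IP method=METHOD status=CODE ...`: fields in any order, extras ignored.
func ParseLine(line string) (Event, bool) {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	e := Event{kv["src"], kv["method"], kv["status"]}
	return e, e.Src != "" && e.Method != "" && e.Status != ""
}
type Report struct {
	AuthFailures  map[string]int // source -> count of 401/403 responses
	BruteForce    []string       // sources that reached the failure threshold (early warning of attack)
	Disallowed    []string       // "source METHOD" for requests using methods outside the trunk allowlist
	Errors, Total int            // 4xx/5xx responses and all responses; Errors/Total is the SIP error rate
}
// Monitor folds log lines into a Report; allowed is the SIP method allowlist, threshold the number of auth failures from one source that counts as brute forcing (alert fires once, when reached).
func Monitor(lines []string, allowed map[string]bool, threshold int) Report {
	r := Report{AuthFailures: map[string]int{}}
	for _, l := range lines {
		e, ok := ParseLine(l)
		if !ok {
			continue // not a line we understand
		}
		r.Total++
		if e.Status >= "400" { // three-digit codes compare correctly as strings
			r.Errors++
		}
		if e.Status == "401" || e.Status == "403" {
			if r.AuthFailures[e.Src]++; r.AuthFailures[e.Src] == threshold {
				r.BruteForce = append(r.BruteForce, e.Src)
			}
		}
		if !allowed[e.Method] {
			r.Disallowed = append(r.Disallowed, e.Src+" "+e.Method)
		}
	}
	return r
}
// Allowed is the assumed trunk allowlist; SampleLog is constructed: a healthy trunk, a SUBSCRIBE probe, and a credential-guessing burst.
var Allowed = map[string]bool{"INVITE": true, "ACK": true, "BYE": true, "CANCEL": true, "OPTIONS": true, "REGISTER": true}
var SampleLog = []string{
	"t=03:00:01 src=198.51.100.10 method=OPTIONS status=200", "t=03:00:02 src=198.51.100.10 method=INVITE status=200", "t=03:12:01 src=203.0.113.7 method=SUBSCRIBE status=405",
	"t=03:12:02 src=203.0.113.7 method=REGISTER status=401", "t=03:12:03 src=203.0.113.7 method=REGISTER status=401", "t=03:12:04 src=203.0.113.7 method=REGISTER status=401",
}
```

With a threshold of 3, Monitor(SampleLog, Allowed, 3) reports the probing source as brute-forcing after its third 401, lists its SUBSCRIBE as a disallowed method, and shows four of six responses as errors.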
Incident Response Playbook
When you detect potential fraud:
- Immediately isolate the affected SIP trunk (stop accepting calls, don't terminate in-progress calls)
- Notify your carrier (they can check for fraudulent calls on their side and help calculate exposure)
- Investigate the SBC (check logs for unauthorized access, configuration changes, compromised credentials)
- Review call records (identify all fraudulent calls, calculate financial impact)
- Notify affected users (if credentials were compromised, force password resets)
- Rotate SIP credentials (if breach was through credential compromise)
- Fix the root cause (patch SBC vulnerability, harden access controls, improve monitoring)
The Difference Teams Direct Routing Security Makes
Consider two scenarios:
Scenario A: Basic Teams Direct Routing
- Standard SBC configuration, default admin credentials eventually changed, SIP credentials stored in a shared password manager
- Fraudster discovers SIP trunk through internet scanning, gains access with brute force, makes $200,000 in fraudulent calls before someone notices unusual billing
Scenario B: Secured Teams Direct Routing (Peeredge)
- SBC hardened, SRTP enforced, TLS required, real-time fraud detection enabled, STIR/SHAKEN implemented
- Same fraudster attempts access; SBC rejects unauthenticated requests
- Even if they gain temporary access, first call attempt triggers fraud detection and SIP trunk is automatically blocked
- Total fraud loss: $0 (call blocked within milliseconds)
That's the difference proper security architecture makes.
Key Takeaways
Teams Direct Routing security isn't a single control—it's a defense-in-depth approach:
- Harden your SBC (foundation)
- Protect SIP credentials (prevent unauthorized access)
- Encrypt traffic (SRTP and TLS)
- Detect fraud in real-time (stop it before it costs money)
- Authenticate caller ID (STIR/SHAKEN)
- Record and audit (compliance and forensics)
- Monitor and respond (catch what slips through)
Implementing all seven controls requires coordinated effort, but the alternative—exposed Teams Direct Routing generating six-figure fraud losses—is far worse.
Organizations in regulated industries need compliance-ready infrastructure. Organizations in any industry need fraud prevention that works at the speed of fraudsters.
Ready to assess your Teams Direct Routing security? Schedule a 30-minute security review with our team. We'll evaluate your current configuration against these best practices and show you where the highest-risk gaps are.