A new phishing campaign weaponizes Microsoft Entra guest user invitations to trick recipients into phoning attackers who pose as Microsoft support.
The attack abuses the way Microsoft Entra communicates with external users: a legitimate collaboration feature, the B2B guest invitation, becomes the delivery channel for a social engineering lure.
The campaign is an evolution of TOAD (Telephone Oriented Attack Delivery) tactics, pairing a trusted cloud identity platform with a traditional phone-based scam to gain access to organizational accounts.
Michael Taggart, a security analyst and researcher, identified this novel attack vector after discovering multiple phishing campaigns exploiting the guest invitation system.
The phishing campaign uses Microsoft Entra tenant invitations sent from the legitimate invites@microsoft[.]com address to pass email filters and establish trust with targets.
Attackers register fake organizational tenants with names like “Unified Workspace Team,” “CloudSync,” and “Advanced Suite Services” to impersonate legitimate Microsoft entities.
The attack chain pairs abuse of cloud infrastructure with conventional social engineering.
Once recipients receive the invitation email, they encounter a convincing message claiming their Microsoft 365 annual plan requires renewal processing, complete with fabricated transaction details including reference numbers, customer IDs, and billing amounts of approximately $446.46.
The message instructs users to contact a phone number listed as Microsoft Billing Support, which actually connects them directly to attackers who proceed with credential harvesting and account takeover attempts.
Detection Evasion Through Legitimate Infrastructure
The infection mechanism exploits a fundamental weakness in Entra’s design: the Message field in guest user invitations accepts arbitrarily long text, allowing attackers to embed extensive phishing content without triggering traditional security alerts.
Since the invitation originates from Microsoft’s legitimate infrastructure, email security systems rarely flag these communications as malicious.
The attackers register multiple fake tenant domains, including x44xfqf.onmicrosoft[.]com, woodedlif.onmicrosoft[.]com, and xeyi1ba.onmicrosoft[.]com, creating a network of persistent infrastructure for continuous campaign deployment.
Organizations should search email logs now for the indicators reported so far: the sender address invites@microsoft[.]com, subject lines containing “invited you to access applications within their organization,” and the attacker tenant names and onmicrosoft[.]com domains listed above. Because the same sender address also carries legitimate B2B invitations, treat these as triage criteria rather than a block rule, and verify the inviting tenant before acting on a hit.
The phone numbers associated with these campaigns can be blocked on corporate phone systems, and users should be taught to verify Microsoft billing or support requests through official Microsoft channels rather than through contact details embedded in an invitation.
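An added example, not from the article, the researcher, or Microsoft: a small Python triage routine that applies the indicators above to message-trace style records and flags invitations that look like this lure. The records, the partner allow-list (`contoso.onmicrosoft.com`), the scoring weights and the alert threshold are all constructed assumptions. It goes a little beyond the article's exact indicators by also scoring generic TOAD traits (a phone number plus billing or renewal wording and a dollar amount inside an invitation message), so a campaign that rotates tenant names still scores.

```python
"""Triage Microsoft Entra guest-invitation mail for the TOAD lure described above.

Added example (not from the article, the researcher, or Microsoft). The
records below are constructed; real input would be an Exchange message
trace or Defender mail export with the same fields.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicators from the article, refanged so they match real log data.
INVITE_SENDER = "invites@microsoft.com"
INVITE_SUBJECT_KEY = "invited you to access applications within their organization"
ATTACKER_TENANT_NAMES = {"unified workspace team", "cloudsync", "advanced suite services"}
ATTACKER_TENANT_DOMAINS = {
    "x44xfqf.onmicrosoft.com",
    "woodedlif.onmicrosoft.com",
    "xeyi1ba.onmicrosoft.com",
}
# Hypothetical allow-list of partner tenants that legitimately invite our users.
KNOWN_PARTNER_DOMAINS = {"contoso.onmicrosoft.com"}

ONMICROSOFT_RE = re.compile(r"\b([a-z0-9-]+\.onmicrosoft\.com)\b")
# Separators are required, so 10-digit reference or customer numbers do not match.
PHONE_RE = re.compile(r"(?:\+?1[\s.-])?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}")
MONEY_RE = re.compile(r"\$\s?\d[\d,]*\.\d{2}")
BILLING_WORDS = ("renewal", "billing", "transaction", "customer id", "reference number")
ALERT_THRESHOLD = 3  # assumed tuning value


@dataclass
class Finding:
    message_id: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)
    tenant_domains: list[str] = field(default_factory=list)
    phone_numbers: list[str] = field(default_factory=list)

    @property
    def alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def triage(msg: dict) -> Finding | None:
    """Score one message; returns None for mail that is not a guest invitation."""
    sender = msg["sender"].lower()
    subject = msg["subject"].lower()
    body = msg["body"]
    text = f"{subject}\n{body.lower()}"

    # Only invitation-shaped mail is in scope: the real sender or the standard subject.
    if sender != INVITE_SENDER and INVITE_SUBJECT_KEY not in subject:
        return None

    f = Finding(message_id=msg["id"])
    f.tenant_domains = sorted(set(ONMICROSOFT_RE.findall(text)))
    f.phone_numbers = [p.strip() for p in PHONE_RE.findall(body)]

    names = sorted(n for n in ATTACKER_TENANT_NAMES if n in text)
    if names:
        f.score += 3
        f.reasons.append("known attacker tenant name: " + ", ".join(names))

    for domain in f.tenant_domains:
        if domain in ATTACKER_TENANT_DOMAINS:
            f.score += 3
            f.reasons.append(f"known attacker tenant domain: {domain}")
        elif domain not in KNOWN_PARTNER_DOMAINS:
            f.score += 1
            f.reasons.append(f"invite from unrecognised tenant: {domain}")

    # Legitimate B2B invitations do not ask you to phone anyone about a bill.
    if f.phone_numbers:
        f.score += 2
        f.reasons.append("invitation message carries a phone number")
    if sum(w in text for w in BILLING_WORDS) >= 2 and MONEY_RE.search(body):
        f.score += 2
        f.reasons.append("billing/renewal lure with a dollar amount")
    return f


def alerts(messages: list[dict]) -> list[Finding]:
    """Findings at or above the alert threshold, in message order."""
    return [f for f in map(triage, messages) if f is not None and f.alert]


# Constructed records, not real mail; phone numbers use the reserved 555-01xx range.
SAMPLE_MESSAGES = [
    {"id": "m1", "sender": "invites@microsoft.com",
     "subject": "Unified Workspace Team invited you to access applications within their organization",
     "body": ("Your Microsoft 365 annual plan renewal is being processed.\n"
              "Reference number: MS-7F3K9Q  Customer ID: CUST-20931  Amount: $446.46\n"
              "To dispute this charge contact Microsoft Billing Support at 1-800-555-0142.\n"
              "Accept the invitation to join x44xfqf.onmicrosoft.com.")},
    {"id": "m2", "sender": "invites@microsoft.com",
     "subject": "Contoso invited you to access applications within their organization",
     "body": "Hi, we added you to the Q3 audit workspace. Invitation from contoso.onmicrosoft.com."},
    {"id": "m3", "sender": "hr@example.com", "subject": "Timesheets due Friday",
     "body": "Please submit timesheets by 5pm. Thanks."},
    {"id": "m4", "sender": "invites@microsoft.com",
     "subject": "Fabrikam Billing invited you to access applications within their organization",
     "body": ("Your annual plan renewal could not be completed. Transaction reference number: TX-88A1.\n"
              "Amount due: $199.00. Call Billing Support at (800) 555-0199 to avoid suspension.\n"
              "Invitation from fabrikam-billing.onmicrosoft.com.")},
]

if __name__ == "__main__":
    for f in alerts(SAMPLE_MESSAGES):
        print(f.message_id, f.score, f.phone_numbers, f.reasons)
```

On the constructed records, m1 (the article's lure) and m4 (an unnamed tenant using the same billing-plus-phone pattern) alert, the partner invitation from Contoso scores zero, and unrelated mail is ignored. Findings should feed an analyst queue and a phone-number block list, not an automatic block on invites@microsoft.com, which would also drop legitimate guest invitations.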
