Hackers Using Teams to Deliver Malicious Content Posing as Microsoft Services

A sophisticated phishing campaign has been identified in which threat actors are abusing legitimate Microsoft Teams functionality to distribute malicious content that appears to originate from trusted Microsoft services.

By leveraging the platform’s “Invite a Guest” feature and crafting deceptive team names, attackers are bypassing traditional email security controls to deliver fraudulent billing notifications directly to victims’ inboxes.

The attack methodology relies on exploiting the trust users place in automated notifications from collaboration platforms. Rather than spoofing email addresses or injecting malicious URLs, the attackers create new teams within Microsoft Teams, assigning them names designed to mimic urgent financial alerts. These names often reference subscription renewals or auto-pay notices to induce panic.

A specific example observed in the wild includes team names such as: “Subscription Auto-Pay Notice (Ivoice ID: 2025_614632PPOT_SAG Amount 629. 98 USD). If you did not authorize or complete this m0nthly Payment,plese c0ntact our support team urgently.”

Once the team is created, the attacker sends invitations to external targets using the native “Invite a Guest” feature. The recipient receives an email directly from a legitimate Microsoft address (e.g., [email protected]).

Fake Microsoft Teams Invite (Source: Checkpoint)

Because the email infrastructure is genuine, it easily passes SPF, DKIM, and DMARC checks. However, the body of the email displays the malicious team name containing the fraudulent billing message and a support phone number in a large, prominent font.

This campaign is distinct in its use of phone-based social engineering (vishing). Instead of directing users to a credential-harvesting site, the text instructs victims to call a fraudulent support line to resolve the alleged charge.

To evade automated content filters, attackers employ obfuscation techniques within the team name, utilizing character substitutions, mixed Unicode characters, and visually similar glyphs.

The scale of this operation is significant, with telemetry indicating a broad, indiscriminate approach rather than targeted espionage. Security researchers recorded a total of 12,866 phishing messages distributed during the campaign’s peak, averaging 990 messages daily. These attacks reached approximately 6,135 distinct customers.

The distribution of targets suggests the attackers aimed to exploit widespread Microsoft Teams adoption. The manufacturing, engineering, and construction sectors bore the brunt of the activity, accounting for 27.4% of affected organizations.

This was followed by the Technology/SaaS/IT sector at 18.6% and the Education sector at 14.9%. Other affected verticals included professional services, government, and finance.

Geographic Distribution of Targets

The campaign demonstrated a global reach, though the primary focus remained on North American targets. Organizations in the United States comprised 67.9% of the victim pool. European entities accounted for 15.8%, followed by Asia at 6.4%.

A specific regional breakdown of the Latin American (LATAM) impact shows a concentration in Brazil and Mexico:

Country      Percentage of LATAM targets
Brazil       44%
Mexico       31%
Argentina    11%
Colombia      8%
Chile         4%
Peru          2%

This campaign highlights a critical gap in collaboration security: invitations generated by trusted platforms are rarely subjected to content inspection. Since the email delivery mechanism itself is legitimate, organizations cannot rely solely on email authentication protocols such as SPF, DKIM, and DMARC to block these threats.

Security teams are advised to educate users on scrutinizing unexpected Teams invitations, particularly those containing urgent financial language, phone numbers, or unusual character formatting.
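As an added example (not part of the original article or of Check Point's research), the following Python triage helper scores a Teams team name for the traits the article describes: urgent financial language, an embedded support phone number, digit-for-letter substitutions such as "m0nthly", and mixed Unicode scripts. The sample names are constructed; the first is modelled on the team name quoted above with a fictional phone number appended, and the second uses a Cyrillic letter to stand in for a Latin one.

```python
import re
import unicodedata

# Constructed samples for the checks below. The first is modelled on the
# team name quoted in the article, with a constructed (fictional) support
# number appended; the other two are made up for contrast.
SAMPLE_NAMES = [
    "Subscription Auto-Pay Notice (Ivoice ID: 2025_614632PPOT_SAG Amount "
    "629. 98 USD). If you did not authorize or complete this m0nthly "
    "Payment,plese c0ntact our support team urgently at +1 (800) 555-0199.",
    "Micr\u043esoft 365 Billing Support",  # Cyrillic 'о' replacing Latin 'o'
    "Q3 Marketing Planning",
]

URGENT_FINANCE = re.compile(
    r"\b(auto-?pay|subscription|invoice|billing|payment|charge|renewal|"
    r"refund|unauthori[sz]ed|urgent(ly)?)\b", re.IGNORECASE)
# A run of ten or more digits and separators, e.g. "+1 (800) 555-0199".
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
# Leet-style digit standing in for a letter inside a word: m0nthly, c0ntact.
LEET_DIGIT = re.compile(r"[a-z][01345][a-z]")


def scripts_used(text):
    """Set of Unicode scripts used by the letters in text, taken from the
    first word of each character's Unicode name (LATIN, CYRILLIC, ...).
    More than one script in a team name suggests homoglyph substitution."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in text if ch.isalpha()}


def score_team_name(name):
    """Score a team name against the lure traits described in the article.
    Returns (score, reasons), where score is the number of traits hit."""
    reasons = []
    if URGENT_FINANCE.search(name):
        reasons.append("urgent financial language")
    if PHONE.search(name):
        reasons.append("phone number embedded in team name")
    if LEET_DIGIT.search(name):
        reasons.append("digit-for-letter substitution")
    if len(scripts_used(name)) > 1:
        reasons.append("mixed Unicode scripts (possible homoglyphs)")
    return len(reasons), reasons


def is_suspicious(name, threshold=2):
    """Flag a team name for analyst review when it hits `threshold` traits."""
    return score_team_name(name)[0] >= threshold
```

The team name is the only attacker-controlled field in an otherwise genuine Microsoft invitation, so scoring it at the mail gateway or in a SIEM rule complements, rather than replaces, SPF, DKIM, and DMARC checks.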
