A newly identified phishing campaign is exploiting Microsoft Entra tenant invitation functionality to orchestrate TOAD (Telephone-Oriented Attack Delivery) attacks against unsuspecting users.
Security researchers have uncovered how threat actors are weaponizing legitimate Microsoft Entra features to bypass email filtering and establish initial contact with victims through a deceptive social engineering vector.
The campaign operates by abusing Microsoft Entra’s guest user invitation system.
Attackers are leveraging the message field embedded in guest invitations to craft convincing phishing lures that instruct recipients to contact a telephone number regarding a fictitious bill or account issue.
This approach represents a novel evolution in TOAD attack methodology, combining legitimate Microsoft infrastructure with traditional phone-based social engineering tactics to achieve a multi-stage compromise sequence.
Technical Details
The key advantage of this attack vector lies in the legitimacy of the originating email address. Guest invitations are dispatched from invites@microsoft.com, a genuine Microsoft infrastructure address that organizations typically do not block at the email gateway level.
This allows threat actors to bypass conventional email security filters that might otherwise quarantine traditional phishing messages. By masquerading as legitimate Microsoft notifications, the invitations achieve superior inbox placement and evade content-based threat detection systems.
The attackers exploit an often-overlooked feature of Entra’s guest user invitation mechanism: the message field supports arbitrary length text content.
This design choice, intended to provide administrative flexibility when onboarding guest users, becomes a vector for phishing content.
Threat actors have discovered they can insert elaborate social engineering narratives directly into this field, transforming otherwise benign Microsoft notifications into effective attack delivery mechanisms.
Once a victim calls the provided phone number, attackers transition to established TOAD tactics, techniques, and procedures.
Threat actors assume the role of customer support representatives or billing specialists, typically creating artificial urgency around fraudulent charges, account verification failures, or impending service cancellations.
Victims are then directed to malicious websites where they may be prompted to download files, enter credentials, or execute code, effectively compromising their systems and providing attackers with initial access to organizational networks.
This attack sequence demonstrates a comprehensive understanding of human psychology and organizational security architectures.
By routing the attack through voice channels, threat actors circumvent technical security controls optimized for email and web-based threats.
The combination of apparently legitimate Microsoft infrastructure with convincing social engineering creates a high-probability compromise scenario.
Comparison to Previous Campaigns
This technique aligns with historical threat actor approaches that have successfully abused notification systems from trusted services.
Previous campaigns have similarly exploited message fields in alerts from legitimate cloud providers, recovery systems, and authentication platforms to embed phishing content.
Microsoft Entra guest invitations represent merely the latest addition to this expanding arsenal of abused legitimate infrastructure.
Security teams should implement immediate detection controls to monitor for unusual patterns in Entra guest user invitations, particularly those containing contact numbers or urgent language suggesting financial liability.
Email filtering policies should flag messages containing phone numbers in the context of billing-related claims, regardless of sender reputation.
Additionally, user awareness training that emphasizes the risks of unsolicited calls about account issues remains an essential part of the defensive posture.
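The detection controls recommended above, as an added example that is not part of the article: a small Python classifier that flags guest invitation emails carrying a phone number, billing or urgency language, or a tenant name from the IoC table. The sample messages are constructed (the phone number is the article's listed lure number in formatted form; senders, subjects and bodies are made up).

```python
import re

# Constructed sample messages, not real captures; modelled on the article's indicators.
SAMPLE_MESSAGES = [
    {"from": "invites@microsoft.com",
     "subject": "CloudSync invited you to access applications within their organization",
     "body": "You have been invoiced $499.00 for your annual subscription. "
             "To dispute this charge call 1-805-294-8531 within 24 hours."},
    {"from": "invites@microsoft.com",
     "subject": "Contoso invited you to access applications within their organization",
     "body": "Welcome to the Contoso partner portal. Accept the invitation to get started."},
    {"from": "billing-team@example.net",
     "subject": "Unpaid invoice",
     "body": "Your account has an unpaid invoice. Call (555) 010-0123 to avoid suspension."},
]

INVITE_SENDER = "invites@microsoft.com"
INVITE_SUBJECT = "invited you to access applications within their organization"
# Tenant display names taken from the article's IoC table.
KNOWN_BAD_TENANTS = ("CloudSync", "Advanced Suite Services", "TenantHub", "Unified Workspace Team")
# North American style numbers, with or without a leading 1 and common separators.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
BILLING_TERMS = ("invoice", "charge", "bill", "subscription", "payment", "refund")
URGENCY_TERMS = ("within 24 hours", "immediately", "suspend", "cancel", "dispute")


def classify(msg):
    """Return the reasons a message should be alerted on; an empty list means clean."""
    body = msg["body"].lower()
    subject = msg["subject"]
    is_invite = (msg["from"].lower() == INVITE_SENDER
                 and INVITE_SUBJECT in subject.lower())
    phones = PHONE_RE.findall(msg["body"])
    billing = [t for t in BILLING_TERMS if t in body]
    urgency = [t for t in URGENCY_TERMS if t in body]
    reasons = []
    if is_invite and phones:
        reasons.append("guest invitation message carries a phone number")
    if phones and billing:  # applies regardless of sender reputation
        reasons.append("phone number alongside billing language")
    if is_invite and urgency:
        reasons.append("guest invitation uses urgent language")
    if is_invite and any(subject.startswith(t) for t in KNOWN_BAD_TENANTS):
        reasons.append("inviting tenant name matches a published indicator")
    return reasons


def scan(messages):
    """Map message index to its alert reasons, skipping clean messages."""
    return {i: r for i, m in enumerate(messages) if (r := classify(m))}
```

The second rule fires on the non-invite billing lure as well, which is what the sender-independent filtering policy above asks for.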
The emergence of this campaign underscores a critical security principle: legitimate infrastructure provides attackers with credibility and bypasses defensive mechanisms designed to filter untrusted sources.
Organizations must maintain vigilant monitoring across all communication channels and recognize that trusted platforms can be weaponized by determined threat actors.
IoCs
| Indicator | Type | Description |
|---|---|---|
| invites@microsoft[.]com | Email | Sender address for Entra invites |
| invited you to access applications within their organization | String | Email subject substring to search for guest user invitations |
| CloudSync | String | Attacker tenant name |
| Advanced Suite Services | String | Attacker tenant name |
| TenantHub | String | Attacker tenant name |
| Unified Workspace Team | String | Attacker tenant name |
| x44xfqf.onmicrosoft[.]com | Domain | Attacker tenant domain |
| woodedlif.onmicrosoft[.]com | Domain | Attacker tenant domain |
| xeyi1ba.onmicrosoft[.]com | Domain | Attacker tenant domain |
| x44xfgf.onmicrosoft[.]com | Domain | Attacker tenant domain |
| 18052948531 | Telephone number | Number listed in observed lures |