In a sophisticated phishing campaign, threat actors are using Microsoft Teams' legitimate features to spread malicious content that appears to come from reliable Microsoft services. By using the platform's "Invite a Guest" feature and creating misleading team names, attackers get around conventional email security measures and send fraudulent billing notifications straight to victims' inboxes. The attack strategy is based on taking advantage of users' faith in automated alerts from collaboration platforms.
Instead of using malicious URLs or email address spoofing, the attackers create new teams in Microsoft Teams and give them names that are meant to resemble urgent financial alerts. To create fear, these names frequently allude to auto-pay alerts or subscription renewals.
One instance seen in the wild is a team name like "Subscription Auto-Pay Notice (Ivoice ID: 2025_614632PPOT_SAG Amount 629.98 USD)", followed by text urging the recipient to contact the support team right away if they did not authorize or complete this monthly payment. After the team is formed, the attacker uses the built-in "Invite a Guest" function to invite external targets.
An email is then sent directly to the recipient from a valid Microsoft address (such as noreply@email.teams.microsoft.com).

[Figure: Microsoft Teams Phishing Invitation (Source: Checkpoint)]

Because the email infrastructure is authentic, the message passes SPF, DKIM, and DMARC checks with ease. But in the email's body, the malicious team name with the fraudulent billing message and a support phone number are displayed in a large, conspicuous font.
The use of phone-based social engineering (vishing) makes this campaign unique. The text advises victims to contact a fraudulent support line in order to resolve the alleged charge, rather than sending users to a website that harvests credentials.
Attackers use obfuscation techniques in the team name, such as character substitutions, mixed Unicode characters, and visually similar glyphs, to get around automated content filters. This operation's scope is noteworthy, and telemetry suggests a wide-ranging, indiscriminate strategy rather than focused espionage. During the height of the campaign, 12,866 phishing messages were distributed, with an average of 990 messages per day, according to security researchers. Approximately 6,135 different customers were impacted by these attacks.
The targets' distribution indicates that the attackers wanted to take advantage of Microsoft Teams' widespread use. 27.4% of the impacted organizations were in the manufacturing, engineering, and construction sectors, which took the brunt of the activity. The Technology/SaaS/IT sector (18.6%) and the Education sector (14.9%) came next.
The government, finance, and professional services verticals were also impacted.

Targets' Geographic Distribution

Although the campaign's main focus remained on North American targets, it showed a global reach. 67.9% of the victims were American organizations. 15.8% of the entities were from Europe, and 6.4% were from Asia.
The impact of Latin America (LATAM) is concentrated in Brazil and Mexico, according to a specific regional breakdown:

Country      Percentage of LATAM targets
Brazil       44%
Mexico       31%
Argentina    11%
Colombia     8%
Chile        4%
Peru         2%

This campaign draws attention to a crucial weakness in collaboration security: the use of content inspection in invitations produced by reliable platforms. Organizations cannot prevent these threats by relying only on email authentication protocols because the email delivery mechanism is legitimate.
It is recommended that security teams instruct users on how to examine unexpected invitations to teams, especially those with phone numbers, urgent financial language, or odd character formatting.
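The content checks described above can also be automated on the team name carried in a Teams guest invitation. The following is an added example, not code from the researchers or from Microsoft; the keyword list, phone pattern and function names are assumptions, and the second and third sample names are constructed.

```python
import re
import unicodedata

TEAMS_SENDER = "noreply@email.teams.microsoft.com"  # sender address named in the article
# Assumed keyword list for billing-themed lures; tune for your own mail flow.
BILLING_TERMS = ("invoice", "auto-pay", "autopay", "subscription",
                 "payment", "renewal", "amount", "usd")
# Assumed pattern: optional "+", then at least 9 digits with common separators.
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d(?!\w)")

def char_sets(text):
    """Approximate the script of each letter by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}

def inspect_invite(sender, team_name):
    """Return the reasons a Teams invitation's team name looks like a billing lure."""
    if sender.lower() != TEAMS_SENDER:
        return []  # only Teams guest invitations are in scope here
    reasons = []
    # NFKC folds fullwidth and styled letters so keyword matching still works.
    folded = unicodedata.normalize("NFKC", team_name).casefold()
    hits = [term for term in BILLING_TERMS if term in folded]
    if len(hits) >= 2:
        reasons.append("billing language: " + ", ".join(hits))
    if PHONE_RE.search(folded):
        reasons.append("phone number in team name")
    sets_seen = char_sets(team_name)
    if len(sets_seen) > 1:  # e.g. Cyrillic look-alikes inside Latin words
        reasons.append("mixed character sets: " + ", ".join(sorted(sets_seen)))
    return reasons

# Team name quoted in the article.
ARTICLE_SAMPLE = ("Subscription Auto-Pay Notice (Ivoice ID: 2025_614632PPOT_SAG "
                  "Amount 629.98 USD)")
# Constructed sample: Cyrillic "a" (U+0430) in "Payment" plus a fictional number.
OBFUSCATED_SAMPLE = "Subscription Renewal P\u0430yment 629.98 USD call +1 (202) 555-0134"
# Constructed benign team name.
BENIGN_SAMPLE = "Q3 Plant Maintenance Planning"

if __name__ == "__main__":
    for name in (ARTICLE_SAMPLE, OBFUSCATED_SAMPLE, BENIGN_SAMPLE):
        print(name, "->", inspect_invite(TEAMS_SENDER, name) or "no findings")
```

Because the invitations pass SPF, DKIM, and DMARC, a check like this has to run on the message content after authentication, for example in a mail-flow rule or a triage script.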











