Thousands of Microsoft Teams users are being targeted in a new phishing campaign
Microsoft Teams users should be on the alert, according to researchers at Check Point
A new phishing campaign is abusing trusted collaboration platforms like Microsoft Teams to bypass traditional email security.
Cybersecurity researchers at Check Point have discovered more than 12,000 malicious emails sent to over 6,000 users, most of which use legitimate Microsoft Teams guest invitations to impersonate billing alerts and trick victims into calling fake support lines.
Rather than relying on malicious links or attachments, attackers are exploiting built-in guest invitation options and finance-themed team names to dupe users with fake billing and subscription notifications.
The attacker starts off by creating a new team in Microsoft Teams and assigning it a finance-themed name designed to resemble an urgent billing or subscription notice.
One example given by Check Point researchers read: “Subscription Auto-Pay Notice (Ivoice ID: 2025_614632PPOT_SAG Amount 629. 98 USD). If you did not authorize or complete this m0nthly Payment,plese c0ntact our support team urgently.”
The aim here for attackers is to bypass automated detection by embedding obfuscation techniques in the team name. This includes character substitutions, mixed Unicode characters, visually similar glyphs, and the like.
After creating the team, the attacker uses the Invite a Guest feature in Microsoft Teams, sending the victim an email invitation from a legitimate Microsoft address, with the fake team name displayed prominently in large font.
"At first glance, the message appears to be a genuine Microsoft-generated notification, increasing the likelihood that users trust the content and follow the instructions," the researchers warned.
Recipients are then asked to call a fraudulent support number to resolve the "billing issue".
The fraudulent emails are being used to target a wide range of organizations, researchers noted, with 27% targeting manufacturing, engineering and construction and 1% technology/SaaS.
One-in-eight, meanwhile, went to educational organizations, followed by professional services at 11%, government at 8%, and finance at 7%.
"The distribution likely reflects broad Microsoft Teams adoption across these industries, rather than deliberate targeting," the researchers said. "This suggests the attacker’s primary objective was to exploit a trusted collaboration platform at scale, rather than focus on specific verticals."
Two-thirds of victims were in the US, with 16% in Europe and 6% in Asia.
Microsoft Teams scams are surging
Microsoft Teams, and indeed collaboration platforms and trusted brands, have become a common attack vector for cyber criminals.
This time last year, researchers at Sophos spotted threat actors posing at tech support workers to launch attacks through the platform.
More recently, the Scattered Spider hacking group expanded this technique by impersonating workers to ask IT teams to reset passwords or transfer MFA tokens using both Microsoft teams and Slack.
The hackers even set up fake identities and took part in company teleconferences and remediation and response calls to gather security information.
FOLLOW US ON SOCIAL MEDIA
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
-
Hackers are capitalizing on AI hype to ramp up social engineering attacks – and they're using big brands like Anthropic, OpenAI, and DeepSeek as ‘bait’ to lure victimsNews Microsoft says cyber criminals are impersonating popular AI platforms to deliver malware
-
Two US nationals sentenced for role in prolific fake worker laptop farmsNews The Americans were raising money for the North Korean regime by allowing fake IT workers to appear as legitimate US-based employees
-
Beware of emails threatening a code of conduct review
News A widespread phishing campaign has targeted tens of thousands of employees
-
‘The inbox is no longer the only frontline’: Phishing attacks are evolving as cyber criminals ramp up ‘multi-channel’ campaigns over email and Microsoft TeamsNews New research shows threat actors are ramping up “multi-channel” phishing attacks by combining lures via email and Microsoft Teams
-
Tycoon 2FA is down, but not out – researchers warn the phishing as a service operation is still a huge threat to businesses
News Millions of Tycoon 2FA attacks are still hitting businesses, according to research from Barracuda
-
Zephyr Energy hackers swiped £700,000 after redirecting a contractor paymentNews Payment to a Zephyr Energy contractor was siphoned off, but the incident has been contained and new security measures implemented
-
Microsoft and NCSC issue alerts over hacker campaigns targeting WhatsApp, Signal messaging appsNews Microsoft warns about a sophisticated attack that starts with WhatsApp messages, while the NCSC says such incidents are on the rise
-
'AI-generated phishing became the baseline' for hackers last year – Kaseya warns it's going to get worse in 2026News Forget looking for typos and bad grammar, phishing campaigns are using AI to boost their attack success
