Thousands of Microsoft Teams users are being targeted in a new phishing campaign

Microsoft Teams users should be on the alert, according to researchers at Check Point


A new phishing campaign is abusing trusted collaboration platforms like Microsoft Teams to bypass traditional email security.

Cybersecurity researchers at Check Point have discovered more than 12,000 malicious emails sent to over 6,000 users, most of which use legitimate Microsoft Teams guest invitations to impersonate billing alerts and trick victims into calling fake support lines.

Rather than relying on malicious links or attachments, attackers are exploiting built-in guest invitation options and finance-themed team names to dupe users with fake billing and subscription notifications.

The attacker starts off by creating a new team in Microsoft Teams and assigning it a finance-themed name designed to resemble an urgent billing or subscription notice.

One example given by Check Point researchers read: “Subscription Auto-Pay Notice (Ivoice ID: 2025_614632PPOT_SAG Amount 629. 98 USD). If you did not authorize or complete this m0nthly Payment,plese c0ntact our support team urgently.”

The aim here for attackers is to bypass automated detection by embedding obfuscation techniques in the team name. This includes character substitutions, mixed Unicode characters, visually similar glyphs, and the like.
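The obfuscation described above (digit-for-letter swaps, look-alike Unicode glyphs) is what a keyword filter on the raw team name misses. The following is an added example, not Check Point's or Microsoft's code, of how a defender's invitation or mail filter could normalize a team name before matching it against finance and urgency terms. The homoglyph table, the substitution map, the term lists, the scoring weights and the threshold are all constructed for illustration; a production filter would use the full Unicode confusables data rather than this subset.

```python
import re
import unicodedata

# Constructed, illustrative subset of look-alike characters (assumption: a real
# filter would load the full Unicode confusables data). Maps Cyrillic/Greek
# glyphs to the Latin letter they imitate.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a",
}
# Digit/symbol substitutions; only meaningful inside mostly-alphabetic words,
# so amounts and invoice IDs are left untouched.
LEET = {"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s", "|": "l"}

# Constructed term lists modelled on the lure quoted in the article.
FINANCE_TERMS = ("invoice", "subscription", "auto-pay", "autopay", "payment",
                 "billing", "amount", "usd", "renewal", "authorize")
URGENCY_TERMS = ("urgently", "immediately", "contact", "support", "call")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
AMOUNT_RE = re.compile(r"\d+\.\s?\d{2}\s*usd")

# The team name quoted in the article, used here as constructed sample input.
SAMPLE_LURE = ("Subscription Auto-Pay Notice (Ivoice ID: 2025_614632PPOT_SAG "
               "Amount 629. 98 USD). If you did not authorize or complete this "
               "m0nthly Payment,plese c0ntact our support team urgently.")


def normalize(name: str) -> tuple[str, dict]:
    """Undo Unicode tricks and digit substitutions; return text and counts."""
    text = unicodedata.normalize("NFKC", name)
    counts = {"homoglyphs": 0, "leet": 0}

    chars = []
    for ch in text:
        if ch in HOMOGLYPHS:
            counts["homoglyphs"] += 1
            chars.append(HOMOGLYPHS[ch])
        else:
            chars.append(ch)
    text = "".join(chars).lower()

    tokens = []
    for token in re.split(r"(\s+)", text):  # keep whitespace tokens as-is
        letters = sum(1 for c in token if c.isalpha())
        # Treat digits as letter substitutes only when the token is mostly
        # letters: "m0nthly" qualifies, "2025_614632PPOT_SAG" does not.
        if letters > len(token) / 2 and any(c in LEET for c in token):
            counts["leet"] += sum(1 for c in token if c in LEET)
            token = "".join(LEET.get(c, c) for c in token)
        tokens.append(token)
    return "".join(tokens), counts


def score_team_name(name: str, threshold: int = 5) -> dict:
    """Score a Teams team name for the finance-themed lure pattern."""
    text, counts = normalize(name)
    finance_hits = [t for t in FINANCE_TERMS if t in text]
    urgency_hits = [t for t in URGENCY_TERMS if t in text]
    has_phone = bool(PHONE_RE.search(text))
    has_amount = bool(AMOUNT_RE.search(text))
    # Constructed weights: obfuscation itself is a strong signal, since a
    # legitimate team name has no reason to contain it.
    score = (2 * len(finance_hits) + len(urgency_hits)
             + 2 * counts["homoglyphs"] + 2 * counts["leet"]
             + (3 if has_phone else 0) + (2 if has_amount else 0))
    return {
        "normalized": text,
        "finance_terms": finance_hits,
        "urgency_terms": urgency_hits,
        "homoglyphs": counts["homoglyphs"],
        "leet_substitutions": counts["leet"],
        "phone_number": has_phone,
        "score": score,
        "suspicious": score >= threshold,
    }


if __name__ == "__main__":
    for name in (SAMPLE_LURE, "Q3 Finance Planning", "Billing R\u0435newal Notice"):
        result = score_team_name(name)
        print(f"{result['score']:>3} {result['suspicious']!s:<5} {result['normalized'][:60]}")
```

The point of the normalization step is that the filter matches on what the user sees ("monthly", "contact"), not on the bytes the attacker wrote; the substitution counts are then kept as evidence in their own right, because a genuine team name has no reason to contain Cyrillic letters in a Latin word or a zero where an "o" belongs.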

After creating the team, the attacker uses the Invite a Guest feature in Microsoft Teams, sending the victim an email invitation from a legitimate Microsoft address, with the fake team name displayed prominently in large font.

"At first glance, the message appears to be a genuine Microsoft-generated notification, increasing the likelihood that users trust the content and follow the instructions," the researchers warned.

Recipients are then asked to call a fraudulent support number to resolve the "billing issue".

The fraudulent emails are being used to target a wide range of organizations, researchers noted, with 27% aimed at manufacturing, engineering and construction, and 1% at technology/SaaS.

One-in-eight, meanwhile, went to educational organizations, followed by professional services at 11%, government at 8%, and finance at 7%.

"The distribution likely reflects broad Microsoft Teams adoption across these industries, rather than deliberate targeting," the researchers said. "This suggests the attacker’s primary objective was to exploit a trusted collaboration platform at scale, rather than focus on specific verticals."

Two-thirds of victims were in the US, with 16% in Europe and 6% in Asia.

Microsoft Teams scams are surging

Microsoft Teams, and indeed collaboration platforms and trusted brands, have become a common attack vector for cyber criminals.

This time last year, researchers at Sophos spotted threat actors posing as tech support workers to launch attacks through the platform.

More recently, the Scattered Spider hacking group expanded this technique by impersonating workers to ask IT teams to reset passwords or transfer MFA tokens using both Microsoft Teams and Slack.

The hackers even set up fake identities and took part in company teleconferences and remediation and response calls to gather security information.


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.