
Microsoft Entra Invitations Weaponized in TOAD Phishing Attack

A new phishing campaign is leveraging legitimate Microsoft Entra guest user invitations to trick recipients into calling attackers who pose as Microsoft support agents.

This attack uses a critical security gap in how Microsoft Entra communicates with external users, turning a legitimate collaboration feature into a delivery mechanism for a sophisticated social engineering scam. The campaign represents an evolution of TOAD (Telephone Oriented Attack Delivery) tactics, combining cloud credential systems with traditional phone-based fraud.

Bypassing Security Filters with Legitimate Emails

Security analyst Michael Taggart identified this novel attack vector after discovering multiple campaigns exploiting the guest invitation system. The campaign uses invitations sent from the legitimate Microsoft address invites@microsoft[.]com to bypass email security filters and build trust with targets.

Attackers register fake organizational tenants with deceptive names like "Unified Workspace Team" and "CloudSync" to impersonate legitimate Microsoft entities. The invitation email contains a convincing message claiming the recipient's Microsoft 365 annual plan requires renewal processing, complete with fabricated transaction details, reference numbers, and a large billing amount (approximately $446.46).

The message then instructs users to contact a phone number listed as "Microsoft Billing Support," which actually connects them directly to the attackers. Once the victim calls, the attackers proceed with credential harvesting and account takeover attempts.

Evasion Techniques

The delivery mechanism exploits a fundamental weakness in Entra's design. The Message field in guest user invitations accepts arbitrarily long text, allowing attackers to embed extensive phishing content without triggering traditional security alerts. Since the invitation originates from Microsoft's official, trusted infrastructure, email security systems rarely flag these communications as malicious.

To sustain the campaign, the attackers register multiple fake tenant domains like x44xfqf.onmicrosoft[.]com. Organizations should implement immediate detection measures by searching email logs for the sender address invites@microsoft[.]com, specific subject line keywords, and known attacker tenant names. Network administrators should also educate users about verifying Microsoft communications through official support channels rather than responding to suspicious invitation-based requests.
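As an added example, not from the article or the researcher it cites, the following Python triage script applies the indicators the article lists (the legitimate Entra sender, the reported tenant names and domain, the billing-renewal lure, a call-back number, and an oversized Message field) to exported invitation-mail records. The record field names, the regexes, the length threshold and the sample records are assumptions constructed for the example.

```python
import re

# Indicators drawn from the article: the legitimate Entra sender, the reported attacker
# tenant names/domain, and the billing-renewal lure. Regexes and threshold are assumed.
LEGIT_SENDER = "invites@microsoft.com"
SUBJECT_KEYWORDS = ("renewal", "billing", "annual plan", "invoice")
KNOWN_TENANTS = ("unified workspace team", "cloudsync", "x44xfqf.onmicrosoft.com")
PHONE_RE = re.compile(r"\+?1?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*\.\d{2}")
MAX_MESSAGE_LEN = 400  # assumed; a genuine invite message is a sentence or two

def invite_indicators(rec):
    """Return the TOAD indicators found in one invitation-mail record (assumed field names)."""
    if rec.get("sender", "").lower() != LEGIT_SENDER:
        return []  # only mail on the abused Entra invitation channel is scored
    subject = rec.get("subject", "").lower()
    message = rec.get("message", "")
    haystack = " ".join((subject, message, rec.get("tenant", ""))).lower()
    hits = []
    if any(k in subject for k in SUBJECT_KEYWORDS):
        hits.append("billing/renewal lure in subject")
    if any(t in haystack for t in KNOWN_TENANTS):
        hits.append("known attacker tenant name")
    if PHONE_RE.search(message) and "call" in message.lower():
        hits.append("call-back phone number in message")
    if AMOUNT_RE.search(message):
        hits.append("fabricated billing amount")
    if len(message) > MAX_MESSAGE_LEN:
        hits.append("oversized invitation message field")
    return hits

def triage(records, min_hits=2):
    """Map record id -> indicators for records carrying at least min_hits indicators."""
    scored = {rec["id"]: invite_indicators(rec) for rec in records}
    return {rid: hits for rid, hits in scored.items() if len(hits) >= min_hits}

# Constructed sample records, not real log data; m2 mirrors the lure the article describes.
SAMPLE = [
    {"id": "m1", "sender": "invites@microsoft.com", "tenant": "Contoso",
     "subject": "Alice invited you to Contoso", "message": "Join our project site."},
    {"id": "m2", "sender": "invites@microsoft.com", "tenant": "Unified Workspace Team",
     "subject": "Microsoft 365 annual plan renewal processed",
     "message": "Reference #4419-22. Your renewal of $446.46 was processed. "
                "To dispute, call Microsoft Billing Support at (555) 010-2266."},
    {"id": "m3", "sender": "billing@example.com", "subject": "Invoice renewal",
     "message": "Call us at 555-010-9999"},
]
```

Requiring two or more indicators keeps ordinary guest invitations (m1) out of the queue while the billing lure (m2) is flagged on several independent signals; mail that does not come from the Entra sender (m3) is left to the normal phishing pipeline.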
