Overview

This report describes a phishing campaign in which attackers abuse Microsoft Teams functionality to distribute phishing content that appears to originate from legitimate Microsoft services. The attack leverages guest invitations and phishing-themed team names to impersonate billing and subscription notifications, encouraging victims to contact a fraudulent support phone number.

Campaign scale
  • Total phishing messages: 12,866
  • Daily average: 990
  • Affected customers: 6,135
Method of attack

The attacker begins by creating a new team in Microsoft Teams and assigning it a malicious, finance-themed name designed to resemble an urgent billing or subscription notice. An example of the naming pattern observed includes content such as:

“Subscription Auto-Pay Notice (Ivoice ID: 2025_614632PPOT_SAG Amount 629. 98 USD). If you did not authorize or complete this m0nthly Payment,plese c0ntact our support team urgently”

To evade automated detection, the attacker embeds obfuscation techniques in the team name, including character substitutions, mixed Unicode characters, and visually similar glyphs. This allows the phishing text to bypass security controls while remaining readable to users.

After creating the team, the attacker uses the Invite a Guest feature in Microsoft Teams. The targeted recipient then receives an email invitation from a legitimate Microsoft address, with the malicious team name displayed prominently in large font. At first glance, the message appears to be a genuine Microsoft-generated notification, increasing the likelihood that users trust the content and follow the instructions.

Rather than directing users to a malicious link, the campaign relies on phone-based social engineering, instructing recipients to call a fraudulent support number to resolve the alleged billing issue.

Email examples:

 

Impacted industries

Sector analysis shows that the campaign affected organizations across a wide range of industries, led by manufacturing/engineering/construction (27.4%), technology/SaaS / it (18.6%), and education (14.9%), followed by professional services (11.2%), government (8.1%), finance (7.3%), and smaller shares across other sectors.

The distribution likely reflects broad Microsoft Teams adoption across these industries, rather than deliberate targeting. This suggests the attacker’s primary objective was to exploit a trusted collaboration platform at scale, rather than focus on specific verticals.

 

Regional distribution

Affected organizations were primarily based in the United States (67.9%), followed by Europe (15.8%) and Asia (6.4%). Additional impact was observed in Australia and New Zealand (3.9%), Canada (3.1%), LATAM (2.4%), the Middle East (0.4%), and Africa (0.1%).

Within LATAM, the activity was concentrated in:

  • Brazil — 44%
  • Mexico — 31%
  • Argentina — 11%
  • Colombia — 8%
  • Chile — 4%
  • Peru — 2%
Key takeaway

This campaign highlights how attackers can exploit collaboration platforms and trusted invitation workflows to deliver phishing content without traditional malicious links or spoofed senders. It reinforces the importance of user awareness around unexpected Microsoft Teams invitations, especially when team names include urgent billing language, phone numbers, or unusual formatting.

Recognized as a Leader and Outperformer in the 2025 GigaOm Radar for Anti-Phishing, Check Point Harmony Email & Collaboration provides the advanced, layered defence needed to secure organizations against phishing attacks — even when they hide in plain sight.

You may also like