From Teams to Inbox: Researchers Uncover Phishing Bypassing Email Security

Check Point researchers reveal how phishers are exploiting Microsoft Teams' guest invite feature to deliver 12,000+ malicious emails that evade traditional security filters and trick users into calling fake support lines.


Published: January 29, 2026

Kristian McCann

A wide-scale phishing operation is weaponizing Microsoft Teams to circumvent traditional email security defenses, according to new research from Check Point.

The campaign has already delivered more than 12,000 malicious emails targeting over 6,000 users across multiple industries. Unlike conventional phishing attempts that rely on malicious links or suspicious attachments, these attackers are exploiting legitimate Microsoft Teams features, specifically the platform’s guest invitation system, to impersonate billing alerts and deceive victims into contacting fraudulent support lines.

The sophistication of this operation is significant. By abusing built-in collaboration tools rather than introducing external threats, attackers are effectively turning trusted business infrastructure against itself.

The attack methodology signals a broader shift in how cybercriminals approach corporate environments in an era where collaboration platforms have become essential business tools.

Exploiting Email Trust Through Teams

The attack unfolds through a carefully orchestrated sequence that leverages Microsoft Teams’ native functionality.

Attackers begin by creating a new team within the platform, assigning it a finance-themed name crafted to trigger urgency and concern.

Check Point researchers documented one example that read: “Subscription Auto-Pay Notice (Invoice ID: 2025_614632PPOT_SAG Amount at least 629.98 USD). If you did not authorize or complete this monthly payment, please contact our support team urgently.”

The sophistication lies in the obfuscation techniques embedded within these team names. Attackers deploy character substitutions (replacing “o” with “0” and “e” with “3”) alongside mixed Unicode characters and visually similar glyphs designed to evade automated detection systems. These subtle manipulations allow malicious content to slip past security filters that might otherwise flag suspicious patterns, while still appearing normal to human users.

Once the team is established, attackers exploit the “Invite a Guest” feature, which triggers official-looking Microsoft emails sent directly to targets’ inboxes. This mechanism allows the attack to reach users without traditional phishing techniques like malware-loaded attachments or links. The invitation emails originate from legitimate Microsoft servers, carrying authentic Microsoft branding and headers that would pass most email authentication checks.

The final stage directs victims to call a fraudulent support number to resolve the fabricated billing issue. During these calls, attackers attempt to extract login credentials, multi-factor authentication codes, or other sensitive information that can be used to access corporate email accounts and internal systems.

The combination of official Microsoft messaging, urgent finance-related language, and the absence of links creates a heightened level of trust, making standard firewall protections less effective and leaving user vigilance as the main line of defense.

The Growing Threat Landscape: Teams as an Attack Vector

Microsoft Teams and similar collaboration platforms have increasingly become preferred targets for cybercriminals seeking to exploit trusted communication channels.

Earlier this month, Westminster City Council advised staff to exercise heightened vigilance when using Microsoft Teams following a major cyberattack. Employees were specifically instructed to avoid accepting calls from unknown contacts or unexpected meeting invitations, a clear indication that Teams-based threats have reached a threshold requiring organizational policy changes.

This Westminster incident, while not following the exact methodology described in the Check Point research, underscores a troubling trend: the normalization of collaboration platforms as legitimate attack surfaces.

The Scattered Spider hacking group, active since 2022, has used similarly audacious tactics within this domain. These sophisticated operators have impersonated legitimate employees to manipulate IT teams into resetting passwords or transferring multi-factor authentication tokens through both Microsoft Teams and Slack. Their operations represent the apex of social engineering sophistication.

This represents a fundamental shift in attacker methodology. Rather than attempting to breach perimeters through technical exploits or convincing users to interact with malware, these campaigns target the human element directly through communications to extract information, bypassing much of the security inherent in both UC systems and email.

This shift can be attributed to Microsoft tightening controls on suspicious links and attachments that hackers previously used to inject malware into user environments.

Adapting Security Postures for Collaboration-Platform Threats

The Check Point research found that victims were concentrated in the United States, accounting for nearly 68% of incidents. Europe followed with approximately 16%, Asia with 6%, and smaller shares in Australia, New Zealand, Canada, and several Latin American countries.

Educational organizations represented one in eight victims, followed by professional services at 11%, government at 8%, and finance at 7%, with manufacturing also a key target.

Organizations must recognize that even strengthening malware security or firewalls is not an antidote to this current wave of attacks.

Security awareness training must evolve to include specific guidance on the risks of sharing information with impersonators.

Users should treat any unexpected Microsoft invitations with caution, especially if team names include payment amounts, invoices, phone numbers, or unusual formatting.
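The warning signs listed above, together with the obfuscation techniques described earlier (digit-for-letter swaps, mixed Unicode, lookalike glyphs), can be checked mechanically on the team name carried in an invitation email. The following is an added example, not code from Check Point or Microsoft; the lookalike tables, keyword list, flag names and sample string are constructed assumptions.

```python
import re
import unicodedata

# Small constructed lookalike tables (assumptions for this sketch; real
# deployments should use the full Unicode confusables data instead).
HOMOGLYPHS = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456\u0455",  # Cyrillic
    "aeopcyxis")                                               # Latin twins
LEET = str.maketrans("013457@$", "oieastas")
KEYWORDS = ("invoice", "payment", "subscription", "autopay", "billing")
AMOUNT = re.compile(
    r"[$€£]\s?\d[\d,]*(?:\.\d{2})?|\d[\d,]*\.\d{2}\s?(?:usd|eur|gbp)", re.I)
PHONE = re.compile(
    r"(?<!\w)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]?\d{4}(?!\w)")


def letter_scripts(text):
    """Return the scripts (first word of the Unicode name) of all letters."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}


def inspect_team_name(name):
    """Return the set of heuristic flags raised by a Teams team name."""
    flags = set()
    # NFKC folds fullwidth and other compatibility forms to plain characters.
    text = unicodedata.normalize("NFKC", name)
    if len(letter_scripts(text)) > 1:
        flags.add("mixed_script")
    if AMOUNT.search(text):
        flags.add("amount")
    if PHONE.search(text):
        flags.add("phone")
    # Fold lookalikes, then undo digit-for-letter swaps token by token.
    plain = text.lower().translate(HOMOGLYPHS).replace("-", "")
    for token in re.findall(r"[a-z0-9@$]+", plain):
        folded = token.translate(LEET)
        for word in KEYWORDS:
            if word in folded:
                flags.add("finance_keyword")
                if word not in token:
                    flags.add("leet_substitution")
    return flags


# Constructed sample modelled on the lure style described above.
SAMPLE = ("Subscripti\u043en Aut\u043e-Pay N\u043etice (Inv0ic3 ID: "
          "PLACEHOLDER_ID Amount 629.98 USD) call +1 (888) 555-0100")

if __name__ == "__main__":
    print(sorted(inspect_team_name(SAMPLE)))
```

A single flag is a weak signal, since legitimate multilingual or finance teams will raise one; several flags on the same name is what warrants quarantine or review.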

As UC platforms continue their expansion into core business operations, they will increasingly serve both as tools for legitimate business collaboration and as avenues for attacker coordination.
