A sophisticated phishing campaign is currently exploiting Microsoft Teams, impacting thousands of users wiht increasingly deceptive tactics. The campaign, identified by Check Point Software, bypasses traditional security measures by leveraging legitimate Teams functions-specifically the “Invite a guest” feature-to distribute malicious content and ultimately solicit calls to fraudulent support lines. This latest threat underscores the growing trend of attackers targeting trusted interaction platforms and highlights the need for heightened vigilance among Teams users and administrators [[1]].
A widespread phishing campaign targeting Microsoft Teams users is underway, impacting thousands with increasingly sophisticated tactics. Check Point Software has identified the campaign, which leverages legitimate platform features to distribute malicious content disguised as authentic services, ultimately tricking victims into contacting fraudulent support numbers.
The attackers are creating Teams groups themed around financial matters, designed to mimic urgent billing or subscription notices. These phishing attempts employ visual obfuscation techniques – substituting characters and glyphs that appear similar – to evade security systems while remaining readable to users. This allows the malicious messages to slip past typical detection methods.
Once a team is established, cybercriminals invite users via Teams’ “Invite a guest” function. Recipients receive an email from a legitimate Microsoft address, bolstering the credibility of the phishing attempt. This deceptive tactic increases the likelihood that users will trust the message and follow the provided instructions.
Notably, this campaign doesn’t rely on malicious links or spoofed senders. Instead, attackers are employing social engineering over the phone, prompting victims to call a fraudulent support number to resolve a fabricated billing issue communicated through the phishing emails. Microsoft Teams has become a central hub for workplace communication, making it a prime target for attackers seeking to exploit user trust.
Industries Heavily Targeted
The scale of this phishing wave is significant, with 12,866 messages sent to 6,135 users, averaging 990 phishing emails per day. The manufacturing, engineering, and construction sectors have been most affected, accounting for 27.4% of impacted organizations. Technology and education follow closely behind at 18.6%. Professional services (11.2%), government (8.1%), and finance (7.3%) have also been targeted.
Geographically, the United States accounts for the majority of incidents, with 67.9% of affected companies. Europe represents 15.8%, and Asia 6.4%. Australia and New Zealand (both at 3.9%) and Canada (3.1%) have seen lower incidence rates. In Latin America, which accounts for 2.4% of the phishing emails detected, Brazil (44%), Mexico (31%), and Argentina (11%) are the most impacted countries.
The sectorial analysis shows that the phishing campaign has impacted companies in various fields
Check Point Research warns that this type of phishing demonstrates how attackers can exploit trusted invitation flows and widely used platforms to spread fraud without needing malicious links or falsified emails. Users should therefore exercise extreme caution with unexpected invitations in Microsoft Teams, as they may be phishing attempts disguised as legitimate notifications.
Advanced Defense Solutions Recommended
To protect against these threats, Check Point Software recommends implementing advanced, layered defense solutions capable of identifying and blocking phishing emails even when they are well-hidden. This campaign underscores the importance of robust security controls when relying on widely adopted digital platforms.
“Attackers are leveraging legitimate Microsoft Teams functions and obfuscated team names to bypass security and deceive users with fake billing notifications. This demonstrates how effective social engineering can be when combined with trusted platforms,” says Rafael López, a security engineer specializing in email protection at Check Point Software.
