A new wave of phishing attacks is exploiting Microsoft Entra’s guest user invitation system, turning a legitimate collaboration tool into a weapon for social engineering and credential theft, Cyber Security News reports.
Dubbed a TOAD (Telephone Oriented Attack Delivery) campaign, the attacks combine cloud-based account management with traditional phone scams, demonstrating a dangerous evolution in hybrid cybercrime tactics.
Security researcher Michael Taggart uncovered the campaign after spotting multiple phishing operations abusing Entra’s guest invitation process. He said malefactors are weaponizing a trusted Microsoft service to bypass email security filters, combining cloud infrastructure abuse with classic phone scams, which makes detection extremely difficult.
The campaign relies on Microsoft’s own infrastructure. Invitations originate from the legitimate invites@microsoft[.]com address, establishing immediate trust with recipients. Attackers register fake tenant domains with names such as Unified Workspace Team, CloudSync, and Advanced Suite Services, mimicking legitimate Microsoft entities.
Once a target receives the invitation, they are presented with a convincing message claiming their Microsoft 365 annual plan requires processing. The email includes fabricated billing details, reference numbers, and customer IDs (typically for amounts around $446.46) and instructs the recipient to call a listed support number. In reality, the line connects directly to attackers, who then harvest credentials and attempt account takeovers.
The campaign’s sophistication lies in its exploitation of a core Entra feature: the guest invitation Message field accepts long-form text, enabling threat actors to embed extensive phishing content without triggering traditional security alerts. When coupled with Microsoft’s own email infrastructure, these messages often slip past spam and phishing filters undetected.
Taggart identified several malicious tenant domains involved in the campaign, including x44xfqf.onmicrosoft[.]com, woodedlif.onmicrosoft[.]com, and xeyi1ba.onmicrosoft[.]com, providing the attackers with a persistent network to sustain operations.
Organizations are urged to act quickly. Recommended mitigation steps include:
- Searching email logs for the invites@microsoft[.]com sender address.
- Looking for subject lines containing phrases like “invited you to access applications within their organization.”
- Checking for known attacker tenant names.
- Blocking associated phone numbers.
- Educating users to verify Microsoft communications via official support channels rather than responding to invitation-based requests.
Javvad Malik, Lead CISO Advisor at KnowBe4, says: “By using genuine Microsoft Entra guest invitations, the attackers don’t need a fake email, they inherit Microsoft’s branding, language and workflows. From a human point of view, that’s powerful. The exploitation of Entra is part of a broader trend of using legitimate services to bypass traditional email security detections. Something that has been observed with Appsheet, Quickbooks, and Google.”
Malik says most people have been told to “check the sender” and “look for the padlock”, but not many have been taught that a perfectly legitimate notification can still be the start of a social engineering call. “The takeaway isn’t to panic about Entra, but to look at how to minimise the risk. This can be done by utilising Integrated Cloud Email Security products that leverage AI to detect advanced phishing threats and prevent employees from interacting with malicious hyperlinks and attachments.”
Awareness and training for employees is also important and for people to treat “call us” instructions with the same suspicion as “click here”, Malik adds. “It’s also important to give staff a single, well‑known way of contacting their IT or security department. If we design our processes so that verifying a request is easier than just going along with it, these attacks become much harder to land.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.