A phishing campaign has been observed abusing Microsoft Entra guest-invitation emails to deliver Telephone-Oriented Attack Delivery (TOAD) lures.
Independent researcher Matt Taggart reported last Friday that attackers manipulated the invitation “Message” field to insert fictitious billing notices that pressured recipients into calling a fraudulent support line.
The malicious invitations originated from the legitimate sender address invites@microsoft[.]com, which made the messages appear authentic and reduced the likelihood of being blocked by email filters.
The emails claimed that the recipient’s Microsoft 365 subscription had been renewed for USD 446.46, urging them to call a listed “billing support” number. Once victims called, attackers used standard TOAD techniques, including impersonation and social-engineering pressure, to attempt to gain remote access or extract financial information.
“This campaign is a prime example of how attackers increasingly repurpose legitimate cloud-native features for malicious purposes,” said Ensar Seker, Chief Information Security Officer (CISO) at SOCRadar. “By abusing Microsoft Entra’s guest invitation system, the threat actors bypass traditional email filters and exploit trust users place in official Microsoft-branded messages.”
Identifying and Responding to the Threat
Taggart linked the attacks to several fraudulent Microsoft Entra tenants using names such as “CloudSync,” “Advanced Suite Services,” “TenantHub,” and “Unified Workspace Team.”
Additionally, subject lines often included the standard phrasing “invited you to access applications within their organization” to help the messages blend in with routine business communications.
Unlike traditional phishing, TOAD attacks rely on users calling a phone number rather than clicking a link. This approach bypasses web-filtering controls and shifts the interaction to a voice-based social-engineering channel. From there, attackers attempt to walk victims through installing remote-administration tools or authorizing fraudulent transactions.
To protect against similar threats, security teams are advised to:
- Review mail logs for suspicious invitation patterns
- Look for unusual tenant names
- Identify unexpected guest-user requests
- Reduce exposure by restricting external collaboration features in Microsoft Entra
- Train employees to treat unsolicited billing notices with caution
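As an added example (not from the report or from Taggart's research), the following Python triage routine applies the first three checks above to constructed invitation records. The sender address, subject phrasing, tenant names and the USD 446.46 figure come from the article; the partner allowlist, message wording and phone number are constructed placeholders.

```python
import re

# Constructed sample records shaped like Entra guest-invitation emails (not real mail logs).
INVITES = [
    {"sender": "invites@microsoft.com",
     "subject": "CloudSync invited you to access applications within their organization",
     "tenant": "CloudSync",
     "message": "Your Microsoft 365 subscription has renewed for USD 446.46. "
                "To dispute this charge call billing support at 1-800-555-0199."},  # constructed number
    {"sender": "invites@microsoft.com",
     "subject": "Contoso Ltd invited you to access applications within their organization",
     "tenant": "Contoso Ltd",
     "message": "Hi, adding you to our shared project workspace. Thanks!"},
    {"sender": "alerts@example.net", "subject": "Weekly digest", "tenant": "",
     "message": "Nothing to see here."},
]

# Hypothetical allowlist of tenants that are expected to invite our users.
KNOWN_PARTNERS = {"contoso ltd"}

AMOUNT_RE = re.compile(r"\b(?:USD|EUR|GBP|\$)\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?", re.I)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
LURE_WORDS = re.compile(r"\b(renew(?:ed|al)|invoice|charge|billing|call)\b", re.I)


def score_invite(inv, known=KNOWN_PARTNERS):
    """Return the indicators that make an Entra invitation look like a TOAD lure (empty = clean)."""
    reasons = []
    if inv["sender"].lower() != "invites@microsoft.com":
        return reasons  # not an Entra guest invitation; outside the scope of this check
    msg = inv["message"]
    if AMOUNT_RE.search(msg):
        reasons.append("currency amount in invitation message")
    if PHONE_RE.search(msg):
        reasons.append("phone number in invitation message")
    if LURE_WORDS.search(msg):
        reasons.append("billing/call language in invitation message")
    if inv["tenant"].lower() not in known:
        reasons.append("inviting tenant not in partner allowlist: %r" % inv["tenant"])
    return reasons


def triage(invites):
    """Flag invitations carrying two or more indicators; returns (tenant, reasons) pairs."""
    hits = []
    for inv in invites:
        reasons = score_invite(inv)
        if len(reasons) >= 2:
            hits.append((inv["tenant"], reasons))
    return hits


if __name__ == "__main__":
    for tenant, reasons in triage(INVITES):
        print(tenant, "->", "; ".join(reasons))
```

A benign invitation from an allowlisted tenant produces no indicators, while an invitation whose message field carries an amount, a phone number and billing language trips all checks regardless of the legitimate sender address.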
The campaign demonstrates how cybercriminals continue to weaponize trusted cloud-service workflows, reinforcing the importance of monitoring legitimate channels for misuse as enterprise collaboration ecosystems expand.