Microsoft Teams billing invites involved in phishing campaign

Attackers are abusing legitimate Teams invitations to deliver billing-themed scams that push victims into phone calls.

What happened

According to Techradar, researchers reported a phishing campaign in which scammers used Microsoft Teams guest invitations to distribute fake billing notices. The messages were sent through legitimate Microsoft notification emails, allowing them to bypass many email security filters. Researchers said 12,866 emails were delivered, reaching about 6,135 users, with the invitations designed to look like urgent subscription or payment alerts.

Going deeper

Instead of embedding malicious links or attachments, the attackers created Teams groups with names that mimicked billing notices, such as subscription auto pay alerts. When users were invited as guests, Microsoft automatically generated a real notification email from an official address. The team name itself contained the scam message, often including a dollar amount and a phone number. Researchers observed the use of character substitutions and symbols to evade detection while remaining readable to recipients. The campaign was highly active, sending close to one thousand messages per day. Education, technology, and manufacturing-related organizations were among the most affected, suggesting attackers are prioritizing sectors with large distributed workforces and frequent external collaboration.

What was said

Researchers said the campaign works because the messages appear routine rather than overtly malicious. One analyst noted that “at first glance, the message appears to be a genuine Microsoft-generated notification, increasing the likelihood that users trust the content and follow the instructions.” The absence of links or attachments allows the emails to pass security checks while steering recipients toward calling a listed number. Once on the phone, attackers pose as billing or support staff and use urgency to extract credentials or payment details. Analysts warned that unexpected Teams billing notices containing phone numbers should be treated with caution, even when they appear to come from Microsoft.

In the know

Paubox has previously reported on a security risk tied to a new Microsoft Teams feature, warning that expanded external chat and guest invitation capabilities can be abused for phishing and social engineering. That analysis noted that when Teams allows conversations to be initiated using only an email address, attackers gain an easy way to impersonate trusted contacts and push scams directly into collaboration workflows. The billing-themed Teams invites seen in this campaign illustrate that risk, showing how legitimate Microsoft-generated notifications can be repurposed to deliver fraud without relying on links or malware.

The big picture

Attackers are leaning more heavily on tools and services that already exist inside corporate environments. According to the Paubox report "The top 3 healthcare email attacks in 2025," attacks have moved away from malware toward the abuse of "inherited trust." Instead of dropping obvious viruses, attackers have begun "abusing trusted messaging and cloud infrastructure... to deliver messages that appeared legitimate by default." Because these messages arrive through platforms and channels that recipients already trust, this form of "identity abuse becomes harder to detect and easier to scale," allowing it to hide in plain sight and slip past traditional defenses that are tuned only to catch unknown files or clearly malicious software.

FAQs

Why are Teams invitations difficult to block?

They are generated and delivered by Microsoft infrastructure, which means they come from trusted domains and appear legitimate to users and security systems.

Why do attackers prefer phone-based follow-ups?

Live calls allow scammers to pressure victims, answer questions, and adapt their script, increasing the chance of obtaining sensitive information.

What signs indicate a fake Teams billing notice?

Unexpected invitations, urgent payment language, unfamiliar dollar amounts, and the presence of a phone number in the team name are common indicators.
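A defender-side triage heuristic for the indicators listed above and the character substitutions described under "Going deeper", added here as an example and not taken from the article or from any Paubox or Microsoft tooling. The lookalike map, keyword lists and sample team names are constructed for illustration.

```python
import re
import unicodedata

# Digit/symbol/Cyrillic lookalikes seen in obfuscated text (constructed sample
# map, not from the article); extend it from your own mail telemetry.
LOOKALIKES = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "!": "i",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})
BILLING_WORDS = ("billing", "subscription", "invoice", "payment", "auto pay",
                 "autopay", "renewal", "charged", "refund")
URGENCY_WORDS = ("urgent", "immediately", "within 24", "expires", "action required")
MONEY_RE = re.compile(r"(?:\$|usd)\s?\d[\d,]*(?:\.\d{2})?", re.IGNORECASE)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def fold_unicode(text: str) -> str:
    # NFKC folds fullwidth digits/symbols; then strip accents and lowercase.
    text = unicodedata.normalize("NFKC", text).lower()
    return "".join(ch for ch in text if not unicodedata.combining(ch))


def fold_lookalikes(text: str) -> str:
    """Undo digit-for-letter swaps and punctuation so keywords match again."""
    text = fold_unicode(text).translate(LOOKALIKES)
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", text).split())


def team_name_indicators(name: str) -> dict:
    """Which billing-scam traits a Teams group name shows."""
    plain = fold_unicode(name)       # digits intact: needed for $ and phone
    words = fold_lookalikes(name)    # letters restored: needed for keywords
    return {
        "money": bool(MONEY_RE.search(plain)),
        "phone": bool(PHONE_RE.search(plain)),
        "billing": any(w in words for w in BILLING_WORDS),
        "urgency": any(w in words for w in URGENCY_WORDS),
    }


def is_suspicious_invite(name: str) -> bool:
    """Phone number plus money/billing/urgency wording is the campaign hallmark;
    a billing keyword alone (e.g. a real finance team) is not flagged."""
    ind = team_name_indicators(name)
    return ind["phone"] and (ind["money"] or ind["billing"] or ind["urgency"])


# Constructed sample group names taken from guest-invite notifications.
SAMPLE_INVITES = [
    "Sub5cr1pti0n Aut0-Pay Alert: $499.99 charged. Call +1 (800) 555-0137",
    "Q3 Manufacturing Design Review",
    "Billing Team - vendor invoices 2025",
    "Urg3nt: Renewal $ 299 - contact 800.555.0199 immediately",
]
```

Feed it the team name from each guest-invite notification (the string is also the Teams group name, so the same check works on team-creation audit events); names it flags are held for review rather than delivered.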

Which industries are most affected?

Researchers observed higher impact in education, technology, and manufacturing, likely due to frequent external collaboration and large user bases.

How can organizations reduce risk?

They can limit external guest invitations, monitor unusual team creation patterns, educate staff about phone-based scams, and encourage reporting of suspicious invites.