Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Phishing campaign targets Microsoft Entra guest invitees with fake invoices

Written by Farah Amod | December 09, 2025

Cybercriminals are abusing Microsoft Entra guest invitations to deliver telephone-oriented attack delivery (TOAD) phishing messages that appear to come from legitimate Microsoft infrastructure, according to Cybernews.

 

What happened

A new phishing campaign is targeting recipients of Microsoft Entra B2B guest invitations by embedding fake invoice alerts inside legitimate Microsoft-generated messages. The attack uses telephone-oriented attack delivery methods, prompting victims to call a fraudulent “Microsoft Billing Support” number about a non-existent $446 charge.

 

Going deeper

The campaign was identified by threat researcher Matt Taggart, who reported that attackers are misusing Microsoft Entra’s guest invitation system to bypass traditional email security tools. Entra invitations are often whitelisted and routed through Microsoft’s cloud infrastructure, allowing the messages to appear authentic and avoid detection.

The phishing email informs the recipient that their Microsoft 365 plan has been renewed, provides a fake invoice number and billing amount, and urges them to call a support line. Once the victim initiates the call, scammers follow typical TOAD tactics that can lead to remote access requests, pressure for payment details, or attempts to obtain personal information.

Experts note that the threat actors are using trusted tenant invitation workflows, minimal technical indicators, and urgent billing themes to manipulate recipients. Because the attack relies on human interaction rather than malicious links or attachments, traditional detection controls are far less effective.

 

The big picture

Attackers exploit cloud-trusted delivery mechanisms to conduct phone-based phishing schemes. According to the FBI’s 2024 Internet Crime Report, phishing and related social engineering scams accounted for over 298,000 complaints, representing the most frequently reported category of cybercrime. These incidents often bypass traditional security layers because they rely on user interaction rather than malicious files or links.

 

FAQs

Why are Microsoft Entra guest invitations attractive to attackers?

They originate from legitimate Microsoft infrastructure, making them far less likely to be flagged or blocked by email security tools that rely on domain reputation or sender authentication.

 

How does a TOAD attack differ from a normal phishing email?

Instead of encouraging the user to click a link, TOAD campaigns push victims to call a phone number where scammers attempt to extract personal or financial information through conversation.

 

What risks arise when an attacker gains victim engagement over the phone?

Once a call is initiated, scammers may request remote access, payment card details, or account credentials under the guise of resolving a billing issue or issuing a refund.

 

How can organizations monitor for misuse of Entra guest invitations?

They can audit invitation logs for spikes in external requests, unusual message content, or repeated invitations to personal email domains.
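As an added illustration of the audit approach described above (example code written for this post, not a Paubox or Microsoft tool), the script below runs two of those checks over a handful of constructed Entra-style audit records: an invitation-rate spike per inviting account, and repeated invitations to personal email domains. The record field names are assumed to follow the shape of Microsoft Graph directory audit entries ("Invite external user" events); the inviter names, addresses and thresholds are invented for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real tenant data). Field names are
# modelled on the Graph directoryAudit shape as an assumption.
def _ev(when, inviter, invited, activity="Invite external user"):
    return {"activityDisplayName": activity, "activityDateTime": when,
            "initiatedBy": inviter, "invited": invited}

SAMPLE_EVENTS = [
    _ev("2025-12-09T09:00:00Z", "alice@example.com", "partner@vendor-a.example"),
    _ev("2025-12-09T11:30:00Z", "alice@example.com", "auditor@firm-b.example"),
    _ev("2025-12-09T12:00:00Z", "alice@example.com", "bob@example.com", activity="Add user"),
] + [  # six guest invitations from one account within five minutes, all to personal mailboxes
    _ev(f"2025-12-09T14:0{i}:00Z", "svc-invite@example.com", f"recipient{i}@{dom}")
    for i, dom in enumerate(["gmail.com", "gmail.com", "outlook.com", "gmail.com", "outlook.com", "gmail.com"])
]

PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}

def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def invitation_findings(events, window=timedelta(minutes=10), spike_threshold=5,
                        personal_repeat_threshold=3, personal_domains=PERSONAL_DOMAINS):
    """Flag inviters who exceed spike_threshold invitations inside any sliding
    window, and inviters who repeatedly target personal email domains."""
    by_inviter = defaultdict(list)
    for e in events:
        if e["activityDisplayName"] != "Invite external user":
            continue  # only guest invitation events are of interest here
        domain = e["invited"].split("@")[-1].lower()
        by_inviter[e["initiatedBy"]].append((_parse_time(e["activityDateTime"]), domain))
    findings = {"spikes": {}, "personal_domain_repeats": {}}
    for inviter, items in by_inviter.items():
        items.sort()
        times = [t for t, _ in items]
        start, peak = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= spike_threshold:
            findings["spikes"][inviter] = peak
        personal = Counter(d for _, d in items if d in personal_domains)
        if sum(personal.values()) >= personal_repeat_threshold:
            findings["personal_domain_repeats"][inviter] = dict(personal)
    return findings
```

Against the sample records, only the `svc-invite@example.com` account is reported, on both checks; the two routine partner invitations from `alice@example.com` stay below every threshold.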