Email security, Phishing, Identity

Microsoft Entra guest invites harnessed in new phishing campaign


Microsoft Entra B2B tenant invitations have been exploited by threat actors to facilitate a new Telephone-Oriented Attack Delivery phishing campaign, according to Cybernews.

Attackers sending from the legitimate 'invites@microsoft[.]com' address distributed emails claiming that the recipient's annual Microsoft 365 plan had been renewed and processed and would be delivered through the Microsoft 365 tenant; the messages included an invoice and a bogus phone number for "Microsoft Billing Support," according to an analysis by cybersecurity threat researcher Matt Taggart.

Contacting the provided number to dispute the transaction then triggers the TOAD attack, which commences with another phishing email before proceeding with spoofed phone calls and attacker-controlled software installation.

The attackers abused the Message field of Microsoft Entra guest user invitations to carry the lure, said Taggart, who also noted that the use of an official Microsoft sender address let the emails slip past email filters. Organizations and individuals have been cautioned about the increasing prevalence of such tactics in phishing intrusions.
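As an added example that is not part of the original report, the following Python script shows one way a mail security team could triage Entra B2B invitation emails for the lure pattern described above: billing wording combined with a callback phone number inside the invitation message. The two sample messages, the keyword list and the sender-matching logic are constructed assumptions, not data from the campaign.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample messages: one benign guest invite and one modelled on the
# TOAD lure described above. Neither is a real captured email.
BENIGN_INVITE = """From: Microsoft Invitations <invites@microsoft.com>
Subject: You're invited to the Contoso directory
Content-Type: text/plain

Jane Doe (jane@contoso.example) invited you to access applications within their organization.
Message from Jane: Hi, please accept so we can share the Q3 planning workspace.
"""

LURE_INVITE = """From: Microsoft Invitations <invites@microsoft.com>
Subject: You're invited to the Billing directory
Content-Type: text/plain

Message: Your annual Microsoft 365 plan has been renewed and processed.
Invoice #INV-000000 ($399.99) is attached and delivered through your Microsoft 365 tenant.
To dispute this charge call Microsoft Billing Support at (800) 555-0199.
"""

INVITE_SENDER = "invites@microsoft.com"          # legitimate Entra invitation sender
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
BILLING_TERMS = ("invoice", "renewed", "billing support", "dispute", "charge", "subscription")

def analyse_invite(raw):
    """Return (is_invite, reasons) for one raw RFC 822 message.

    A genuine Entra B2B invite arrives from invites@microsoft.com and carries a
    free-text message written by the inviter. Billing wording plus a callback
    number in that message is the lure pattern, so each is reported separately."""
    msg = message_from_string(raw, policy=default)
    sender = (msg.get("From") or "").lower()
    if INVITE_SENDER not in sender:
        return False, []
    body = (msg.get_body(preferencelist=("plain",)) or msg).get_content()
    reasons = []
    if PHONE_RE.search(body):
        reasons.append("phone number in invitation message")
    hits = [term for term in BILLING_TERMS if term in body.lower()]
    if hits:
        reasons.append("billing wording: " + ", ".join(hits))
    return True, reasons

def is_toad_lure(raw):
    # Require both signals: a phone number alone may be an inviter's contact detail.
    is_invite, reasons = analyse_invite(raw)
    return is_invite and len(reasons) == 2
```

Because the sender address is genuine, this check has to run on message content (for example in a post-delivery mail-flow rule or a SOAR triage step) rather than on sender reputation.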
