Check Point Software has detected a massive phishing email campaign affecting thousands of users of the Microsoft Teams communications platform. The emails take advantage of legitimate platform features to distribute malicious content that appears to come from authentic services, tricking victims into calling a fraudulent support number. This new variant demonstrates a high degree of sophistication and planning.
The campaign is especially striking because of how the phishing emails are constructed. Cybercriminals start by creating teams in Microsoft Teams with finance-related names, designed to look like urgent billing or subscription notices. These phishing emails include obfuscation techniques, such as character substitutions and visually similar glyphs (graphic symbols that represent ideas, sounds, or concepts), which allow the message to go unnoticed by security systems while remaining understandable to users.
Once the team is created, the cybercriminals send invitations through the “Invite a Guest” feature in Microsoft Teams. Recipients receive an email from a legitimate Microsoft address, which reinforces the credibility of the message. At first glance, it can be mistaken for a real notification from the company, increasing the likelihood that users will trust the content and follow its instructions.
The most notable aspect of this campaign is that it does not depend on malicious links or fake senders. Instead, the attackers resort to social engineering over the phone, urging victims to call a fraudulent support number to resolve a supposed billing issue described in the email.
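As an added illustration (not code from Check Point or Microsoft), the sketch below shows how a mail filter could fold look-alike characters in the team name taken from a guest invitation before checking it for billing terms and a callback phone number. The keyword list, the small confusables subset, the function names and the sample strings are constructed assumptions.

```python
import re
import unicodedata

# Constructed subset of look-alike characters; a production filter would use
# the full Unicode confusables data (UTS #39) instead of this short map.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0456": "i", "\u0455": "s",
    "\u03bf": "o", "\u03b9": "i", "\u03b1": "a",                  # Greek
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "@": "a",
})
# Assumed finance-related terms, based on the billing/subscription theme.
KEYWORDS = ("invoice", "billing", "payment", "subscription", "renewal", "refund")
# 10 to 14 digits with optional separators, e.g. +1 (808) 555-0147.
PHONE = re.compile(r"\+?\d(?:[\s().-]{0,3}\d){9,13}")


def strip_marks(text: str) -> str:
    """Fold compatibility forms (fullwidth, math letters) and drop combining
    marks and invisible format characters such as zero-width spaces."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed
                   if unicodedata.category(c) not in ("Mn", "Cf"))


def analyze_team_name(raw: str) -> dict:
    cleaned = strip_marks(raw)
    folded = cleaned.lower().translate(CONFUSABLES)
    raw_hits = {k for k in KEYWORDS if k in raw.lower()}
    folded_hits = {k for k in KEYWORDS if k in folded}
    return {
        "keywords": sorted(folded_hits),
        # Terms that only appear after folding were deliberately disguised.
        "obfuscated": sorted(folded_hits - raw_hits),
        # Phone check runs before digit folding so numbers stay intact.
        "phone": bool(PHONE.search(cleaned)),
    }


def is_suspicious(raw: str) -> bool:
    r = analyze_team_name(raw)
    return bool(r["obfuscated"]) or bool(r["keywords"] and r["phone"])


# Constructed samples: the first mixes Cyrillic letters into Latin words.
SAMPLE_OBFUSCATED = "\u0406nv\u043eice P\u0430yment Due - c\u0430ll +1 (808) 555-0147"
SAMPLE_BENIGN = "Q3 Billing Review"
```

A billing term alone is not flagged, since legitimate teams use such names; the signal is a term that only matches after folding, or a term combined with a phone number.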
Main industries affected
The scope of this wave of phishing emails is considerable: 12,866 messages have been sent, affecting 6,135 users, with a daily average of 990 phishing emails. The sectoral analysis shows that the campaign has impacted companies in different areas, mainly manufacturing, engineering and construction (27.4%), followed by technology and education (18.6%). The emails have also targeted professional services organizations (11.2%), government (8.1%) and finance (7.3%).
Geographically, the United States accounts for the majority of incidents, with 67.9% of companies affected. Europe represents 15.8% and Asia 6.4%, while Australia and New Zealand (both with 3.9%) and Canada (3.1%) register a lower incidence. In LATAM, where 2.4% of the phishing emails are detected, Brazil (44%), Mexico (31%) and Argentina (11%) are the most impacted countries.
Check Point Research warns that these types of phishing emails demonstrate how attackers can leverage trusted invitation flows and widely used platforms to spread fraud campaigns without the need for malicious links or spoofed emails. Users should therefore be extremely cautious when faced with unexpected invitations in Microsoft Teams, as they may be phishing emails designed to look like legitimate notifications.
Advanced defense solutions
To protect businesses against these threats, Check Point Software recommends advanced, layered defense solutions that can identify and block phishing emails even when they are hiding in plain sight. This campaign confirms, once again, that trust in widely adopted digital platforms can be exploited through phishing emails if adequate security controls are not applied.
“Attackers are using legitimate Microsoft Teams features and obfuscated team names to evade security and trick users through phishing emails with fake billing notifications. This shows that social engineering combined with trusted platforms can be very effective,” says Rafael López, security engineer specializing in email protection at Check Point Software.
