Hackers are exploiting a specific feature within Microsoft Entra, formerly Azure Active Directory, by leveraging legitimate tenant invitations to launch sophisticated Telephone Oriented Attack Delivery (TOAD) campaigns. These attacks trick recipients into calling fraudulent Microsoft support numbers, aiming to harvest credentials and compromise organizational accounts. This innovative phishing tactic combines cloud infrastructure abuse with traditional social engineering, presenting a significant challenge to conventional security measures.
Security analyst Michael Taggart has identified multiple phishing campaigns utilizing this vector. The attackers are effectively bypassing email filters by sending invitations from the legitimate invites@microsoft[.]com address. They create fake Microsoft Entra tenants, masquerading as official entities such as “Unified Workspace Team” or “CloudSync,” to lend an air of authenticity to their fraudulent communications. Once a target receives the invitation, they are presented with a fabricated alert about their Microsoft 365 annual plan requiring renewal, complete with convincing but false transaction details.
Detection Evasion Through Legitimate Microsoft Entra Infrastructure
The core of this attack’s effectiveness lies in its clever exploitation of a design characteristic within Microsoft Entra’s guest user invitation system. The “Message” field within these invitations accepts an unusually large amount of arbitrary text. Attackers are embedding extensive phishing content directly into this field, an area that security software often overlooks because the communication originates from a trusted Microsoft domain.
Attackers register multiple fake tenant domains under the .onmicrosoft.com domain, such as x44xfqf.onmicrosoft[.]com and woodedlif.onmicrosoft[.]com. This allows them to maintain persistent infrastructure for ongoing campaign deployment. Since the invitation email itself originates from Microsoft’s official servers, it is unlikely to be flagged by standard email security gateways designed to detect malicious senders or suspicious attachments.
The social engineering aspect of the attack is highly effective. The fake renewal notice includes fabricated transaction details, including reference numbers, customer IDs, and a billing amount of approximately $446.46. This information is designed to appear legitimate and urgent to the recipient. Following these fabricated details, the message directs the user to call a provided phone number, falsely labeled as “Microsoft Billing Support,” which, in reality, connects them directly to the malicious actors.
Once connected via phone, the attackers engage in credential harvesting. They may guide users through a process that leads them to divulge their Microsoft 365 login credentials. In some instances, this could also escalate to attempts at account takeover, giving attackers unauthorized access to sensitive organizational data and resources. This method of Telephone Oriented Attack Delivery (TOAD) represents a significant evolution in cyberattack methodologies, blending the perceived legitimacy of cloud services with the directness of phone-based scams.
Organizations that use Microsoft Entra should implement immediate detection measures as recommended by security researchers. This includes searching email logs for specific indicators. Key search parameters should involve the sender address invites@microsoft[.]com, subject line phrases such as “invited you to access applications within their organization,” and the attacker tenant names already identified. Monitoring for these specific patterns can help uncover the initial stages of such phishing campaigns.
Furthermore, network administrators can take proactive steps to mitigate this threat. Blocking the phone numbers associated with these identified campaigns can prevent users from reaching the attackers. Ongoing user education is equally important. Employees need to be trained to verify any requests for sensitive information or account access by cross-referencing with official Microsoft support channels instead of responding directly to prompts within unsolicited invitation emails.
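As an added example (not code from the article or from Taggart's research), the following Python triage script applies the indicators described above to a handful of constructed message-trace records. Because invites@microsoft.com also sends every legitimate guest invitation, matching the sender and subject alone would flag all of them; the script therefore scores only the content of the invitation “Message” field, where the lure lives, and separately collects the phone numbers it finds so they can feed the block list mentioned above. The tenant names and .onmicrosoft.com domains are the ones the article reports (written here without the defanging brackets so they match real log text); the phone-number and billing regexes, the scoring weights, the threshold, and all sample messages are my own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicators from the article. The tenant names and domains are the ones it reports;
# the regexes and weights below are assumptions made for this example.
INVITE_SENDER = "invites@microsoft.com"
INVITE_SUBJECT_PHRASE = "invited you to access applications within their organization"
KNOWN_BAD_TENANT_NAMES = {"unified workspace team", "cloudsync"}
KNOWN_BAD_TENANT_DOMAINS = {"x44xfqf.onmicrosoft.com", "woodedlif.onmicrosoft.com"}

# North American phone numbers in the usual written forms (assumed pattern).
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
BILLING_LURE_RE = re.compile(
    r"\b(renew(al|ed)?|billing|invoice|charged|transaction|subscription)\b", re.I)
MONEY_RE = re.compile(r"\$\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?")


@dataclass
class Finding:
    message_id: str
    score: int
    reasons: list[str] = field(default_factory=list)
    phones: list[str] = field(default_factory=list)


def score_invitation(msg: dict) -> Finding | None:
    """Score one mail-log record; None if it is not a guest invitation or shows no lure traits."""
    sender = msg.get("from", "").strip().lower()
    subject_l = msg.get("subject", "").lower()
    if sender != INVITE_SENDER or INVITE_SUBJECT_PHRASE not in subject_l:
        return None  # not an Entra guest invitation; out of scope for this detector
    body = msg.get("body", "")
    body_l = body.lower()
    tenant_l = msg.get("inviter_tenant", "").lower()
    reasons, score = [], 0
    for name in sorted(KNOWN_BAD_TENANT_NAMES):
        if name in subject_l or name in body_l:
            reasons.append(f"known attacker tenant name: {name}")
            score += 5
    for dom in sorted(KNOWN_BAD_TENANT_DOMAINS):
        if dom in body_l or dom in tenant_l:
            reasons.append(f"known attacker tenant domain: {dom}")
            score += 5
    phones = PHONE_RE.findall(body)
    if phones:  # a callback number inside a guest invitation is the TOAD hallmark
        reasons.append(f"phone number in invitation message ({len(phones)})")
        score += 3
    if BILLING_LURE_RE.search(body):
        reasons.append("billing/renewal lure wording")
        score += 2
    if MONEY_RE.search(body):
        reasons.append("currency amount in invitation message")
        score += 1
    if len(body) > 500:  # the article notes the Message field takes unusually long text
        reasons.append("unusually long invitation message")
        score += 1
    if score == 0:
        return None
    return Finding(msg["id"], score, reasons, phones)


def triage(messages, threshold: int = 4) -> list[Finding]:
    """Return findings at or above the threshold, in log order."""
    return [f for f in (score_invitation(m) for m in messages) if f and f.score >= threshold]


def phone_blocklist(messages, threshold: int = 4) -> list[str]:
    """Distinct phone numbers seen in flagged invitations, for the telephony block list."""
    return sorted({p for f in triage(messages, threshold) for p in f.phones})


# Constructed sample records standing in for message-trace / mail-gateway log lines.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "invites@microsoft.com",
     "subject": "Contoso Ltd invited you to access applications within their organization",
     "body": "Hi, please join our shared project workspace.",
     "inviter_tenant": "contoso.onmicrosoft.com"},
    {"id": "m2", "from": "invites@microsoft.com",
     "subject": "Unified Workspace Team invited you to access applications within their organization",
     "body": ("Your Microsoft 365 annual plan has been renewed. Reference: REF-20931 "
              "Customer ID: CUS-7731 Amount charged: $446.46. If you did not authorize "
              "this charge, call Microsoft Billing Support at 1-800-555-0199 within 24 hours."),
     "inviter_tenant": "x44xfqf.onmicrosoft.com"},
    {"id": "m3", "from": "billing@example.com", "subject": "Invoice attached",
     "body": "See attached invoice."},
    {"id": "m4", "from": "invites@microsoft.com",
     "subject": "Northwind Support invited you to access applications within their organization",
     "body": "Call us at (555) 010-0199 to renew.",
     "inviter_tenant": "northwind.onmicrosoft.com"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_MESSAGES):
        print(f.message_id, f.score, "; ".join(f.reasons))
    print("block:", phone_blocklist(SAMPLE_MESSAGES))
```

Run as-is it prints m2 and m4 with their reasons and the two numbers to block, while the ordinary invitation m1 and the unrelated mail m3 stay silent. In practice the records would come from your mail gateway or Microsoft 365 message-trace export, and the tenant lists would be extended as new attacker tenants are identified.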
The ongoing exploitation of Microsoft Entra’s guest invitation feature highlights a persistent challenge in securing cloud-based collaboration tools. As attackers adapt their tactics to leverage legitimate infrastructure, organizations must remain vigilant and continuously update their security protocols and employee training programs. Future efforts will likely focus on refining anomaly detection within cloud authentication systems and enhancing user awareness training to counter these increasingly sophisticated social engineering attacks.