By Priya
Publication Date: 2025-11-17 10:30:00
A new phishing and reverse phishing campaign is exploiting Microsoft Entra tenant invitation emails to deliver Telephone-Oriented Attack Delivery (TOAD) lures to unsuspecting users.
Researchers have observed attackers using the legitimate Microsoft domain and sender address invites@microsoft[.]com to send fake invitations that reference a supposed billing issue, prompting targets to call a listed phone number.
Abuse of Legitimate Microsoft Infrastructure
Microsoft Entra, the company’s identity and access management platform, allows organizations to invite external users as “Guest Users” to collaborate across tenants.
Each invitation email includes a customizable “Message” field that the inviter can fill out to provide context. Attackers are now abusing this message box to insert phishing lures and convince victims to engage.
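As an added triage example, not code from the original article or from Microsoft: a Python script that parses a constructed Entra guest-invitation email and flags it when the inviter-controlled message text combines a billing pretext with a phone number to call. The sample email layout and the "Message from the inviter:" label are assumptions; the real template may differ.

```python
"""Triage Entra guest-invitation emails for TOAD-style callback lures.

Added example with constructed sample emails. The sender address is the
legitimate Entra invitation address, so sender reputation cannot be the
signal; the lure lives in the free-text message the inviter controls.
"""
import re
from email import message_from_string

ENTRA_INVITE_SENDER = "invites@microsoft.com"  # legitimate, not exonerating

BILLING_RE = re.compile(
    r"\b(?:invoice|billing|outstanding (?:bill|balance)|payment (?:due|failed)"
    r"|charge[ds]?|refund|suspend(?:ed|sion))\b", re.I)
CALL_RE = re.compile(r"\b(?:call|dial|phone|contact)\b", re.I)
# Loose phone pattern: optional country code, then 3-3-4 digit groups.
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def triage_invitation(raw_email: str) -> dict:
    """Return the lure indicators found in one raw RFC 822 invitation email."""
    msg = message_from_string(raw_email)
    sender = (msg.get("From") or "").lower()
    chunks = []
    for part in msg.walk():  # works for single-part and multipart mail
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    text = "\n".join(chunks)
    phones = [p.strip() for p in PHONE_RE.findall(text)]
    billing = [m.lower() for m in BILLING_RE.findall(text)]
    call_to_action = bool(CALL_RE.search(text))
    # A callback lure needs a number to call and a reason to call it.
    return {
        "from_entra": ENTRA_INVITE_SENDER in sender,
        "phones": phones,
        "billing_terms": billing,
        "call_to_action": call_to_action,
        "toad_lure": bool(phones) and (bool(billing) or call_to_action),
    }


# Constructed samples (hypothetical tenants and a reserved 555 phone number).
LURE_INVITE = """\
From: Microsoft Invitations <invites@microsoft.com>
To: finance@example.test
Subject: You're invited to join Contoso Ltd
Content-Type: text/plain; charset=utf-8

Contoso Ltd invited you to access applications within their organization.

Message from the inviter:
Your account shows an outstanding bill of $499.99 and will be suspended.
Call our billing desk at +1 (800) 555-0143 within 24 hours to avoid charges.
"""
```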
In this campaign, the attackers craft messages that claim the recipient has an outstanding bill or needs to confirm account…