- Hackers create finance-themed teams to trick users without using phishing links
- Blurred team names bypass auto-detection while appearing normal for targets
- Fraudulent phone calls attempt to extract login credentials and sensitive information
Attackers are now abusing legitimate Microsoft Teams features to reach users without using traditional phishing links, new research has found.
Experts at CheckPoint found that the campaign begins when hackers create new teams with finance-themed or urgent billing names, often embedding obfuscation techniques such as mixed Unicode characters or visually similar symbols.
These tactics allow the malicious team names to bypass automatic registration while still appearing normal to users.
How the Hijacking Leads to Email Access
Once the team is created, the attackers use the “Invite a Guest” feature to send official Microsoft emails directly to targets, making the invitations appear credible and increasing the likelihood of user interaction.
The phishing messages instruct recipients to call a fraudulent support number to resolve suspected subscription or billing issues — and during these calls, attackers attempt to extract login credentials or sensitive information that can be used to access company email accounts.
Unlike conventional phishing, the campaign avoids malicious links or malware attachments and instead relies on social engineering to compromise accounts.
The combination of official Microsoft announcements and urgent, finance-related language creates a higher level of trust that makes standard firewall protection less effective without user vigilance.
Users should treat any unexpected Teams invitations with caution, especially if the team names include payment amounts, invoices, phone numbers, or unusual formatting.
Obscure characters, inconsistent spelling, or large fonts designed to attract attention serve as strong warning signs.
Organizations that use such online collaboration tools extensively need to ensure staff receive training to recognize these subtle red flags and immediately report suspicious invitations.
Malware removal procedures and layered email security can provide additional protection, but human attention is still essential to prevent compromise.
But even with firewalls and security controls in place, attackers continue to adapt tactics that exploit trusted collaboration platforms.
Vigilance, staff awareness and prompt reporting are essential to prevent this type of social engineering from succeeding.
Check Point says the attack targets organizations across multiple industries, including manufacturing, technology, education and professional services.
Teams users worldwide must maintain heightened awareness to reduce the risk of exposing email accounts or other internal systems.
Analysis shows that the affected organizations were concentrated in the United States, which accounts for nearly 68% of the incidents.
Europe followed with 15.8%, Asia with 6.4%, and smaller shares appeared in Australia, New Zealand, Canada and LATAM countries.
Within Latin America, Brazil and Mexico experienced the highest activity, together representing over 75% of regional events.
While the attackers do not appear to be deliberately targeting specific sectors, the campaign demonstrates the scale at which trusted collaboration platforms can be exploited.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
