Phishing Red Alert: Microsoft Entra Invitations Exploited in Sophisticated TOAD Campaign

In a rising wave of cybercrime, attackers are exploiting Microsoft Entra’s legitimate tenant invitation system to execute a sophisticated phishing scheme. Unlike conventional email attacks that rely on malicious links or attachments, this campaign employs Telephone-Oriented Attack Delivery (TOAD) tactics, tricking victims into calling fraudulent support numbers. By masquerading as official Microsoft invitations, these emails deceive users into exposing sensitive information or granting remote access to their systems. This new method demonstrates how cybercriminals are creatively abusing trusted cloud infrastructure to bypass traditional defenses.

Rising Threat: Abuse of Microsoft Entra Infrastructure

Microsoft Entra, a platform for identity and access management, enables organizations to invite external users as “Guest Users” for cross-tenant collaboration. Each invitation includes a customizable message, designed to provide context to the recipient. In this latest attack, threat actors exploit this feature to embed phishing lures. Emails claim billing issues or account verification requirements, appearing entirely legitimate because they are sent from invites@microsoft[.]com, Microsoft’s real domain. Subject lines such as “invited you to access applications within their organization” mimic routine collaboration requests, lulling users into compliance.

TOAD Tactics: Social Engineering Over Malware

Unlike conventional phishing, this campaign does not rely on malicious URLs. Instead, recipients are instructed to call a listed phone number, 18052948531, tied to a fraudulent support center. On these calls, attackers impersonate Microsoft or payment support staff, guiding victims to install remote administration tools or authorize fake payments. These Telephone-Oriented Attack Delivery techniques have been documented by security firms like Proofpoint and exploit the victim’s trust in perceived authority figures rather than technological vulnerabilities.

Malicious Tenants and Domains

Security researchers have identified several attacker-controlled Microsoft Entra tenants involved in this campaign, including “CloudSync,” “Advanced Suite Services,” “TenantHub,” and “Unified Workspace Team.” Associated domains, such as x44xfqf.onmicrosoft[.]com and woodedlif.onmicrosoft[.]com, are leveraged to send seemingly legitimate invitations. Because these emails originate from Microsoft’s trusted environment, they often bypass standard email filters, increasing the likelihood of user interaction.

Defensive Measures for Organizations

Organizations can mitigate risk by reviewing mail logs for invitations from invites@microsoft[.]com linked to the aforementioned tenant names or domains. Security teams should flag emails with subject lines containing “invited you to access applications within their organization” as potentially malicious. Additional preventative steps include limiting external collaboration invitations in Microsoft Entra, disabling automatic guest invites, and educating employees about phone-based phishing techniques. Awareness of TOAD-style attacks is critical, as these tactics exploit social engineering rather than malware.
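As an added example (not from the article, cyberpress.org or Microsoft), the following Python triages exported mail-log records against the sender, subject substring, tenant names, domains and support number quoted above. The sample records are constructed, and the sender/subject/body dictionary is an assumption about how a message-trace export would be normalized.

```python
import re

# IoCs quoted from the article (defanging brackets removed so they match real mail).
IOC_SENDER = "invites@microsoft.com"
IOC_SUBJECT = "invited you to access applications within their organization"
IOC_TENANTS = ("CloudSync", "Advanced Suite Services", "TenantHub", "Unified Workspace Team")
IOC_DOMAINS = ("x44xfqf.onmicrosoft.com", "woodedlif.onmicrosoft.com")
IOC_PHONE = "18052948531"
# Loose North-American phone pattern: a TOAD lure carries a number to call, not a link.
PHONE_RE = re.compile(r"\+?1?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def triage(record):
    """Return the reasons a mail record matches the campaign (empty list = no match).

    record is a dict with 'sender', 'subject' and 'body' (the invitation's custom message).
    Only mail from the genuine Entra invitation sender is in scope; everything else is ignored.
    """
    reasons = []
    if record.get("sender", "").lower() != IOC_SENDER:
        return reasons
    subject, body = record.get("subject", ""), record.get("body", "")
    text = f"{subject} {body}".lower()
    if IOC_SUBJECT in subject.lower():
        reasons.append("subject matches guest-invitation lure")
    reasons += [f"known attacker tenant: {t}" for t in IOC_TENANTS if t.lower() in text]
    reasons += [f"known attacker domain: {d}" for d in IOC_DOMAINS if d in text]
    if IOC_PHONE in re.sub(r"\D", "", body):
        reasons.append("fraudulent support number from the campaign")
    elif PHONE_RE.search(body):
        reasons.append("custom message carries a phone number (TOAD pattern)")
    return reasons


def severity(reasons):
    """'block' when a campaign-specific IoC hit, 'review' for the generic lure alone, else 'none'."""
    if any(r.startswith(("known attacker", "fraudulent")) for r in reasons):
        return "block"
    return "review" if reasons else "none"


# Constructed sample records (not real captures) standing in for exported mail-log rows.
SAMPLE_LOG = [
    {"sender": "invites@microsoft.com",
     "subject": "CloudSync invited you to access applications within their organization",
     "body": "Your billing is overdue. Call Microsoft support at 1 (805) 294-8531 today."},
    {"sender": "invites@microsoft.com",
     "subject": "Contoso invited you to access applications within their organization",
     "body": "Contoso has shared the Q3 project workspace with you."},
    {"sender": "newsletter@example.com", "subject": "Weekly digest", "body": "Hello"},
]

if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        hits = triage(rec)
        print(f"{severity(hits):6} {rec['subject'][:40]!r} {hits}")
```

A legitimate invitation that only matches the subject substring lands in the "review" bucket, which is what the article's advice to flag such mail as potentially malicious amounts to in practice.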

Indicators of Compromise (IoCs)

| Indicator | Type | Description |
|---|---|---|
| invites@microsoft[.]com | Sender address | Used in Entra invitation phishing |
| invited you to access applications within their organization | Email subject substring | Monitored for suspicious guest invites |
| CloudSync | Tenant name | Attacker-controlled Entra tenant |
| Advanced Suite Services | Tenant name | Attacker-controlled Entra tenant |
| TenantHub | Tenant name | Attacker-controlled Entra tenant |
| Unified Workspace Team | Tenant name | Attacker-controlled Entra tenant |

What Undercode Say: Analyzing the TOAD Exploit

This campaign illustrates a critical evolution in phishing strategies, where attackers leverage legitimate corporate tools to conduct highly targeted social engineering attacks. Unlike link-based phishing, TOAD campaigns exploit human psychology—trust in authority and urgency. By using Microsoft’s own infrastructure, threat actors circumvent traditional email security mechanisms that rely on domain reputation or malicious content detection.

The use of Entra’s customizable message field is particularly insidious. It enables attackers to craft contextually convincing narratives, such as unpaid bills or account verification requirements. Combined with the authentic appearance of sender information, the email can easily bypass user suspicion. Security teams are therefore challenged to implement behavior-based detection mechanisms and educate users to critically evaluate phone-based requests.

Moreover, the creation of attacker-controlled tenants and onmicrosoft[.]com domains shows a sophisticated level of operational planning. These tenants are not random; they are carefully named to appear legitimate, increasing the chance of user engagement. Defenders must correlate incoming invitations with known IoCs while monitoring for unusual patterns of remote administration tool installation requests.

From a strategic perspective, the TOAD attack demonstrates a pivot from mass-targeted phishing to high-effort, high-reward social engineering. The attack’s reliance on phone interaction increases the likelihood of personalized manipulation. It also underlines the necessity of layered defense: endpoint monitoring, employee training, and robust incident response procedures.

Organizations should consider deploying AI-driven anomaly detection on collaboration platforms, limiting the exposure of guest invitation features, and simulating TOAD-style attacks internally to strengthen resilience. The psychological component—fear of financial liability or account compromise—is a key vector here, making user awareness campaigns as critical as technological defenses.

The campaign also serves as a warning about the broader implications for cloud security. Trusted services, once considered safe from phishing exploitation, are now being weaponized. Enterprises must balance usability and convenience with security protocols that assume attackers can compromise even familiar, legitimate systems.

Fact Checker Results

✅ Emails originate from Microsoft’s legitimate invites@microsoft[.]com infrastructure.

✅ Attackers exploit Microsoft Entra tenant invitations for social engineering.

❌ This is not a malware-based phishing campaign; it relies on phone-based deception.

Prediction

📊 The evolution of TOAD attacks signals a rise in hybrid phishing tactics combining cloud trust exploitation and real-time social engineering. Organizations will increasingly face threats that bypass traditional email filters, emphasizing the importance of employee education, anomaly detection, and restricted collaboration settings. Cybercriminals may also expand these tactics to other cloud platforms, making identity management systems the next high-value target for deception campaigns.


References:

Reported By: cyberpress.org