- Hackers create finance-themed Teams to trick users without using phishing links
- Obfuscated team names bypass automated detection while appearing normal to targets
- Fraudulent phone calls attempt to extract login credentials and sensitive information
Attackers are now abusing legitimate Microsoft Teams features to reach users without using traditional phishing links, new research has found.
Experts at CheckPoint found the campaign begins when hackers create new teams with finance-themed or urgent billing names, often embedding obfuscation techniques such as mixed Unicode characters or visually similar symbols.
These tactics allow the malicious team names to bypass automated detection while still appearing normal to users.
How the hijack leads to email access
Once the attackers set up the team, they use the “Invite a Guest” feature to send official-looking Microsoft emails directly to targets, making the invitations appear credible and increases the likelihood of user interaction.
The phishing messages instruct recipients to call a fraudulent support number to resolve supposed subscription or billing issues - and during these calls, attackers attempt to extract login credentials or sensitive information that can be used to access corporate email accounts.
Unlike conventional phishing, the campaign avoids malicious links or malware attachments and relies instead on social engineering to compromise accounts.
The combination of official Microsoft messaging and urgent, finance-related language creates a higher level of trust, which makes standard firewall protections less effective without user vigilance.
Users should treat any unexpected Teams invitations with caution, especially if the team names include payment amounts, invoices, phone numbers, or unusual formatting.
Obfuscated characters, inconsistent spelling, or large-font displays designed to draw attention serve as strong warning signs.
Organizations which use such online collaboration tools widely need to ensure staff receive training to recognize these subtle red flags and report suspicious invitations immediately.
Malware removal procedures and layered email security can provide additional protection, but human attention remains critical in preventing compromise.
However, even with firewalls and security controls in place, attackers continue to adapt tactics that exploit trusted collaboration platforms.
Vigilance, staff awareness, and rapid reporting are essential to prevent this type of social engineering from succeeding.
Check Point says the attack has targeted organizations across multiple industries, including manufacturing, technology, education, and professional services.
Teams users worldwide must maintain heightened awareness to reduce the risk of exposing email accounts or other internal systems.
Analysis indicates the affected organizations were concentrated in the United States, accounting for nearly 68% of incidents.
Europe followed with 15.8%, Asia with 6.4%, and smaller shares appeared in Australia, New Zealand, Canada, and LATAM countries.
Within Latin America, Brazil and Mexico experienced the highest activity, together representing over 75% of regional incidents.
While the attackers do not appear to target specific sectors deliberately, the campaign demonstrates the scale at which trusted collaboration platforms can be exploited.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.