New TOAD phishing campaign targets Microsoft Entra guest invitees with fake invoices


Cybercriminals are targeting recipients of Microsoft Entra B2B guest invites, taking advantage of Entra’s cloud-based infrastructure to bypass email filters as part of a new Telephone-Oriented Attack Delivery (TOAD) phishing campaign.

Key takeaways:

The reverse phishing scam was uncovered by threat researcher Matt Taggart and “a few friends” over the weekend.


The new attack exploits Microsoft Entra, the company’s cloud-based suite of identity and network-access products, which secures access for employees, customers, and workloads such as Microsoft 365.

Businesses using the Entra ID system (formerly known as Azure Active Directory) can send a “guest invitation” via email to a known recipient, allowing that recipient to create a guest account and engage in secure communications with the user.

Taggart says the criminals are abusing the Microsoft Entra tenant invitations to send the malicious email, and then hoping “to trick recipients into calling a telephone number, referencing a fictitious bill,” which, for those unfamiliar, also categorizes it as a TOAD attack.

Actual threat intelligence! A few friends and I identified a new reverse phishing campaign leveraging Entra Guest User invitations. This campaign was newly discovered and corroborated. I recommend reviewing organization email for these invitations. taggart-tech.com/ent...


Taggart (@taggart-tech.com), November 14, 2025 at 1:12 PM

Ensar Seker, CISO at threat intelligence firm SOCRadar says the Entra TOAD campaign is a prime example of how attackers are increasingly repurposing legitimate cloud-native features for malicious purposes.

"By abusing Microsoft Entra’s guest invitation system, the threat actors bypass traditional email filters and exploit the trust users place in official Microsoft-branded messages," Seker explains.

What’s more, Seker points out that because Entra invitations are “often whitelisted and routed through Microsoft’s infrastructure, they have higher deliverability and lower suspicion thresholds.”


With human interaction as the initial "payload" (as opposed to code execution), traditional email filtering, sandboxing, and EDR tools become far less effective, the CISO says.

Breaking down the TOAD attack

In a phishing attack, a bad actor typically targets the victim with a fraudulent email, hoping to trick them into clicking a malicious link that either downloads malware or redirects them to a fake site. Either way, the goal is unauthorized access to the victim's device or accounts in order to steal sensitive information.

A TOAD attack adds an extra step to the phish.


Instead of clicking a malicious link, the email will attempt to trick the victim into calling a phone number provided in the email. On the other end, a scammer lies in wait, hoping to pressure the victim into a similar malicious scenario, resulting in the handover of personal or financial information.

Taggart says, once the recipient calls, “From the phone number, normal TOAD TTPs are in play." The typical attack lifecycle begins with the deceptive phishing email, includes threat actor caller impersonations, and often culminates in the installation of hacker-controlled software.

“Hello, Your Microsoft 365 annual plan has been renewed and processed,” the email in this case states to the recipient. The message then continues with a long-winded explanation of how the email was sent to the victim securely through the Microsoft 365 tenant.

Microsoft Entra phish email
Image by Taggart-tech.com

The email then provides information meant to trigger the victim to act. This includes the invoice purchase date, invoice number, and customer number, listing the amount billed – $446.46 – which is more than enough to spur anyone to call the fake "Microsoft Billing Support" phone number provided (available 24/7 for immediate assistance) and dispute the charge.


Seker says the Entra TOAD attack blends cloud abuse, social engineering, and trust manipulation, making the campaign particularly dangerous.

Calling it “part of a broader trend in adversary-in-the-middle techniques,” Seker breaks down the attack into three parts:

  • Trusted delivery mechanisms (Microsoft Entra infrastructure)
  • Minimal technical indicators (no malicious attachment or link to analyze)
  • Social pressure (urgent account issues prompting a phone call)

TOAD phishing attacks differ from traditional credential harvesting because they rely on inducing the user to take offline action, usually by calling a phone number.

In this case, embedding the phone number within a trusted Microsoft invitation gives the scam an air of legitimacy. Once the victim initiates the call, attackers may request remote access, payment details, or PII under the guise of “fixing” an account issue or refunding a charge.

What can organizations do to protect themselves?

Providing several screenshots, Taggart further notes that “the use of Entra Guest user invitations seems solely to take advantage of the Message field in the Guest User invitation,” as shown below.

Taggart warns that the invites "come from ‘invites@microsoft[.]com,’ which is a legitimate address and likely won't be blocked by email filters" – a known tactic used in similar campaigns in which the scammers will ”use message fields in notifications from trusted services to embed a phishing lure.”

Microsoft Entra TOAD phish header
Image by Taggart-tech.com

Meantime, Seker stresses that the Microsoft Entra campaign “underlines the need for zero trust policies even within SaaS environments, continuous behavioral monitoring, and adaptive email filtering models that account for intent, not just indicators."


To avoid becoming a victim, Seker says organizations should immediately begin monitoring and auditing their Microsoft Entra guest invitation logs for anomalous behaviors.

This can include looking for “spikes in external invitations, use of unusual messaging language, or repeated invitations to consumer domains.”
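As an added example (not code from the article, from Taggart, or from SOCRadar), the Python script below turns those three checks, plus Taggart's observation that the lure lives in the invitation's free-text Message field, into a review pass over guest-invitation records. The records are constructed for the example and use a simplified, assumed schema loosely modelled on Entra audit-log "Invite external user" entries; the addresses, tenant names and the phone number are placeholders, and the spike threshold is an assumption to tune per tenant.

```python
"""Heuristic review of Entra B2B guest-invitation events for TOAD-style lures.

Added example, not part of the original article. The event schema below is an
ASSUMPTION (a simplified stand-in for Entra audit-log invitation entries), and
all records are CONSTRUCTED sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Consumer mailbox providers: repeated invitations here are unusual for B2B work.
CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}
# Vocabulary of a billing scam, not of a collaboration invite.
LURE_TERMS = ("invoice", "renewed", "billing support", "charge", "refund", "customer number")
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{8,}\d")          # loose embedded phone number
CURRENCY_RE = re.compile(r"\$\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?")  # e.g. $446.46

# Constructed lure text modelled on the campaign; the phone number is a placeholder.
LURE_MESSAGE = (
    "Hello, Your Microsoft 365 annual plan has been renewed and processed. "
    "Invoice amount $446.46. Call Microsoft Billing Support at +1-555-010-0000 "
    "for immediate assistance."
)

# Constructed events (assumed schema): one normal invite, then six lure invites
# sent by the same inviter to consumer mailboxes within 25 minutes.
SAMPLE_EVENTS = [
    {"time": "2025-11-14T12:40:00", "inviter": "pm@corp.example",
     "invitee": "partner@vendor.example",
     "message": "Please join our shared project workspace."},
] + [
    {"time": f"2025-11-14T13:{5 * i:02d}:00", "inviter": "billing-bot@tenant.example",
     "invitee": f"user{i}@gmail.com", "message": LURE_MESSAGE}
    for i in range(6)
]


def message_findings(message):
    """Return the lure indicators present in an invitation's free-text message."""
    found = []
    lowered = message.lower()
    if any(term in lowered for term in LURE_TERMS):
        found.append("billing-lure-terms")
    if PHONE_RE.search(message):
        found.append("phone-number")
    if CURRENCY_RE.search(message):
        found.append("currency-amount")
    return found


def invitation_spikes(events, window=timedelta(hours=1), threshold=5):
    """Map inviter -> peak invitations in any sliding window exceeding threshold."""
    by_inviter = defaultdict(list)
    for event in events:
        by_inviter[event["inviter"]].append(datetime.fromisoformat(event["time"]))
    spiking = {}
    for inviter, times in by_inviter.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            count = end - start + 1
            if count > threshold:
                spiking[inviter] = max(spiking.get(inviter, 0), count)
    return spiking


def review_invitations(events, threshold=5):
    """Return [(invitee, reasons)] for invitations that deserve a human look."""
    spikes = invitation_spikes(events, threshold=threshold)
    flagged = []
    for event in events:
        reasons = message_findings(event["message"])
        domain = event["invitee"].rsplit("@", 1)[-1].lower()
        if domain in CONSUMER_DOMAINS:
            reasons.append("consumer-domain")
        if event["inviter"] in spikes:
            reasons.append(f"inviter-spike:{spikes[event['inviter']]}")
        if reasons:
            flagged.append((event["invitee"], reasons))
    return flagged


if __name__ == "__main__":
    for invitee, reasons in review_invitations(SAMPLE_EVENTS):
        print(f"{invitee}: {', '.join(reasons)}")
```

Each of the three signals is weak on its own (a sales team legitimately invites many externals; a contractor may use a Gmail address), so the script reports reasons rather than verdicts and lets an analyst weigh the combination; the phone-number and currency patterns are the ones worth keeping strict, since neither belongs in a collaboration invitation.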

Seker says organizations should also be “explicitly” covering TOAD threats as part of their company’s security awareness training, ensuring employees are familiar with the ways hackers can “misuse trusted platforms to initiate phone-based social engineering.”

According to Microsoft, millions of organizations worldwide, including about 95% of Fortune 500 companies, currently use Entra ID. In April, Microsoft said Entra's comprehensive identity-as-a-service (IDaaS) solution holds more than a billion user identities.

Microsoft’s Azure Active Directory was renamed Entra ID in July 2023.


