Attackers Continue To Target Trusted Collaboration Platforms: 12,000+ Emails Target Teams Users
Check Point, Thursday, January 22nd, 2026
This report describes a phishing campaign in which attackers abuse Microsoft Teams functionality to distribute phishing content that appears to originate from legitimate Microsoft services. The attack leverages guest invitations and phishing-themed team names to impersonate billing and subscription notifications, encouraging victims to contact a fraudulent support phone number.
The attacker begins by creating a new team in Microsoft Teams and assigning it a malicious, finance-themed name designed to resemble an urgent billing or subscription notice. An example of the naming pattern observed includes content such as:
'Subscription Auto-Pay Notice (Ivoice ID: 2025_614632PPOT_SAG Amount 629. 98 USD). If you did not authorize or complete this m0nthly Payment,plese c0ntact our support team urgently'
To evade automated detection, the attacker embeds obfuscation techniques in the team name, including character substitutions, mixed Unicode characters, and visually similar glyphs. This allows the phishing text to bypass security controls while remaining readable to users.