Microsoft Entra Invitations Hijacked in Surge of TOAD Phishing Attacks

A newly identified phishing campaign is exploiting Microsoft Entra tenant invitation functionality to orchestrate TOAD (Telephone-Oriented Attack Delivery) attacks against unsuspecting users. Commenting on this is Ensar Seker, CISO at SOCRadar:
“This campaign is a prime example of how attackers increasingly repurpose legitimate cloud-native features for malicious purposes. By abusing Microsoft Entra’s guest invitation system, the threat actors bypass traditional email filters and exploit the trust users place in official Microsoft-branded messages. Because the Entra invitations are often whitelisted and routed through Microsoft’s infrastructure, they have higher deliverability and lower suspicion thresholds.
TOAD phishing attacks differ from traditional credential harvesting because they rely on inducing the user to take offline action, usually by calling a phone number. In this case, embedding the phone number within a trusted Microsoft invitation gives the scam an air of legitimacy. Once the victim initiates the call, attackers may request remote access, payment details, or PII under the guise of “fixing” an account issue or refunding a charge.
What makes this campaign particularly dangerous is the convergence of:
- Trusted delivery mechanisms (Microsoft Entra infrastructure)
- Minimal technical indicators (no malicious attachment or link to analyze)
- Social pressure (urgent account issues prompting a phone call)
Traditional email filtering, sandboxing, and EDR tools are less effective here because the initial “payload” is human interaction, not code execution.
Organizations should monitor and audit their Microsoft Entra guest invitation logs for anomalous behaviors such as spikes in external invitations, use of unusual messaging language, or repeated invitations to consumer domains. Security awareness training should explicitly cover TOAD threats and the misuse of trusted platforms to initiate phone-based social engineering.
This is part of a broader trend in adversary-in-the-middle techniques that blend cloud abuse, social engineering, and trust manipulation. It underlines the need for zero trust policies even within SaaS environments, continuous behavioral monitoring, and adaptive email filtering models that account for intent, not just indicators.”
This is an interesting attack, and not in a good way, because it is difficult to defend against. Defences will have to be devised quickly, or this could easily spiral out of control.
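The monitoring advice in the quoted commentary (watch guest-invitation logs for spikes in external invitations, repeated invitations to consumer domains, and unusual message wording) can be turned into a small hunting script. The code below is an added example written for this post, not code from SOCRadar or Microsoft. The record layout is an assumption loosely modelled on Microsoft Graph directoryAudit entries for the "Invite external user" activity; the invitationMessage field, the sample records, the contoso.example/fabrikam.example accounts and the 1-800-555-0142 callback number are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Consumer mailbox domains: repeated invitations here are one of the anomalies
# the commentary suggests watching for.
CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}
# North-American-style phone numbers; extend the pattern for other regions.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URGENCY_RE = re.compile(r"\b(call|charged|refund|suspend\w*|urgent|cancel|within 24 hours)\b", re.I)


def _record(ts, actor, invitee, message):
    """Build one audit record. Layout is an ASSUMPTION loosely modelled on
    Microsoft Graph directoryAudit entries; invitationMessage is illustrative."""
    return {
        "activityDateTime": ts,
        "activityDisplayName": "Invite external user",
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{"userPrincipalName": invitee}],
        "invitationMessage": message,
    }


# Constructed sample log: two benign partner invitations plus a burst of six
# invitations to consumer mailboxes that carry a callback number.
SCAM_TEXT = ("Your subscription has been charged $499.99. "
             "Call 1-800-555-0142 within 24 hours to cancel.")
SAMPLE_AUDIT_LOG = [
    _record("2025-11-17T09:02:00Z", "pm@contoso.example", "alice@fabrikam.example",
            "Welcome to the Q4 planning workspace."),
    _record("2025-11-17T13:40:00Z", "pm@contoso.example", "bob@fabrikam.example",
            "Welcome to the Q4 planning workspace."),
] + [
    _record(f"2025-11-17T15:{10 + 2 * i:02d}:00Z", "svc-mailer@contoso.example",
            f"victim{i}@{'gmail.com' if i % 2 else 'outlook.com'}", SCAM_TEXT)
    for i in range(6)
]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _actor(rec):
    return rec["initiatedBy"]["user"]["userPrincipalName"].lower()


def _invitee(rec):
    return rec["targetResources"][0]["userPrincipalName"].lower()


def find_invitation_bursts(records, window=timedelta(hours=1), threshold=5):
    """Return {actor: peak invitations inside any `window`} for actors whose
    peak reaches `threshold`. Two-pointer sweep over each actor's sorted times."""
    times = defaultdict(list)
    for rec in records:
        if rec["activityDisplayName"] == "Invite external user":
            times[_actor(rec)].append(_ts(rec["activityDateTime"]))
    bursts = {}
    for actor, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[actor] = peak
    return bursts


def consumer_domain_invites(records):
    """Invitations whose invitee mailbox sits on a consumer domain."""
    return [rec for rec in records
            if _invitee(rec).rsplit("@", 1)[-1] in CONSUMER_DOMAINS]


def suspicious_messages(records):
    """Invitation messages carrying a phone number plus urgency wording: the
    TOAD lure itself, since there is no link or attachment to scan."""
    hits = []
    for rec in records:
        msg = rec.get("invitationMessage", "")
        phone = PHONE_RE.search(msg)
        if phone and URGENCY_RE.search(msg):
            hits.append((_actor(rec), _invitee(rec), phone.group(0)))
    return hits


def triage(records, **burst_kwargs):
    """Combine the three checks into one report keyed by inviting account."""
    report = defaultdict(lambda: {"burst_peak": 0, "consumer_invites": 0, "toad_lures": 0})
    for actor, peak in find_invitation_bursts(records, **burst_kwargs).items():
        report[actor]["burst_peak"] = peak
    for rec in consumer_domain_invites(records):
        report[_actor(rec)]["consumer_invites"] += 1
    for actor, _, _ in suspicious_messages(records):
        report[actor]["toad_lures"] += 1
    return dict(report)


if __name__ == "__main__":
    for actor, counts in triage(SAMPLE_AUDIT_LOG).items():
        print(actor, counts)
```

Only the account behind the burst shows up in the report; the project manager's two partner invitations trip none of the checks. The burst threshold and window are deliberately parameters, because a sensible baseline differs between a tenant that onboards contractors daily and one that rarely invites guests at all.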
This entry was posted on November 17, 2025 at 4:24 pm and is filed under Commentary with tags Microsoft. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.