Attackers Leverage Microsoft Teams Notifications To Deliver Callback Phishing Schemes

Cybercriminals are exploiting Microsoft Teams notifications to push callback phishing scams, tricking users into calling fake support lines.

These attacks use legitimate-looking invites from the official Teams sender address, no-reply@teams.mail.microsoft, which often slips past email filters and user caution.

Recent alerts from Trustwave’s SpiderLabs highlight how threat actors create group invites with urgent scam lures like “Fake Invoice – Urgent Payment Required,” “Auto-Renewal Notice – Action Needed,” or “PayPal Unauthorized Charge – Call Now.”

Victims join the group, see the malicious message, and dial the provided numbers to “resolve” fake issues, leading to vishing attacks in which scammers steal credentials or payment information.

This campaign targets Microsoft 365 users, leveraging Teams’ trusted infrastructure. Notifications arrive via email with subject lines mimicking real alerts, such as “You’ve been added to a team.”

The group name embeds the phishing bait, and the description pressures quick action: “If this charge wasn’t yours, call support immediately to cancel.”

Because the email originates from Microsoft’s mail domain (teams.mail.microsoft), spam filters rarely flag it, and DKIM and SPF checks pass as valid.

Once engaged, attackers use social engineering during the call, posing as billing support to harvest sensitive data.

How The Attack Evades Detection

Technically, attackers abuse Teams’ invitation system without needing admin access. They register free Microsoft accounts, create scam-named teams, and send invites en masse.

The no-reply@teams.mail.microsoft sender uses Microsoft’s SES (Simple Email Service) infrastructure, ensuring high deliverability.

Email headers show legitimate paths: Received headers trace to Microsoft’s IP ranges (e.g., 40.97.0.0/16), fooling reputation-based filters like Mimecast or Proofpoint.

No malware is delivered; it’s pure callback phishing, or a “quishing-vishing hybrid.”

Victims who call the numbers encounter live operators who request OTPs, credit card details, or remote access.

This low-tech method scales easily, with no need for exploits. SpiderLabs observed spikes in November 2025, which they linked to broader smishing trends.

Indicators Of Compromise and Mitigation Steps

Security teams should block these scam numbers, monitor Teams invites, and train users to verify via official channels, not links or calls.

Scam Phone Number | Country Code | Reported Activity
+1-983-220-2463 | US | Fake invoice support
+1-810-221-5391 | US | Auto-renewal scam
+1-805-331-8539 | US | PayPal claim fraud
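One way to monitor Teams invites for this pattern, as an added example that is not from the article or from SpiderLabs: a mail-triage check that keys on the message content, since the sender and authentication results are legitimate. The function names, the keyword list, the US-number normalisation and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

TEAMS_SENDER = "no-reply@teams.mail.microsoft"  # sender address named in the article
# Numbers from the article's table, normalised to digits only.
KNOWN_SCAM_NUMBERS = {"19832202463", "18102215391", "18053318539"}
# Assumed keyword list, built from the lure wording quoted in the article.
LURE_TERMS = ("invoice", "auto-renewal", "unauthorized charge",
              "payment required", "call now", "call support")
PHONE_RE = re.compile(r"\+?\d[\d ().-]{8,}\d")

def extract_numbers(text):
    """Return phone-like strings as digits only (10-digit numbers get a US '1')."""
    found = set()
    for match in PHONE_RE.findall(text):
        digits = re.sub(r"\D", "", match)
        if len(digits) == 10:
            digits = "1" + digits
        if 11 <= len(digits) <= 15:
            found.add(digits)
    return found

def triage_teams_invite(raw_message):
    """Classify one raw email as 'ignore', 'allow', 'review' or 'block'."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender != TEAMS_SENDER:
        return {"verdict": "ignore", "numbers": set(), "lures": []}
    # SPF/DKIM pass for these messages, so the content is the only usable signal.
    body = msg.get_body(preferencelist=("plain", "html"))
    content = body.get_content() if body is not None else ""
    text = f"{msg.get('Subject', '')}\n{content}".lower()
    numbers = extract_numbers(text)
    lures = [term for term in LURE_TERMS if term in text]
    if numbers & KNOWN_SCAM_NUMBERS:
        verdict = "block"
    elif numbers and lures:
        verdict = "review"  # a phone number plus billing pressure in an invite
    else:
        verdict = "allow"
    return {"verdict": verdict, "numbers": numbers, "lures": lures}

def sample_invite(team_name, description=""):
    """Build a constructed notification; real Teams emails are multipart HTML."""
    return ("From: Microsoft Teams <no-reply@teams.mail.microsoft>\n"
            "Subject: You've been added to a team\n"
            "Content-Type: text/plain; charset=utf-8\n\n"
            f'You have been added to "{team_name}".\n{description}\n')
```

A "review" verdict is a routing decision for an analyst or quarantine queue, not proof of fraud, because legitimate team names can also contain phone numbers.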
Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
