The TOAD phishing campaign has emerged as a serious threat targeting users of Microsoft Entra. Cybercriminals send guest-invite emails that appear legitimate but actually carry fake invoices and instructions to call malicious numbers. This tactic combines cloud identity abuse with telephone-oriented attack delivery and demands immediate defensive action.


How the attack works

Attackers exploit the guest-invitation feature in Microsoft Entra ID (formerly Azure Active Directory). The feature allows organisations to invite outside users for secure collaboration. Bad actors craft invites that look like they come from a trusted source.
The invitation arrives via email, claims a bill or invoice is owed, and instructs the recipient to call a phone number. The moment the call begins, the scammer impersonates a finance or support representative. They then pressure the target into giving sensitive information, installing software or granting access to systems. This style of exploitation is known as Telephone-Oriented Attack Delivery (TOAD).
By using Entra guest-invite functionality, attackers bypass typical email security filters. The message appears as a valid invitation because it uses legitimate messaging infrastructure. As a result, the phishing attempt drops into the inbox without raising usual red flags.


Why this matters

This TOAD phishing campaign poses elevated risks. First, the use of fake invoices and trusted cloud invites offers high social-engineering effectiveness. Targets believe they deal with a genuine finance team.
Second, the campaign bridges digital and telephone channels. Attackers obtain live voice interaction, which dramatically increases their ability to manipulate victims. The call enables them to exert urgency, emotion and authority—a hallmark of advanced social engineering.
Third, the exploitation of Microsoft Entra invite workflows exposes organisations that rely on guest-access models. Collaboration features aimed at convenience become an access point for malicious actors.
Finally, once attackers succeed, they can gain footholds in identity systems, leading to wider access and data theft. Any organisation using Entra ID must treat this campaign as a direct threat.


Recommendations for organisations

  • Review guest-invite workflows in Microsoft Entra. Limit automatic invitation capabilities and verify invitees.
  • Train staff to treat invoice requests and calls with caution. Confirm via separate channels whether the request is genuine.
  • Enforce multi-factor authentication (MFA) and monitor unusual telephone-based interactions tied to access requests.
  • Segment access for guest accounts. Ensure they cannot reach critical identity or infrastructure systems without further validation.
  • Monitor for signs of voice-based manipulation and review logs of phone calls tied to invite workflows.
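As an added illustration of the monitoring recommendations above (this is example code, not from the article or from Microsoft), the following heuristic flags inbound mail that combines the three traits the campaign relies on: an Entra guest-invitation envelope, invoice or payment language, and a phone number to call. The sample messages and the `invites@microsoft.com` sender check are constructed assumptions for the demonstration.

```python
import re

# Constructed sample messages (not from the original article) modelled on the
# scenario it describes: a guest invitation whose custom message carries an
# invoice claim and a callback number, beside two benign messages.
SAMPLE_MESSAGES = [
    {"from": "invites@microsoft.com",
     "subject": "You're invited to access applications in the Contoso-Billing organization",
     "body": "Contoso-Billing has invited you. Message: Invoice #4471 is OVERDUE. "
             "Call +1 (555) 010-2233 within 24 hours to avoid suspension."},
    {"from": "invites@microsoft.com",
     "subject": "You're invited to access applications in the Fabrikam organization",
     "body": "Fabrikam has invited you to collaborate on the Q3 design review."},
    {"from": "ap@vendor.example",
     "subject": "Invoice 1190",
     "body": "Attached is invoice 1190, due in 30 days. Reply to this thread with questions."},
]

# Assumed invitation markers; adjust to the invite template your tenant actually receives.
INVITE_SENDER = "invites@microsoft.com"
INVITE_PHRASE = "has invited you"
INVOICE_WORDS = re.compile(r"\b(invoice|bill|payment|overdue|past due)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(immediately|within \d+ hours?|suspend\w*|urgent)\b", re.I)
# A loose phone-number shape: a digit, 8+ digits/separators, a closing digit.
PHONE_RE = re.compile(r"(\+?\d[\d\s().-]{8,}\d)")

def score_message(msg):
    """Return (score, reasons) listing which TOAD traits the message shows."""
    text = f"{msg['subject']} {msg['body']}"
    reasons = []
    if msg["from"].lower() == INVITE_SENDER or INVITE_PHRASE in text.lower():
        reasons.append("entra_guest_invite")
    if INVOICE_WORDS.search(text):
        reasons.append("invoice_language")
    if PHONE_RE.search(text):
        reasons.append("phone_number_in_invite")
    if URGENCY_WORDS.search(text):
        reasons.append("urgency")
    return len(reasons), reasons

def triage(messages):
    """Return (index, score, reasons) for messages showing the full pattern:
    guest invite AND invoice language AND a phone number. Urgency raises the score
    but is not required, since a legitimate invoice can also be overdue."""
    required = {"entra_guest_invite", "invoice_language", "phone_number_in_invite"}
    flagged = []
    for i, msg in enumerate(messages):
        score, reasons = score_message(msg)
        if required <= set(reasons):
            flagged.append((i, score, reasons))
    return flagged
```

Only the first sample is flagged; the plain invite and the ordinary vendor invoice each show a single trait, which is the separation a mail-flow rule or SIEM query built on these traits needs.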

Recommendations for individuals

  • Never call a phone number provided in an unsolicited invite or invoice without verifying it.
  • If you receive an invoice tied to a guest invite, cross-check the sender via your usual finance or vendor contact.
  • Look out for invites that pressure you to act quickly or appear overly urgent. Legitimate invoices allow time to verify.
  • Report suspicious invites and document the interaction for your IT or security team to review.

Conclusion

The TOAD phishing campaign targeting Microsoft Entra guest-invite workflows marks a sophisticated step in phishing threats. By combining trusted collaboration invitations with fake invoices and telephone contact, attackers increase their odds of success dramatically. Organisations must strengthen guest-access management, train users, and monitor unusual communications. Individuals must verify unexpected calls and invoices. Prompt action will help prevent the campaign from turning into full-scale breaches.

