Skip to Content

Hackers Exploit Microsoft Teams with Finance‑Themed Invitations to Bypass Phishing Links

Hackers are creating finance‑themed Microsoft Teams groups with obfuscated names to trick users into phone‑based social engineering, avoiding traditional phishing links. Learn the tactics, red flags, and prevention steps.
28 January 2026 by
TechStora Editorial Board

Overview

Recent research from Check Point reveals a new campaign that leverages legitimate Microsoft Teams features to target users without using traditional phishing links or malware attachments. Attackers create finance‑related or urgent‑billing Teams, using obfuscation techniques to slip past automated detection.

How the Attack Works

The malicious workflow consists of three main steps:

  • Hackers set up a new Teams channel with a name that mimics invoices, payment amounts, or billing alerts. They embed mixed Unicode characters or visually similar symbols to hide the deception.
  • Victims receive an invitation or message that appears to come from Microsoft, urging them to call a “support” number to resolve the supposed billing issue.
  • During the call, attackers attempt to extract login credentials, MFA codes, or other sensitive information that can be used to compromise corporate email accounts.

Red Flags & Detection

Because the attack avoids links, traditional URL‑based filters are ineffective. Instead, focus on visual and contextual cues:

  • Team names containing payment amounts, invoice numbers, phone numbers, or unusual spacing.
  • Obfuscated characters (e.g., mixed Cyrillic/Latin letters) or large‑font displays designed to draw attention.
  • Unexpected invitations from unknown senders, especially if they request a phone call.

Prevention & Mitigation

Organizations should combine technical controls with user education:

  • Enable conditional access policies that require MFA for any sign‑in from Teams guest access.
  • Deploy email and endpoint security solutions that flag unusual Teams invitations.
  • Conduct regular security awareness training highlighting the specific red flags of this campaign.
  • Establish a clear reporting procedure for suspicious Teams invitations.

Impact & Statistics

Check Point’s analysis shows the campaign affected multiple sectors, with the United States accounting for 68% of incidents. Europe (15.8%) and Asia (6.4%) follow, while Brazil and Mexico together represent over 75% of activity in Latin America.

Conclusion

Even with firewalls and advanced security tools, attackers can exploit trusted collaboration platforms like Microsoft Teams. Vigilance, staff awareness, and rapid reporting remain the strongest defenses against this finance‑themed, link‑less phishing technique.