According to Windows Report, security researchers at SpiderLabs have uncovered an ongoing and effective phishing campaign that directly targets Microsoft Teams users. The attack works by creating malicious Teams groups with convincing names, which then triggers automatic notification emails from Microsoft’s official @teams.microsoft.com domain. These fake alerts claim to be about urgent PayPal payments, auto-renewal charges, or invoice disputes, pressuring the recipient to immediately call provided support numbers like 1-983-220-2463. When victims call, scammers posing as support staff attempt to steal login credentials and payment information, and even to gain remote access to their devices. The technique is particularly dangerous because it bypasses traditional email security filters that look for malicious links or attachments.
The sneaky mechanics of the scam
Here’s the thing that makes this so clever: it weaponizes a trusted, automated system. The hackers aren’t sending phishing emails themselves. Instead, they add a target user to a malicious Teams group they control. Microsoft’s platform, doing its normal job, then sends a legitimate notification email from its official domain. That email genuinely comes from Microsoft’s servers. The social engineering is all in the group’s name and the message preview. You get an email from a sender you trust, with a subject line screaming about a fraudulent $499 charge you need to dispute. The pressure is immediate. And because the “action” is to call a phone number, there’s no malicious link for security software to scan and block. It’s pure, old-school phone scamming, but with a modern, trusted delivery mechanism.
Why this is a nightmare to defend against
This campaign highlights a brutal trade-off in security. We’ve spent years training users and building filters to spot dodgy emails from strange addresses with suspicious links. This attack bypasses all of that. The email is from a whitelisted, legitimate Microsoft subdomain. There’s no link to analyze. The payload is a voice on the phone, which is much harder for automated systems to intercept. The defense now shifts almost entirely to human vigilance and post-event monitoring. Administrators have to watch for weirdly-named Teams groups being created. Users have to resist that powerful urge to panic and call the number in the email. It’s a stark reminder that as we lock down one vector, attackers just get creative and pivot to another.
What you and your company can do
So, what’s the move? For individuals, the rule is simple but hard: never, ever call a number from an unsolicited message about a charge or problem. If you get a Teams notification about a PayPal issue, go directly to the PayPal website or app yourself and check. Same for any service. Scammers rely on you bypassing the official channel in a moment of panic. For IT admins, the recommendations from researchers are crucial. You need to monitor Teams audit logs for a surge in new groups with financial names. You can implement governance rules to restrict group naming conventions. And you should train your team specifically on this callback phishing tactic. It’s a layered defense, because frankly, no single filter is going to catch this. For more detailed analysis on the campaign’s mechanics, security pros can dive into the findings here. Stay skeptical out there.
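An added example, not from the article or from SpiderLabs, of the audit-log monitoring the researchers recommend: it scans constructed records shaped like a Microsoft 365 unified audit log export for newly created teams whose names combine financial terms, a phone number and urgency wording, and separately flags any single creator making several teams in a short window. The record field names (Operation, CreationTime, AuditData.TeamName, AuditData.UserId) are assumptions about the export schema.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample records shaped like a Microsoft 365 unified audit log export.
# Field names are an assumption about the export schema; adjust to your tenant's data.
SAMPLE_RECORDS = [
    {"CreationTime": "2025-05-01T09:00:12", "Operation": "TeamCreated",
     "AuditData": json.dumps({"TeamName": "Q3 Marketing Planning", "UserId": "alice@example.com"})},
    {"CreationTime": "2025-05-01T09:10:40", "Operation": "TeamCreated",
     "AuditData": json.dumps({"TeamName": "URGENT: PayPal charge $499 - call 1-555-010-2463",
                              "UserId": "guest_attacker@example.net"})},
    {"CreationTime": "2025-05-01T09:14:03", "Operation": "TeamCreated",
     "AuditData": json.dumps({"TeamName": "Auto-renewal invoice dispute, support 1-555-010-2463",
                              "UserId": "guest_attacker@example.net"})},
    {"CreationTime": "2025-05-01T09:20:55", "Operation": "TeamCreated",
     "AuditData": json.dumps({"TeamName": "Payment failed - action required 1-555-010-2464",
                              "UserId": "guest_attacker@example.net"})},
    {"CreationTime": "2025-05-01T09:21:10", "Operation": "MemberAdded",  # not a creation; ignored
     "AuditData": json.dumps({"TeamName": "Payment failed - action required 1-555-010-2464",
                              "UserId": "guest_attacker@example.net"})},
    {"CreationTime": "2025-05-01T10:05:00", "Operation": "TeamCreated",
     "AuditData": json.dumps({"TeamName": "Payment Ops weekly sync", "UserId": "bob@example.com"})},
]

FINANCIAL = re.compile(r"\b(paypal|invoice|payment|auto[- ]?renew\w*|charge|refund|dispute)\b", re.I)
PHONE = re.compile(r"\b1?[-. ]?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")  # North American style number
URGENCY = re.compile(r"\b(urgent|immediately|call|action required|failed)\b", re.I)

def name_indicators(name):
    """Return the callback-phishing traits present in a team name, in a fixed order."""
    checks = [("financial-term", FINANCIAL), ("phone-number", PHONE), ("urgency", URGENCY)]
    return [label for label, rx in checks if rx.search(name)]

def team_creations(records):
    """Yield (time, creator, team name) for every TeamCreated record."""
    for r in records:
        if r.get("Operation") == "TeamCreated":
            data = json.loads(r["AuditData"])
            yield datetime.fromisoformat(r["CreationTime"]), data.get("UserId", "?"), data.get("TeamName", "")

def flag_suspicious_teams(records, min_indicators=2):
    """Flag teams showing at least min_indicators traits; a lone word like 'payment' is normal business."""
    hits = []
    for t, who, name in team_creations(records):
        ind = name_indicators(name)
        if len(ind) >= min_indicators:
            hits.append({"time": t.isoformat(), "creator": who, "team": name, "indicators": ind})
    return hits

def creation_surge(records, window=timedelta(hours=1), threshold=3):
    """Return creators who made at least `threshold` teams inside any span of length `window`."""
    by_creator = {}
    for t, who, _ in team_creations(records):
        by_creator.setdefault(who, []).append(t)
    surging = []
    for who, times in by_creator.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window for i in range(len(times) - threshold + 1)):
            surging.append(who)
    return surging
```

Run against a real export, the two signals are worth correlating: a creator who both surges and names teams with financial bait is the pattern described in the campaign, while a single "Payment Ops" team from a known employee stays below the threshold.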
