In early December 2025, cybersecurity researchers sounded the alarm over a new phishing campaign that weaponizes Microsoft Teams’ notification system. The campaign, described by multiple security outlets, doesn’t rely on malicious links or attachments — instead, it uses the trust people place in Teams notifications to trick victims into calling fraudulent support numbers.

How the Attack Works

  • Attackers add users to Teams groups with deceptive names, such as “Invoice — PayPal Payment,” “Auto-Renewal Notice,” or “Unauthorized Charge Alert.”

  • The addition triggers a notification email from what appears to be a legitimate Teams domain (for example, from [email protected]), a sender that’s often trusted by both users and email filters.

  • The notification urges the user to call a support number if they did not authorize the “charge,” creating urgency and panic.

  • When the victim calls the provided “support” number, they reach real scammers, who — using social-engineering techniques — try to extract payment card details, account credentials, or other sensitive information.

Unlike traditional phishing that relies on clicking malicious links, this campaign uses voice-based social engineering. By triggering a phone call from a seemingly legitimate “Microsoft Teams” notification, attackers exploit human trust — and often bypass filters that would catch malicious links.

Why This Attack Is Especially Dangerous

  • Trusted channel, trusted sender: Notifications come from a legitimate Teams infrastructure/domain — which lowers suspicion and often bypasses email filters.

  • No malicious attachments or links needed: Because the attack uses phone calls rather than link-based payloads, standard anti-phishing tools focusing on malicious URLs or attachments may miss it.

  • Psychological pressure + urgency: By framing the alert as a looming financial issue — unauthorized payment, invoice overdue — attackers leverage fear and urgency to push victims into action (and compliance).

  • Social engineering sophistication: Once on the line with victims, attackers rely on human manipulation rather than technical exploits. That makes defenses like firewalls or malware detection largely irrelevant.

Moreover, this campaign illustrates a broader evolution in phishing: attackers are increasingly using legitimate enterprise tools — not malware or zero-day exploits — to carry out fraud, because users trust such platforms.

What’s Changed (Why Now)

This attack arrives at a time when vulnerabilities in Teams — particularly around impersonation, message manipulation, and notification spoofing — have been exposed. Researchers at Check Point Research discovered multiple flaws that allowed attackers to forge identities, manipulate messages, and spoof notifications within Teams.

Although many of those vulnerabilities were patched (via updates culminating in October 2025) — including the notification-spoofing flaw tracked as CVE-2024-38197 — the callback-phishing campaign shows that attackers don’t necessarily need technical vulnerabilities to succeed. They can simply use social engineering and the inherent “trust” in collaboration tools.

What Organizations and Users Should Do

  • Be skeptical of unsolicited Teams-group invitations or notifications, especially those referencing financial matters (invoices, auto-renewals, “unauthorized charges,” etc.).

  • Verify urgent payment or support requests through official channels — don’t call phone numbers embedded in Teams notifications. Instead, contact your organization’s known support desk or payment processor using verified contact info.

  • Review Teams group memberships regularly, and be cautious about being added to unfamiliar groups — particularly if the group’s name seems unrelated to your role or responsibilities.

  • Educate employees about callback phishing: Many phishing defenses focus on malicious links and attachments — but social engineering via voice is increasingly common and often overlooked.

  • Strengthen email and notification filtering policies, and if possible, require manual approval for Teams invitations from external or unknown groups.
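The filtering recommendation above is easier to act on with a concrete rule set. The script below is an added example, not code from the article or from Microsoft: it triages "you were added to a team" notification emails for the pattern the article describes (a financial lure in the group name, a phone number plus a request to call, urgency language, all delivered through a trusted notification sender). The sender domain `teams-notify.example`, the sample messages and the term lists are constructed placeholders; substitute the sender domain you actually observe in your tenant's notification headers.

```python
"""Triage Teams group-invitation notification emails for callback-phishing indicators.

Added example for this article (not Microsoft's or any vendor's code). The sender
domain, the sample messages and the term lists are constructed placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumption: placeholder for the Teams notification sender domain. Replace with the
# domain seen in your own tenant's notification headers.
TEAMS_SENDER_DOMAINS = ("teams-notify.example",)

# Lure terms modelled on the group names the article describes, plus common variants.
FINANCIAL_LURE_TERMS = ("invoice", "auto-renewal", "unauthorized charge", "payment",
                        "overdue", "refund")
URGENCY_TERMS = ("within 24 hours", "immediately", "did not authorize", "unauthorized")
CALL_VERB = re.compile(r"\b(?:call|phone|dial)\b", re.IGNORECASE)
# North American 3-3-4 numbers with an optional country code and common separators.
PHONE_NUMBER = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")

# Constructed sample notifications (not real captures); the phone number is a
# reserved fictional 555 number.
SAMPLE_NOTIFICATIONS = [
    {"from": "noreply@teams-notify.example",
     "subject": "You've been added to Invoice - PayPal Payment",
     "body": "An unauthorized charge of $489.99 was processed. If you did not "
             "authorize this, call support at 1-800-555-0142 within 24 hours."},
    {"from": "noreply@teams-notify.example",
     "subject": "You've been added to Q3 Platform Migration",
     "body": "Alice added you to the team. Say hello!"},
    {"from": "billing@partner.example",
     "subject": "Auto-Renewal Notice",
     "body": "Your subscription renews next month. Manage it in your account portal."},
]

FLAG_THRESHOLD = 4


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)
    phone_numbers: list[str] = field(default_factory=list)


def score_notification(msg: dict) -> Verdict:
    """Score one notification; higher means closer to the callback-phishing pattern."""
    v = Verdict()
    subject = msg["subject"].lower()
    body = msg["body"].lower()
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()

    # The lure lives in the group name, which Teams places in the subject line.
    if any(t in subject for t in FINANCIAL_LURE_TERMS):
        v.score += 1
        v.reasons.append("financial lure in group name/subject")
        # A legitimate Teams sender only raises risk when paired with a lure,
        # because ordinary invitations arrive from the same address.
        if sender_domain in TEAMS_SENDER_DOMAINS:
            v.score += 1
            v.reasons.append("trusted Teams notification sender carrying a lure")

    # The attack needs the victim to place a call: phone number plus a call verb.
    v.phone_numbers = PHONE_NUMBER.findall(msg["body"])
    if v.phone_numbers and CALL_VERB.search(body):
        v.score += 2
        v.reasons.append("asks recipient to call a phone number")

    if any(t in body for t in URGENCY_TERMS):
        v.score += 1
        v.reasons.append("urgency language")
    return v


def is_callback_phishing(v: Verdict) -> bool:
    return v.score >= FLAG_THRESHOLD


def triage(messages: list[dict]) -> list[tuple[str, Verdict]]:
    """Score every message; returns (subject, verdict) pairs for routing or logging."""
    return [(m["subject"], score_notification(m)) for m in messages]


if __name__ == "__main__":
    for subject, verdict in triage(SAMPLE_NOTIFICATIONS):
        flag = "FLAG" if is_callback_phishing(verdict) else "ok  "
        print(f"{flag} score={verdict.score} {subject!r} reasons={verdict.reasons}")
```

The threshold is deliberately set so that a Teams invitation with a financial-sounding group name alone is not flagged (it scores 2); only the combination with a phone number and a request to call reaches the threshold, which keeps ordinary invitations from finance or billing teams out of the quarantine queue while still catching the lure-plus-callback pattern. The `reasons` list is what an analyst sees, so the rule can be tuned without reading the regex.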

Why This Attack Should Serve as a Warning

The use of collaboration platforms for callback phishing demonstrates a shift in attacker strategy: leveraging human trust and legitimate infrastructure rather than exploiting code vulnerabilities or dropping malware. As more organizations rely on unified communication tools like Teams, the attack surface expands — especially around user behavior and trust.

This campaign is a stark reminder that the weakest link in security is often human trust, not technology vulnerabilities. Even a well-configured network, a patched application, and advanced email filtering can be undermined if users are fooled into placing a phone call to a scammer.

Final Thoughts

As enterprise tools become more integrated and trusted, attackers will continue to evolve — shifting from malware, links, or code exploits to voice-based social engineering, notification spoofing, and manipulation of human trust. The recent Teams-based callback phishing campaign shows just how subtle and dangerous such attacks can be.

The response must be equally holistic: technical defenses, yes — but also user education, strict group-invitation policies, and a culture of verifying unexpected requests. Because when human trust becomes the attack vector — that’s when even the most secure systems can be breached.