Security researchers have uncovered a sophisticated phishing campaign that turns Microsoft 365's own collaboration features into attack vectors, using legitimate group invitations, calendar entries, and cloud authentication workflows to breach corporate environments. The campaign, first spotted in early 2026, marks a dangerous escalation in social engineering by weaponizing the very tools employees are trained to trust.
Unlike traditional phishing emails that rely on spoofed domains or malicious attachments, this campaign abuses genuine Microsoft 365 functionality. Attackers create or compromise Microsoft 365 Groups and then use the platform's built-in notification system to send victims realistic meeting invitations, file-sharing alerts, and group membership confirmations—all coming from legitimate Microsoft infrastructure.
The abuse of Microsoft 365 Groups is particularly insidious. When an attacker adds a target to a group, Microsoft automatically sends a welcome email with the group's name, description, and a link to view conversations. By naming a group something like "Finance Q4 Review" or "IT Security Update," the attacker can craft a message that appears urgent and relevant. These notifications bypass many spam filters because they originate from Microsoft's own IP addresses and pass SPF, DKIM, and DMARC checks without issue.
How the Attack Chain Unfolds
The campaign typically begins with reconnaissance. Attackers scrape professional networking sites or buy leaked credential dumps to identify employees at targeted organizations. They then either create new Microsoft 365 Groups in a tenant they control or, more commonly, use compromised accounts to create groups inside a trusted domain. Once the group exists, they add the victim's address as a member, which is what triggers Microsoft's welcome notification.
The victim receives a polished email notification that looks exactly like a standard Microsoft 365 group invitation. The message might read: "You've been added to the 'Executive Strategy Session' group. Join the conversation and access shared files." Included is a link to view the group on Outlook on the web or a SharePoint site.
Clicking the link often leads to a realistic SharePoint page or an Outlook web login screen, neither of which looks suspicious at first glance. The page either captures credentials or starts an OAuth consent prompt for a third-party application that asks for permission to read mail, files, and contacts. If the user clicks Accept, the attacker's application receives tokens for the victim's account without the attacker ever learning the password, and without triggering MFA, because the consent is granted inside a session that is already authenticated.
Calendar Invites as Phishing Delivery
Another variant leverages Outlook calendar invitations directly. Because most enterprise users routinely accept meeting requests, these invites feel safe. The attacker sends a calendar invite from a compromised account or a lookalike external address; the invitation contains a link to a "pre-read document" or a "Teams meeting link" that redirects to a credential harvesting page.
Because the invitation travels as a text/calendar part (the .ics attachment), some secure email gateways don't inspect its body as closely as they do the message body. Once accepted, the malicious link sits in the calendar, where the reminder resurfaces it at meeting time, long after any gateway scan and at the moment the user expects to click a meeting link.
OAuth Device Code Flow Abuse
A technically savvy branch of this campaign abuses the OAuth 2.0 device authorization grant (the "device code flow" built for smart TVs, command-line tools, and other devices without a browser). The attacker's client first requests a code pair from Microsoft's device code endpoint and receives a short user code plus a long device code that never leaves the attacker. The email then urges the victim to sign in to a "secure document portal" by opening the genuine Microsoft device login page and entering the user code. The victim authenticates, MFA included, on a real Microsoft page; meanwhile the attacker's client polls the token endpoint with the device code and, once the victim has signed in, receives access and refresh tokens that grant persistent access to the victim's mailbox, OneDrive, and more. One constraint shapes the lure: Microsoft's device code expires after about 15 minutes, so the email has to be sent, read, and acted on inside that window, which is why these messages push urgency so hard.
This technique has been used in the past by state-sponsored groups, but its incorporation into a broad phishing wave is new. Because the victim completes the login on a legitimate Microsoft page, and the attack uses standard OAuth protocols, it's extremely difficult for end users to detect.
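To make the three-party exchange concrete, here is the device authorization grant simulated end to end in Python. This is an added example, not code from the article or from any campaign: the authorization server is an in-process stand-in for Microsoft's real endpoints (the URLs are listed for reference only and are never contacted), the client ID, victim address and lure text are constructed, and the 900-second code lifetime is the default `expires_in` the Microsoft identity platform returns.

```python
"""Device authorization grant (RFC 8628) as the lure above uses it, simulated offline.

Added example, not the article's code. MockAuthServer stands in for Microsoft's
/devicecode and /token endpoints and the device login page; the clock is manual so
the code expiry can be exercised. Every identifier and lure string is constructed.
"""
import secrets
import string

# Real Microsoft identity platform endpoints, listed for reference only; never contacted here.
DEVICECODE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/devicecode"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
VERIFICATION_URI = "https://microsoft.com/devicelogin"
CODE_LIFETIME = 900  # seconds; the default expires_in Microsoft returns
POLL_INTERVAL = 5    # seconds; the default interval Microsoft returns


class FakeClock:
    """Manual clock so the example can jump past the code's expiry."""
    def __init__(self, start=1_770_000_000.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds


class MockAuthServer:
    """Stand-in for the device code endpoint, the token endpoint and the device login page."""
    def __init__(self, clock):
        self.clock = clock
        self.pending = {}  # device_code -> authorization record

    def devicecode(self, client_id, scope):
        """Step 1 (attacker's client): request a code pair. Only user_code is shown to the victim."""
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        device_code = secrets.token_urlsafe(32)
        self.pending[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                     "expires_at": self.clock.now + CODE_LIFETIME, "subject": None}
        return {"device_code": device_code, "user_code": user_code, "verification_uri": VERIFICATION_URI,
                "expires_in": CODE_LIFETIME, "interval": POLL_INTERVAL}

    def devicelogin(self, user_code, upn):
        """Step 2 (victim): type the code on the genuine Microsoft page and sign in with their own
        credentials and MFA. Nothing on this page is forged, which is why the lure works."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code:
                if self.clock.now > rec["expires_at"]:
                    return {"error": "expired_token"}
                rec["subject"] = upn
                return {"status": "ok"}
        return {"error": "invalid_user_code"}

    def token(self, client_id, device_code):
        """Step 3 (attacker's client): poll with device_code until the victim has signed in."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "bad_verification_code"}
        if self.clock.now > rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["subject"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"token_type": "Bearer", "scope": rec["scope"], "expires_in": 3600,
                "access_token": "constructed.at." + secrets.token_urlsafe(8),
                "refresh_token": "constructed.rt." + secrets.token_urlsafe(8),
                "subject": rec["subject"]}


def run_lure(victim_delay, victim="alice@corp.example"):
    """Drive all three parties. victim_delay: seconds after the code is issued at which the victim
    enters it (None = never). Returns the lure text, the first poll and the final token response."""
    clock = FakeClock()
    server = MockAuthServer(clock)
    client_id = "00000000-0000-0000-0000-00000000beef"  # constructed public client id
    grant = server.devicecode(client_id, "openid offline_access Mail.Read Files.Read.All")
    # Constructed lure text; the code the victim is told to type is the genuine user_code.
    lure = f"Open {grant['verification_uri']} and enter code {grant['user_code']} to view the document."
    first_poll = server.token(client_id, grant["device_code"])  # authorization_pending
    if victim_delay is None:
        clock.advance(CODE_LIFETIME + 1)
    else:
        clock.advance(victim_delay)
        server.devicelogin(grant["user_code"], victim)
    clock.advance(grant["interval"])
    return {"lure": lure, "first_poll": first_poll, "final": server.token(client_id, grant["device_code"])}
```

`run_lure(120)` ends with a Bearer token and a refresh token for the victim, while `run_lure(None)` or any delay longer than `CODE_LIFETIME` ends in `expired_token`, which is the constraint that drives the urgency in the real emails. On the defensive side, the victim's sign-in is recorded in the Entra sign-in log with the device code authentication protocol, a field worth alerting on for accounts that have never used that flow.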
Why This Campaign Is Hard to Stop
Traditional email security tools focus on malicious links, attachments, and sender reputation. When the email originates from Microsoft's own notification system, those filters are largely blind. The campaign also relies on links to sharepoint.com, outlook.com, and other Microsoft-owned domains, which are typically allow-listed in corporate environments.
Moreover, the phishing pages often live on legitimate cloud services—SharePoint Online, OneDrive, or even Google Sites—making domain-based blocking impractical. Attackers can register new groups with benign-sounding names in minutes and rotate them rapidly, outpacing threat intelligence feeds.
Real-World Impact on Enterprises
Early reports indicate that organizations in finance, legal, and healthcare are being targeted heavily. In one documented case, an executive at a mid-sized bank approved an OAuth application after receiving what appeared to be an internal calendar invite. The attackers gained read access to sensitive merger discussions and leaked them to the press. In another incident, a hospital's IT department was tricked into granting file-sharing permissions that exposed patient records.
These breaches are not just about data theft. The campaign is also being used for business email compromise (BEC), where attackers silently forward emails from compromised accounts to intercept invoice payments or redirect wire transfers. Because the access is obtained through sanctioned mechanisms, a consented application or a valid token rather than a break-in, it can take weeks before security teams notice the unauthorized access.
Defensive Strategies for Security Teams
Detecting and blocking this threat requires a layered approach beyond standard email filtering.
Monitor Microsoft 365 Group Creation and Membership Changes
Alert on group creation, especially by non-admin users, newly created accounts, or accounts with recent risky sign-ins, and consider restricting who may create Microsoft 365 Groups at all through the group settings in Microsoft Entra ID. In the unified audit log the relevant operations are "Add group." and "Add member to group."; track them and correlate them with mail flow and mailbox-rule events. Anomalous naming (lure-like names such as "Finance Q4 Review" or "IT Security Update", random-looking names, or a burst of new groups from one account) warrants immediate investigation.
Restrict OAuth Consent and Application Permissions
By default, users can consent on their own to applications from verified publishers that request only low-impact permissions. Tighten this in Microsoft Entra ID (formerly Azure AD): either disable user consent entirely or turn on the admin consent workflow so that any request for permissions that read mail or files (Mail.Read, Files.Read.All and similar) is routed to a reviewer instead of being granted on the spot. Also review existing consented applications for unverified publishers, apps registered in other tenants, and permission sets wider than the app's stated purpose, and revoke the grants that fail that review.
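The review of existing grants can be scripted. The following Python is an added example, not the article's or Microsoft's code: it scores consent grants over records constructed in the shape of Microsoft Graph `oauth2PermissionGrants` and `servicePrincipals` objects (a subset of their fields), with a constructed home tenant ID and constructed app names. The one real identifier is the Microsoft Services tenant ID that first-party Microsoft applications carry in `appOwnerOrganizationId`.

```python
"""Triage of existing OAuth consent grants in a Microsoft 365 tenant.

Added example, not the article's code. Records are constructed in the shape of
Microsoft Graph oauth2PermissionGrants and servicePrincipals objects (subset of
fields); a real run would page them from Graph into the same structures.
"""

# Tenant under which Microsoft first-party applications are registered (real value).
MICROSOFT_SERVICES_TENANT = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"
HOME_TENANT = "11111111-2222-3333-4444-555555555555"  # constructed

# Delegated scopes that let an app read or move mail, files or contacts on the user's behalf.
HIGH_IMPACT = {"Mail.Read", "Mail.ReadBasic", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
               "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
               "Contacts.Read", "User.Read.All"}

SERVICE_PRINCIPALS = {  # constructed, keyed by servicePrincipal id
    "sp-teams": {"appDisplayName": "Microsoft Teams", "appOwnerOrganizationId": MICROSOFT_SERVICES_TENANT,
                 "verifiedPublisher": {"displayName": "Microsoft", "verifiedPublisherId": "constructed"}},
    "sp-crm": {"appDisplayName": "Contoso CRM Sync", "appOwnerOrganizationId": HOME_TENANT,
               "verifiedPublisher": {}},
    "sp-docs": {"appDisplayName": "Secure Document Portal",
                "appOwnerOrganizationId": "99999999-8888-7777-6666-555555555555",
                "verifiedPublisher": {}},
}

GRANTS = [  # constructed oauth2PermissionGrants
    {"id": "g1", "clientId": "sp-teams", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Mail.Read Files.Read.All"},
    {"id": "g2", "clientId": "sp-crm", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Contacts.Read offline_access"},
    {"id": "g3", "clientId": "sp-docs", "consentType": "Principal", "principalId": "user-alice",
     "scope": "openid profile offline_access Mail.Read Files.Read.All Contacts.Read"},
]


def triage_grant(grant, service_principals):
    """Score one delegated grant; a higher score means review it sooner."""
    sp = service_principals[grant["clientId"]]
    scopes = set(grant["scope"].split())
    findings, score = [], 0
    if sp.get("appOwnerOrganizationId") == MICROSOFT_SERVICES_TENANT:
        findings.append("Microsoft first-party application; treat as baseline")
        return {"app": sp["appDisplayName"], "grant": grant["id"], "score": 0, "findings": findings}
    hi = sorted(scopes & HIGH_IMPACT)
    if hi:
        findings.append("high-impact delegated scopes: " + ", ".join(hi))
        score += 2 * len(hi)
    if "offline_access" in scopes:
        findings.append("offline_access: refresh tokens outlive the browser session")
        score += 2
    if grant["consentType"] == "Principal":
        findings.append(f"consented by a single user ({grant['principalId']}), not by an admin")
        score += 2
    if sp.get("appOwnerOrganizationId") != HOME_TENANT:
        findings.append("multi-tenant app registered in another tenant")
        score += 3
    if not sp.get("verifiedPublisher", {}).get("verifiedPublisherId"):
        findings.append("publisher not verified")
        score += 2
    return {"app": sp["appDisplayName"], "grant": grant["id"], "score": score, "findings": findings}


def review(grants, service_principals):
    """All grants, most suspicious first."""
    return sorted((triage_grant(g, service_principals) for g in grants), key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in review(GRANTS, SERVICE_PRINCIPALS):
        print(f"{r['score']:>3}  {r['app']}: " + "; ".join(r["findings"]))
```

In a real tenant, page `/oauth2PermissionGrants` and `/servicePrincipals` from Graph into these shapes. A grant that scores high can be removed with `DELETE /oauth2PermissionGrants/{id}`, after which the app can no longer obtain new tokens for that permission; revoking the user's refresh tokens closes the remaining window.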
Disable Device Code Flow Where Unnecessary
Unless your organization relies on smart TVs, headless devices, or command-line tooling that can only sign in this way, block device code flow with a Conditional Access policy that uses the Authentication flows condition, and exclude only the specific accounts or devices that need it. Pair the block with monitoring: Entra sign-in logs record the authentication protocol used, so any device code sign-ins that still occur can be reviewed.
Train Employees to Recognize Legitimate Notifications
Teach users what a real Microsoft 365 notification looks like, and be accurate about it: group welcome emails arrive in the inbox like any other message, so where a message lands in Outlook proves nothing. A genuine addition shows the group under Groups in Outlook's folder pane and comes from the group's own address in the organization's tenant, so users can check there instead of following the link. External sender tagging on messages and meeting invites only appears if an administrator has enabled it. Above all, teach users that a code they are asked to type into microsoft.com/devicelogin, or a consent screen asking an app for permission to read their mail, is never part of opening a shared document, and to verify unexpected group additions with IT before clicking anything.
Implement Advanced Anomaly Detection
Tools like Microsoft Defender for Office 365, Microsoft Sentinel, or third-party SIEMs can baseline normal behavior and flag outliers. Look for impossible travel combined with OAuth token use, device code sign-ins from accounts that never used that flow before, mass downloads from OneDrive, or mailbox forwarding rules created shortly after a user was added to a group or consented to an application.
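The correlation described in this section and the group-membership monitoring recommended above can be expressed as a small detector. This Python is an added example, not the article's code: it runs over constructed records in a simplified Unified Audit Log shape (the Operation names are the real ones; the Target and Parameters fields are reduced to what the logic needs), with constructed users, groups and addresses. Records exported from Search-UnifiedAuditLog or the Office 365 Management Activity API would be fed in the same way.

```python
"""Correlating Unified Audit Log records for the lure chain: one actor creates a group and
bulk-adds members, then a recipient's mailbox grows a forwarding rule shortly afterwards.

Added example, not the article's code. Records are constructed in a simplified audit log
shape: Operation names are real, Target/Parameters fields are reduced to what is needed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LURE_TERMS = ("finance", "payroll", "invoice", "executive", "security update", "wire")
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

AUDIT_RECORDS = [  # constructed sample, chronological
    {"CreationTime": "2026-02-03T09:12:04", "Workload": "AzureActiveDirectory", "Operation": "Add group.",
     "UserId": "mallory@corp.example", "Target": [{"Type": "Group", "ID": "Finance Q4 Review"}]},
    {"CreationTime": "2026-02-03T09:12:30", "Workload": "AzureActiveDirectory", "Operation": "Add member to group.",
     "UserId": "mallory@corp.example",
     "Target": [{"Type": "User", "ID": "alice@corp.example"}, {"Type": "Group", "ID": "Finance Q4 Review"}]},
    {"CreationTime": "2026-02-03T09:12:31", "Workload": "AzureActiveDirectory", "Operation": "Add member to group.",
     "UserId": "mallory@corp.example",
     "Target": [{"Type": "User", "ID": "bob@corp.example"}, {"Type": "Group", "ID": "Finance Q4 Review"}]},
    {"CreationTime": "2026-02-03T09:12:33", "Workload": "AzureActiveDirectory", "Operation": "Add member to group.",
     "UserId": "mallory@corp.example",
     "Target": [{"Type": "User", "ID": "carol@corp.example"}, {"Type": "Group", "ID": "Finance Q4 Review"}]},
    {"CreationTime": "2026-02-03T09:58:41", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "alice@corp.example",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "inv0ices@mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-02-03T14:02:10", "Workload": "AzureActiveDirectory", "Operation": "Add member to group.",
     "UserId": "hr-admin@corp.example",
     "Target": [{"Type": "User", "ID": "dave@corp.example"}, {"Type": "Group", "ID": "Benefits Enrollment"}]},
    {"CreationTime": "2026-02-04T08:15:00", "Workload": "Exchange", "Operation": "Set-Mailbox",
     "UserId": "erin@corp.example",
     "Parameters": [{"Name": "Identity", "Value": "erin@corp.example"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:erin.home@mail.example"}]},
]


def _time(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def _target(rec, kind):
    return next((t["ID"] for t in rec.get("Target", []) if t["Type"] == kind), None)


def _params(rec):
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def lure_named_groups(records):
    """Group names touched by create/add events that read like an urgent internal lure."""
    names = {_target(r, "Group") for r in records if r["Operation"] in ("Add group.", "Add member to group.")}
    return sorted(n for n in names if n and any(term in n.lower() for term in LURE_TERMS))


def bulk_adds(records, window=timedelta(minutes=10), min_members=3):
    """Actors who created a group and added at least min_members to it within `window`."""
    created = {(r["UserId"], _target(r, "Group")): _time(r) for r in records if r["Operation"] == "Add group."}
    members = defaultdict(set)
    for r in records:
        if r["Operation"] != "Add member to group.":
            continue
        key = (r["UserId"], _target(r, "Group"))
        if key in created and timedelta(0) <= _time(r) - created[key] <= window:
            members[key].add(_target(r, "User"))
    return {k: sorted(v) for k, v in members.items() if len(v) >= min_members}


def forwarding_after_add(records, within=timedelta(hours=24)):
    """Users who set up mail forwarding within `within` of being added to a group."""
    added = defaultdict(list)
    for r in records:
        if r["Operation"] == "Add member to group.":
            added[_target(r, "User")].append((_time(r), _target(r, "Group")))
    hits = []
    for r in records:
        if r["Workload"] != "Exchange":
            continue
        fwd = {k: v for k, v in _params(r).items() if k in FORWARDING_PARAMS}
        if not fwd:
            continue
        for when, group in added.get(r["UserId"], []):
            if timedelta(0) <= _time(r) - when <= within:
                hits.append({"user": r["UserId"], "group": group, "rule_time": r["CreationTime"],
                             "forwarding": fwd})
    return hits
```

On the constructed data, mallory's three-member burst into "Finance Q4 Review" and alice's forwarding rule 46 minutes later are flagged, while dave's routine HR group addition is not. erin's forwarding address has no preceding group event and is not correlated here; a forwarding change to an external address still deserves its own alert, and in practice you would run both checks.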
Microsoft's Response and Future Outlook
Microsoft is aware of the campaign and has issued guidance through its Security Response Center. The company is working on enhancements to Safe Links and Safe Attachments to scan content within SharePoint and OneDrive-hosted pages. However, because the core issue lies in the legitimate use of Microsoft 365 features, a quick fix is unlikely.
Security researchers expect the abuse of collaboration platforms to accelerate. As email security gets smarter, attackers will continue turning to trusted services as delivery mechanisms. The line between genuine business communication and a social engineering lure is blurring, and user awareness remains the last line of defense.
For now, CISOs must assume that any notification—no matter how official—could be malicious. Continuous monitoring of cloud activity, aggressive consent policies, and zero-trust identity verification are no longer optional; they are the price of doing business in a world where the platform is the phish.