The Rise of Microsoft 365 Group Phishing

Overview

Cybercriminals are constantly looking for new ways to bypass traditional email security controls, and a recently identified campaign shows just how effective trusted platforms can be when abused.

Researchers have uncovered a phishing technique that leverages Microsoft 365 Groups, Outlook, and Calendar features to deliver malicious content through legitimate collaboration workflows. Rather than sending suspicious emails from external domains, attackers are using Microsoft’s own infrastructure to make phishing attempts appear as normal workplace communication.

The result is an attack that feels less like phishing and more like routine business activity.

Attack Breakdown

The attack begins when a threat actor creates or gains control of a Microsoft 365 Group.

Victims are then added to groups with names that appear legitimate, such as:

  • IT Support
  • HR Updates
  • Finance Review
  • All Company

Once added, users receive a welcome message that looks identical to a genuine Microsoft 365 group invitation.

Because the notification comes from Microsoft’s infrastructure and resembles normal collaboration activity, many users are less likely to question its legitimacy.

The attackers then use the group to distribute phishing content through:

  • Group mailboxes
  • Shared documents
  • Group conversations
  • Calendar invitations

Each interaction appears to be part of a legitimate business process.

The Rise of CalPhishing

One of the more concerning aspects of this campaign is the use of Calendar Phishing, often referred to as CalPhishing.

After joining the attacker-controlled group, victims may receive Outlook calendar invitations containing phishing content.

These calendar events can be disguised as:

  • HR deadlines
  • Project meetings
  • Invoice reviews
  • Mandatory training sessions
  • Administrative notifications

Unlike a traditional phishing email that may be deleted or ignored, calendar invitations continue generating reminders until the event is addressed or removed.

This repeated exposure increases the likelihood that a user will eventually interact with the malicious content.

Why This Attack Is Effective

The strength of this technique lies in trust.

Employees are trained to be suspicious of unknown senders, suspicious links, and poorly written emails. However, they are far less likely to question notifications that originate from familiar collaboration tools.

Because the attack operates through legitimate Microsoft 365 services, traditional email filtering solutions may not immediately identify the activity as malicious.

Potential outcomes include:

  • Credential theft
  • Session token capture
  • Malware delivery
  • Data exposure
  • Follow-on social engineering attacks

By the time a user realises something is wrong, the attacker may already have gained access to valuable information or credentials.

Defensive Recommendations

Organisations should expand phishing awareness beyond email alone.

Recommended actions include:

  • Educate users about unexpected Microsoft 365 group invitations.
  • Verify unfamiliar group memberships before interacting with content.
  • Review permissions around Microsoft 365 Group creation.
  • Monitor newly created groups for suspicious naming patterns.
  • Investigate unexpected calendar invitations and recurring reminders.
  • Review shared documents and files distributed through collaboration platforms.
  • Consider blocking unnecessary external notifications where appropriate.

Security teams should also investigate incidents across the full collaboration chain rather than focusing solely on email activity.
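One way to act on the "monitor newly created groups for suspicious naming patterns" recommendation, as an added example that is not code from this article or from Microsoft. The event tuple layout, the account names and the thresholds are assumptions; map your own exported audit records onto them.

```python
import re
import unicodedata
from datetime import datetime, timedelta

# Lure names listed in the article; extend with your own sensitive names.
WATCHLIST = ["IT Support", "HR Updates", "Finance Review", "All Company"]
# Assumption: the accounts your tenant has approved to create groups.
APPROVED_CREATORS = {"groups-admin@example.com"}
BULK_ADD_THRESHOLD = 3                 # members added soon after creation
BULK_ADD_WINDOW = timedelta(hours=1)

def normalise(name):
    """Fold case, width and punctuation so 'I.T. Support' matches 'IT Support'."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return re.sub(r"[^a-z0-9]", "", folded)

WATCH_KEYS = {normalise(n): n for n in WATCHLIST}

def review_new_groups(events):
    """Flag new groups with a watchlisted name plus at least one risk signal."""
    created, adds = {}, {}
    for time, operation, group, actor in events:
        ts = datetime.fromisoformat(time)
        if operation == "group_created":
            created[group] = (ts, actor)
        elif operation == "member_added":
            adds.setdefault(group, []).append(ts)
    findings = []
    for group, (ts, actor) in created.items():
        match = next((n for k, n in WATCH_KEYS.items() if k in normalise(group)), None)
        if match is None:
            continue
        reasons = [f"name resembles '{match}'"]
        if actor not in APPROVED_CREATORS:
            reasons.append(f"creator {actor} is not approved")
        burst = sum(timedelta(0) <= t - ts <= BULK_ADD_WINDOW for t in adds.get(group, []))
        if burst >= BULK_ADD_THRESHOLD:
            reasons.append(f"{burst} members added within an hour of creation")
        if len(reasons) > 1:
            findings.append({"group": group, "reasons": reasons})
    return findings

# Constructed sample records: (time, operation, group, actor).
SAMPLE_EVENTS = [
    ("2025-01-06T09:00:00", "group_created", "I.T. Support", "j.doe@example.com"),
    ("2025-01-06T09:02:00", "member_added", "I.T. Support", "j.doe@example.com"),
    ("2025-01-06T09:03:00", "member_added", "I.T. Support", "j.doe@example.com"),
    ("2025-01-06T09:04:00", "member_added", "I.T. Support", "j.doe@example.com"),
    ("2025-01-06T10:00:00", "group_created", "Finance Review", "groups-admin@example.com"),
    ("2025-01-06T11:00:00", "group_created", "Lunch Club", "j.doe@example.com"),
]
```

A watchlisted name alone is not reported, so a "Finance Review" group created by an approved account stays quiet; the name has to coincide with an unapproved creator or a burst of member additions.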

Expert in the Cloud Insight

This campaign highlights a significant shift in phishing tactics. Attackers are moving away from obvious scam emails and toward trusted business workflows that employees interact with every day.

The challenge for organisations is that these attacks do not exploit software vulnerabilities. They exploit familiarity and trust.

Security awareness programmes have traditionally focused on identifying suspicious emails, but modern phishing campaigns now extend into collaboration platforms, messaging applications, file sharing systems, and calendars.

The lesson is simple: if employees trust a platform, attackers will eventually try to abuse it. Security teams must therefore protect not only the inbox but the entire collaboration ecosystem.

Expert in the Cloud – The Future Is Now
