December 25, 2025
By esentry Team

The TOAD Delivery

Cybercriminals are increasingly exploiting Microsoft's legitimate infrastructure to bypass security controls and manipulate users into Telephone-Oriented Attack Delivery (TOAD) scams. The attackers gain credibility by misusing Azure's default (.onmicrosoft.com) domain. Invitations sent from compromised Azure tenants appear to originate from genuine Microsoft services, making them significantly harder to identify as threats.

Although Microsoft Defender for Office 365 frequently identifies these as high-confidence phishing attempts, depending entirely on automated detection leaves gaps in protection. The attack succeeds without requiring victims to accept any invitation or log in. By the time the message reaches the inbox, the intended harm has already been done.

How the TOAD Leaps

Threat actors create a controlled Azure tenant - Attackers set up their own Microsoft Azure environment with access to the default (.onmicrosoft.com) domain.

Microsoft invitations are generated and distributed - From their fraudulent tenants, criminals send out Azure B2B collaboration invites to targeted victims.

Emails bypass security filters - Because the invitations route through legitimate Microsoft infrastructure, they carry high domain reputation and evade standard email gateways that would block messages from unknown servers.

Scam content appears in the email notification - The fraudulent message is embedded directly in the invitation email body, displaying fake purchase confirmations or subscription alerts with no malicious links or attachments required.

Victims are pressured to call a fake support number - The email urges recipients to contact a fraudulent phone line to dispute unauthorized charges or cancel unwanted services.

No user action needed for delivery - The attack succeeds without requiring victims to accept the invitation or authenticate; simply receiving the email in their inbox completes the delivery.

Phone-based fraud begins - When victims call the number, they reach live scammers who use social engineering to extract money, credentials, or sensitive information.

When the TOAD Leaps

Financial losses - Victims are manipulated into making unauthorized payments, purchasing fake services, or surrendering credit card information to scammers.

Credential and data theft - Attackers extract login credentials, authentication codes, and sensitive personal or business information during fraudulent phone calls.

Organizational breaches - Compromised employee accounts can provide attackers with broader access to corporate systems and confidential data.

Erosion of trust - Abuse of Microsoft's legitimate infrastructure makes users suspicious of genuine business communications and collaboration invites.

Reputational and compliance risks - Successful attacks can damage brand reputation and trigger regulatory violations under data protection laws.

Recommendation

Deploy targeted filtering - Use Exchange Transport Rules with Regular Expressions instead of blocking the entire (.onmicrosoft.com) domain, which would disrupt legitimate Microsoft services.

Apply the detection pattern - Implement this Regex to identify malicious invitations in email bodies:

```text
Domain:\s+([A-Za-z0-9]+)\.onmicrosoft\.com
```

Audit first, enforce second - Review existing email traffic to identify legitimate partners using default (.onmicrosoft.com) addresses before activating the rule.

Handle exceptions - Whitelist verified business partners or request they transition to custom domains to maintain uninterrupted communication while blocking attacks.
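As an added example (not part of the original post or any esentry tooling), the following Python applies the detection pattern above in the audit-first mode the recommendations describe: it extracts the default-domain tenant name from constructed invitation bodies, tallies which tenants appear, and checks each against an assumed allowlist of verified partner tenants so unknown tenants can be reviewed before a blocking rule is enforced.

```python
import re
from collections import Counter

# The pattern from the post: captures the tenant name that precedes ".onmicrosoft.com"
# in the "Domain:" line of an Azure B2B invitation notification body.
INVITE_TENANT_RE = re.compile(r"Domain:\s+([A-Za-z0-9]+)\.onmicrosoft\.com")

# Assumed allowlist of verified partner tenants (placeholder names, lower-cased).
ALLOWED_TENANTS = {"contosopartners"}

# Constructed sample message bodies: one legitimate partner invite, one TOAD-style
# invite whose body carries a fake purchase alert, and one unrelated message.
SAMPLE_BODIES = [
    "You have been invited to collaborate on a project.\n"
    "Domain:  contosopartners.onmicrosoft.com\nAccept invitation",
    "Thank you for your order. Your card was charged $399.99 for a 1-year plan.\n"
    "To dispute this charge, call our support line immediately.\n"
    "Domain: billingdesk7781.onmicrosoft.com",
    "Weekly team newsletter - no invitation content here.",
]


def extract_tenant(body: str):
    """Return the default-domain tenant named in an invitation body, or None."""
    match = INVITE_TENANT_RE.search(body)
    return match.group(1) if match else None


def classify(body: str, allowed: set = ALLOWED_TENANTS) -> str:
    """'allow' = verified partner, 'flag' = unknown default-domain tenant, 'none' = no match."""
    tenant = extract_tenant(body)
    if tenant is None:
        return "none"
    return "allow" if tenant.lower() in allowed else "flag"


def audit(bodies, allowed: set = ALLOWED_TENANTS):
    """Audit pass: count tenants seen in traffic and mark which ones the rule would flag."""
    seen = Counter(t for t in map(extract_tenant, bodies) if t is not None)
    verdicts = {t: ("allow" if t.lower() in allowed else "flag") for t in seen}
    return seen, verdicts


if __name__ == "__main__":
    counts, verdicts = audit(SAMPLE_BODIES)
    for tenant, n in counts.items():
        print(f"{tenant}.onmicrosoft.com seen {n}x -> {verdicts[tenant]}")
```

Run the audit over real exported message bodies and add any legitimate tenants it reports as "flag" to the allowlist before turning the transport rule into an enforcing one.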

Cybercriminals are wrapping their .onmicrosoft.com exploits in holiday shopping chaos, turning legitimate Microsoft infrastructure into a gift for fraudsters. Deploy these protections now before your employees unwrap a phishing scam disguised as holiday deals.