VYPR
Research · Published Jun 23, 2026 · 2 sources

Phishing hides in routine Microsoft 365 workflows

Fortra warns that attackers are abusing Outlook Groups and Microsoft 365 collaboration features to make phishing campaigns appear routine.

Attackers are abusing Outlook Groups and Microsoft 365 collaboration features to make phishing campaigns appear routine, according to Fortra. The technique shifts malicious intent away from a single phishing email into a trusted productivity workflow, leveraging group additions, shared files, and calendar invitations to reduce suspicion.

The attack begins when a target is added to or invited into an attacker-controlled Microsoft 365 Group. The group's name, description, or welcome message is designed to create urgency, often using themes such as payroll updates, contract renewals, supplier requests, or mandatory training notices. Follow-up content is delivered through the group mailbox, shared files, or calendar invitations, often using CalPhishing techniques that place events directly on a victim's calendar.

Victims may be prompted to review a document, approve a request, sign in to an account, or download a file. The final action can lead to credential theft, token theft, malware delivery, data exposure, or further social engineering activity. Fortra noted that the value of CalPhishing lies in repeated exposure: a user might ignore the initial email, then later notice the calendar event, open the invitation, read the description, click a link, or access a referenced file.

Shared files create another path. A clean group email can still lead to a document containing a fake support process, QR code, credential-harvesting page, macro lure, or remote-access instruction. Because the content is reached through a Microsoft collaboration surface, the user may treat it as safer than a direct attachment.

Fortra warned that these attacks can complicate investigations because the activity is spread between email, Microsoft 365 Groups, shared files, and calendar events. The company advises treating unexpected groups, meetings, and shared files with the same caution as unexpected emails, especially when the theme is urgent, administrative, or account related.

No specific CVE is associated with this technique, but it highlights a growing trend of attackers abusing legitimate collaboration features to bypass traditional email security filters. Organizations should educate users about these tactics and consider monitoring for anomalous group additions and calendar events.

Fortra's FIRE team has now published a detailed report on the campaign. It reveals that attackers are also using Calendar Phishing (CalPhishing), sending malicious .ics calendar invites through compromised groups; these invites persist with reminders long after the initial email is deleted. The report provides a cross-surface visibility map showing how group mailboxes, shared documents, and calendar entries can all be weaponized in a single attack chain. Defenders are advised to block the sender domain 'groups.outlook.com' at the gateway and to train employees to treat unexpected group additions and meeting invites with the same caution as unsolicited emails.
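
An added example, not code from Fortra's report: a triage function for the .ics invites described above that reports each event's organizer, links, lure themes and reminder, the signals an analyst needs after the original email is gone. The sample invite, its example.net addresses and the `internal_domains` parameter are constructed assumptions.

```python
import re

# Lure themes named in the article; matched case-insensitively.
THEMES = ("payroll", "contract renewal", "supplier", "mandatory training")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample invite (not from the report); its URL is split by line folding.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
    "ORGANIZER;CN=HR Updates:mailto:hr-updates@groups.example.net\r\n"
    "SUMMARY:Payroll update - action required\r\n"
    "DESCRIPTION:Review the form at https://login.example.net/pay\r\n"
    " roll?id=1 before Friday\\, or access is suspended.\r\n"
    "BEGIN:VALARM\r\nTRIGGER:-PT15M\r\nACTION:DISPLAY\r\nEND:VALARM\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

def triage_invite(ics_text, internal_domains):
    """Return one finding dict per VEVENT; a missing organizer counts as external."""
    # RFC 5545 unfolding: a line break followed by space/tab continues the previous line.
    lines = re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()
    findings, event, in_alarm = [], None, False
    for line in lines:
        head, _, value = line.partition(":")  # simplification: no quoted ':' in params
        name, kind = head.split(";", 1)[0].upper(), value.upper()
        if (name, kind) == ("BEGIN", "VEVENT"):
            event = {"org": "", "text": "", "reminder": False}
        elif event is None:
            continue
        elif name in ("BEGIN", "END") and kind == "VALARM":
            in_alarm = name == "BEGIN"
            event["reminder"] = True  # reminders keep resurfacing the lure
        elif name == "ORGANIZER":
            event["org"] = re.sub(r"(?i)^mailto:", "", value).lower()
        elif name in ("SUMMARY", "DESCRIPTION", "LOCATION") and not in_alarm:
            # Undo TEXT escaping (\n \, \; \\) so keywords and URLs match.
            event["text"] += re.sub(r"\\(.)", lambda m: "\n" if m[1] in "nN" else m[1], value) + "\n"
        elif (name, kind) == ("END", "VEVENT"):
            findings.append({
                "organizer": event["org"],
                "external_organizer": event["org"].rpartition("@")[2] not in internal_domains,
                "urls": URL_RE.findall(event["text"]),
                "themes": [t for t in THEMES if t in event["text"].lower()],
                "reminder": event["reminder"],
            })
            event, in_alarm = None, False
    return findings
```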

Synthesized by Vypr AI