Nov 17, 2025

) When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works . (Image credit: Shutterstock / janews) Attackers use compromised GMX Mail accounts to send fake Microsoft Teams invites with OAuth traps Victims who authorize the malicious Azure Web App grant access to email, files, and persistent account control Abnormal AI urges vigilance: verify senders, inspect links, and beware urgent meeting requests Fraudsters are sending victims fake Microsoft Teams meeting invitations in a bid to steal ogin credentials and achieve persistent access across the Microsoft 365 ecosystem, experts have warned. Cybersecurity experts from Abnormal AI said they recently observed the campaign in the wild. It starts with a compromised GMX Mail account. This is a free consumer email service from Germany which allows users to create up to ten sender addresses from a single account. The compromised accounts are used to send fraudulent emails, pretending to come from an HR department of a company, which are designed to look like automated, notification emails, carrying the Teams branding. You may like A Meeting ID and Passcode section A fake “Organizer” section styled to mirror authentic Teams invites If the victim takes the bait and clicks on the provided link, they will be redirected to a compromised Azure Web App that asks the visitor to make an OAuth authorization and grant permissions to the Microsoft account. The crooks tried to mask the fact that this is a web app by titling it “Please confirm attendance - meeting request”. Granting this malicious web app access gives it permissions to sign in, read the profile, maintain access even after the password is changed, access emails and email data, send emails, steal files, and more. Are you a pro? Subscribe to our newsletter Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed! Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over. The researchers believe GMX was chosen for this particular feature, since it allows the attackers to easily rotate identities without setting up new infrastructure, cutting down on time needed to prepare the attack. Another reason why GMX might have been chosen is the fact that the messages successfully pass SPF, DKIM, and DMARC validation, and end up in people’s inboxes. For Abnormal, this is an “unusual level” of technical legitimacy. The best way to defend against phishing is to simply think before you click - check the sender’s email address, hover over links to spot fishy redirects, and be wary of emails with a high sense of urgency. The best antivirus for all budgets Our top picks, based on real-world testing and comparisons