Microsoft Teams-Themed Credential Phishing Campaign Exploiting Legitimate Training Resources
2 March 2026
By Mimecast Threat Research Team
- Credential harvesting campaign impersonating Microsoft Teams task notifications
- Exploitation of SendGrid email delivery service and CanIPhish security training template resources
- Over 9,000 observed instances between January and February 2026
- US-based organizations across multiple verticals, with concentration in Finance, Professional Services, Manufacturing, and Healthcare sectors
- Credential theft through fake task notifications
Campaign Overview
The Mimecast Threat Research Team has identified a credential phishing campaign that weaponizes legitimate security awareness training materials. Threat actors have modified publicly available phishing simulation templates from CanIPhish, a legitimate security training platform, to create convincing Microsoft Teams-themed lures targeting business users.
Attack Chain
The campaign employs a multi-stage approach designed to exploit user trust in familiar business communication tools:
1. Initial Delivery: Emails are distributed through SendGrid infrastructure using compromised accounts
2. Social Engineering Lure: Recipients receive what appears to be a Microsoft Teams notification about an assigned task to review an "Aging Report" related to accounts payable or financial documentation
3. Template Abuse: Threat actors obtained HTML templates from CanIPhish's publicly accessible phishing simulation examples. These templates, originally designed for security training, were modified to:
- Replace simulation URLs with the malicious credential harvesting domain
- Customize company names and recipient details for targeted organizations
The modified templates retain references to CanIPhish's AWS S3 bucket for image assets (https://caniphish.s3.ap-southeast-2.amazonaws.com/), further enhancing the appearance of legitimacy.
4. Credential Capture: Users who click the "Open in Teams" or "Open in Browser" buttons are redirected to an intermediate page where they are required to click another link in order to open the file.
5. Captcha Page: Once the user clicks the link, they are redirected to a captcha page where they need to verify they are human. Once the captcha is complete, they are presented with a Microsoft login page, which is where the threat actor harvests credentials.
Targeted and Regions
Geographic Distribution
- Primary Target: United States (over 95% of observed campaigns)
- Secondary Targets: Limited instances targeting United Kingdom, Germany, Canada, and Australia
Indicators of Compromise (IOCs)
SendGrid Infrastructure:
- u58401087.ct.sendgrid.net (tracking domain)
Malicious URLs
- mstexcelauthcopilot[.]powerappsportals[.]com
Common Subject Lines
- [Company Name] : CFO / Aging report ( Jan - Feb 2026 )
- [Company Name] : AR / Aging report ( Jan - Feb 2026 )
- [Company Name] Report / Aging ( January 2025 )
- [Company Name] Financial Services Report / Aging ( January 2025 )
Pattern: Subject lines are customized with the target organization's name followed by
Mimecast Protection
Mimecast has implemented multiple detection layers to identify and block this campaign. Our threat intelligence team continues to monitor this campaign and will update detections as threat actors modify their tactics.
Recommendations
User Security Awareness Training
- Educate employees on the specific characteristics of this campaign, including the aging report lure and Microsoft Teams impersonation
- Train staff to verify unexpected task assignments through separate communication channels before clicking links
- Emphasize authentication verification: Users should always check the URL bar before entering credentials—legitimate Microsoft login pages will use login.microsoftonline.com or login.microsoft.com domains, not powerappsportals.com variations
Proactive Threat Hunting
- Search email receipt logs for messages sent through SendGrid and for the subject lines listed above
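One way to run this hunt over exported mail logs, as an added example that is not Mimecast's detection logic: it matches the subject-line pattern and the hosts listed in this report, and flags messages that carry at least two indicators. The record schema (id, subject, body), the function names, and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts taken from this report; the defanged entry is refanged at load time.
IOC_HOSTS = {
    "sendgrid_tracking": "u58401087.ct.sendgrid.net",
    "harvest_domain": "mstexcelauthcopilot[.]powerappsportals[.]com".replace("[.]", "."),
    # Weak on its own: genuine CanIPhish training simulations load the same assets.
    "caniphish_assets": "caniphish.s3.ap-southeast-2.amazonaws.com",
}
# Covers the four subject lines listed under "Common Subject Lines".
SUBJECT_RE = re.compile(
    r"(?:(?:CFO|AR)\s*/\s*Aging report|Report\s*/\s*Aging)"
    r"\s*\(\s*[A-Za-z]+(?:\s*-\s*[A-Za-z]+)?\s+20\d\d\s*\)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def url_hosts(text):
    """Lower-cased hostnames of every http(s) URL found in text."""
    hosts = set()
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed URL in the body; skip it
            continue
        if host:
            hosts.add(host.rstrip("."))
    return hosts

def match_indicators(record):
    """Sorted names of the campaign indicators present in one log record."""
    hits = set()
    if SUBJECT_RE.search(record.get("subject", "")):
        hits.add("subject_pattern")
    hosts = url_hosts(record.get("body", ""))
    hits.update(name for name, ioc in IOC_HOSTS.items() if ioc in hosts)
    return sorted(hits)

def hunt(records, min_hits=2):
    """IDs of records with at least min_hits indicators, to limit single-signal noise."""
    return [r["id"] for r in records if len(match_indicators(r)) >= min_hits]

# Constructed sample records; URL paths and the company name are made up.
SAMPLE = [
    {"id": "m1", "subject": "Contoso : CFO / Aging report ( Jan - Feb 2026 )",
     "body": '<a href="https://u58401087.ct.sendgrid.net/ls/click?upn=x">Open in Teams</a>'
             '<img src="https://caniphish.s3.ap-southeast-2.amazonaws.com/logo.png">'},
    {"id": "m2", "subject": "Weekly newsletter",
     "body": '<a href="https://example.com/news">Read</a>'},
    {"id": "m3", "subject": "Security training exercise",
     "body": '<img src="https://caniphish.s3.ap-southeast-2.amazonaws.com/logo.png">'},
]
```

Calling hunt(SAMPLE) returns only the first record; the third, which references the CanIPhish bucket alone, stays below the threshold.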
Additional Context
This campaign reflects a broader trend of threat actors abusing legitimate services, such as email delivery platforms and publicly accessible security training resources, to enhance the credibility of their attacks. Such exploitation highlights the need to protect training materials and trusted platforms from being weaponized.
Following the identification of this threat, Mimecast worked closely with CanIPhish to implement safeguards that reduce the risk of their resources being misused, demonstrating the importance of collaboration and information sharing within the security community to counter emerging threats effectively.