Executive Summary
Fortra Intelligence and Research Experts (FIRE) is tracking phishing activity that abuses Outlook Groups and Microsoft 365 collaboration features to make malicious activity appear routine.
The technique shifts malicious intent away from a single phishing email into a trusted productivity workflow. A user may see what looks like a normal group addition, internal update, shared resource, or calendar item before being pushed toward an action.
The business risk begins when that action is taken: accepting, opening, signing in, downloading, or replying can lead to credential theft, token capture, malware delivery, data exposure, service disruption, or further social engineering.
Description
Modern phishing is no longer limited to fake invoices, spoofed brands, or obvious malicious attachments. Attackers are increasing their use of legitimate features and familiar workflows as the pretext for phishing delivery.
Microsoft 365 Groups can provide that path: a threat actor controls a convincing group, invites or adds targets where external collaboration is allowed, and then uses the welcome email, group mailbox, shared files, and Outlook calendar to move the victim through a normal-looking Microsoft experience.
The trust starts here: a group named "IT Support", "HR Updates", "Finance Review", "Leadership Briefing", or "All Company" can look like routine internal activity. The first message may also appear technically healthy because the attacker is abusing a legitimate cloud service rather than only spoofing a brand. At this stage, the welcome email is almost always clean. The risk is what the group then enables next.
How the Attack Works
The target is added to, or invited into, an attacker-controlled Microsoft 365 group.
The group name, description, or welcome message sets out the context: urgent review, failed renewal, payroll update, mandatory training, or supplier action.
Follow-up content lands via the group mailbox, shared files, or calendar invites, using one of the four CalPhishing techniques.
The user follows the workflow because it is a legitimate Microsoft 365 collaboration workflow.
The final action leads to credential theft, token capture, malware delivery, or further social engineering.
Where CalPhishing Fits
This is where Calendar Phishing, or CalPhishing, becomes important. The group invite gives the attacker a believable entry point, while the Outlook calendar can turn the phish into something persistent.
In related CalPhishing activity, the malicious .ics invite moves the interaction away from the email body and into the user's calendar, where reminders and event content can keep resurfacing even if the original message is missed or removed.
In a group-based scenario, that invite can be framed as a project meeting, HR deadline, admin alert, invoice review, or security task. The possibilities are endless.
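Added example (not part of Fortra's research or tooling): a small triage helper that unfolds a constructed .ics invite of the kind described above, extracts the organizer domain and every URL in the event, and flags what points outside a trusted domain list. The sample invite and the `.test` hosts are constructed placeholders.

```python
"""Triage helper for a suspicious calendar invite (.ics) delivered through a
group mailbox. Added example, not part of Fortra's research tooling; the
invite below is constructed and uses placeholder hosts."""
import re

# Constructed .ics; the long DESCRIPTION is folded across lines per RFC 5545.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "METHOD:REQUEST",
    "BEGIN:VEVENT",
    "ORGANIZER;CN=IT Support:mailto:itsupport@partner.example",
    "SUMMARY:Mandatory password review - action required today",
    "DESCRIPTION:Your account renewal failed. Sign in at https://login.exampl",
    " e-lure.test/verify to avoid suspension.",
    "LOCATION:https://docs.example-lure.test/review.pdf",
    "END:VEVENT",
    "END:VCALENDAR",
])

def unfold(ics):
    """Join RFC 5545 continuation lines (a line starting with space/tab)."""
    return re.sub(r"\r?\n[ \t]", "", ics)

def parse_event(ics):
    """Flatten properties to {NAME: value}, dropping parameters like CN=."""
    props = {}
    for line in unfold(ics).splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            props[name.split(";", 1)[0].upper()] = value
    return props

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def triage_invite(ics, trusted_domains):
    """Report organizer domain, every URL in the event, and which URLs point
    outside trusted domains. METHOD:REQUEST means the item lands as a
    tentative meeting with reminders, not only as a mail."""
    ev = parse_event(ics)
    organizer = ev.get("ORGANIZER", "").rsplit("@", 1)[-1].lower()
    urls = []
    for key in ("DESCRIPTION", "LOCATION", "URL", "ATTACH"):
        urls += URL_RE.findall(ev.get(key, ""))
    untrusted = [u for u in urls if u.split("/")[2].lower() not in trusted_domains]
    return {"organizer_domain": organizer, "method": ev.get("METHOD"),
            "urls": urls, "untrusted_urls": untrusted,
            "organizer_external": organizer not in trusted_domains}
```

Run it over invites pulled from the group mailbox or the user's calendar; a REQUEST from an organizer outside the tenant carrying untrusted links is the artefact that survives mail remediation.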
Impact
The impact is not just delivery; it is repeated exposure. A user may ignore the first email but later see the tentative meeting, open the event, review the description, click a link, or open a referenced file. This makes the phishing hook feel less like a one-off and more like an unresolved work item. That is the strength of CalPhishing: it borrows trust from the calendar and uses normal reminders to apply pressure over time.
Shared files create another path. A clean group email can still lead to a document containing a fake support process, QR code, credential-harvesting page, macro lure, or remote-access instruction. Because the content is reached through a Microsoft collaboration surface, the user may treat it as safer than a direct attachment.
Mitigation View
1. Cross-Surface Visibility
The defensive challenge is visibility across surfaces. Email review alone may miss the group, the shared content, or the calendar artefact. Investigations should follow the full chain: who created the group, who was added, what messages were sent, what files were shared, whether external meeting invites were created, and whether calendar entries remain after mail remediation.
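Added example (not Fortra's or Microsoft's tooling) of following that full chain in code: it correlates constructed audit events for one group across the group, mailbox, file and calendar surfaces, reports who created the group and who was added by an external actor, and flags calendar invites that are still present after the mailbox was remediated. Field names and the tenant domain are assumptions; map them to your own audit export.

```python
"""Cross-surface triage of a suspected Microsoft 365 Group phish.
Added example, not Fortra's or Microsoft's tooling. The records below are
constructed and use simplified, assumed field names; map them to your own
audit export before use."""
from collections import defaultdict

INTERNAL_DOMAIN = "corp.example"  # assumed tenant domain

# Constructed events, one per surface the investigation should follow.
EVENTS = [
    {"ts": "2024-05-01T08:00Z", "surface": "group",    "action": "created",    "group": "IT Support", "actor": "admin@partner.example", "target": None},
    {"ts": "2024-05-01T08:02Z", "surface": "group",    "action": "member_add", "group": "IT Support", "actor": "admin@partner.example", "target": "alice@corp.example"},
    {"ts": "2024-05-01T08:05Z", "surface": "mailbox",  "action": "message",    "group": "IT Support", "actor": "admin@partner.example", "target": "alice@corp.example"},
    {"ts": "2024-05-01T08:06Z", "surface": "files",    "action": "share",      "group": "IT Support", "actor": "admin@partner.example", "target": "alice@corp.example"},
    {"ts": "2024-05-01T08:07Z", "surface": "calendar", "action": "invite",     "group": "IT Support", "actor": "admin@partner.example", "target": "alice@corp.example"},
    {"ts": "2024-05-01T10:00Z", "surface": "mailbox",  "action": "remediated", "group": "IT Support", "actor": "soc@corp.example",      "target": "alice@corp.example"},
]

def is_external(addr, internal_domain=INTERNAL_DOMAIN):
    return addr is not None and addr.rsplit("@", 1)[-1].lower() != internal_domain

def triage(events, internal_domain=INTERNAL_DOMAIN):
    """Per group: creator, members added by external actors, surfaces touched
    in order, and calendar invites that outlive the mailbox remediation."""
    by_group = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_group[ev["group"]].append(ev)
    report = {}
    for group, evs in by_group.items():
        creator = next((e["actor"] for e in evs if e["action"] == "created"), None)
        surfaces = []
        for e in evs:
            if e["surface"] not in surfaces:
                surfaces.append(e["surface"])
        ext_adds = sorted({e["target"] for e in evs if e["action"] == "member_add"
                           and is_external(e["actor"], internal_domain)})
        invited = {e["target"] for e in evs if e["action"] == "invite"}
        removed = {e["target"] for e in evs if e["action"] == "invite_removed"}
        remediated = {e["target"] for e in evs if e["action"] == "remediated"}
        # Mail purged but the calendar artefact never removed: the lure keeps
        # resurfacing as a reminder even though the email is gone.
        remains = sorted((invited & remediated) - removed)
        report[group] = {"creator": creator,
                         "external_creator": is_external(creator, internal_domain),
                         "members_added_by_external": ext_adds,
                         "surfaces": surfaces,
                         "calendar_remains_after_remediation": remains}
    return report
```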
2. Static Blocking
The following sender domain can be blocked when a clear inbound / internal / outbound mail flow is defined, stopping any group notifications arriving from external sources: "groups.outlook.com"
3. User Training (SecAdmins & End-Users)
Training also needs to reflect this shift. Unexpected groups, meetings, and shared files should be treated with the same caution as unexpected emails, especially when the theme is urgent, administrative, or account related.
The key issue that users need to be trained to understand is that attackers do not need to perfectly spoof Microsoft when they can borrow legitimacy from Microsoft 365 itself. Microsoft 365 Group abuse and CalPhishing work because they place the phish inside a productivity workflow users already trust.
For Defenders - How to Validate the Mitigation
Validate this attack path as a workflow, not a standalone phish. Use CalPhishing to safely simulate the group invite, follow-up message, shared content, calendar invite, and reminder exposure with benign infrastructure.
Measure delivery, exposure, interaction, reporting, and detection coverage across Microsoft 365. Tune controls around group creation, external membership, trusted sender changes, file access, calendar artefacts, and user reporting, then repeat the scenario.
The aim is to simulate, observe, tune, and retest until the trusted workflow abuse is visible in the detection stack, before it becomes an incident.
Closing Remarks
Outlook Groups abuse is not just another inbox phish; it is a trusted-workflow problem.
This highlights why defenders should look beyond initial email delivery and validate the full path from group membership to mailbox activity, shared files, calendar artefacts, reminders, user interaction, and reporting.
Viewed together, these signals can help teams identify where trusted-workflow exposure may turn into business impact before it becomes an incident.
This is one example of a broader pattern defenders should expect to see more often, where attackers are turning legitimate business workflows into a reliable phishing delivery path.