Microsoft is the most phished brand in the world. With so many Office 365 users globally, it’s only natural for attackers to try phishing Microsoft Planner and Teams.

In this short blog we present a large-scale attack using impersonations of the Microsoft Planner and Teams collaboration apps. The attack, which was seen in over 10 different organizations, shows that the attacker chose a less targeted approach in launching this campaign.

The Mail

In this phishing attack, the attacker tries to impersonate Microsoft Planner and Teams using the following assets:

  • App logo
  • Microsoft logo
  • Copying the email body of the app
  • Using the specific app color palette

Essentially, the attacker takes advantage of the apps’ tendency to send many messages with the same structure and appearance, changing only two things: (1) the displayed address in the email envelope, which is set to the end user’s own address; and (2) the return path, which is set to vps.z19.web.core.windows.net, making it look like a real message from Microsoft.

To complete the disguise, the attacker uses a payload containing a fake Microsoft login page intended to steal credentials. Finally, to make it even more deceptive, the attacker uses the windows.net subdomain as the envelope return-path and the user’s own organizational address as the displayed address.


  • Subject: You’ve been assigned a task! / You have 6 messages, 3 mentions.
  • From: Microsoft Planner [user address] / There’s new activity in Teams [user address]
  • Return-path: [email protected]

The original emails
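
The header pattern listed above can be checked mechanically. The following Python sketch is an added example, not Perception Point's detection logic; the indicator names, the two sample messages and the `placeholder` local part are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Display-name fragments from the campaign's From lines quoted in this post.
APP_NAMES = ("microsoft planner", "teams")
# Parent of the Return-Path host named in this post (vps.z19.web.core.windows.net).
HOSTING_SUFFIX = ".web.core.windows.net"

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw_message):
    """List which of the post's header indicators a raw message matches."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    to_addr = parseaddr(msg.get("To", ""))[1]
    rp_domain = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    hits = []
    if any(name in display.lower() for name in APP_NAMES):
        hits.append("app-display-name")
    if from_addr and from_addr.lower() == to_addr.lower():
        hits.append("from-equals-recipient")
    if rp_domain and rp_domain != domain_of(from_addr):
        hits.append("return-path-domain-mismatch")
    if ("." + rp_domain).endswith(HOSTING_SUFFIX):
        hits.append("return-path-on-hosting-domain")
    return hits

def looks_like_campaign(raw_message):
    """Each indicator alone is weak; require the app name plus a header anomaly."""
    hits = spoof_indicators(raw_message)
    return "app-display-name" in hits and len(hits) >= 2

# Constructed sample messages (addresses and local parts are made up).
PHISH = (
    "Return-Path: <placeholder@vps.z19.web.core.windows.net>\n"
    "From: Microsoft Planner <alice@example.com>\n"
    "To: alice@example.com\n"
    "Subject: You've been assigned a task!\n\nOpen in Microsoft Planner\n"
)
BENIGN = (
    "Return-Path: <bob@example.com>\n"
    "From: Bob <bob@example.com>\n"
    "To: alice@example.com\n"
    "Subject: Lunch?\n\nNoon works.\n"
)

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, looks_like_campaign(raw), spoof_indicators(raw))
```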

The Payload

As in any phishing campaign, the attacker created a nice-looking web page to steal the end-user’s credentials. In this campaign, the same login page is used for all apps: when the user clicks ‘Open in Microsoft Planner’ or ‘Reply in Teams’, they are directed to a fake Microsoft login page hosted on Appspot, which makes it difficult for reputation-based algorithms to detect.

The phishing website

Perception Point

Perception Point’s service prevented this attack using advanced anti-phishing algorithms. By using image-recognition technology, our solution can prevent any attack – even if highly disguised. We do not use only reputation or static engines – we take an active (“dynamic”) approach, ensuring “zero-day” phishing attacks are intercepted well before reaching the end-user’s email box.

For more information about our anti-phishing capabilities, we welcome you to check this link.
