Microsoft 365 and Invoice Phishing Is Getting Nasty in 2026

Why normal “business as usual” emails are now your biggest risk, and what PCRepair.us does to shut it down.

Phishing used to be loud. Bad grammar, weird links, Nigerian princes, you know the vibes.

Now it’s sneaky. The most successful attacks are dressed up like totally normal workflow: a SharePoint file share, a OneDrive “someone sent you a document,” a Teams message from “IT,” or a QuickBooks invoice that looks routine until you notice a phone number that is actually a trap. Microsoft has been tracking large waves of these campaigns, including ones that spoof domains through routing tricks and misconfigurations, and ones tied to phishing platforms like Tycoon2FA.

What the scam looks like right now

These are the patterns we’re seeing most often:

1) “Document share” bait (SharePoint or OneDrive)

You get a real-looking email that says a file has been shared with you, needs your review, or needs permissions. The link goes to a convincing Microsoft 365 sign-in flow designed to steal your credentials or session tokens. Mail security folks have been calling this a “trust wrapper” problem because attackers abuse brands and platforms people already trust.

2) “You have a QuickBooks invoice” and the phone number trap

The email is designed to get you to call a number, not click a link. The “support agent” then pushes you into a payment scam or remote access session. Intuit has warned about fake QuickBooks invoice scams and what official Intuit communication should look like.

3) Teams social engineering: “Hi, this is IT”

This one is spicy because it hits when people are already busy. A message arrives in Teams from an external contact pretending to be helpdesk, security, or Microsoft support. Some scams then push the user into built-in remote assistance tools. Researchers and incident writeups have been calling out Teams as a social engineering channel because it feels more “internal” than email.

Why these attacks work (even on smart people)

Attackers have gotten good at three things:

They borrow trust instead of faking it

Instead of “CLICK THIS TOTALLY LEGIT LINK,” they imitate everyday tools you already use. SharePoint, OneDrive, Teams, DocuSign-style workflows. Your brain goes “ugh, another doc to review” and tries to clear the notification. That reflex is the vulnerability.

They use phishing toolkits that bypass basic defenses

Microsoft has documented large-scale phishing activity that uses complex routing and misconfigurations to spoof domains, plus high-volume phishing operations tied to platforms like Tycoon2FA. In other words: it’s industrial now, not some lone guy in a basement.

They aim for the payday: Business Email Compromise

Once an email account is compromised, criminals try to redirect payments, request W-2s or payroll data, or push fake vendor bank changes. The FBI calls Business Email Compromise (BEC) one of the most financially damaging online crimes, and IC3 has repeatedly warned about the scale of the scam.

And yes, there are “phishing-as-a-service” operations that make this easy for criminals at scale. Reuters covered Microsoft’s disruption of a subscription phishing service tied to thousands of compromised accounts.

The scary part: it does not stop at “oops, I clicked”

A single successful login can cascade fast: mailbox rules that hide replies, forwarded email to the attacker, stolen contact lists, fake invoices sent from your real account, and data pulled from OneDrive or SharePoint.

That’s why “I changed my password and I’m fine” is often wishful thinking. The attacker’s goal is persistence and profit, not just one login.


What to do if you suspect you got hit (fast, practical, minimal)

This is the 3-step “stop the bleeding” move:

  1. Do not call the phone number in the email. If it claims to be a vendor, use a known-good number from your real vendor portal, past invoices, or your saved contacts. Intuit explicitly calls out how scams rely on getting you to interact outside the real platform.
  2. Assume your account may be compromised until proven otherwise. Especially if you entered credentials into a page you reached from an email link. Microsoft’s own reporting shows how large and persistent these campaigns are.
  3. Get a pro to check the account, endpoint, and mail rules. This is where DIY usually fails, because the “damage” is often hidden in mailbox settings, OAuth consent, forwarding rules, or secondary access paths.
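
One way to triage the mail rules from step 3, as an added example (not PCRepair.us tooling or code from the original post). It assumes the inbox rules were already exported as a list of records using Exchange Online Get-InboxRule property names with plain SMTP addresses; the domain list, folder list, keyword list and sample rules are constructed.

```python
# Added example: flag inbox rules that forward mail out or hide replies.
# Keys mirror Get-InboxRule properties; the export shape is an assumption.
ORG_DOMAINS = {"example.com"}  # assumption: your own accepted domains
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "archive", "junk email", "deleted items"}
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "ach", "remittance"}

def external(addresses):
    """Return the addresses whose domain is not one of ours."""
    return [a for a in addresses or []
            if a.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS]

def triage_rule(rule):
    """Return the reasons a rule deserves a human look (empty if none)."""
    reasons = []
    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        ext = external(rule.get(field))
        if ext:
            reasons.append(f"{field} leaves the org: {', '.join(ext)}")
    hides = bool(rule.get("DeleteMessage")) or \
        (rule.get("MoveToFolder") or "").lower() in HIDE_FOLDERS
    if hides:
        reasons.append("hides matching mail (delete or rarely-opened folder)")
        words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords") or []}
        hit = sorted(words & FINANCE_WORDS)
        if hit:
            reasons.append(f"targets payment mail: {', '.join(hit)}")
    if not (rule.get("Name") or "").strip(". "):
        reasons.append("blank or punctuation-only rule name")
    return reasons

SAMPLE_RULES = [  # constructed sample export
    {"Name": "Newsletters", "MoveToFolder": "Newsletters"},
    {"Name": "..", "SubjectOrBodyContainsWords": ["Invoice", "payment"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Name": "sync", "ForwardTo": ["backup.mailbox@mail-relay.example.net"]},
    {"Name": "Team copy", "ForwardTo": ["ap@example.com"]},
]

def triage(rules):
    """Map rule name -> findings, keeping only rules with findings."""
    return {r["Name"]: f for r in rules if (f := triage_rule(r))}

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_RULES).items():
        print(f"[!] rule {name!r}")
        for finding in findings:
            print("    -", finding)
```

A finding is a prompt for review, not proof of compromise: some users legitimately forward mail, so confirm each flagged rule with the mailbox owner before removing it.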

How PCRepair.us shuts this down for customers

When you hire us, the goal is simple: you get back to work while we make the problem boring again.

Typical hardening and cleanup includes:

  • Email account compromise checks: suspicious sign-ins, forwarding rules, mailbox rules, delegated access, and risky OAuth app connections
  • Microsoft 365 security tuning: MFA enforcement, safer sign-in policies, and reducing the “trust wrapper” attack surface
  • Invoice fraud defenses: verification workflows for payment changes, vendor validation, and internal “two-person rule” for banking updates
  • Endpoint cleanup and validation: we verify the PC is not the foothold, and we confirm security software is actually doing its job
  • User-targeted training that is not cringe: short, real examples based on what your staff is actually seeing

If you run a small business, this is exactly the kind of problem that turns into expensive chaos if you wait. BEC scams are designed to turn one rushed click into a wire transfer.


Want us to sanity-check a suspicious email or invoice?

If something feels off, it probably is. The modern scams look professional on purpose.

PCRepair.us offers remote support for home users and small businesses. If you think you clicked, called, or typed credentials into something sketchy, contact us and we’ll help you figure out what actually happened and what needs to be locked down.