Table of Contents
- Are Trusted Platforms Like Microsoft, Zoom, and Amazon Being Used to Scam Your Business?
- When Trusted Platforms Become Attack Vectors: The Rise of SaaS-Based Telephone Fraud
- Why This Tactic Works So Well
- Three Attack Methods in Practice
- Method 1: SaaS Profile Field Abuse (Zoom, PayPal, YouTube)
- Method 2: Microsoft Workflow Abuse (Power BI & Entra ID)
- Method 3: Amazon Business Invitation Abuse
- Who Is Being Targeted
- What This Means for Your Security Posture
Are Trusted Platforms Like Microsoft, Zoom, and Amazon Being Used to Scam Your Business?
When Trusted Platforms Become Attack Vectors: The Rise of SaaS-Based Telephone Fraud
Cybercriminals no longer need to build fake websites or spoof email domains. A large-scale campaign documented by Check Point Research in early February 2026 shows that attackers are now weaponizing the notification systems of platforms your employees trust every day — Microsoft, Zoom, Amazon, PayPal, YouTube, and Malwarebytes — to deliver phone-based fraud at industrial scale.
The campaign produced approximately 133,260 phishing emails and directly impacted 20,049 organizations worldwide. Over the most recent three-month observation window alone, more than 460,000 such emails were recorded, indicating a well-resourced, scalable operation.
Why This Tactic Works So Well
The core strength of this approach is authenticity by proxy. Attackers do not break into these platforms. Instead, they exploit user-controllable fields — account names, profile attributes, invitation messages — to insert fraudulent content that the platform then renders into its own system-generated emails.
Because the emails originate from the legitimate platform's own mail infrastructure, they pass every standard sender authentication check: SPF, DKIM and DMARC, with a valid ARC chain where intermediaries add one. Filters that gate on sender authentication or domain reputation therefore have no technical grounds to flag them, and to a recipient the message is indistinguishable from a routine service notification. Only the content is wrong.
The final goal is not a malicious link. It is a phone call. Victims are directed to contact a fake support number, moving the attack entirely into voice-based social engineering — a channel that URL scanners and sandboxing tools cannot reach.
Three Attack Methods in Practice
Method 1: SaaS Profile Field Abuse (Zoom, PayPal, YouTube)
Attackers create or modify accounts on platforms that render user-defined fields directly into notification emails. They populate fields such as the account name or billing profile with a fabricated urgent message (a fake subscription charge, an account suspension warning) alongside a fraudulent support number.
The platform then generates and sends the email on the attacker's behalf, with its own branding and from its own domain. The platform's notification and invitation logic delivers the message to every recipient the attacker specifies, so the campaign scales without an attacker-controlled mail server at any stage.
Method 2: Microsoft Workflow Abuse (Power BI & Entra ID)
Here, attackers establish or take over a legitimate Microsoft tenant. They configure services that trigger automated notifications — such as Entra ID identity alerts or Power BI subscription emails — and embed scam content into the user-controlled fields within those workflows.
Microsoft’s own infrastructure generates and delivers fully authenticated emails containing the fraudulent messaging. Recipients see an email that looks exactly like a standard Microsoft service communication and are prompted to call a number to “resolve” an account or billing issue.
Method 3: Amazon Business Invitation Abuse
Amazon’s “Invite User” feature allows senders to include custom messages in invitation emails. Attackers insert fabricated fee warnings and fake support phone numbers directly into these invitation fields.
Amazon SES delivers the message. The result is an email that passes all authentication checks and carries Amazon’s full visual credibility — without the attacker ever needing their own mail infrastructure.
Who Is Being Targeted
The sectors most affected reflect where high-volume, routine SaaS notifications are a normal part of daily operations:
- Technology / SaaS / IT — 26.8%
- Manufacturing, Engineering & Construction — 21.4%
- Business / B2B Trade — 18.9%
Geographically, the United States bears the heaviest burden at 66.9% of targeted organizations, followed by Europe at 17.8%, Asia-Pacific at 9.2%, Canada at 4.1%, Latin America at 2.6%, and Middle East & Africa at 1.4%.
What This Means for Your Security Posture
The key lesson from this campaign is that authenticated email is no longer synonymous with safe email. If your organization’s threat detection relies solely on checking whether an email came from a legitimate server, this class of attack will pass through cleanly every time.
Defenders need to shift toward contextual analysis: evaluating whether an email's content is consistent with the relationship and communication norms of the sending platform, and treating a clean authentication result as a fact about the sender, not a verdict on the message. Specifically, this means:
- Training employees to treat any email urging them to call a phone number as a high-suspicion event, regardless of sender reputation
- Reviewing how SaaS platforms used within your organization handle user-controlled fields in notification emails
- Flagging emails containing unsolicited billing alerts, subscription warnings, or account suspension notices that reference phone support — particularly from platforms that typically handle such matters through in-app interfaces
- Applying zero-trust principles to all inbound communications, even those from enterprise-grade cloud providers
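The contextual rule described above, written out as an added example that is not part of the Check Point report or of this article: three constructed sample messages are parsed with Python's standard email library, the Authentication-Results header is recorded but does not decide the verdict, and a message from a watched platform domain is flagged when it pairs billing or account-state urgency with a callback phone number. The phone pattern, the urgency vocabulary, the watched sender list and the 555-01xx reserved test numbers are assumptions chosen for the demonstration, not values from the campaign.

```python
"""Contextual triage of SaaS notification mail that passes SPF/DKIM/DMARC.

Constructed example: the authentication result is reported but does not
decide the verdict. A platform notification that pairs billing/account
urgency with a callback phone number is flagged either way.
"""
import re
from email import message_from_bytes, policy, utils
from email.message import EmailMessage

# Loose North American phone pattern: +1 (800) 555-0199, 1-800-555-0142, 800 555 0199.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Billing / account-state language typical of callback lures (assumed list).
URGENCY_TERMS = (
    "suspend", "charged", "charge of", "invoice", "renewal", "subscription",
    "unauthorized", "cancel", "refund", "within 24 hours",
)

# Sending domains of the platforms named in the article; assumed scope for the rule.
WATCHED_SENDERS = {
    "zoom.us", "paypal.com", "youtube.com", "microsoft.com",
    "amazon.com", "amazonses.com", "malwarebytes.com",
}


def auth_results_pass(msg) -> bool:
    """True when the MTA's Authentication-Results reports spf, dkim and dmarc all pass."""
    joined = " ".join(str(h) for h in msg.get_all("Authentication-Results", [])).lower()
    return all(f"{mech}=pass" in joined for mech in ("spf", "dkim", "dmarc"))


def sender_domain(msg) -> str:
    """Domain of the RFC 5322 From address, lower-cased."""
    _, addr = utils.parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Score one raw message; 'callback_lure' is computed independently of 'authenticated'."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = "\n".join([
        str(msg.get("From", "")),        # display names are user-controlled fields too
        str(msg.get("Subject", "")),
        body.get_content() if body else "",
    ]).lower()
    domain = sender_domain(msg)
    watched = any(domain == d or domain.endswith("." + d) for d in WATCHED_SENDERS)
    phones = sorted({m.group(0) for m in PHONE_RE.finditer(text)})
    urgency = [t for t in URGENCY_TERMS if t in text]
    return {
        "sender_domain": domain,
        "authenticated": auth_results_pass(msg),
        "phones": phones,
        "urgency": urgency,
        # Contextual verdict: trusted platform + callback number + billing urgency.
        "callback_lure": bool(watched and phones and urgency),
    }


def make_sample(sender: str, subject: str, body: str, auth: str) -> bytes:
    """Build a constructed sample as the receiving MTA would hand it to a filter."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "ap-team@example.com"
    m["Subject"] = subject
    m["Authentication-Results"] = auth
    m.set_content(body)
    return m.as_bytes()


AUTH_PASS = ("mx.example.com; spf=pass smtp.mailfrom=zoom.us; "
             "dkim=pass header.d=zoom.us; dmarc=pass header.from=zoom.us")
AUTH_FAIL = ("mx.example.com; spf=fail smtp.mailfrom=paypal.com; "
             "dkim=none; dmarc=fail header.from=paypal.com")

# All three messages are constructed for this example (555-01xx are reserved test numbers).
SAMPLES = {
    # Authenticated platform mail carrying a callback lure: the case the article describes.
    "renewal_lure": make_sample(
        '"Zoom" <no-reply@zoom.us>',
        "Receipt: Zoom Pro annual renewal charged $499.99",
        "Your Zoom subscription was renewed and your card was charged $499.99.\n"
        "If you did not authorize this charge, call our billing desk at "
        "+1 (800) 555-0199 within 24 hours to request a refund.",
        AUTH_PASS,
    ),
    # Benign notification whose meeting ID looks like a phone number: must not be flagged.
    "meeting_reminder": make_sample(
        '"Zoom" <no-reply@zoom.us>',
        "Reminder: Weekly sync starts in 15 minutes",
        "Join via the link in your calendar invitation. Meeting ID: 123 456 7890",
        AUTH_PASS,
    ),
    # Classic spoof that fails authentication: the rule flags it on content alone.
    "spoofed_suspension": make_sample(
        '"PayPal" <service@paypal.com>',
        "Your account has been suspended",
        "Unusual activity was detected. Call 1-800-555-0142 to restore access.",
        AUTH_FAIL,
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

Two design points matter here. First, the verdict never consults the authentication result, so the renewal lure is flagged even though SPF, DKIM and DMARC all pass, while the spoof is flagged for the same reason rather than only because it failed DMARC. Second, a phone number alone cannot be the trigger: Zoom reminders legitimately carry meeting IDs and dial-in numbers, which is why the reminder with a phone-shaped meeting ID is left alone and the rule also requires billing or account-state language from a watched platform. In production the loose phone pattern and the short vocabulary would be tightened, and a list of each vendor's genuine support numbers would let the rule downgrade matches against them.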
The shift from link-based to call-based delivery is a deliberate evasion of the technical controls most organizations have invested in. Addressing it requires combining technical filtering with informed, security-aware people on the receiving end.