Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com

Daily SMB Cyber Intelligence Brief

SMB Cyber Intelligence Brief: Microsoft 365 account attacks and new phishing tricks to brief staff on today

What small and medium-sized businesses should look out for today.

High Wednesday 01 July 2026, 11:48 UK time
Today’s look-out: Cloud account takeover attempts (Microsoft 365/Azure) + evolving phishing lures (device-code, AI “phantom” domains, ClickFix)

What to look out for today

Today’s main risk for SMEs is cloud account takeover, especially around Microsoft 365 and Azure. Several strands are converging:

  • Password spraying against Microsoft/Azure sign-ins (lots of login attempts across many accounts).
  • Token/device-code phishing designed to bypass normal login protections by tricking a user into approving access.
  • “ClickFix” style scams that persuade staff to copy/paste or run “verification” steps that actually install malware.
  • Phantom squatting: phishing sites hosted on domains that AI tools may mistakenly “invent” and users may trust if they came from an AI answer.

Why this matters to smaller businesses

For many SMEs, Microsoft 365 is the front door (email, SharePoint/OneDrive, Teams, invoices, customer files). If an attacker gets in, they can:

  • Steal data and contact lists, then run convincing invoice and payment diversion fraud.
  • Send phishing from a real mailbox, increasing the chance suppliers/customers will trust it.
  • Create forwarding rules, new OAuth/app access, or persistence that survives password changes.
  • Disrupt work by locking staff out or deleting files—often a precursor to wider compromise and ransomware.

Warning signs

  • Users report repeated sign-in prompts, MFA prompts they didn’t trigger, or “new device signed in” alerts.
  • A login page or security prompt asks for a device code or instructs the user to “approve access” unexpectedly.
  • Emails/IMs telling staff to “fix” an issue by copying commands, running scripts, or completing a fake “I’m not a robot” check.
  • Links to unfamiliar domains that look plausible, especially if someone says “I got this address from an AI tool.”
  • Sudden changes to bank details requests, new payment instructions, or “urgent” invoice follow-ups.

How attackers may exploit the situation

  • Password spraying targets weak/reused passwords across many accounts to find the few that work.
  • Device-code/token phishing tricks a user into granting access that can sidestep some traditional login defences.
  • ClickFix relies on social engineering: the victim performs the harmful action themselves, so it can bypass some technical controls.
  • Phantom squatting leverages AI mistakes: attackers register “made-up” domains and use them to host believable phishing pages.

What to do today

  • Send a 2-minute staff note: never copy/paste “verification” steps, never approve unexpected sign-in/MFA prompts, and treat device-code requests as suspicious unless initiated by the user.
  • Check Microsoft 365 sign-in activity for spikes, unusual locations, and repeated failures across multiple accounts.
  • Prioritise protection for finance and admin accounts (strong MFA, tighter conditional access, extra monitoring).
  • Review mailbox rules and forwarding for finance and senior leaders (attackers often add hidden forwarding for invoices and deal emails).
  • Re-confirm payment change process: call-back on known numbers, no bank detail changes accepted purely by email.

Ask your IT provider

  • Are we monitoring for password spray patterns and unusual sign-in behaviour across Microsoft 365/Azure?
  • Do we have controls to reduce token/device-code phishing risk (and can you explain what happens if a user approves a malicious prompt)?
  • How quickly would you detect and remove malicious inbox rules/forwarding and any suspicious “app access” to Microsoft 365?
  • What is our agreed incident playbook if a mailbox is compromised (containment steps, comms to customers/suppliers, evidence, recovery)?

Patch watch - only one short paragraph, and only if relevant

No specific patch action is the main story today. This is primarily a credential and social-engineering problem: focus on sign-in monitoring, MFA discipline, and staff coaching to refuse unexpected prompts and “copy/paste to fix” instructions.

One action today

Send a short internal alert: “Do not approve unexpected Microsoft sign-in/MFA prompts or any device-code request; never copy/paste ‘verification’ steps from emails/web pages—report to IT immediately.”

Related Actions On Cyber resource

Actions On Cyber CTA: Microsoft 365 account takeover quick-check (sign-ins, inbox rules, forwarding, and payment-change safety)

Sources

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.