Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com

Daily SMB Cyber Intelligence Brief

SMB Cyber Intelligence Brief: Microsoft 365 login spraying surge + phishing/BEC themes

What small and medium-sized businesses should look out for today.

High Wednesday 01 July 2026, 19:15 UK time
Today’s look-out: Cloud account takeover attempts (Microsoft 365) and phishing-led fraud

What to look out for today

A surge in automated login attempts against Microsoft 365 accounts is being reported, alongside continued “realistic” phishing and business email compromise (BEC) tactics that blend into normal workflows. Separately, banking-trojan campaigns continue to use convincing document lures (e.g., “broken/corrupt PDF” style prompts) to trick staff into taking risky actions.

Why this matters to smaller businesses

For many SMEs, Microsoft 365 is the front door to email, files and finance processes. If an attacker gets into just one mailbox, they can quietly monitor invoices, change bank details, reset other passwords, or trick customers and suppliers. These attacks are often high-volume and indiscriminate, which means smaller organisations are frequently hit simply because they exist.

Warning signs

  • Users report being locked out, prompted to re-sign in unexpectedly, or getting “unusual sign-in” alerts.
  • A spike in failed login notifications, or many sign-in attempts from unfamiliar locations/devices.
  • New inbox rules (e.g., auto-forwarding, auto-deleting, moving mail to RSS/Archive) that nobody set up.
  • Emails that pressure staff to open an attachment because the file is “corrupted” or “needs enabling”, especially around invoices, HR, or banking.
  • Supplier/customer emails that suddenly push for a payment change, urgent bank detail update, or “new accounts team” narrative.

How attackers may exploit the situation

  • Password spraying: trying common passwords across many Microsoft 365 accounts until one works.
  • Mailbox takeover → invoice fraud: once inside, attackers watch email threads and time a believable request for payment diversion.
  • Identity-led phishing: using trusted-looking messages and routine business processes to bypass “traditional” email security.
  • Document-lure malware: prompting a user to interact with a fake PDF/document flow that leads to credential theft or malware.

What to do today

  • Confirm MFA is enforced for all Microsoft 365 users (including shared accounts) and remove any legacy/weak sign-in methods where possible.
  • Review sign-in activity for the last 14 days: look for repeated failures, unfamiliar geographies, and new devices.
  • Check mailbox rules and forwarding for all finance and senior staff mailboxes (a common BEC target).
  • Re-brief staff (2 minutes): don’t trust “urgent bank detail changes”; verify via a known good phone number, not email.
  • Protect payments: add a simple “two-person check” for any change of payee/bank details or first-time payment.

Ask your IT provider

  • Can you show us which users don’t have MFA enforced and how quickly you can fix that?
  • What alerts are in place for password-spraying patterns, impossible travel, and high failed-login volumes?
  • Do we have controls to prevent/alert on auto-forwarding to external addresses and suspicious inbox rules?
  • How do you protect our finance workflows from BEC (e.g., monitoring for lookalike domains, suspicious reply-chain behaviour)?
  • If an account is suspected compromised, what is the containment checklist (disable sign-in, revoke sessions, reset passwords, check rules, notify affected parties)?

Patch watch - only one short paragraph, and only if relevant

No specific patch-driven issue is highlighted in today’s items. The priority today is identity security (MFA enforcement, sign-in monitoring, and mailbox rule/forwarding checks) because these attacks succeed even when devices are fully patched.

One action today

Today, check and enforce MFA for every Microsoft 365 user and immediately review mailbox rules/forwarding for finance and leadership accounts.

Related Actions On Cyber resource

Actions On Cyber checklist: Prevent invoice fraud (BEC) – payment change verification and mailbox rule checks

Sources

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.