What to look out for today
Today’s standout risk for SMEs is rapid cloud account takeover via convincing browser prompts and “approve access” (OAuth) consent screens — particularly targeting Microsoft 365 users, with similar tactics also being seen against Gmail/Google environments. In parallel, ClickFix-style scams continue: staff are tricked into copying/pasting or clicking through steps that “fix” a login or document issue but actually hand control to an attacker.
Why this matters to smaller businesses
- Email takeover is business takeover: attackers can read invoices, change bank details in threads, create mailbox rules, and target your customers and suppliers.
- MFA isn’t a silver bullet if staff are tricked into approving access or handing over session tokens.
- Cloud-to-ransomware is a common path: once an attacker has email and credentials, they can reset passwords elsewhere, access files, and move into finance and admin systems.
Warning signs
- Users report being asked to “Approve access”, “Grant permissions”, or “Consent to an app” unexpectedly when opening an email or document link.
- Repeated prompts to re-authenticate to Microsoft 365, Teams, OneDrive or SharePoint that don’t look quite right.
- Emails sent from staff accounts that feel “slightly off” (new tone, urgency, unusual attachments, or unusual payment requests).
- New or unfamiliar inbox rules, forwarding settings, or “deleted items” activity.
- Staff being told to copy/paste steps into the browser/terminal as a “quick fix”.
How attackers may exploit the situation
- OAuth/consent theft: trick a user into granting a malicious app access, allowing access without repeatedly asking for the password.
- Token/session hijack: steal sign-in tokens so the attacker can act as the user even if MFA exists.
- ClickFix social engineering: prompt a user to run “fix” steps that actually give the attacker control or plant malware.
- Follow-on fraud: use compromised mailboxes to change supplier bank details, divert invoices, or request gift cards/urgent payments.
- Ransomware staging: use cloud access and stolen credentials to expand access to file stores or admin tools, increasing disruption risk.
What to do today
- Message staff today: “Do not approve unexpected sign-in/consent prompts. If in doubt, stop and report.”
- Review who can approve app access in Microsoft 365 (reduce or restrict user consent where possible) and remove unfamiliar app consents.
- Check mailbox forwarding and inbox rules for key roles (finance, payroll, senior leadership, shared mailboxes).
- Confirm your out-of-band payment process: any bank detail change must be verified using a known phone number, not email.
- Reinforce reporting: make it easy for staff to report suspicious prompts and emails quickly.
Ask your IT provider
- Can you restrict user OAuth/app consent in Microsoft 365 and implement an approval workflow?
- Do we have monitoring/alerts for new OAuth grants, impossible travel, suspicious sign-ins, and new mailbox forwarding rules?
- Are break-glass admin accounts protected and monitored, and do we enforce phishing-resistant MFA where practical?
- What is our rapid response process if a user approves a malicious consent prompt (token revocation, password reset, mailbox rule cleanup, customer/supplier comms)?
Patch watch - only one short paragraph, and only if relevant
No specific patch item is the key issue today. This is primarily a social engineering and cloud configuration risk: focus on tightening Microsoft 365 consent controls, monitoring sign-ins, and reinforcing staff behaviour around unexpected prompts.
One action today
Send a short all-staff note: “If you see an unexpected Microsoft 365 ‘Approve access/Consent’ prompt or a ‘copy/paste to fix’ instruction, stop immediately and report it—do not approve or paste anything.”
Related Actions On Cyber resource
Actions On Cyber CTA: Microsoft 365 account takeover quick-check (mailbox rules, forwarding, app consents, sign-in review)
Sources
- ConsentFix and ClickFix: How Microsoft 365 Accounts are Hijacked in 3 Seconds (BleepingComputer)
- Opera rolls out Paste Protect feature to fight ClickFix attacks (BleepingComputer)
- ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API (The Hacker News)
- AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack (The Hacker News)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.