What to look out for today
Two practical risks to have on your radar today:
- Microsoft 365 phishing has become more “productised” via phishing-as-a-service toolkits that help criminals steal sign-in sessions and take over mailboxes.
- Business phone/UC platforms are being actively targeted as Cisco has confirmed attackers are exploiting a Unified Communications Manager (Unified CM) flaw. This can lead to disruption, call rerouting/abuse, or a foothold for wider compromise depending on how the system is connected.
Why this matters to smaller businesses
- Email takeover is a fast route to invoice fraud: attackers read existing threads, then request payment changes or send convincing “urgent” payment emails from a real mailbox.
- Microsoft 365 is a shared dependency across finance, HR, and customer comms. One compromised account can expose contacts, documents, and internal conversations.
- Phone systems are business-critical. Disruption can halt sales and support, while call abuse can create unexpected telecoms costs and reputational damage.
Warning signs
- Unexpected Microsoft 365 sign-in prompts, “session expired” messages, or repeated authentication requests.
- Emails asking staff to re-authenticate, “review a shared document”, or “listen to a voicemail” when they weren’t expecting it.
- Customers/suppliers reporting odd replies from your team, unusual tone, or new payment details.
- New mailbox rules (e.g., auto-forwarding, moving finance emails to archive, hiding responses).
- For voice/telecoms: unexpected call routing changes, unexplained outbound call spikes, complaints about calls going to the wrong place, or UC/phone admin accounts being locked out.
How attackers may exploit the situation
- Phishing-as-a-service platforms lower the bar: criminals can launch realistic Microsoft 365 login lures at scale, then reuse stolen access to enter mailboxes quickly.
- Once inside email, attackers commonly perform business email compromise (BEC): reading threads, targeting finance processes, and using trusted relationships to request payment changes.
- Where organisations run Unified Communications / business telephony, attackers may target exposed or mismanaged systems to disrupt operations, abuse calling, or pivot into connected networks.
What to do today
- Send a short staff warning: “Expect Microsoft 365 ‘re-login’ scams. Don’t approve unexpected sign-in prompts. If in doubt, report it.”
- Prioritise mailbox protection for finance and senior staff: confirm multi-factor authentication is enforced and that risky legacy sign-in methods are disabled where possible.
- Check for auto-forwarding and suspicious inbox rules in Microsoft 365—especially on shared mailboxes and finance accounts.
- Re-verify payment changes out-of-band (phone call to a known number, not the email signature). Make this non-negotiable for invoice/bank detail changes.
- For phone/UC systems: confirm who manages it (internal/telecoms provider/MSP), and ask for an urgent check that internet-facing management is locked down and monitoring is in place for unusual call patterns.
Ask your IT provider
- Are we currently seeing unusual Microsoft 365 sign-ins (new countries, impossible travel, atypical devices) and are alerts reviewed daily?
- Do we block mailbox auto-forwarding to external addresses and do we alert when new inbox rules are created?
- Are finance and admin accounts protected with strong MFA and tighter policies than standard users?
- Do we operate Cisco Unified CM (or manage it for us)? If yes, what’s our exposure and mitigation status, and what monitoring is in place for call abuse and admin changes?
Patch watch - only one short paragraph, and only if relevant
Cisco has confirmed active exploitation of a Cisco Unified CM vulnerability that was patched in early June. If your organisation (or your telecoms/MSP supplier) runs Cisco Unified CM, treat this as urgent: confirm patching/mitigations and review external exposure and logs for suspicious activity.
One action today
Send a same-day internal note: “Microsoft 365 re-login scams are circulating—don’t approve unexpected MFA prompts; report any ‘session expired’ login links immediately.”
Related Actions On Cyber resource
Actions On Cyber checklist: Payment change & invoice fraud (BEC) call-back verification process
Sources
- ARToken PhaaS exposes EvilTokens' Microsoft 365 phishing toolkit (BleepingComputer)
- Cisco finally confirms attackers exploiting Unified CM flaw (BleepingComputer)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.