Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com

Daily SMB Cyber Intelligence Brief

Daily SMB Cyber Intelligence Brief — Microsoft 365 token-phishing & account takeover risks

What small and medium-sized businesses should look out for today.

High Wednesday 01 July 2026, 16:12 UK time
Today’s look-out: Microsoft 365 account takeover and payment diversion scams

What to look out for today

Keep an eye out for a spike in Microsoft 365 login scams that don’t “look” like a normal password phish (e.g. device-code / token-based sign-in prompts), which can lead to mailbox access, SharePoint file access and business email compromise (BEC).

Also note reporting of active exploitation attempts against a popular load balancer/traffic management product, and ongoing attacks against exposed enterprise business systems—both are reminders to confirm what internet-facing services your business (or your IT provider) is running.

Why this matters to smaller businesses

  • Microsoft 365 is a single point of failure: if an attacker gets into one mailbox, they can read invoices, hijack payment conversations, and impersonate staff.
  • BEC is operational disruption, not just “IT”: finance teams can be tricked into changing bank details or paying urgent “overdue” invoices.
  • Internet-facing services are a business dependency: if a load balancer/VPN/edge device is compromised, it can become a fast route to ransomware or outage.

Warning signs

  • Emails or Teams messages urging you to “verify”, “reconnect”, “fix your mailbox”, “approve sign-in” or complete a device code sign-in.
  • A login page or prompt that looks legitimate, but the request is unusual (e.g. “enter this code on another site”, or “approve access” when you weren’t signing in).
  • Unexpected MFA prompts or staff reporting “my phone keeps asking me to approve sign-ins”.
  • Finance receives a bank detail change request mid-email thread, or a “new payment process” message that bypasses normal contacts.
  • Users suddenly can’t access email/files, or you see unusual forwarding rules/auto-replies being created.

How attackers may exploit the situation

  • Use phishing-as-a-service tooling aimed at Microsoft 365 to capture tokens or abuse sign-in flows, then maintain access without needing the password again.
  • Once inside a mailbox, they monitor invoice traffic and send convincing payment diversion messages from the real account.
  • Search SharePoint/OneDrive for contracts, supplier bank details, payroll and HR documents.
  • Where businesses (or MSPs) run internet-facing infrastructure, attackers try known weaknesses to get a foothold, then pivot to internal systems.

What to do today

  • Remind staff: never follow unexpected “reconnect/verify mailbox” prompts; report them to IT.
  • Finance control check: re-confirm that any bank detail change requires an out-of-band verification (phone call to a known number, not the email).
  • Microsoft 365 quick checks (ask IT/MSP to do this): look for suspicious inbox rules/forwarding, unusual sign-ins, and newly registered devices/sessions.
  • Reduce blast radius: ensure shared mailboxes and finance mailboxes use strong MFA and have tight access lists.
  • Know your edge: list what is exposed to the internet (load balancers, VPN, remote access portals) and who is responsible for monitoring and emergency changes.

Ask your IT provider

  • Are we monitoring Microsoft 365 for impossible travel, risky sign-ins, mass downloads, suspicious inbox rules and forwarding?
  • Do we have conditional access (or equivalent controls) to limit sign-ins by location/device, especially for finance/admin accounts?
  • What is our rapid response plan if a mailbox is compromised (session revocation, reset, rule cleanup, supplier notification, payment hold)?
  • Do we run (or depend on) Progress Kemp LoadMaster or similar edge appliances anywhere (including at our MSP/hosting provider)? If yes, what’s the status of mitigations and monitoring?
  • Can you confirm we have an up-to-date inventory of internet-facing systems and who owns patching/maintenance for each?

Patch watch - only one short paragraph, and only if relevant

There are reports of active exploitation attempts against Progress Kemp LoadMaster, and separate reporting of ongoing attacks against exposed Oracle E-Business Suite instances. If you (or your hosting/MSP) run either, treat this as a priority to review exposure, vendor guidance and monitoring—especially for anything internet-facing.

One action today

Send a same-day message to all staff (especially finance) warning about Microsoft 365 “verify/reconnect” and device-code sign-in prompts, and reiterate that bank detail changes must be verified by phone using a known number.

Related Actions On Cyber resource

Actions On Cyber: Business Email Compromise (BEC) & invoice fraud checklist

Sources

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.