What to look out for today
Keep an eye out for a spike in Microsoft 365 login scams that don’t “look” like a normal password phish (e.g. device-code / token-based sign-in prompts), which can lead to mailbox access, SharePoint file access and business email compromise (BEC).
Also note reporting of active exploitation attempts against a popular load balancer/traffic management product, and ongoing attacks against exposed enterprise business systems—both are reminders to confirm what internet-facing services your business (or your IT provider) is running.
Why this matters to smaller businesses
- Microsoft 365 is a single point of failure: if an attacker gets into one mailbox, they can read invoices, hijack payment conversations, and impersonate staff.
- BEC is operational disruption, not just “IT”: finance teams can be tricked into changing bank details or paying urgent “overdue” invoices.
- Internet-facing services are a business dependency: if a load balancer/VPN/edge device is compromised, it can become a fast route to ransomware or outage.
Warning signs
- Emails or Teams messages urging you to “verify”, “reconnect”, “fix your mailbox”, “approve sign-in” or complete a device code sign-in.
- A login page or prompt that looks legitimate, but the request is unusual (e.g. “enter this code on another site”, or “approve access” when you weren’t signing in).
- Unexpected MFA prompts or staff reporting “my phone keeps asking me to approve sign-ins”.
- Finance receives a bank detail change request mid-email thread, or a “new payment process” message that bypasses normal contacts.
- Users suddenly can’t access email/files, or you see unusual forwarding rules/auto-replies being created.
How attackers may exploit the situation
- Use phishing-as-a-service tooling aimed at Microsoft 365 to capture tokens or abuse sign-in flows, then maintain access without needing the password again.
- Once inside a mailbox, they monitor invoice traffic and send convincing payment diversion messages from the real account.
- Search SharePoint/OneDrive for contracts, supplier bank details, payroll and HR documents.
- Where businesses (or MSPs) run internet-facing infrastructure, attackers try known weaknesses to get a foothold, then pivot to internal systems.
What to do today
- Remind staff: never follow unexpected “reconnect/verify mailbox” prompts; report them to IT.
- Finance control check: re-confirm that any bank detail change requires an out-of-band verification (phone call to a known number, not the email).
- Microsoft 365 quick checks (ask IT/MSP to do this): look for suspicious inbox rules/forwarding, unusual sign-ins, and newly registered devices/sessions.
- Reduce blast radius: ensure shared mailboxes and finance mailboxes use strong MFA and have tight access lists.
- Know your edge: list what is exposed to the internet (load balancers, VPN, remote access portals) and who is responsible for monitoring and emergency changes.
Ask your IT provider
- Are we monitoring Microsoft 365 for impossible travel, risky sign-ins, mass downloads, suspicious inbox rules and forwarding?
- Do we have conditional access (or equivalent controls) to limit sign-ins by location/device, especially for finance/admin accounts?
- What is our rapid response plan if a mailbox is compromised (session revocation, reset, rule cleanup, supplier notification, payment hold)?
- Do we run (or depend on) Progress Kemp LoadMaster or similar edge appliances anywhere (including at our MSP/hosting provider)? If yes, what’s the status of mitigations and monitoring?
- Can you confirm we have an up-to-date inventory of internet-facing systems and who owns patching/maintenance for each?
Patch watch - only one short paragraph, and only if relevant
There are reports of active exploitation attempts against Progress Kemp LoadMaster, and separate reporting of ongoing attacks against exposed Oracle E-Business Suite instances. If you (or your hosting/MSP) run either, treat this as a priority to review exposure, vendor guidance and monitoring—especially for anything internet-facing.
One action today
Send a same-day message to all staff (especially finance) warning about Microsoft 365 “verify/reconnect” and device-code sign-in prompts, and reiterate that bank detail changes must be verified by phone using a known number.
Related Actions On Cyber resource
Actions On Cyber: Business Email Compromise (BEC) & invoice fraud checklist
Sources
- ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365 (Cisco Talos)
- Progress Kemp LoadMaster Pre-Auth RCE Flaw Faces Active Exploitation Attempts (The Hacker News)
- Over 900 Oracle E-Business instances exposed to ongoing attacks (BleepingComputer)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.