Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com

Daily SMB Cyber Intelligence Brief

SMB Cyber Daily: Microsoft 365 “consent” hijacks & ClickFix tricks — tighten login and staff checks

What small and medium-sized businesses should look out for today.

High Thursday 02 July 2026, 15:28 UK time
Today’s look-out: Cloud account takeover scams (Microsoft 365/Gmail) and ClickFix social engineering

What to look out for today

Today’s standout risk for SMEs is rapid cloud account takeover via convincing browser prompts and “approve access” (OAuth) consent screens — particularly targeting Microsoft 365 users, with similar tactics also being seen against Gmail/Google environments. In parallel, ClickFix-style scams continue: staff are tricked into copying/pasting or clicking through steps that “fix” a login or document issue but actually hand control to an attacker.

Why this matters to smaller businesses

  • Email takeover is business takeover: attackers can read invoices, change bank details in threads, create mailbox rules, and target your customers and suppliers.
  • MFA isn’t a silver bullet if staff are tricked into approving access or handing over session tokens.
  • Cloud-to-ransomware is a common path: once an attacker has email and credentials, they can reset passwords elsewhere, access files, and move into finance and admin systems.

Warning signs

  • Users report being asked to “Approve access”, “Grant permissions”, or “Consent to an app” unexpectedly when opening an email or document link.
  • Repeated prompts to re-authenticate to Microsoft 365, Teams, OneDrive or SharePoint that don’t look quite right.
  • Emails sent from staff accounts that feel “slightly off” (new tone, urgency, unusual attachments, or unusual payment requests).
  • New or unfamiliar inbox rules, forwarding settings, or “deleted items” activity.
  • Staff being told to copy/paste steps into the browser/terminal as a “quick fix”.

How attackers may exploit the situation

  • OAuth/consent theft: trick a user into granting a malicious app access, allowing access without repeatedly asking for the password.
  • Token/session hijack: steal sign-in tokens so the attacker can act as the user even if MFA exists.
  • ClickFix social engineering: prompt a user to run “fix” steps that actually give the attacker control or plant malware.
  • Follow-on fraud: use compromised mailboxes to change supplier bank details, divert invoices, or request gift cards/urgent payments.
  • Ransomware staging: use cloud access and stolen credentials to expand access to file stores or admin tools, increasing disruption risk.

What to do today

  • Message staff today: “Do not approve unexpected sign-in/consent prompts. If in doubt, stop and report.”
  • Review who can approve app access in Microsoft 365 (reduce or restrict user consent where possible) and remove unfamiliar app consents.
  • Check mailbox forwarding and inbox rules for key roles (finance, payroll, senior leadership, shared mailboxes).
  • Confirm your out-of-band payment process: any bank detail change must be verified using a known phone number, not email.
  • Reinforce reporting: make it easy for staff to report suspicious prompts and emails quickly.

Ask your IT provider

  • Can you restrict user OAuth/app consent in Microsoft 365 and implement an approval workflow?
  • Do we have monitoring/alerts for new OAuth grants, impossible travel, suspicious sign-ins, and new mailbox forwarding rules?
  • Are break-glass admin accounts protected and monitored, and do we enforce phishing-resistant MFA where practical?
  • What is our rapid response process if a user approves a malicious consent prompt (token revocation, password reset, mailbox rule cleanup, customer/supplier comms)?

Patch watch - only one short paragraph, and only if relevant

No specific patch item is the key issue today. This is primarily a social engineering and cloud configuration risk: focus on tightening Microsoft 365 consent controls, monitoring sign-ins, and reinforcing staff behaviour around unexpected prompts.

One action today

Send a short all-staff note: “If you see an unexpected Microsoft 365 ‘Approve access/Consent’ prompt or a ‘copy/paste to fix’ instruction, stop immediately and report it—do not approve or paste anything.”

Related Actions On Cyber resource

Actions On Cyber CTA: Microsoft 365 account takeover quick-check (mailbox rules, forwarding, app consents, sign-in review)

Sources

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.