Unizen Blog

Why Microsoft 365 Security Needs to Move Beyond “We’ve Got 2FA”

Written by Shaun Randhawa | Jun 23, 2026 7:11:55 AM

The lock is still useful. The burglars have learned about windows.

For years, multi-factor authentication has been one of the simplest and most effective cybersecurity recommendations for growing businesses.

And to be clear, it still is.

If your business does not have MFA across email, cloud apps, remote access, admin accounts, and finance systems, that should be treated as a priority. It is one of those security basics that quietly does a lot of heavy lifting, a bit like locking the front door before going to bed. Not glamorous. Very sensible.

But here is the awkward bit.

Some attackers are no longer trying to steal the password and then beat MFA. They are trying to steal the logged-in session.

That changes the conversation for any organisation that relies heavily on Microsoft 365, which is most modern businesses. HR platforms, finance teams, healthcare providers, creative agencies, consultancies, asset managers, and people analytics firms all tend to live in Outlook, Teams, SharePoint, OneDrive, and cloud-based line-of-business apps.

When that environment is compromised, it is rarely “just an email issue”. It can become a data issue, a payment issue, a compliance issue, and a trust issue rather quickly.

What changed?

In May 2026, the FBI’s Internet Crime Complaint Center warned about a phishing-as-a-service platform called Kali365, designed to hijack Microsoft 365 access tokens. In plain English, this means attackers may be able to gain access to a Microsoft 365 account without needing to keep asking for the user’s password or MFA approval.

The technique uses legitimate Microsoft authentication flows in a misleading way. A user may be tricked into entering a code on a real Microsoft page, believing they are completing a normal sign-in or document access step. In the background, they are authorising an attacker’s device or session.

That is why these attacks are so uncomfortable. They do not always look like the old cartoon version of phishing, with bad spelling, suspicious logos, and a “kindly urgent prince” asking for help.

They can look tidy. Plausible. Familiar.

Microsoft’s own threat intelligence also reported that phishing remains enormous in scale. In Q1 2026, Microsoft detected around 8.3 billion email-based phishing threats, with QR code phishing and CAPTCHA-gated phishing both growing significantly during the quarter.

The point is not that every small or mid-sized business is about to be personally targeted by an elite attacker. That kind of thinking usually leads to either panic or shrugging.

The point is that the tools used by attackers are becoming easier to rent, easier to automate, and better at slipping around older assumptions.

Why business leaders should care

The uncomfortable truth is that Microsoft 365 is not just “email”.

It is where contracts are discussed. It is where invoices are sent. It is where board packs are shared. It is where HR conversations happen. It is where clinical notes, candidate data, campaign plans, payroll files, acquisition discussions, and customer information may pass through, depending on the business.

So when an attacker gets into a Microsoft 365 account, they are not just reading messages.

They may be able to:

  • Monitor conversations before acting
  • Create mail forwarding rules
  • Search OneDrive or SharePoint for sensitive files
  • Impersonate senior staff
  • Insert themselves into invoice or payment conversations
  • Access Teams chats and shared documents
  • Use a trusted account to phish other employees, suppliers, or clients

That last point is especially important. Once an attacker has access to a real mailbox, they are no longer standing outside the building wearing a fake badge. They are inside, using a real desk, sending messages from a real account, with all the awkward credibility that creates.

For an HR or people analytics company, this could expose employee data or commercially sensitive workforce insights.

For a private healthcare provider, it could affect patient trust and compliance obligations.

For a finance or asset management firm, it could create payment fraud, data leakage, or regulatory headaches.

For a creative agency, it could disrupt a launch, leak client work, or damage a hard-won relationship.

Different sectors, same underlying issue: the Microsoft 365 account has become a business-critical control point.

The problem is not MFA. It is treating MFA as the whole strategy.

MFA is still one of the best controls available. The danger is when leadership teams hear “MFA is enabled” and mentally file cybersecurity under “handled”.

That is a bit like saying your office is secure because the front door has a good lock, while nobody checks who has spare keys, which windows are open, whether the alarm works, or whether someone has propped open the back door because it was convenient on a Tuesday.

A stronger Microsoft 365 security posture looks at identity, devices, access, monitoring, email protection, and recovery together.

That may sound like a lot, but for a 20- to 150-user organisation it does not need to become a giant enterprise programme. It needs to become a sensible operating rhythm.

What good looks like now

The first step is making sure MFA is actually deployed properly.

That means it should cover all users, but especially administrators, finance users, senior leaders, and anyone with access to sensitive client, patient, employee, or financial data. Admin accounts should have stronger controls than standard users because they can do more damage when compromised.

The second step is reducing the ways attackers can bypass or abuse authentication flows.

For example, the FBI specifically recommends reviewing and restricting device code flow where it is not required. Many businesses will never have thought about this setting, because it sounds like the kind of thing that lives in a technical cupboard somewhere. Unfortunately, attackers are quite fond of technical cupboards.

This is exactly why managed cybersecurity services should include configuration review, not just tool installation.

The third step is conditional access.

Conditional access policies help decide when a login should be allowed, blocked, or challenged. A normal login from a managed company laptop in London during business hours may be treated differently from a login attempt from an unfamiliar location, unmanaged device, or unusual pattern of behaviour.

This is where Microsoft 365 security becomes less binary and more intelligent.
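To make the second and third steps concrete, here is a small model of how conditional access decisions are layered, written as an added example for this post rather than code from Unizen or from Microsoft. It is not Entra ID's policy engine or schema: the signal names (role, protocol, country, compliant_device) and the constructed allow-list for device code flow are assumptions chosen for illustration. In a real tenant the same decisions are expressed as Conditional Access policies, and device code flow is restricted through the policy's authentication flows condition.

```python
"""Toy model of layered conditional access decisions (added example).

Not Entra ID's policy engine or schema; the signal names and the
constructed exception list below are assumptions for illustration.
"""
from dataclasses import dataclass

ALLOW, CHALLENGE, BLOCK = "allow", "require_mfa", "block"
EXPECTED_COUNTRIES = {"GB"}                             # constructed: where staff normally sign in from
PRIVILEGED_ROLES = {"admin", "finance"}
DEVICE_CODE_ALLOWED = {"svc-meeting-room@example.com"}  # constructed: the one account that needs it


@dataclass(frozen=True)
class SignIn:
    user: str
    role: str              # "admin", "finance" or "user"
    protocol: str          # "browser", "deviceCode" or "legacy"
    country: str           # country of the source IP
    compliant_device: bool  # managed and compliant according to device management


def evaluate(s: SignIn) -> tuple[str, str]:
    """Return (decision, reason).

    Rules are ordered most restrictive first, so a sign-in that trips several
    rules receives the strongest outcome rather than the first one found.
    """
    if s.protocol == "legacy":
        return BLOCK, "legacy authentication cannot be challenged for MFA"
    if s.protocol == "deviceCode" and s.user not in DEVICE_CODE_ALLOWED:
        return BLOCK, "device code flow is not required for this account"
    if s.role in PRIVILEGED_ROLES and not s.compliant_device:
        return BLOCK, "privileged roles only from managed devices"
    if s.role in PRIVILEGED_ROLES:
        return CHALLENGE, "privileged roles always re-prove MFA"
    if s.country not in EXPECTED_COUNTRIES:
        return CHALLENGE, f"sign-in from unexpected country {s.country}"
    if not s.compliant_device:
        return CHALLENGE, "unmanaged device"
    return ALLOW, "compliant device from an expected location"


if __name__ == "__main__":
    samples = [  # constructed sign-ins
        SignIn("j.smith@example.com", "user", "browser", "GB", True),
        SignIn("j.smith@example.com", "user", "browser", "US", True),
        SignIn("a.lee@example.com", "finance", "browser", "GB", True),
        SignIn("a.lee@example.com", "finance", "deviceCode", "GB", False),
        SignIn("svc-meeting-room@example.com", "user", "deviceCode", "GB", False),
        SignIn("it-admin@example.com", "admin", "legacy", "GB", True),
    ]
    for s in samples:
        decision, why = evaluate(s)
        print(f"{s.user:32} {s.protocol:10} {s.country}  -> {decision:12} ({why})")
```

The ordering is the point: blocking device code flow and legacy authentication sits above every "challenge" rule, because an MFA prompt is no protection against a flow that never shows the user a prompt they would recognise as unusual.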

The fourth step is session visibility.

If an attacker has stolen a token or established a session, the business needs ways to spot suspicious activity. That includes monitoring unusual sign-ins, impossible travel, new inbox rules, suspicious OAuth app grants, unexpected file access, and changes to security settings.

A business does not need a director refreshing audit logs at midnight with a strong coffee and fading hope. It needs a managed process.
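The monitoring in the fourth step is easier to picture with the checks written out. The following is an added example, not code from Unizen or from Microsoft, run over hand-constructed records that only loosely follow the shape of Entra ID sign-in logs and the Exchange Online unified audit log; the simplified field names, the tenant domain example.com and the sample values are all assumptions for illustration. It flags four of the signals named above: impossible travel, device code flow sign-ins, new inbox rules that forward mail outside the tenant or delete it, and OAuth consent grants with mailbox or file permissions.

```python
"""Detection checks over constructed Microsoft 365-style log records (added example).

The records are constructed by hand; field names are simplified and are an
assumption for illustration, not the real log schema.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

INTERNAL_DOMAIN = "example.com"   # constructed tenant domain
MAX_PLAUSIBLE_KMH = 900.0         # faster than an airliner between two sign-ins
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "MailboxSettings.ReadWrite"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

SIGN_INS = [  # constructed sign-in events
    {"user": "j.smith@example.com", "time": "2026-06-01T08:02:00Z", "lat": 51.51, "lon": -0.13, "protocol": "browser"},
    {"user": "j.smith@example.com", "time": "2026-06-01T08:45:00Z", "lat": 40.71, "lon": -74.01, "protocol": "browser"},
    {"user": "a.lee@example.com", "time": "2026-06-01T09:10:00Z", "lat": 51.51, "lon": -0.13, "protocol": "deviceCode"},
    {"user": "m.jones@example.com", "time": "2026-06-01T09:30:00Z", "lat": 51.51, "lon": -0.13, "protocol": "browser"},
]

AUDIT_EVENTS = [  # constructed audit-log events
    {"user": "j.smith@example.com", "operation": "New-InboxRule",
     "params": {"ForwardTo": "archive@mail-collect.test", "DeleteMessage": True}},
    {"user": "a.lee@example.com", "operation": "Consent to application.",
     "params": {"app": "Mail Sync Helper", "scopes": ["Mail.Read", "offline_access"]}},
    {"user": "m.jones@example.com", "operation": "New-InboxRule",
     "params": {"MoveToFolder": "Newsletters"}},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(sign_ins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins by one user that would require implausible speed."""
    findings, by_user = [], {}
    for s in sign_ins:
        by_user.setdefault(s["user"], []).append(s)
    for user, events in by_user.items():
        events.sort(key=lambda e: parse_time(e["time"]))
        for a, b in zip(events, events[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = (parse_time(b["time"]) - parse_time(a["time"])).total_seconds() / 3600
            # ignore tiny distances (geo-IP jitter); same-minute long hops are still flagged
            if km > 50 and (hours == 0 or km / hours > max_kmh):
                findings.append((user, "impossible_travel", f"{km:.0f} km in {hours * 60:.0f} min"))
    return findings


def device_code_sign_ins(sign_ins):
    """Ordinary users rarely need device code flow, so every use is worth a look."""
    return [(s["user"], "device_code_flow", s["time"]) for s in sign_ins if s["protocol"] == "deviceCode"]


def suspicious_inbox_rules(events):
    """Rules that send mail outside the tenant or delete it are a common persistence sign."""
    findings = []
    for e in events:
        if e["operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = e["params"]
        external = [p[k] for k in FORWARD_KEYS if k in p and not p[k].lower().endswith("@" + INTERNAL_DOMAIN)]
        if external or p.get("DeleteMessage"):
            findings.append((e["user"], "suspicious_inbox_rule",
                             f"forward={external} delete={p.get('DeleteMessage', False)}"))
    return findings


def risky_consents(events):
    """OAuth grants with mailbox or file access outlive a password reset and need their own review."""
    findings = []
    for e in events:
        if e["operation"].startswith("Consent to application"):
            risky = RISKY_SCOPES.intersection(e["params"]["scopes"])
            if risky:
                findings.append((e["user"], "risky_oauth_consent", f"{e['params']['app']}: {sorted(risky)}"))
    return findings


def run_all(sign_ins=SIGN_INS, events=AUDIT_EVENTS):
    return (impossible_travel(sign_ins) + device_code_sign_ins(sign_ins)
            + suspicious_inbox_rules(events) + risky_consents(events))


if __name__ == "__main__":
    for user, kind, detail in run_all():
        print(f"{kind:22} {user:24} {detail}")
```

On the constructed data this reports four findings and correctly says nothing about m.jones, whose rule only files newsletters. Each check is a separate function so that a managed process can tune thresholds (the speed limit, the risky scope list) per tenant without touching the others.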

The fifth step is user education, but not the dull kind.

Staff need to understand what modern phishing looks like. QR codes, fake CAPTCHA pages, document-sharing lures, device codes, MFA fatigue, and “please review this secure file” emails are now part of the everyday threat landscape.

Training should be practical, short, repeated, and measured. People do not become safer because they watched one annual slideshow while eating a sandwich at their desk. They become safer when awareness becomes part of the working culture.

Practical business implications

For leadership teams, this issue creates a few immediate questions.

First, do you know which accounts would cause the most harm if compromised?

Most businesses have obvious high-risk users: directors, finance, HR, operations, clinical leads, IT admins, and anyone with broad access to client or employee data. Those accounts deserve extra attention.

Second, do you know whether your Microsoft 365 environment is configured securely?

Many organisations use Microsoft 365 every day but have never had a structured security review. Defaults change. Licences change. Staff join and leave. Permissions accumulate. Old devices remain trusted. Former employees may still have access through forgotten shared mailboxes or third-party apps.

Security drift is boring, which is precisely why it becomes dangerous.

Third, could you prove your controls are working?

This matters for cyber insurance, compliance, due diligence, and incident response. Saying “we think MFA is on” is not the same as having evidence of MFA coverage, access reviews, endpoint protection, backup testing, phishing training, and incident response readiness.

Fourth, would you know what to do if an account was compromised?

A good response plan should cover who investigates, who disables sessions, who checks forwarding rules, who reviews file access, who speaks to affected clients or regulators if needed, and how the business restores confidence.

During an incident, clarity is kindness. Panic is expensive.

The leadership takeaway

The best way to think about Microsoft 365 security in 2026 is this:

MFA is the beginning of good identity security, not the end of it.

Modern attackers are not always smashing through the wall. Sometimes they are persuading someone to open the side gate, borrowing a valid pass, and walking around quietly until they find something useful.

That means businesses need layered protection. Strong identity controls. Managed devices. Email security. Secure configuration. Monitoring. Human-risk testing. Recovery planning. Regular access reviews. A living technology risk register.

None of this needs to feel dramatic. In fact, the best security often feels calm.

You know what matters. You know what is exposed. You know what is being watched. You know what happens if something goes wrong.

That is the difference between having security tools and having security confidence.

If you are not sure whether your Microsoft 365 environment is properly protected against modern phishing and session-based attacks, book a black box assessment. It is a practical way to understand your current exposure, spot weak points, and decide what needs attention before an attacker does.

Sources used:
FBI IC3: Kali365 Phishing-as-a-Service Kit Hijacks Microsoft 365 Access Tokens
Microsoft Security: Email threat landscape: Q1 2026 trends and insights
NCSC: Cyber security advice for small to medium sized organisations