The scenario
A facilities-management contractor in Utrecht receives an internal-looking email Friday 16:38 with a SharePoint-styled banner: 'Quotation_Q2_2026.pdf — opened by your colleague Eric'. The link goes to a Microsoft-branded login page that, by every visible cue, is the genuine M365 sign-in: lock icon, Microsoft-styled UX, even a 'this is a real Microsoft sign-in' security note. The page is, in fact, a reverse proxy running Evilginx — every keystroke and every TOTP code is being relayed in real time to the real Microsoft endpoint while the attacker's server harvests the resulting session cookie. The contractor signs in, mistakes the cookie hand-off for a slow page load, then closes the tab when the page does not advance. Within forty seconds the attacker is signed in from a Russian IP using the stolen session cookie, has registered a new authenticator app, has created an inbox rule auto-forwarding every email containing 'IBAN' or 'wire' to an external address, and has dropped an OAuth app called 'Microsoft Document Sync' with mail.read scope. None of this fires the MFA prompt on the contractor's phone because the session is already established. By Monday morning the attacker has quietly extracted six months of finance correspondence and pivoted to two suppliers using the contractor's compromised mailbox. Defence detection time: 17 days, when finance asks why a recurring invoice was rerouted.
How the attack works
Modern M365 phishing has four dominant variants in 2026. First and most damaging is Adversary-in-the-Middle (AiTM) credential and session theft using off-the-shelf reverse-proxy kits like Evilginx 3.x and EvilProxy commercial services. These render the real Microsoft sign-in page through a proxy hop on the attacker's domain, relay credentials and MFA codes in real time, and steal the resulting session cookies for replay. TOTP and push-based MFA are completely bypassed because the attacker has the user's authenticated session, not their credentials alone. Second is OAuth consent phishing (covered fully in its own module) — the attacker tricks the user into granting an attacker-controlled enterprise application a mail.read or full-tenant scope. Third is MFA fatigue / push-bombing: the attacker has the password (from a separate breach or AiTM run) and floods the user with push prompts at inconvenient hours until they tap 'approve' to make it stop. Fourth is token-replay via stolen refresh tokens from compromised endpoints — a less common but very high-impact variant seen in Storm-0558 and Midnight Blizzard. MITRE ATT&CK techniques: T1539 (Steal Web Session Cookie), T1566.002 (Spearphishing Link), T1621 (Multi-Factor Authentication Request Generation), T1606.002 (Forge Web Credentials: SAML Tokens), T1098.001 (Account Manipulation: Additional Cloud Credentials). The defensive playbook is identity-first: phishing-resistant MFA (FIDO2 / passkeys), conditional-access policies that bind sessions to compliant devices and known geos, continuous-access evaluation, OAuth consent restrictions, and mailbox-rule and OAuth-grant monitoring.
What to watch for
- Microsoft login pages whose URL is anything other than login.microsoftonline.com, login.live.com, account.microsoft.com, or your tenant's federated IdP — even one extra subdomain or character is suspect
- MFA prompts you did not initiate — push notifications, phone calls, or TOTP attempts on your authenticator app while you are not signing in
- Inbox rules in your account that you did not create — especially rules with 'mark as read', 'forward to external address', or 'move to RSS Feeds folder'
- Unfamiliar third-party apps in your 'My applications' (https://myapps.microsoft.com) or under tenant 'Enterprise applications' that you do not recognise
- Sign-in alerts from new countries, anonymous-proxy infrastructure, or 'unfamiliar location' messages — even if you dismiss the alert
- OneDrive / SharePoint sharing links to files you do not recognise, especially with .htm or .html extensions
- Emails appearing to be from Microsoft itself with a 'review unusual sign-in' link — verify by going directly to https://account.microsoft.com
- Voice or SMS follow-up shortly after dismissing a suspicious M365 sign-in alert — coordinated multi-channel pretexts
What to do
- Reject every MFA prompt you did not initiate — and then change your password from a known-clean device: an unsolicited prompt means the attacker has your password. Rejecting alone is not enough; the password must rotate immediately.
- Always confirm the URL is on a legitimate Microsoft domain BEFORE entering credentials: login.microsoftonline.com, login.live.com, account.microsoft.com, or your tenant's known federated IdP. Bookmark it and use the bookmark.
- Review your inbox rules, MFA methods and connected apps weekly: Outlook → Settings → Rules. Microsoft Account → Security → Sign-in activity + MFA methods. My Apps → installed enterprise apps. Anything unfamiliar = security ticket.
- If you signed in to a suspicious page, report and revoke immediately: escalate to security. They will revoke sessions, force password rotation, re-enrol MFA, audit OAuth grants, and inspect mailbox rules. Speed matters — attackers exfiltrate within minutes.
- Use phishing-resistant MFA wherever possible — passkeys are now first-class in M365: Microsoft Entra ID supports passkeys natively in 2026. If your admin has enabled them, register one. They defeat AiTM, MFA fatigue, and token replay.
- Treat any 'urgent SharePoint document review' email from outside your normal collaboration circle as hostile until proven otherwise: if the content is genuinely relevant, the sender can reshare or you can confirm out-of-band.
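The domain check in the watch-list above and in the "confirm the URL" step is easy to get wrong with a substring test, because an AiTM proxy host usually contains the real name (login.microsoftonline.com.evil.example). The following is an added example written for this page, not Microsoft code: it accepts only an exact hostname match on the hosts the page names, rejects user-info tricks, path tricks, non-HTTPS and punycode/homoglyph hosts, and returns the reason so a help-desk tool or a browser extension can show it. The federated-IdP hostname is an assumed placeholder a tenant would replace.

```python
"""Decide whether a sign-in URL is on a legitimate Microsoft login host before
any credential is typed. Added example for this page, not Microsoft code.
The allowed hosts are the ones the page itself names; the federated IdP
host is an assumed placeholder that a tenant would replace."""
from urllib.parse import urlsplit

MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "account.microsoft.com",
}
TENANT_FEDERATED_IDP = "sts.example-tenant.invalid"   # assumed placeholder


def check_login_url(url: str) -> tuple[bool, str]:
    """Return (legitimate, reason). Only an exact hostname match counts."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not served over HTTPS"
    host = parts.hostname          # lowercased; user-info and port removed
    if not host:
        return False, "no hostname in URL"
    if parts.username is not None:
        # https://login.microsoftonline.com@evil.example/ puts the real name
        # in the user-info part; the actual host is what follows the '@'
        return False, f"user-info trick, real host is {host}"
    host = host.rstrip(".")
    if not host.isascii() or "xn--" in host:
        return False, "non-ASCII or punycode (homoglyph) label in hostname"
    allowed = MICROSOFT_LOGIN_HOSTS | {TENANT_FEDERATED_IDP}
    if host in allowed:
        return True, "exact match on allowed sign-in host"
    for good in allowed:
        if good in host:
            # An AiTM proxy typically embeds the real name as a leading label,
            # e.g. login.microsoftonline.com.evil.example
            return False, f"lookalike: contains {good} but host is {host}"
    return False, f"unknown host {host}"


def is_legitimate_login_url(url: str) -> bool:
    """Boolean convenience wrapper around check_login_url()."""
    return check_login_url(url)[0]


if __name__ == "__main__":
    for candidate in (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=abc",
        "https://login.microsoftonline.com.evil.example/",
        "https://login.microsoftonline.com@evil.example/",
        "https://evil.example/login.microsoftonline.com/",
        "http://login.microsoftonline.com/",
    ):
        ok, why = check_login_url(candidate)
        print("OK  " if ok else "BAD ", candidate, "->", why)
```

Note that the path trick (https://evil.example/login.microsoftonline.com/) and the user-info trick both fail because the comparison is done on the parsed hostname, never on the raw URL string; this is the same distinction users should make when reading the address bar.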
Defence — for IT and policy
Technical controls
- Phishing-resistant MFA (FIDO2 / passkeys) enforced via Conditional Access for all users, with a path-to-100% rollout for the entire tenant within 12 months
- Conditional Access policies requiring compliant device + known location for high-privilege roles; block-or-MFA-step-up for sessions originating from anonymous-proxy or unusual geos
- Continuous Access Evaluation (CAE) enabled — revokes sessions in near real-time when risk signals fire
- OAuth consent restricted to admin-approved apps only (Entra Admin Center → Enterprise applications → Consent settings); pending-admin-consent workflow for any new third-party app
- Microsoft Defender for Office 365 with safe-links and detonation, plus Defender for Cloud Apps for OAuth-app risk and mailbox-rule alerting
- Mailbox audit logging at maximum verbosity with alerts on: new auto-forward rules, new external forwarding, new inbox rules with delete actions, new OAuth grants, sign-ins from anonymous-proxy infrastructure
- Token-protection / sign-in frequency policy to reduce the value of a stolen session cookie
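The mailbox-audit alerting bullet above (and the inbox-rule warning sign in the user checklist) maps directly onto the audit events the scenario produces: an MFA method registration, an inbox rule with external forwarding plus mark-as-read, and an OAuth consent, all within a minute. The following is an added example, not Microsoft's or any product's code, that classifies such records and escalates when several categories hit one user inside an hour; it deliberately leaves a mark-as-read or move-to-folder rule on its own unflagged, and treats forwarding to an address inside the tenant as benign, so that ordinary user behaviour does not drown the alert. The records are constructed in the shape of Unified Audit Log output (CreationTime, Operation, UserId, ClientIP, Parameters as Name/Value pairs, Target for consent events); the tenant domain, addresses and IP addresses are assumed placeholders.

```python
"""Flag the post-compromise mailbox and identity changes this page tells
admins to alert on, and escalate when several hit one user in a short window.
Added example, not Microsoft's or any product's code. Records are constructed
in the shape of Unified Audit Log output; tenant domain, addresses and IPs
are assumed placeholders."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example-tenant.invalid"}            # assumed tenant domain
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
HIDING_FOLDERS = ("rss", "archive", "conversation history")  # folders used to bury mail
WINDOW = timedelta(hours=1)
EMAIL = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def _params(rec):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}


def _external(target):
    """True if any address in the target is outside the tenant; a bare display
    name cannot be verified and is treated as external."""
    addrs = EMAIL.findall(target)
    if not addrs:
        return True
    return any(a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS for a in addrs)


def classify(rec):
    """Return a list of (category, detail) findings for one audit record."""
    op = rec.get("Operation", "")
    if op in RULE_OPS:
        p = _params(rec)
        targets = [t.strip() for n in sorted(FORWARD_PARAMS & set(p))
                   for t in p[n].split(";") if t.strip() and _external(t)]
        hides = [n for n in ("DeleteMessage", "MarkAsRead") if p.get(n, "").lower() == "true"]
        folder = p.get("MoveToFolder", "")
        if any(h in folder.lower() for h in HIDING_FOLDERS):
            hides.append(f"MoveToFolder={folder}")
        if targets:
            extra = f" [{', '.join(hides)}]" if hides else ""
            return [("forwarding", f"{op} forwards externally to {', '.join(targets)}{extra}")]
        if "DeleteMessage" in hides:        # deleting without forwarding: review, not critical
            return [("stealth", f"{op} deletes matching mail")]
        return []                           # mark-as-read / move alone is normal user behaviour
    if op == "Consent to application.":
        apps = [t.get("ID", "?") for t in rec.get("Target", []) if t.get("Type") == 1]
        return [("oauth-consent", f"consent granted to {', '.join(apps) or 'unknown app'}")]
    if op == "User registered security info.":
        return [("mfa-registration", f"new MFA method registered from {rec.get('ClientIP')}")]
    return []


def correlate(records):
    """Per-user report: 'critical' when two or more distinct finding categories
    fall within WINDOW of each other, otherwise 'review'."""
    per_user = defaultdict(list)
    for rec in records:
        ts = datetime.fromisoformat(rec["CreationTime"])
        for cat, detail in classify(rec):
            per_user[rec["UserId"]].append((ts, cat, detail))
    report = {}
    for user, items in per_user.items():
        items.sort()
        critical = any(len({c for t, c, _ in items if abs(t - ts) <= WINDOW}) >= 2
                       for ts, _, _ in items)
        report[user] = {"severity": "critical" if critical else "review",
                        "findings": [d for _, _, d in items]}
    return report


# Constructed sample records (not real log data); the first three replay the scenario.
SAMPLE_RECORDS = [
    {"CreationTime": "2026-04-17T14:39:05", "Operation": "User registered security info.",
     "UserId": "contractor@example-tenant.invalid", "ClientIP": "203.0.113.77", "Parameters": []},
    {"CreationTime": "2026-04-17T14:39:30", "Operation": "New-InboxRule",
     "UserId": "contractor@example-tenant.invalid", "ClientIP": "203.0.113.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "IBAN;wire"},
                    {"Name": "ForwardTo", "Value": "smtp:docs.sync@mail.example"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2026-04-17T14:39:52", "Operation": "Consent to application.",
     "UserId": "contractor@example-tenant.invalid", "ClientIP": "203.0.113.77",
     "Target": [{"Type": 1, "ID": "Microsoft Document Sync"}]},
    {"CreationTime": "2026-04-17T09:12:00", "Operation": "New-InboxRule",
     "UserId": "finance@example-tenant.invalid", "ClientIP": "198.51.100.10",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2026-04-17T10:05:00", "Operation": "Set-Mailbox",
     "UserId": "hr@example-tenant.invalid", "ClientIP": "198.51.100.10",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:hr-shared@example-tenant.invalid"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2026-04-16T11:00:00", "Operation": "New-InboxRule",
     "UserId": "ops@example-tenant.invalid", "ClientIP": "198.51.100.12",
     "Parameters": [{"Name": "Name", "Value": "cleanup"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
]

if __name__ == "__main__":
    for user, result in correlate(SAMPLE_RECORDS).items():
        print(f"{result['severity'].upper():8} {user}")
        for line in result["findings"]:
            print("   -", line)
```

Run against the sample, the contractor comes out as critical with three findings, the ops user as review (delete-only rule), and the finance and HR records produce nothing, which is the signal-to-noise split the alerting bullet needs. In production the same three categories would be fed from the audit log or Defender for Cloud Apps rather than from an inline list.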
Policy controls
- Written policy mandating phishing-resistant MFA for every account; service accounts use certificate-based or workload-identity auth where applicable
- Quarterly OAuth-app review: any third-party Enterprise Application without a documented business owner gets revoked
- Quarterly review of Global Admin, Privileged Role Admin and Authentication Admin role holders — minimise standing privilege; PIM (Privileged Identity Management) for just-in-time elevation
- Documented incident-response playbook with the specific M365 admin steps for: revoke sessions, force password reset, force MFA re-enrolment, audit mailbox rules + OAuth grants, search audit log for the past 30 days of suspicious activity
- No-blame reporting culture for users — measure reporting rate, not click rate. AiTM victims often look like they 'just signed in normally'.
Training frequency
Quarterly M365-flavoured simulated phishing campaigns including at least one AiTM-style lure (relayed through a controlled test domain) and one MFA-fatigue test. Mature programs train users to expect and report unsolicited MFA prompts within four cycles. Pair training with mandatory passkey enrolment for finance, HR, IT and executive teams.
Quick check
Five questions. Answers and explanations appear after submitting.
- Q1.
You receive an MFA push prompt on your phone but you are not signing in. What do you do?
- Q2.
Which MFA method survives an Adversary-in-the-Middle (AiTM) reverse-proxy attack?
- Q3.
Which of the following is the highest-leverage technical control against M365 takeover in 2026?
- Q4.
An inbox rule appears in your Outlook that auto-forwards all email containing 'invoice' or 'IBAN' to an external Gmail address and marks the message as read. Most likely cause?
- Q5.
What is OAuth consent phishing?
Sources & further reading
- Microsoft — Adversary-in-the-Middle (AiTM) phishing campaigns[primary]
- Microsoft Entra — Phishing-resistant MFA guidance[primary]
- MITRE ATT&CK — T1539 Steal Web Session Cookie[primary]
- NCSC-NL — Cloud identity attacks[primary]
- Mandiant — UNC4393 / 0ktapus / Storm-0558 reports[secondary]
- Krebs on Security — Microsoft / Okta breach analyses[secondary]