Microsoft 365 Scams Are Getting Better at Bypassing MFA: What Small Businesses Should Know

Multi-factor authentication, often called MFA, is still one of the best protections a small business can use. But recent FBI guidance is a reminder that criminals are changing their tactics.

The issue is not that MFA suddenly stopped working. The issue is that some scams now trick users into giving attackers access in a way that looks legitimate. That is especially concerning for businesses that rely on Microsoft 365 for email, Teams messages, shared files, billing, customer communication, and day-to-day operations.

What Is Happening?

The FBI recently warned about a phishing-as-a-service platform called Kali365. In plain English, that means criminals are selling or sharing ready-made tools that make Microsoft 365 phishing easier for less-skilled attackers.

Instead of simply asking for a password, these attacks may try to capture access tokens. An access token is like a temporary digital pass that tells Microsoft 365, “This user has already logged in.” If an attacker steals or abuses that pass, they may be able to access services like Outlook, Teams, or OneDrive without needing the user’s password again.

Some attacks also use Microsoft’s real device code login process. A user may be asked to enter a code on a legitimate Microsoft page. Because the page is real, the request can feel safer than a normal phishing page. But if the user did not personally start that sign-in process, entering the code may authorize the attacker’s device instead.

Why This Matters for Small Businesses

For many small businesses, Microsoft 365 is where daily work happens. A compromised account can create problems quickly.

An attacker with access to one mailbox may be able to read invoices, reset passwords, monitor conversations, impersonate an employee, or send fake payment requests to customers and vendors. If they get into OneDrive or SharePoint, they may also see sensitive files, contracts, tax documents, HR records, or client information.

This kind of attack can be especially damaging because it may not look like a dramatic “hack.” The business may simply notice strange sent emails, missing messages, unusual login alerts, or a vendor asking why payment instructions changed.

By then, the attacker may already have had time to study the business.

MFA Is Still Important, But It Needs Backup

MFA is not the problem. Businesses should still use it. The lesson is that MFA should be part of a broader account security plan.

A strong Microsoft 365 security setup should include:

  • MFA for all users, especially owners, managers, bookkeepers, and anyone with access to money or sensitive files
  • Conditional access rules that limit risky sign-ins
  • Alerts for suspicious logins and unusual mailbox activity
  • Regular review of forwarding rules and connected apps
  • Clear employee guidance on device code prompts
  • Strong password habits and password manager use
  • Fast offboarding when employees or vendors no longer need access

The goal is not to make work harder. The goal is to make it much harder for one mistaken click or one confusing prompt to turn into a business-wide problem.

A Simple Rule Employees Can Remember

Here is the plain-English rule every employee should know:

If you did not personally start a login, do not enter a code, approve a prompt, or “verify” your account because an email or Teams message told you to.

That one rule can stop many account takeover attempts.

Employees should also be encouraged to report suspicious prompts quickly. A fast report is not an embarrassment. It is often the difference between a harmless close call and a real business incident.

What Business Owners Should Check This Month

Small businesses do not need to become cybersecurity experts, but they should know whether the basics are covered.

Ask these questions:

  • Are all Microsoft 365 users protected with MFA?
  • Are admin accounts separated from everyday email use?
  • Are sign-in alerts turned on and actually reviewed?
  • Are old users, vendors, and unused accounts removed?
  • Are mailbox forwarding rules checked for suspicious changes?
  • Are employees trained to question unexpected login codes?
  • Does someone know what to do if an account is compromised?

If the answer to several of these is “not sure,” that is a good sign the environment needs a security review.
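Two of the checks above, reviewing mailbox forwarding and looking for rules that quietly delete messages, can be done in one pass from Exchange Online PowerShell. The script below is an added example for this article, not code from the FBI notice or from Cybernetic Networks; it assumes the ExchangeOnlineManagement module is installed and that admin@contoso.example is replaced with your own administrator account.

```powershell
# Added example: list every mailbox-level forward and every inbox rule that
# forwards, redirects, or deletes mail, so an administrator can review them.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
# admin@contoso.example is a placeholder, not a real account.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$findings = @()

# 1. Forwarding configured on the mailbox object itself (not visible to the user in Outlook rules)
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Mailbox = $_.UserPrincipalName
            Type    = 'MailboxForwarding'
            Rule    = ''
            Target  = "$($_.ForwardingSmtpAddress)$($_.ForwardingAddress)"
            KeepsCopy = $_.DeliverToMailboxAndForward
        }
    }

# 2. Inbox rules that send mail elsewhere or delete it before the user sees it
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
        } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Type    = 'InboxRule'
                Rule    = "$($_.Name) (Enabled=$($_.Enabled); Deletes=$($_.DeleteMessage))"
                Target  = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join '; '
                KeepsCopy = $null
            }
        }
}

# Show the results and keep a dated copy so the next monthly review can be compared against it
$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path ".\forwarding-review-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Legitimate rules will appear in the output too (an assistant who receives copies of a manager's mail, for example), so the point is to have someone compare each entry against what the business knows it set up. Forwarding to an address outside the company, or a rule that deletes security or sign-in notifications, is what deserves a follow-up question.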

The Bottom Line

Microsoft 365 is a powerful business tool, but it has also become one of the biggest targets for modern scams. Attackers know that email, Teams, OneDrive, and SharePoint are often the center of a small business. That is why account security deserves regular attention, not just a one-time setup.

Cybernetic Networks helps Orlando and Central Florida small businesses secure Microsoft 365, review account settings, improve MFA protections, monitor suspicious activity, and give employees practical guidance they can actually follow. If you are not sure whether your Microsoft 365 setup is protected against today’s phishing tactics, Cybernetic Networks can help you review it calmly, clearly, and without the scare tactics.

T. Alwis