This morning, one of our clients experienced a phishing attempt that’s becoming far more common and far more convincing.
The email didn’t come from a random address full of spelling mistakes or obvious red flags. It came from one of their own clients — a legitimate, trusted sender. That’s what made it dangerous.
At first glance, the message looked normal. It included a SharePoint link, which is something many businesses use every day for file sharing and collaboration. Because the sender was known and the request looked familiar, the user followed the link. From there, they were presented with another link, and the process escalated quickly.
The page then prompted the user through what appeared to be a standard Microsoft login flow. A Microsoft verification code was sent to the user’s email address, which made the whole interaction feel even more legitimate. To the end user, that can look like proof that the process is genuine. In reality, that extra step is often what gives attackers the opening they need. Once the user enters the code or completes the sign-in process on a fake or manipulated page, the attacker can capture credentials, session tokens, or use the approved login to attempt access immediately.
And then — bang.
That’s the moment where a normal business task turns into a potential account compromise.
After the incident was identified, we moved quickly. We signed the impacted user out of their Microsoft 365 sessions, reset the password, forced MFA re-registration, and reviewed the sign-in logs. Fortunately, in this case, there was no evidence of risky login activity or successful malicious access showing in the logs, which is the best outcome you can hope for in a situation like this.
We also contacted the original sender. They confirmed they were already aware of the issue and were taking action, which strongly suggests their environment or account had already been compromised and was being used as a trusted launch point for phishing emails.
This is exactly why modern phishing is so difficult to stop with basic email filtering alone.
A lot of business owners ask a fair question after incidents like this: “Why didn’t the system pick it up in the first place?”
The answer is simple, but uncomfortable. The message came from a legitimate source. It wasn’t a spoofed domain failing authentication checks. It wasn’t an obviously malicious attachment. It was sent from a real account that already had trust, reputation, and likely valid Microsoft infrastructure behind it. In other words, many traditional security controls see this as normal traffic until user behavior or deeper identity signals suggest otherwise.
That doesn’t mean security failed. It means email security on its own is no longer enough.
Today’s attacks often rely on trust hijacking rather than obvious malware. Attackers compromise one business account, then use that account to target partners, suppliers, and customers. That lets them bypass the first layer of skepticism because the email relationship already exists. The phishing page may also sit behind legitimate services or mimic genuine Microsoft workflows closely enough that users do not immediately spot the difference.
This is where layered identity security becomes critical.
If strong protections are in place around the login itself, the damage can often be stopped even after the user clicks. Conditional Access policies, impossible travel detection, risky sign-in detection, MFA strength requirements, session controls, token protection, and stricter controls on unmanaged devices can all help break the attack chain. In other words, even if the email gets through, the login attempt can still be challenged, blocked, or contained before access is gained.
That’s the real lesson from this morning.
Security today is not just about blocking bad emails. It’s about assuming that some malicious messages will get through — especially when they come from trusted businesses — and making sure your identity and access controls are strong enough to stop the next step.
For small and mid-sized businesses, that’s where the conversation needs to shift. The question is no longer, “How do we stop every phishing email?” The better question is, “If someone clicks, what stops the attacker from getting in?”
That single change in mindset is what separates basic protection from resilient protection.
If your team uses Microsoft 365, this is worth reviewing in your environment today:
Conditional Access policies
MFA method strength and re-registration controls
Sign-in risk and user risk policies
Session sign-out and token revocation capability
User phishing awareness training
Monitoring for suspicious SharePoint and file-sharing activity
Alerting for abnormal login behaviour
The good news is this incident appears to have been contained quickly, and the early checks showed no risky sign-ins. But it’s still a strong reminder that trusted channels can be abused, and “known sender” no longer means “safe sender.”
If this sounds like your current setup, I’m happy to help you tighten it up.
What’s more concerning in your view today — the phishing email itself, or how convincing the fake Microsoft login process has become?



