When a ‘Legit’ Support Call Steals Your Login Session

MFA was enabled — but a fake Xero support call led to a stolen browser session, email takeover, and full lockout. Learn how to prevent it with least privilege, Conditional Access, and phishing-resistant policies.

Garry BloomGarry Bloom · Founder & Senior IT Manager
30 January 2026
5 min read
CyberSecurity
ITSupportPerth
SmallBusinessIT
Microsoft365
PerthBusiness
Phishing
MSPPerth

A random call today turned into a full account takeover — and it started with something that looked completely normal.

A Perth small business rang us after losing access to their work email. Password resets weren’t working. Email stopped syncing. Even MFA “wasn’t working”. Their first thought was the same thing most teams think: “How can someone get in if MFA is enabled?”

Here’s what happened.

They’d had an issue with Xero earlier in the day, then received a phone call from “support” that sounded legitimate. The caller knew the right language, guided them through a few steps, and asked to remote into the PC to “fix the problem”. Everything looked fine… until about an hour later.

Then the signs hit:

  • Outlook stopped syncing.

  • They were suddenly logged out of their email.

  • Password reset attempts failed.

  • MFA prompts weren’t coming through (or didn’t help).

“But we had MFA…”

MFA helps a lot — but it’s not a magic shield.

In attacks like this, the goal often isn’t to “guess your password”. It’s to steal a browser session (the authenticated token/cookie that proves you already logged in). Once the attacker has that session, they can effectively bypass MFA because the session is already trusted.

After that, the playbook is simple:

  1. Get in using the stolen session

  2. Change the password and recovery details

  3. Lock the real user out

  4. Expand access (especially if that user has admin rights)

And that last point is where small businesses get hit hardest: one person often has admin privileges “because it’s easier”.

The real root cause (in SMBs)

Not just the scam call — it’s the combination of:

  • One user with global admin privileges

  • No conditional access rules

  • No phishing-resistant sign-in controls

  • No monitoring/alerting that flags impossible travel, token use, suspicious sign-ins, or admin changes

Resolution (the right way)

If this sounds even remotely like your environment, these are the hardening steps that stop repeats:

  • Remove standing admin access: use least privilege (separate admin accounts, just-in-time elevation).

  • Enforce Conditional Access: location/device compliance, risky sign-in policies, block legacy auth.

  • Add phishing-resistant sign-in protections: session/token theft resistance settings and stronger authentication methods.

  • Lock down remote access: staff should have a clear rule—no remote access granted to “support” unless it’s a known, verified provider.

  • Have an IT partner you trust: someone who can respond fast and put the guardrails in place before the next call comes in.

Question for Perth SMB owners and office managers:
Have you ever had a “support” call that felt legit—but something didn’t sit right afterwards? What happened?

Garry Bloom
Written by
Garry Bloom
Founder & Senior IT Manager · 25+ years in IT

Garry founded Computer Mechanics — the business behind IT Support Perth — in 1997. With more than 25 years in IT management and support across internal and external service environments, he leads the team's technical direction and its cybersecurity and managed-IT strategy for Perth businesses.

Meet the IT Support Perth team →
Garry Bloom
30 January 2026
5 min read
CyberSecurity
ITSupportPerth
SmallBusinessIT
Microsoft365
PerthBusiness
Phishing
MSPPerth

Stay Updated with IT Insights

Get the latest cybersecurity tips and technology insights delivered to your inbox

Related Articles

4 IT Gaps Small Businesses Overlook (and How to Close Them)

Most Perth businesses aren't undone by one huge disaster — it's the small IT gaps that stack up: missing MFA, delayed patching, old access nobody removed, and untested backups. Here's how teams under 50 users can close them. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

How to Safely Offboard an Employee (and Protect Your Company Data)

When a staff member leaves, their access is a security risk until it's properly closed off. A practical Perth-business checklist for offboarding an employee without losing data or leaving a door open. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

5 Signs Your Business Has Outgrown Your Current IT Guy

One trusted 'IT guy' works — until it doesn't. Here are five clear signs a Perth business has outgrown break-fix IT and needs a proper managed IT team. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

Need Expert IT Support?

Get personalized advice from our Perth IT experts. Free consultation available.

Related Content

Continue Reading

Explore more insights and expert advice on IT support, cybersecurity, and digital transformation

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.
CyberSecurity
ITSupportPerth

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.

Most small business owners believe end-to-end encryption means their messages are completely private. A recent FBI case proves that assumption is dangerously incomplete.

5 min read
4/15/2026
What’s new in SMB1001:2026?
SMB1001
SMB10012026

What’s new in SMB1001:2026?

SMB1001:2026 updates for Perth SMBs: Mandatory DMARC from Silver tier, 5 maturity levels, Essential Eight alignment. Get certified, cut insurance costs, win tenders—start your roadmap today!

5 min read
2/25/2026
Why Perth SMBs Are Ditching On-Prem Email and Migrating to Microsoft 365
Microsoft365
ExchangeOnline

Why Perth SMBs Are Ditching On-Prem Email and Migrating to Microsoft 365

Discover why Perth SMBs are ditching on-prem Exchange for Exchange Online. Learn how Microsoft 365 delivers reliability, security & BYOD control.

5 min read
4/9/2026