Phishing Has Changed – And It Could Be Getting Past Your Defences

Published on Thursday, 29 January 2026 at 2:20:56 PM

Microsoft security researchers have identified a resurgence in sophisticated, multi‑stage phishing attacks that don’t just steal passwords: they take over live user sessions, bypass multi‑factor authentication, and spread from inside trusted systems by abusing platforms such as Microsoft SharePoint. Learn more via Microsoft's notification.

Why These Attacks Are Different

Traditional phishing relied on obvious tricks: suspicious emails, odd links and poor grammar. Most organisations now have controls that catch that.

This new wave of phishing looks legitimate at every step. The lures can be:

  • Emails sent from already‑compromised, trusted organisations
  • Real SharePoint document‑sharing links
  • Convincing Microsoft sign‑in workflows
  • Messages that blend into everyday business processes

Because SharePoint and OneDrive are so widely used, these emails often get past email security filters and don’t raise suspicion with users.

From Phishing to Business Email Compromise

Once a user clicks the link, attackers use an adversary‑in‑the‑middle (AiTM) technique to capture not only credentials, but also active session cookies. That allows them to stay signed in, even with MFA enabled.

From there, attackers:

  • Create inbox rules to delete or hide new emails
  • Suppress security alerts
  • Use the compromised mailbox to send phishing internally and externally, potentially hundreds of emails at a time

At this point, the attack escalates into business email compromise (BEC), with real financial and operational risk.

Why Password Resets Aren’t Enough

One key lesson from Microsoft’s research is that password resets alone don’t stop these attacks.

Because attackers steal live sessions, proper remediation must include:

  • Revoking active sign‑in sessions
  • Removing malicious inbox rules
  • Reviewing MFA settings and mailbox activity

Without this, attackers can maintain access long after the compromise appears “resolved”.
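The remediation steps above, as a worked containment script. This is an added example, not code from the article or from Microsoft. It assumes the Microsoft Graph PowerShell SDK and the Exchange Online PowerShell module are installed, that the operator holds the required admin roles, and that the target account is supplied as `$User` (a placeholder UPN). It revokes sessions first, because a password reset alone leaves stolen session tokens valid.

```powershell
# Added example (not from the article or Microsoft): containment for one
# compromised Microsoft 365 account. Assumes Microsoft.Graph and
# ExchangeOnlineManagement modules are installed and the caller holds the
# roles needed. $User is a placeholder UPN supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $User
)

# 1. Connect with only the Graph scopes these steps need (least privilege)
Connect-MgGraph -Scopes "User.RevokeSessions.All","UserAuthenticationMethod.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 2. A password reset is not enough: invalidate refresh tokens and sessions so
#    session cookies captured by the AiTM proxy stop working
Revoke-MgUserSignInSession -UserId $User | Out-Null
Write-Host "Revoked sign-in sessions for $User"

# 3. List the mailbox's inbox rules with the fields an analyst reviews, then
#    disable (not delete) any rule that silently deletes mail, so the rule
#    itself survives as evidence until the review is finished
$rules = Get-InboxRule -Mailbox $User
$rules | Format-Table Name, Enabled, DeleteMessage, MarkAsRead, MoveToFolder -AutoSize
foreach ($r in $rules | Where-Object { $_.DeleteMessage }) {
    Write-Warning "Disabling rule '$($r.Name)': $($r.Description)"
    Disable-InboxRule -Mailbox $User -Identity $r.Identity -Confirm:$false
}

# 4. Review MFA: an attacker with a live session may have registered a
#    method of their own, so every method must be accounted for
Get-MgUserAuthenticationMethod -UserId $User |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } } |
    Format-Table -AutoSize

# 5. Pull the last 14 days of rule and mailbox activity from the unified
#    audit log to build the investigation timeline. ClientIP lives inside
#    the AuditData JSON, so it is extracted with a calculated property.
$ops = "New-InboxRule","Set-InboxRule","Remove-InboxRule","UpdateInboxRules",
       "Send","SendAs","SendOnBehalf","MailItemsAccessed"
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-14) -EndDate (Get-Date) `
                       -UserIds $User -Operations $ops -ResultSize 5000 |
    Select-Object CreationDate, Operations,
                  @{ n = 'ClientIP'; e = { ($_.AuditData | ConvertFrom-Json).ClientIP } } |
    Sort-Object CreationDate |
    Format-Table -AutoSize
```

Run it as `.\Contain-Account.ps1 -User someone@yourtenant.example` after the password has been reset; the session revocation in step 2 is what actually evicts an attacker holding a stolen cookie, and step 5 gives you the source IPs to pivot on across other mailboxes.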

What This Means for Australian Organisations

While this campaign initially targeted energy organisations, the techniques can apply to any Microsoft 365 environment. Any business using email and SharePoint collaboration could be exposed.

Defending against modern phishing means looking beyond the inbox:

  • Strong identity and conditional access controls
  • Monitoring for abnormal sign‑ins and inbox rule changes
  • User awareness focused on process abuse, not just fake emails
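The second bullet above, monitoring for inbox rule changes, as a worked detection. This is an added example, not code from the article or from Microsoft. The input is a constructed set of Unified Audit Log `AuditData` records (the JSON shape of `New-InboxRule` / `Set-InboxRule` events); in production the same function would be fed the `AuditData` field returned by `Search-UnifiedAuditLog` or the Office 365 Management Activity API. The user names and IP addresses are made up.

```powershell
# Added example (not from the article): score inbox-rule audit events for the
# hiding patterns described in the article, then pivot on source IP.
# The events below are constructed sample AuditData JSON, not real logs.
$sampleEvents = @'
[
 {"CreationTime":"2026-01-28T03:12:44","Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"203.0.113.10",
  "Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment;password"},
                {"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]},
 {"CreationTime":"2026-01-28T09:40:01","Operation":"New-InboxRule","UserId":"bob@example.com","ClientIP":"198.51.100.7",
  "Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Reading"}]},
 {"CreationTime":"2026-01-28T11:05:30","Operation":"Set-InboxRule","UserId":"carol@example.com","ClientIP":"203.0.113.10",
  "Parameters":[{"Name":"Identity","Value":"Cleanup"},{"Name":"DeleteMessage","Value":"True"},{"Name":"BodyContainsWords","Value":"phish;suspicious;hacked"}]}
]
'@ | ConvertFrom-Json

function Test-InboxRuleEvent {
    param([Parameter(Mandatory)] $Event)
    # Flatten the Parameters array (Name/Value pairs) into a hashtable
    $p = @{}
    foreach ($kv in $Event.Parameters) { $p[$kv.Name] = $kv.Value }

    $reasons = @()
    if ($p['DeleteMessage'] -eq 'True') { $reasons += 'deletes messages' }
    if ($p['MarkAsRead']    -eq 'True') { $reasons += 'marks as read' }
    if ($p['MoveToFolder'] -match 'RSS|Archive|Deleted|Junk|Conversation History') {
        $reasons += "moves to '$($p['MoveToFolder'])'"
    }
    # Attackers often give rules a blank or single-character name; guard on
    # ContainsKey so a Set-InboxRule event without a Name is not flagged
    if ($p.ContainsKey('Name') -and $p['Name'] -match '^[\s\.\-_]*$') {
        $reasons += 'near-empty rule name'
    }
    $keywords = "$($p['SubjectContainsWords']);$($p['BodyContainsWords'])"
    if ($keywords -match 'invoice|payment|password|phish|suspicious|hacked|helpdesk|it support') {
        $reasons += 'filters on security/finance keywords'
    }
    [pscustomobject]@{
        Time       = $Event.CreationTime
        User       = $Event.UserId
        ClientIP   = $Event.ClientIP
        Operation  = $Event.Operation
        Suspicious = ($reasons.Count -ge 2)   # two independent signals = alert
        Reasons    = ($reasons -join '; ')
    }
}

$results = $sampleEvents | ForEach-Object { Test-InboxRuleEvent $_ }
$results | Format-Table -AutoSize

# Pivot: one client IP creating rules in several mailboxes is the
# "spread from inside" signal the article describes
$results | Where-Object Suspicious | Group-Object ClientIP | Where-Object Count -ge 2 |
    ForEach-Object {
        "IP $($_.Name) changed rules in $($_.Count) mailboxes: $(($_.Group.User) -join ', ')"
    }
```

On the sample data the first and third events are flagged (the second is an ordinary newsletter rule), and the pivot reports that 203.0.113.10 touched rules in two mailboxes. The two-signal threshold is a design choice: any single condition (a move-to-folder rule, a keyword filter) occurs legitimately, but the combinations rarely do.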

Phishing Has Evolved

Phishing hasn’t disappeared — it has evolved.

Today’s attackers are more creative and aren't relying on obvious scams.

If your organisation is still defending against yesterday’s phishing tactics, it’s time to reassess.

The Integrated ICT team can help assess your Microsoft 365 security posture and ensure your identity protections are keeping up with modern threats. Contact us.

Call 6374 8200 or email hello@integratedict.com.au
