The account takeover playbook has changed

Modern Microsoft 365 account takeover attacks are built to bypass the controls most organisations rely on.

Mimecast helps detect threats before the click, at the click, and after compromise.

Why account takeover is harder to spot
Attackers are getting in, staying hidden, and moving fast. By the time many organisations detect a compromise, the damage is already done.
24
Days

Average dwell time in a compromised M365 account

600M+
Identity Attacks

Targeting Microsoft 365 users every day.

146%
Increase


In QR-code phishing year-on-year.

125%
Increase


In CAPTCHA abuse in March 2026.

High Impact


Fraudulent emails, data theft, & reputational damage.

Turn Crowdstrike Into Measurable Protection

If you’ve invested in CrowdStrike, make sure it’s delivering.Independent validation. Clear scoring. Prioritised improvements.In today’s threat landscape, protection must be assumed to be targeted.Ransomware Shield ensures your defences remain intact even when adversaries attempt to dismantle them.
Attackers know where traditional email security stops

Many attacks now hide the real destination behind redirects, QR codes, and verification screens. If your security only inspects the surface URL, you're missing what matters.

  • QR-code phishing
  • CAPTCHA-gated credential harvesting
  • Redirect chains and delayed links
  • MFA bypass and session token theft
  • Fake Microsoft 365 login pages

MFA is essential.
It’s not the whole answer.

MFA blocks the majority of automated attacks, but attackers have adapted. They steal sessions, intercept authentication flows, and replay valid tokens.



The question isn’t whether MFA is on, it’s what catches the attacks designed around it.

Where Mimecast helps
Mimecast provides multi-layered protection across the full attack chain, before the click, at the click, and after compromise.

Detect advanced phishing and business email compromise attempts

Follow suspicious links through redirects, QR codes & verification screens

Evaluate the real destination behind credential-harvesting campaigns

Correlate email behaviour with identity signals from Microsoft Entra ID

Surface compromised accounts faster

Reduce investigation time and manual triage

The Account Takeover Playbook Has Changed

We explore how attacker techniques have evolved and why most defences haven’t kept pace.

Inside the blog:

  • QR phishing and CAPTCHA abuse
  • MFA bypass and session theft
  • The full attack chain
  • What needs to change
See how Mimecast can protect your Microsoft 365 users

Peritus Cloud Security can help you understand your current risk, identify gaps, and show how Mimecast can strengthen your defences against account takeover.

  • Assess your M365 email and identity security posture
  • Understand how attacks bypass your current controls
  • See how Mimecast can close the gaps
  • Proof of value options available

Book a Mimecast Proof of Value

See what may be getting through your current Microsoft 365 email security controls.