
Microsoft's own threat intelligence caught over 8 billion phishing attempts in the first quarter of 2026. Its built-in filtering blocks the vast majority, but at that volume the gap that gets through is still enormous. And that gap is exactly where attackers focus.
This isn't a criticism of Microsoft. It's the reality of being the world's dominant business platform. The question is what you're doing about the part they don't catch.
The Attacks Built to Evade Standard Controls
Modern attacks aren't designed to look malicious. They're designed to look normal at every checkpoint that might inspect them.
QR codes instead of links - most email security tools inspect URLs. A QR code in an image gives them nothing to scan. Microsoft reported QR code phishing up 146% in Q1 2026 alone.
Redirect chains - the first URL in the email is clean. The page the user lands on three redirects later isn't. More than one in five phishing attacks now use this technique.
CAPTCHA gates - a verification screen sits in front of the credential harvesting page. To a scanner, it looks like a legitimate site. To the user who clicks through it, so does what's behind it.
And then there's MFA bypass - which deserves its own section.
MFA Is Essential. It's Also Not Enough.
Tools like Evilginx are freely available, open source, and take around twenty minutes to deploy. They work as a reverse proxy: the user sees a genuine-looking Microsoft 365 login, enters their credentials, approves their MFA prompt, and the login succeeds. From their perspective, nothing is wrong.
What's actually happened is that the attacker sat in the middle of the entire flow and captured the session token Microsoft issued after authentication completed. They don't need the password. They don't need the MFA code. They have a valid, live session.
Commercial versions of the same capability are available by subscription for a few hundred dollars a month, with real-time victim tracking and AI-generated lures included. These Phishing-as-a-Service platforms come complete with revenue share schemes, referral schemes and SLAs.
MFA stops unsophisticated attacks. It was never designed to stop this.
The Threat That Costs the Most - Email Compromise
Business email compromise doesn't arrive with malware attached. There's no suspicious link, no known bad domain. It's a convincing email from what looks like a trusted contact, asking for something that sounds plausible.
We've seen a European business come within a single approval step of transferring €1.4 million to an attacker-controlled account. The email chain looked legitimate. The sender appeared to be a known contact. Only an out-of-band verification call stopped it completing.
We've also seen UK businesses where staff were buying hundreds of pounds of Amazon gift cards on behalf of what appeared to be their MD - a secret employee reward scheme, the email explained, so please keep it quiet. The secrecy was the point. It short-circuits the one thing that would have stopped it: asking someone.
BEC represented just 2% of observed email threats in 2025 but accounted for 21% of attack outcomes. Reported losses ran to over $3 billion. The majority of fraudulent transfers are never recovered. The attacks range from seven-figure wire fraud to a £200 gift card run, and the underlying technique is identical.
Native Microsoft 365 protection doesn't reliably catch either. There's often nothing technically malicious to find.
What Mimecast Adds
Mimecast connects to Microsoft 365 via API. No changes to mail routing, no MX modifications, nothing visible to users. It analyses traffic in the background and adds detection for exactly what native controls miss:
For most organisations that's where the conversation starts: detecting a compromised account being used to attack you is where the immediate value sits.
Account Takeover: What Comes After
When an attack gets through and a session is hijacked, the attacker's first move is rarely obvious. In almost every post-breach forensics exercise we've been involved with, the pattern is the same: inbox rule injection. A rule quietly added to the compromised mailbox, forwarding or hiding specific messages — anything containing "invoice", "payment", "password". The attacker isn't making noise. They're hiding the fact they're there.
By the time the breach surfaces - a supplier getting a fraudulent payment instruction, a customer reporting a suspicious email from a trusted address - days or weeks of silent access may already have occurred.
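The inbox-rule pattern described above is straightforward to hunt for once mailbox rules are exported. The following script is an added example written for this article, not Mimecast's or Microsoft's detection logic: it scores each rule on the behaviours attackers combine (keyword conditions on terms like "invoice", "payment" and "password", forwarding outside the organisation, moving mail to folders the user never looks at, marking as read, and near-empty rule names). The rule field names, the scoring weights, the folder list and the sample export are all assumptions constructed for the example; map them onto your own export format (for instance Get-InboxRule output converted to JSON) before use.

```python
"""Triage exported mailbox inbox rules for the attacker 'hide and forward' pattern.

The input shape is a constructed approximation of an inbox-rule export; the field
names (subject_contains, forward_to, move_to_folder, ...) are assumptions for this
example, not a vendor schema.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Terms attackers commonly key rules on; extend with your own finance vocabulary.
SENSITIVE_TERMS = {"invoice", "payment", "password", "wire", "bank", "remittance"}

# Folders that take mail out of the user's normal view (assumed list).
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "archive",
                  "junk email", "conversation history"}


@dataclass
class Finding:
    mailbox: str
    rule_name: str
    score: int
    reasons: list[str] = field(default_factory=list)


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an SMTP address ('' if malformed)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage_rule(rule: dict, internal_domains: set[str]) -> Finding | None:
    """Score one rule; return a Finding when it looks like a hiding/exfil rule."""
    reasons: list[str] = []
    score = 0

    conditions = " ".join(rule.get("subject_contains", []) + rule.get("body_contains", [])).lower()
    hits = sorted(t for t in SENSITIVE_TERMS if t in conditions)
    if hits:
        score += 2
        reasons.append(f"matches sensitive terms: {', '.join(hits)}")

    # Forward/redirect to any address whose domain is not ours.
    external = [a for a in rule.get("forward_to", []) + rule.get("redirect_to", [])
                if _domain(a) not in internal_domains]
    if external:
        score += 3
        reasons.append(f"forwards outside the organisation: {', '.join(external)}")

    target = (rule.get("move_to_folder") or "").lower()
    if target in HIDING_FOLDERS or rule.get("delete_message"):
        score += 2
        reasons.append(f"hides messages ({target or 'delete'})")

    if rule.get("mark_as_read"):
        score += 1
        reasons.append("marks as read")

    # Attackers often give rules a blank, one-character or punctuation-only name.
    name = (rule.get("name") or "").strip()
    if len(name) <= 2 or not any(ch.isalnum() for ch in name):
        score += 1
        reasons.append(f"suspicious rule name {name!r}")

    # Threshold chosen for the example: a single weak signal alone does not alert.
    return Finding(rule["mailbox"], name, score, reasons) if score >= 3 else None


def triage_rules(rules: list[dict], internal_domains: set[str]) -> list[Finding]:
    """Triage every rule and return findings, highest score first."""
    findings = [f for f in (triage_rule(r, internal_domains) for r in rules) if f]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample export: one benign rule and two attacker-style rules.
SAMPLE_RULES = [
    {"mailbox": "finance@example.com", "name": "Newsletters",
     "subject_contains": ["newsletter"], "move_to_folder": "Reading"},
    {"mailbox": "finance@example.com", "name": ".",
     "subject_contains": ["invoice", "payment"], "move_to_folder": "RSS Feeds",
     "mark_as_read": True},
    {"mailbox": "ceo@example.com", "name": "Backup",
     "body_contains": ["password"], "forward_to": ["collector@attacker.example"],
     "delete_message": True},
]

if __name__ == "__main__":
    for f in triage_rules(SAMPLE_RULES, {"example.com"}):
        print(f"{f.mailbox} rule {f.rule_name!r} score={f.score}: " + "; ".join(f.reasons))
```

Run it on a real export on a schedule and diff against the previous run: a rule that appears between two runs on a mailbox with no helpdesk ticket is the early indicator the investigations above keep finding.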
Modern SOC practice now actively hunts for the signals that indicate session hijack rather than legitimate authentication: token reuse from unexpected IP ranges, geographic anomalies, authentication patterns that don't match known device fingerprints. Those signals exist in every Microsoft 365 environment. The question is whether anything is looking for them. (Sadly, some partners still brand XDR as SOC and ignore the wealth of data in identity; at Peritus we believe identity is the key.)
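To make the three signals above concrete, here is an added example (written for this article, not any vendor's detection) that runs them over a handful of constructed sign-in events. The event fields are assumptions modelled loosely on sign-in log columns, the "corporate" IP range is a documentation address block, and the one-hour travel window and the device allow-list are illustrative thresholds you would tune to your own estate.

```python
"""Hunt sign-in style events for session-hijack signals.

Event fields (user, time, ip, country, device_id, session_id) are assumptions for
this example; the sample events and known-device map are constructed, not real
telemetry.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=1)   # two countries inside this window is suspicious
ALLOWED_IP_PREFIXES = ("203.0.113.",)           # constructed 'corporate' range (RFC 5737 TEST-NET-3)


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def hunt(events: list[dict], known_devices: dict[str, set[str]]) -> list[dict]:
    """Return alerts of the form {'user', 'signal', 'detail'} for every user."""
    alerts: list[dict] = []
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        # Signal 1: token reuse - the same session continuing from more than one
        # origin, at least one of which is outside the expected IP ranges.
        sessions: dict[str, list[dict]] = defaultdict(list)
        for e in evs:
            sessions[e["session_id"]].append(e)
        for sid, ses in sessions.items():
            origins = {(e["ip"], e["country"]) for e in ses}
            if len(origins) > 1 and any(not ip.startswith(ALLOWED_IP_PREFIXES) for ip, _ in origins):
                alerts.append({"user": user, "signal": "token_reuse",
                               "detail": f"session {sid} seen from {sorted(origins)}"})

        # Signal 2: geographic anomaly - consecutive sign-ins from different
        # countries closer together than anyone could travel.
        for prev, cur in zip(evs, evs[1:]):
            gap = _parse(cur["time"]) - _parse(prev["time"])
            if prev["country"] != cur["country"] and gap < IMPOSSIBLE_TRAVEL_WINDOW:
                alerts.append({"user": user, "signal": "impossible_travel",
                               "detail": f"{prev['country']} -> {cur['country']} in {gap}"})

        # Signal 3: device fingerprint never previously associated with the user.
        for e in evs:
            if e["device_id"] not in known_devices.get(user, set()):
                alerts.append({"user": user, "signal": "unknown_device",
                               "detail": f"device {e['device_id']} from {e['ip']} ({e['country']})"})
    return alerts


# Constructed sample: alice's session is continued from a foreign IP on an unknown
# device half an hour after she signed in from the office; bob is normal.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "time": "2026-03-02T08:05:00", "ip": "203.0.113.10",
     "country": "GB", "device_id": "dev-alice-laptop", "session_id": "sess-1"},
    {"user": "alice@example.com", "time": "2026-03-02T08:31:00", "ip": "198.51.100.77",
     "country": "NL", "device_id": "dev-unknown-9f", "session_id": "sess-1"},
    {"user": "bob@example.com", "time": "2026-03-02T09:00:00", "ip": "203.0.113.22",
     "country": "GB", "device_id": "dev-bob-desktop", "session_id": "sess-2"},
    {"user": "bob@example.com", "time": "2026-03-02T15:00:00", "ip": "203.0.113.23",
     "country": "GB", "device_id": "dev-bob-desktop", "session_id": "sess-3"},
]
KNOWN_DEVICES = {"alice@example.com": {"dev-alice-laptop"}, "bob@example.com": {"dev-bob-desktop"}}

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(f"{a['user']}: {a['signal']} - {a['detail']}")
```

The point of the sample is that a hijacked session looks like a successful, MFA-satisfied login in isolation; it is only the correlation across session, geography and device that separates it from the user's own activity.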
For organisations on Mimecast's Cloud Gateway deployment, on Critical, Advanced, or Premium tiers, dedicated Account Takeover detection correlates email behaviour with Microsoft Entra ID identity signals to surface exactly this. The depth of detection depends on your Entra licensing - P2 unlocks the richest signal set - but it's a conversation worth having once the foundations are in place.
Four Things to Raise With Your Board
1. MFA doesn't stop session token theft. The board question isn't "do we have MFA?" It's "what detects the attacks built to bypass it?"
2. Your biggest financial exposure probably has no malware in it. BEC is a convincing email. It bypasses most controls by design. Ask when finance last had a near-miss.
3. When a breach happens, the attacker hides first. Inbox rule injection is one of the most consistent early indicators in post-compromise investigations. Most organisations have no active detection for it.
4. You can find out what you're missing at no cost. Connect Mimecast to your environment via API, run it alongside your existing controls for 30 days, and see what it finds. No changes to your infrastructure. No commitment required.
No-Cost Proof of Value
Rather than take our word for it, we'll show you.
Mimecast connects to your Microsoft 365 environment via API in minutes. After 30 days, we show you exactly what it detected across your real traffic: BEC attempts that reached inboxes, credential harvesting links that passed through, QR code destinations your current tooling couldn't inspect.
Not a demo. Not a vendor presentation. Your environment. Your last 30 days.
If the results show nothing of concern, you've lost nothing. If they show what we typically find, you'll have a clear, evidence-based case for what needs to change.
Get in touch to arrange your no-cost Proof of Value.