MailGuard Jan 30, 2026 12:20:30 PM 4 MIN READ

The return of AiTM phishing, why Microsoft 365 brands are being used as the “trust wrapper”

Partners are warned of the return of a familiar tactic with sharper execution: adversary-in-the-middle (AiTM) phishing. The goal is no longer simply stealing a password. The phishing page sits as a reverse proxy between the victim and the genuine Microsoft sign-in, relaying the credentials and the MFA challenge in real time and capturing the session cookie that comes back. That cookie lets the attacker hijack the authenticated session and establish persistence, often while the victim believes they have simply signed in as normal.

Recent reporting highlights how these campaigns are increasingly built around Microsoft services that users already trust, including SharePoint and OneDrive. The attacker does not need to invent credibility; they borrow it. The email looks like a routine document share or workflow update, the link looks like business as usual, and the landing experience is designed to feel consistent with a standard Microsoft 365 sign-in journey.

What is changing, and why partners should care

The operational risk here is not theoretical. AiTM-style attacks can lead to:

    • Compromised mailboxes used to spread internal and external phishing at speed
    • Inbox rule manipulation to hide replies, redirect comms, or suppress warnings
    • Continued access even after a password reset, if session tokens remain valid
    • Escalation into financial fraud via invoice redirection, supplier compromise, or executive impersonation

Microsoft’s guidance in recent coverage is a useful reminder for incident response and customer conversations: password resets alone are often insufficient. Organisations may also need to revoke sign-in sessions (which invalidates refresh tokens and browser session cookies; access tokens already issued remain valid until they expire, so the sign-in log should be watched after revocation), roll back any MFA methods the attacker registered, remove malicious inbox rules and app consents, and review their conditional access posture.
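As an added example of that remediation sequence (this is not MailGuard's or Microsoft's own tooling), the PowerShell below contains a single compromised Microsoft 365 account: it rotates the password, revokes sessions, lists registered authentication methods for review, removes inbox rules that delete, forward, redirect or bury mail, and reviews delegated app consents. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the operator holds roles that can reset passwords, manage authentication methods and manage mailboxes. $Upn, the $RemoveConsents switch and the folder list used to spot "bury" rules are placeholders chosen for this example.

```powershell
# Added example, not MailGuard's or Microsoft's own tooling: contain one account after a
# suspected AiTM compromise. Assumes the Microsoft.Graph and ExchangeOnlineManagement
# modules are installed and the operator holds the admin roles needed for each step.
# $Upn, $RemoveConsents and $buryFolders are placeholders chosen for this example.
param(
    [Parameter(Mandatory)][string]$Upn,
    [switch]$RemoveConsents   # also strip delegated OAuth grants the user has made
)

Connect-MgGraph -Scopes "User.ReadWrite.All",
                        "UserAuthenticationMethod.ReadWrite.All",
                        "DelegatedPermissionGrant.ReadWrite.All" | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

# 1. Rotate the password first; the proxy captured it alongside the session cookie.
$newPassword = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}

# 2. Revoke sign-in sessions. This invalidates refresh tokens and browser session cookies,
#    which a password reset on its own does not touch. Access tokens already issued stay
#    valid until they expire, so keep watching the sign-in log after this step.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 3. List registered authentication methods so any method the attacker added can be removed.
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }

# 4. Inbox rules that delete, forward, redirect or bury mail are the usual concealment and
#    persistence mechanism after a mailbox takeover.
$buryFolders = 'RSS Feeds|Archive|Junk|Deleted Items|Conversation History'
$suspicious = Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.DeleteMessage -or $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    ($_.MoveToFolder -and $_.MoveToFolder -match $buryFolders)
}
foreach ($rule in $suspicious) {
    Write-Host "Removing inbox rule '$($rule.Name)': $($rule.Description)"
    Remove-InboxRule -Mailbox $Upn -Identity $rule.Identity -Confirm:$false
}

# 5. Delegated app consents survive both of the steps above. Review them and, if asked,
#    remove them so an attacker-consented app cannot keep reading mail on the user's behalf.
Get-MgUserOauth2PermissionGrant -UserId $Upn | ForEach-Object {
    Write-Host "Consent: client $($_.ClientId) scopes [$($_.Scope)]"
    if ($RemoveConsents) { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }
}
```

Run it as `.\Contain-AitmUser.ps1 -Upn user@example.com` and re-run with `-RemoveConsents` once the listed grants have been reviewed; removing every grant blindly would also break legitimate integrations the user relies on. Steps 3 and 5 deliberately print rather than delete automatically, because an attacker-added authenticator looks identical to a legitimate one in the API and only the user can confirm which is theirs.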

The partner playbook, what to recommend to customers this week

For partners supporting Microsoft 365 environments, the most practical message to take to customers is: treat email compromise as an identity incident, not just an “email problem”.

Suggested checklist for customer conversations:

    • Tighten consent and token risk
      • Review sign-in logs and risky sign-ins
      • Monitor for suspicious app consents and unexpected token use
      • Confirm session revocation steps are understood, practiced, and documented
    • Reduce the blast radius of a single mailbox
      • Hard-limit what standard accounts can do in finance and admin workflows
      • Segregate roles, especially for billing changes and supplier management
      • Use approvals that do not rely on email alone for payment instructions
    • Harden trust paths
      • Treat “file share” and “document review” emails as higher-risk
      • Require additional verification for unexpected SharePoint or OneDrive prompts
      • Encourage direct navigation to known portals rather than clicking links
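To make the first group of that checklist (review sign-in logs, watch for suspicious consents) concrete, here is an added triage example, not MailGuard's own tooling, that summarises one user's recent sign-ins by source IP and lists the app consents they granted in the same window. It assumes the Microsoft.Graph module is installed and that the operator can read the Entra ID audit logs; $Upn and the 14-day window are placeholders.

```powershell
# Added example, not MailGuard's own tooling: triage the sign-in and consent trail for one
# user before deciding whether to contain. Assumes the Microsoft.Graph module is installed
# and the operator can read audit logs. $Upn and the $Days window are placeholders.
param(
    [Parameter(Mandatory)][string]$Upn,
    [int]$Days = 14
)

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" | Out-Null
$since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")

# An AiTM proxy completes MFA on the victim's behalf, so a successful, MFA-satisfied sign-in
# is not reassuring by itself. Summarise by source IP and surface anything new or risky:
# a first-seen IP or country with successful sign-ins is the lead to chase.
$signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since"

$signIns | Group-Object IPAddress | ForEach-Object {
    $first = $_.Group | Sort-Object CreatedDateTime | Select-Object -First 1
    [pscustomobject]@{
        IP        = $_.Name
        Country   = $first.Location.CountryOrRegion
        FirstSeen = $first.CreatedDateTime
        SignIns   = $_.Count
        Succeeded = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
        Apps      = ($_.Group.AppDisplayName | Sort-Object -Unique) -join ', '
        Risk      = ($_.Group.RiskLevelDuringSignIn | Sort-Object -Unique) -join ', '
    }
} | Sort-Object FirstSeen | Format-Table -AutoSize

# Consent events in the directory audit log: an app the user consented to shortly after an
# unfamiliar sign-in is a strong persistence indicator and should be revoked during containment.
Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Consent to application' and activityDateTime ge $since" |
    Where-Object { $_.InitiatedBy.User.UserPrincipalName -eq $Upn } |
    Select-Object ActivityDateTime,
                  @{ n = 'App'; e = { $_.TargetResources[0].DisplayName } },
                  Result |
    Format-Table -AutoSize
```

Read the first table for an IP that appears late in the window, from an unexpected country, with successful sign-ins and a non-empty Risk column; then check whether a consent event follows it. Failed-MFA noise is largely absent in AiTM cases, which is exactly why the summary is keyed on where the session came from rather than on whether MFA passed.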

How to position this with customers without fear tactics

This is not about telling customers their environment is unsafe. It is about acknowledging that attackers are adapting to the way modern businesses operate, using trusted brands and familiar collaboration workflows as camouflage. A clear, calm framing that works well with boards and executives is: “The attacker is not breaking in through a technical side door. They are walking through a trusted front door that looks legitimate, and the only reliable countermeasure is to stop malicious intent before the user is forced to decide.”

Keeping Businesses Safe and Secure

Prevention is always better than a cure, and one of the best defences is to encourage businesses to proactively boost their cyber resilience so that threats never land in inboxes in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for businesses to fortify.

No one vendor can stop all email threats, so it’s crucial to remind customers that if they are using Microsoft 365 or Google Workspace, they should also have a third-party email security specialist in place to mitigate their risk, for example a specialist AI-powered email threat detection solution such as MailGuard.

For a few dollars per staff member per month, businesses are protected by MailGuard's specialist, AI-powered zero-day email security. Special Ops for when speed matters! Our real-time zero-day email threat detection amplifies your client’s intelligence, knowledge, security and defence.

MailGuard provides a range of solutions to keep businesses safe, from email filtering to email continuity and archiving solutions. Speak to your clients today to ensure they’re prepared and get in touch with our team to discuss fortifying your client’s cyber resilience.

Talk to us

MailGuard's partner blog is a forum to share information; we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.

Australian partners, please call us on 1300 30 65 10

US partners call 1888 848 2822

UK partners call 0 800 404 8993
