Spotting the dodgy emails in your inbox used to be easy. Bad grammar, weird sender addresses, links to strange sites. But what if the email came from your organisation's own domain? What if it looked exactly like a message from HR or your IT department, asking you to update your password or review a document?
This might sound like a sophisticated attack unlikely to affect small Australian businesses, but it's happening right now to Microsoft 365 customers all over the world, including right here at home.

Phishing From "Down the Hall"
In January 2026, Microsoft Threat Intelligence published a detailed warning about a surge in spoofed phishing attacks. These aren't your average scam emails from Nigerian princes. They're messages that appear to come from inside your company, mimicking internal senders like HR, finance, or even IT. By exploiting misconfigured email routing or weak authentication settings, these messages can easily slip past your defences.
Microsoft are on it, with Defender for Office 365 blocking over 13 million phishing emails, from just one service, in just one month! But those are only the ones it caught. Organisations with misconfigured mail exchange (MX) records or permissive SPF, DKIM, or DMARC policies are particularly exposed. If this is you, you've left the front door unlocked.
Your MFA Isn't the Silver Bullet You Think It Is
Multi-factor authentication is still important; absolutely keep it turned on. But attackers have found ways around it. A technique called device code phishing, which saw a sharp rise in late 2025, tricks users into entering a legitimate Microsoft authorisation code on a real Microsoft page. The user thinks they're verifying their identity. In reality, they've just handed control of their account to an attacker. No password is stolen, and MFA isn't bypassed in the traditional sense. The user is the authentication.
Both state-sponsored groups and financially motivated criminals are using this method, and it's being packaged into easy-to-use phishing kits that require minimal technical skill to deploy.
This Is an Australian Problem, Not Just a Global One
The ASD's Annual Cyber Threat Report 2024–25 paints a concerning picture. Over 84,700 cybercrime reports were received in the financial year. One every six minutes. Phishing was recorded as a factor in 38% of incidents reported to the ACSC. Business email compromise (BEC) fraud accounted for 15% of all business-related cybercrime reports, and email compromise without direct financial loss made up another 19%. That means about one in three cyber incidents hitting Australian businesses starts with email.
The average self-reported cost of cybercrime to large businesses jumped 219% year-on-year. For small and medium enterprises, BEC losses averaged over $97,000 per incident. That's some serious money walking out the door of businesses just like yours.
So How Do We Prevent It?
The good news is that the fixes aren't exotic. But you do need to make sure you've got the fundamentals right inside your Microsoft 365 environment:
Properly configuring your email authentication (SPF and DKIM in place, with a DMARC policy set to reject or quarantine) stops attackers from impersonating your domain. Conditional Access policies in Microsoft Entra ID (formerly Azure AD) can restrict where and how logins happen, adding a layer of protection that goes well beyond a simple MFA prompt. And reviewing your MX records and mail routing ensures Microsoft's built-in protections are actually working for you.
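An added illustration, not part of the original post: a small Python check that grades a domain's DMARC and SPF records against the settings described above (a DMARC policy of reject or quarantine, SPF ending in -all, and no more than ten DNS lookups). The records are constructed samples and the function names are my own; the spf.protection.outlook.com include is the one Microsoft documents for Exchange Online.

```python
# Added example (not from the original post): grade DMARC and SPF TXT records
# for the weak settings described above. Records are constructed samples, not
# live DNS data; spf.protection.outlook.com is Microsoft's documented include.

# SPF mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_dmarc(txt):
    """Return DMARC tag/value pairs, or None if the record is not DMARC."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return None
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def assess_dmarc(txt):
    """Grade a DMARC record: 'strong', 'ok', 'partial', 'weak' or 'missing'."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ("missing", "no DMARC record: spoofed mail is neither rejected nor quarantined")
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))  # share of failing mail the policy applies to
    if policy in ("reject", "quarantine") and pct < 100:
        return ("partial", f"p={policy} applies to only {pct}% of failing mail")
    if policy == "reject":
        return ("strong", "p=reject: impersonated mail is refused outright")
    if policy == "quarantine":
        return ("ok", "p=quarantine: impersonated mail lands in junk, not the inbox")
    return ("weak", f"p={policy or 'absent'}: failures are only monitored, never blocked")

def assess_spf(txt):
    """Grade an SPF record by its 'all' qualifier and its DNS lookup count."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("missing", "no SPF record: any server may send as this domain")
    # Strip the qualifier (+ - ~ ?) and any argument to get the bare mechanism name.
    names = [t.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower() for t in terms[1:]]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        return ("broken", f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        return ("weak", f"{last}: every sender passes, SPF gives no protection")
    if last == "~all":
        return ("softfail", "~all: soft failure only, DMARC must do the enforcing")
    if last == "-all":
        return ("strong", "-all: unauthorised senders fail SPF")
    return ("unknown", "record does not end with an 'all' mechanism")
```

Run the two functions over the TXT records your DNS host shows for `_dmarc.yourdomain` and the apex domain; anything other than strong or ok is worth a look.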
None of this is set-and-forget. It needs regular review as your organisation changes, as Microsoft updates its platform, and as attackers adapt their techniques.
We Can Help You Get This Right
Wondering about the state of your own Microsoft 365 configuration? Probably a healthy reaction. These aren't settings most business owners should be expected to manage on their own, and getting them wrong can be catastrophic.
We help Sydney businesses lock down their Microsoft 365 environments, from email authentication and Conditional Access policies through to ongoing monitoring and more. If you need a second set of eyes on your setup, get in touch today! We'd love to have a chat.