AI Phishing in 2026: Why Microsoft 365 Users Are Still Getting Caught (and What To Monitor)

1) Initial Lure (Email, Teams Link, Shared Document)

What It Looks Like

• To a user: a believable message that fits their role: “updated contract”, “invoice query”, “Teams meeting notes”, “SharePoint file shared with you”, DocuSign-style request, “password expires today”
  
• To IT: often nothing malicious yet. Links may use legitimate services (SharePoint/OneDrive, file hosting, URL shorteners) and the sender may be:
  • an external lookalike domain, or
  • a real compromised supplier/customer account.

AI makes these lures far more convincing and targeted, so you should assume some will land and be clicked. As a result, your protection strategy shifts from stopping every click to limiting what happens after the click.

2) Credential or Session Capture (Fake Login Page, Adversary-in-the-Middle)

What It Looks Like

• To a user: a Microsoft-looking sign-in prompt. They enter credentials, maybe approve multi-factor authentication (MFA), and then still end up at a real page (so it feels normal).
• To IT: two common patterns:
  • Credential harvest: attacker steals username/password, then tries to log in elsewhere.
  • Adversary-in-the-middle (AiTM): attacker acts as a proxy between the user and Microsoft, capturing not just the password but the session token/cookie so they can “be” the user without re-entering credentials.

This is the point where just having MFA isn’t enough. If a session token (cookie – data that proves you’re already authenticated) is stolen, an attacker can often access services as a valid session.

The best detection now comes from sign-in context (new device/location/client) and post-login behaviours (mailbox rules, forwarding, OAuth consent).

3) Access Gained (Successful Sign-In, New Device/Session)

What It Looks Like

• To a user: usually nothing. They might just notice odd MFA prompts.
• To IT: you may see:
  • a successful sign-in from a new location or new device
  • a new client type (browser vs desktop, different device OS)
  • a short burst of failed logins before a success (spray then hit)
  • sign-ins at unusual times for that user.
• To a user: emails “go missing”, suppliers say they replied but you never saw it, finance conversations become oddly one-sided.
• To IT: high-signal changes such as:
  • new inbox rules (move/hide/delete messages)
  • external auto-forwarding turned on
  • new delegates or mailbox permissions (“Send As”, “Full Access”)
  • a new OAuth app granted permissions (mail/files), sometimes by the user unknowingly.

If you catch it here, you can stop the whole chain before it becomes fraud or ransomware. You want to start investigating immediately if you see a new sign-in context combined with a high-risk user, and unusual follow-on actions.

4) Persistence Set (Mailbox Rules, Forwarding, OAuth Consent, Delegate Access)

This is where Business Email Compromise (BEC) becomes hard to spot.

What It Looks Like

• To a user: emails “go missing”, suppliers say they replied but you never saw it, finance conversations become oddly one-sided.
• To IT: high-signal changes such as:
  • new inbox rules (move/hide/delete messages)
  • external auto-forwarding turned on
  • new delegates or mailbox permissions (“Send As”, “Full Access”)
  • a new OAuth app granted permissions (mail/files), sometimes by the user unknowingly.

Persistence means the attacker can keep control even if the user changes password later. That also allows attackers to hide replies and intercept payment conversations, which is the core of BEC.

5) Internal Reconnaissance (Searching Mail, SharePoint, Teams)

What It Looks Like

• To a user: still often invisible.
• To IT: activity that looks legitimate but is unusual in volume or pattern:
  • searching inbox for “invoice”, “bank”, “payment”, “remittance”, “account details”
  • opening recent threads with suppliers
  • reviewing org charts, Teams chats, SharePoint folders
  • downloading files or trawling shared sites.

Attackers are learning the business: who approves payments, what language is used, typical invoice amounts, supplier contacts. And this is why the fraud attempts can look eerily authentic.

6) Business Exploitation (Invoice Redirection, Supplier Change Requests, BEC)

What It Looks Like

• To CEOs/finance: “Please update our bank details”, “Urgent payment today”, “I’m in meetings, just do it”, or a believable supplier thread continuation.
• To IT: suspicious sending patterns:
  • new external recipients
  • replies sent from the compromised mailbox but not seen by the user (because of rules)
  • creation of new mail flow patterns or lookalike domains in communications.

This is where money moves. Apart from detection speed, process controls protect your business, such as call-back verification and two-person approval. Your business needs pre-agreed rules so finance can stop payments without waiting for perfect certainty.

7) Cover Tracks (Hide Replies, Delete Security Alerts, Move Items)

What It Looks Like

• To a user: “I never received that email” or “my sent items look odd”.
• To IT: more mailbox manipulation:
  • rules to delete security warnings or MFA messages
  • moving conversations to obscure folders
  • marking items as read
  • deleting sent items or creating rules to hide evidence.

This allows the attacker to buy time, increasing the chance of successful fraud. It’s also why it’s so important that you review rules/forwarding/delegates post-incident, rather than just reset passwords.

8) Optional Escalation (Admin Roles or Broader Compromise)

Not every phish goes here, but when it does, it gets expensive.

What It Looks Like

• To leadership: multiple accounts affected, operational disruption, possibly ransomware or major data loss.
• To IT: indicators like:
  • attempts to access admin portals
  • privileged role changes
  • multiple user accounts showing similar sign-in anomalies
  • signs of lateral movement or broader data access.

If attackers reach admin-level access or compromise multiple accounts, the blast radius multiplies quickly. And here’s where good monitoring is important, which means going beyond viewing events in isolation but correlating them. This is where correlating events rather than viewing them in isolation makes the difference between simply monitoring and good monitoring.

If you see any of the below, it should ring alarms bells.

Investigate-Now Signals

• New/increased external auto-forwarding
• New inbox rules that hide or reroute finance/security emails
• New delegate access / mailbox permissions
• Unusual mass downloads from SharePoint/OneDrive (if visible)
• New OAuth app consent with high-impact permissions
• Multiple failed sign-ins then success (spray pattern)
• Sign-in from new location/device immediately followed by high-volume email actions
• New admin role assignments (rare, high impact)
• Conditional Access or security policy changes (if applicable)
• Unusual sending patterns (new recipients, unusual volume)

And this is especially relevant if you also see any activity like the below.

Correlate Signals

• Out-of-hours activity spikes
• New email client/app type (legacy protocols, unusual user agent)
• Sudden change in geolocation profile
• Unusual creation of rules across multiple users (campaign indicator)

Looking at how it’s done, it should become clear WHY BEC is so successful.

Attackers love mailbox persistence because it’s:

• Low noise: No obvious pop-ups, no crashed systems, no ransomware note. It looks like normal email usage.
• High leverage: One compromised mailbox can influence invoices, supplier conversations, approvals, and internal trust.
• Self-hiding: Rules can automatically remove warning signs (supplier replies, security notifications, MFA alerts) so the victim doesn’t realise anything is wrong.
• Durable: If the attacker sets up forwarding, delegates, or OAuth access, they can often stay in control even after a password change.

The key idea: they don’t need to hack again if they can keep access quietly.