The Breach Didn't Start With a Hacker. It Started With an Inbox

What Every Business Needs to Know About Phishing, Microsoft 365, and the Attacks We're Seeing Right Now

A financial services firm in Manhattan reached out to Bit by Bit after discovering their Microsoft 365 environment had been compromised. Cybercriminals had slipped in through a phishing email, moved silently through the firm's systems, and ultimately deployed ransomware that locked down operations completely. Every hour of downtime carried a steep price tag. Every hour of recovery added to it.

Nobody on the team thought they had clicked something dangerous. The email looked completely normal. That is exactly the point.

If your organization runs on Microsoft 365, this is the threat that deserves your attention right now. No geek speak. Just what you need to know.

It Starts With an Email That Looks Like Every Other Email

Before criminals send a single message, they do their homework. They find your company on LinkedIn, pull employee names from your website, and study how your organization communicates. By the time the phishing email lands in your employee's inbox, it has been crafted specifically to fit in.

The most effective attacks impersonate Microsoft directly. The email carries the right logo, the right colors, and a subject line designed to trigger immediate action:

• Your Microsoft 365 account has been flagged for suspicious activity
• A colleague has shared an important document with you via OneDrive
• Your subscription requires immediate verification to avoid interruption
• An invoice is waiting for your review and approval
• Authority: The email appears to come from Microsoft, IT, or a senior leader
• Urgency: Account suspension threats or payment deadlines force a fast decision
• Familiarity: Shared file notifications and calendar alerts feel routine, not suspicious
• Volume: When your inbox never stops, every message gets a little less scrutiny
• MFA Fatigue (Push Bombing): Criminals send a wave of MFA push notifications until the employee, frustrated and distracted, taps Approve just to make it stop.
• Adversary-in-the-Middle (AiTM) Attacks: The phishing site proxies the real Microsoft login in real time, capturing not just credentials but the active session token. The attacker walks in without ever needing the MFA code.
• Every email account, calendar, and contact in your organization
• All files stored in SharePoint and OneDrive, including sensitive client data and financial records
• Internal communications across Microsoft Teams
• Every third-party application connected to your M365 environment
• Azure Active Directory, where they can create new admin accounts and shut out your real ones
• Credential theft opens the door
• Silent reconnaissance maps the environment and identifies targets
• Lateral movement extends their reach to additional accounts and systems
• Data is quietly exfiltrated for leverage or sale
• Ransomware is deployed to maximize disruption and force a payout
• Check the actual sender domain, not just the name displayed in the From field
• Hover over any link before clicking to see where it actually leads
• When an email prompts a login, open the application directly in a new browser tab instead of clicking through
• Treat any unusual or urgent request as worth a quick verification call, regardless of who it appears to come from
• Report anything suspicious to IT right away rather than deleting it and moving on
• Security Awareness Training: We build your team's instincts through practical training and simulated phishing campaigns, turning awareness into habit.
• Microsoft 365 Security Hardening: We configure Conditional Access policies, enforce phishing-resistant MFA, and tune Microsoft Defender to close the gaps that default M365 settings leave wide open.
• Endpoint Detection and Response (EDR/XDR): Advanced endpoint monitoring catches suspicious behavior at the device level, stopping threats that slip past your inbox defenses.
• Arctic Wolf MDR: Our partnership with Arctic Wolf brings 24/7 managed detection and response backed by a dedicated Concierge Security team that knows your environment and responds fast when something is wrong.
• Zero Trust Architecture: We build access controls on the assumption that no user or device should be trusted by default, so a stolen credential cannot move freely through your systems.
• Incident Response Planning: We work with every client to document a clear, practiced response plan so that if an attack occurs, the first hours are organized, not chaotic.

The goal is a single click before the employee pauses to think. And more often than not, it works..

Why Careful, Capable People Still Click

This is not a story about careless employees. It is a story about carefully designed deception meeting very human conditions.

Your team is processing a high volume of email every day, often on mobile devices where the full sender address is tucked away and URLs cannot be previewed before tapping. Criminals design their attacks around exactly that reality.

The psychological pressure they build into these emails is deliberate:

The busiest, most productive people on your team are often the most exposed.

The Credential Theft: What Happens When They Click

The link takes your employee to a login page that is a precise visual replica of Microsoft 365. The URL looks close enough. The page looks exactly right. They enter their username and password, hit enter, and those credentials go straight to an attacker.

What makes this especially dangerous in 2025 is that multi-factor authentication is no longer a guaranteed barrier. Attackers have adapted.

Plain English: What "Getting Into Your Microsoft Tenant" Actually Means

Your Microsoft tenant is not just your email account. It is the master environment that controls your entire organization's relationship with Microsoft. When an attacker has valid credentials and finds their way to admin access, they are not in one room. They are holding the keys to the whole building.

That means access to:

The Manhattan firm that came to us had an attacker inside their tenant for over a week before the ransomware deployed. In that time, the criminals read client communications, identified key personnel, and mapped the organization before making their move.

The Progression: From One Click to Full Shutdown

Once an attacker is inside, they follow a methodical path:

The financial and operational damage compounds at every step. By the time most organizations realize what is happening, the attacker has already been inside long enough to do serious harm.

Building a Team That Can Spot This

CISA's phishing awareness resources offer practical, plain-language guidance that translates well to employee training. The habits that matter most:

The human layer of your security is not a weakness. Properly trained, it is one of your strongest defenses.

The Bit by Bit Approach: Security-First, Jargon-Free, Built Around Your Business

At Bit by Bit, we take a security-first approach to every client engagement. That means layered protection tailored to your specific environment, explained in plain English every step of the way.

Tech Savvy. Business Smart. Ready for What's Next.

The attack that shut down that Manhattan firm started the same way every similar attack starts: one email, one click, one open door. The difference between organizations that recover quickly and those that don't almost always comes down to the layers they had in place before the attack arrived.

Bit by Bit has spent over 35 years building and protecting the IT environments of businesses in New York, Boston, and Dallas. We know what a real security posture looks like, and we will tell you plainly where yours stands.

Is your Microsoft 365 environment as secure as you think it is? Let's take an honest look together.

Schedule Your Cyber Risk Assessment HERE