Phishing Has Outgrown Email — Where It's Showing Up Now

Apr 02, 2026

Text, voice, deepfake video calls, and OAuth consent phishing in Microsoft 365: the modern social-engineering surface is broader than most playbooks cover.

The Shift That Happened While We Were Training on Email

Email phishing simulations have become a standard part of security awareness programmes, which is good. But attackers adapted. The fastest-growing attack vector in 2025-2026 is voice phishing (vishing), particularly calls using AI-cloned voices that impersonate executives, vendors, or IT support and ask the target to reset a password, approve an MFA prompt, or read back a one-time code. The FBI's Internet Crime Complaint Center reported vishing losses exceeding email phishing losses for the first time in 2025. Most security awareness training does not cover vishing with the same depth as email, even though the defence is simple to state: caller ID is trivially spoofed, so any request that changes credentials or access is confirmed by calling back on a number from the internal directory, never the one the caller supplies.

Microsoft 365 OAuth Consent Attacks

One of the most effective attacks against M365 environments right now does not involve stealing a password at all. The attacker registers an OAuth application (in their own tenant or a compromised one) and tricks a user into granting it delegated permissions such as Mail.Read, Contacts.Read and Calendars.Read, almost always alongside offline_access so the app receives a refresh token. The consent screen is not a fake: it is the genuine Microsoft consent prompt on login.microsoftonline.com, which is exactly why users trust it and why credential-focused training does not help. Once granted, the attacker has persistent access to the mailbox through the Graph API. Changing the user's password does not invalidate the app's refresh token; access continues until an admin removes the permission grant (or disables the service principal) and revokes the user's sign-in sessions. Detection means watching the Unified Audit Log and the Entra ID audit log for "Consent to application" events, especially user (non-admin) consents to unfamiliar apps requesting mail or directory scopes. The log records these by default, but few organisations alert on them.
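The detection logic described above, as an added example that is not part of the original article or of any Microsoft tooling: a Python script that walks exported Unified Audit Log records and flags "Consent to application." events where a user, rather than an admin, granted mail, contact, calendar, file or directory scopes. It assumes the records are the parsed AuditData JSON objects returned by Search-UnifiedAuditLog or a Purview export, that the consent event carries its scopes in the ConsentAction.Permissions modified property and its admin flag in ConsentContext.IsAdminConsent (both real property names; the exact layout of the Permissions string is reproduced from typical records and is an assumption), and that the app's display name appears as a Type 1 Target entry. The records at the bottom are constructed for the example, as is the RISKY_SCOPES list.

```python
"""Flag risky OAuth consent grants in a Microsoft 365 Unified Audit Log export.

Added example, not code from the original article. The sample records at the
bottom are constructed; the risky-scope list is an assumption to tune per tenant.
"""
import json
import re
from typing import Iterable, Optional

# Delegated Graph scopes that hand an app ongoing access to mailbox, calendar,
# file or directory data. Assumption: extend or trim for your environment.
RISKY_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Contacts.Read", "Calendars.Read", "Files.Read.All", "Files.ReadWrite.All",
    "Directory.Read.All", "Directory.AccessAsUser.All",
}
# offline_access is the scope that lets the app obtain a refresh token and keep
# working after the browser session ends or the user changes their password.
PERSISTENCE_SCOPE = "offline_access"

# The ConsentAction.Permissions value looks like (layout is an assumption)
# "[] => [[Id: ..., ConsentType: Principal, Scope: Mail.Read openid, CreatedDateTime: ...]]";
# only the space-separated list after "Scope:" matters here.
_SCOPE_RE = re.compile(r"Scope:\s*([^,\]]*)")


def parse_scopes(permissions_value: str) -> set:
    """Return the set of OAuth scopes named in a ConsentAction.Permissions string."""
    scopes = set()
    for match in _SCOPE_RE.finditer(permissions_value or ""):
        scopes.update(match.group(1).split())
    return scopes


def _modified(record: dict, name: str) -> str:
    """NewValue of the named entry in the record's ModifiedProperties list."""
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == name:
            return prop.get("NewValue", "") or ""
    return ""


def _app_name(record: dict) -> str:
    """App display name. Assumption: the Type 1 Target entry; fall back to ObjectId."""
    for target in record.get("Target", []):
        if target.get("Type") == 1:
            return target.get("ID", "")
    return record.get("ObjectId", "unknown-app")


def assess_consent(record: dict) -> Optional[dict]:
    """Return a finding for a consent event with risky scopes, else None.

    User (non-admin) consent is rated high: it is the consent-phishing pattern.
    Admin consent to the same scopes is rated medium: legitimate more often, but
    still worth review because it grants the app access on behalf of every user.
    """
    if record.get("Operation") != "Consent to application.":
        return None
    scopes = parse_scopes(_modified(record, "ConsentAction.Permissions"))
    risky = sorted(scopes & RISKY_SCOPES)
    if not risky:
        return None
    admin_consent = _modified(record, "ConsentContext.IsAdminConsent").lower() == "true"
    return {
        "time": record.get("CreationTime"),
        "user": record.get("UserId"),
        "app": _app_name(record),
        "risky_scopes": risky,
        "persistent": PERSISTENCE_SCOPE in scopes,
        "admin_consent": admin_consent,
        "severity": "medium" if admin_consent else "high",
    }


def find_risky_consents(records: Iterable[dict]) -> list:
    """Run assess_consent over an iterable of parsed AuditData records."""
    return [f for f in (assess_consent(r) for r in records) if f]


def _consent_record(time, user, app, scopes, admin="False"):
    """Build a constructed audit record in the shape of a real consent event."""
    permissions = (
        "[] => [[Id: 11111111-1111-1111-1111-111111111111, ConsentType: Principal, "
        f"Scope: {scopes}, CreatedDateTime: {time}]]"
    )
    return {
        "CreationTime": time,
        "Operation": "Consent to application.",
        "Workload": "AzureActiveDirectory",
        "UserId": user,
        "ObjectId": app,
        "Target": [{"ID": app, "Type": 1}],
        "ModifiedProperties": [
            {"Name": "ConsentContext.IsAdminConsent", "NewValue": admin, "OldValue": ""},
            {"Name": "ConsentContext.IsAppOnly", "NewValue": "False", "OldValue": ""},
            {"Name": "ConsentAction.Permissions", "NewValue": permissions, "OldValue": ""},
        ],
    }


SAMPLE_RECORDS = [  # constructed for this example
    _consent_record("2026-03-30T08:01:10", "bob@contoso.example", "Timesheet Portal",
                    "openid profile User.Read"),
    _consent_record("2026-03-30T09:12:44", "alice@contoso.example", "MailSync Helper",
                    "Mail.Read Mail.ReadWrite Contacts.Read Calendars.Read offline_access openid profile"),
    {"CreationTime": "2026-03-30T09:12:40", "Operation": "Add service principal.",
     "Workload": "AzureActiveDirectory", "UserId": "alice@contoso.example"},
    _consent_record("2026-03-30T10:30:00", "admin@contoso.example", "HR Directory Sync",
                    "Directory.Read.All User.Read", admin="True"),
]

if __name__ == "__main__":
    for finding in find_risky_consents(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Against a real export, load the JSON and pass the list to find_risky_consents. A high finding with persistent set to True is the case where the attacker holds a refresh token, so the response is to remove the grant and revoke the user's sign-in sessions rather than only resetting the password.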

Text and Teams Phishing

SMS phishing (smishing) targeting corporate credentials has grown significantly as mobile devices have become the primary authentication channel: the same phone that receives the lure also holds the authenticator app. More concerning is Teams-based phishing. By default, Teams external access (federation) lets users in any other Microsoft 365 tenant start a chat with your employees, so an attacker can create a tenant, name it after a vendor or your own IT helpdesk, and deliver a lure or a malicious link that renders inside the Teams client, which employees instinctively trust more than email. Microsoft has tightened the defaults and warnings around external senders in recent updates, but many organisations have not reviewed their Teams external access policy since deployment. The check is simple: if external access is set to allow all domains, change it to an allowlist of the partner domains you actually work with.

What Actually Reduces the Attack Surface

Beyond better training, the most effective technical controls are: conditional access policies that block authentication from non-compliant or unmanaged devices; an app consent policy that stops users consenting to third-party OAuth applications themselves and routes requests through the admin consent workflow for review; and phishing-resistant MFA. Be precise about the last one. Microsoft's phishing-resistant authentication strength covers FIDO2 security keys, passkeys (including device-bound passkeys in Microsoft Authenticator), Windows Hello for Business and certificate-based authentication. Authenticator push with number matching is a clear improvement over SMS codes and defeats MFA-fatigue push bombing, but it does not stop an adversary-in-the-middle proxy that relays the user's own sign-in in real time, so it does not count as phishing-resistant. Note also which control addresses which attack: consent phishing never asks for a password, so MFA alone does not stop it; the consent policy is the control that does. Together these three controls substantially reduce the non-email attack scenarios described above.

Ready to Put This Into Practice?

Talk to VSERV about Microsoft 365 security hardening and reducing your organisation's social-engineering attack surface.