Technique

Attack Flow

Common Indicators

Required Skills and Resources

Real-World Examples

Credential harvesting

Email/SMS/Teams message lures user to a fake login; entered credentials go straight to the attacker; followed by mailbox takeover, internal phishing, BEC, or data exfiltration.

New login from an unusual source; immediate mailbox rules or forwarding; failed followed by successful login; captcha page before login; PDF leading to browser login.

Low to medium: domain registration, phishing kit, hosting, brand impersonation. Modern kits lower the entry barrier significantly.

Microsoft described a 2026 campaign targeting over 35,000 users across 13,000 organizations in 26 countries using PDFs, captcha steps, and real-time credential and token collection. Microsoft also described a campaign using SVG files disguised as PDFs leading to credential harvesting [6].

Malware via attachments or links

Lure message prompts user to open an attachment or download a file; this delivers malware, a loader, or legitimate remote tooling; followed by reconnaissance, lateral movement, and potentially ransomware.

SVG/ZIP/LNK/HTML smuggling; unexpected "voicemail", "invoice", or "secured pdf"; endpoint process starting PowerShell or remote tooling immediately after opening.

Low to medium for commodity malware; higher for stealth and evasion.

Microsoft described a campaign where scriptable SVG attachments were used to redirect users through captchas to phishing pages or payloads. Reports from Reuters and the FBI also show that ransomware remains a major operational risk after initial access is gained [7].

MFA fatigue

Attacker already has a password and repeatedly pushes MFA requests until a user approves one; followed by account takeover and often privilege escalation.

Dozens of push requests; many "deny" actions followed by one "allow"; notifications outside working hours; helpdesk requests immediately following MFA issues.

Medium: previously compromised password, automated push spam.

Scattered Spider is known for MFA fatigue and other identity attacks; researchers and law enforcement linked this method to subsequent major compromises. 

AiTM and phishing proxies

Victim logs into a proxy page that relays the real Microsoft or Google login; credentials, MFA code, and especially session cookies/tokens are intercepted in real time; after which no new MFA is needed.

Valid credentials and MFA, yet a suspicious session; new session cookies; browser or user-agent anomalies; successful login after suspicious redirect chain.

Medium to high; though PhaaS platforms are making this cheaper and cheaper.

Tycoon 2FA was dismantled in 2026; Europol and Microsoft linked it to AiTM, MFA bypass, nearly 100,000 affected organizations, and hundreds of attack domains. Barracuda also observed Whisper 2FA on a large scale targeting Microsoft 365 [8].

OAuth consent phishing

User grants permission to an app instead of sharing a password; the attacker gets tokens or app permissions for email, files, or directory data; followed by persistent access without classic password abuse.

New app consent by end user; unexpected Graph permissions; email or files access by unknown app; suspicious app registrations.

Medium: malicious app registration, permission knowledge, convincing UX.

In 2025, Datadog described "CoPhish", the abuse of Microsoft Copilot Studio agents on legitimate Microsoft domains for OAuth consent and token abuse. In 2026, Microsoft also warned of active OAuth campaigns designed to bypass browser and email defenses [9].

QR phishing

QR code in email, PDF, poster, or package directs user to a login or malware page; filters that detect URLs in text often miss this.

PDF with QR code; "scan to view document"; unexpected QR in invoices or access requests; mobile device as an anomalous login source.

Low: QR generator and landing page are often sufficient.

The FBI warned in 2025 about QR scams in unsolicited packages; there are also warnings for targeted quishing by Kimsuky. Researchers emphasize that QR phishing is explicitly designed to bypass classic URL inspection. 

BEC and invoice fraud

Attacker uses a spoofed or compromised mailbox, monitors ongoing correspondence, and sends payment or bank account changes; the goal is fraud, not necessarily malware.

Threads about invoices suddenly become "urgent"; subtle domain variations; changes to IBAN; request for confidentiality; reply behavior outside normal patterns.

Low to medium: mailbox access plus social engineering.

FBI figures show that BEC continues to cause billions in losses; academic case studies analyzed Unatrac and Ubiquiti, among others, as examples of major BEC impact [10].

Spear phishing and CEO fraud

Attacker highly personalizes based on role, timing, and context; targets are often finance, executive management, HR, or IT; ultimate goal is money, data, or an initial foothold.

Language and context seem "too good"; reference to real projects or schedules; pressure for speed; unusual channels or private email.

Medium to high; AI significantly lowers the personalization barrier.

Recent research literature shows that generative AI can create context-aware spear phishing at scale with convincing style and context imitation. Practically, this aligns with CEO fraud and BEC. 

Helpdesk and voice social engineering

Attacker calls or chats with service desk, impersonates an employee or vendor, and gets passwords reset, phone numbers added, or MFA devices registered; followed by account takeover and often ransomware.

Urgent reset requests; request for a "new number" or new device; deep knowledge of internal processes; calls shortly after credential theft or SIM swap.

Medium; requires good pretexting and OSINT, little malware knowledge.

Reuters and other reports linked Scattered Spider to social engineering against MGM and Caesars; subsequent warnings for retailers and aviation re-emphasized the abuse of helpdesks and MFA resets. 

Supply chain phishing

Attacker compromises a vendor, MSP, or SaaS provider and uses that trusted relationship for secondary attacks; goal is scale, credibility, and access to multiple clients.

Valid vendor mailbox but unusual content; vendor asks for a new login or file; staff trusts the sender too quickly; shared tenants or admins.

Medium to high; requires supplier compromise or abuse of support chains.

Twilio was compromised via SMS phishing; this secondarily affected customer organizations like Signal, carrying supply-chain impacts. Wired also described similar third-party impacts at DoorDash and Mailchimp [1].

Device code phishing

Attacker sends a real Microsoft device code and prompts victim to log in via a legitimate Microsoft page; victim effectively authorizes the attacker's device; result is token-based access without password theft.

Device-code login event; legitimate Microsoft page, but originating from a suspicious initiation channel; long-lived access and refresh tokens.

Low to medium thanks to ready-to-use kits.

The FBI warned in May 2026 of Kali365, which used exactly this mechanism to take over Microsoft 365 accounts and capture OAuth tokens [11].

Attack Technique

Relevant Annex A Controls

Minimum SME Baseline

Highly Recommended Enhancements

Common Mistake

Credential harvesting

A.6.3 awareness; 

A.8.5 secure authentication;

A.8.15/A.8.16 logging/monitoring; 

A.5.24-A.5.26 incident management

MFA for all (cloud) accounts; blocking legacy auth; email report button; logging of sign-ins and mailbox rules; reset and token revocation process

FIDO2/passkeys for admins and finance; CA policies; mailbox rule alerts; suspicious impossible-travel review

"MFA is on" without knowing which methods, fallbacks, and exceptions are active

Malware via attachments/links

A.8.7 protection against malware; 

A.8.23 web filtering; A.8.15/A.8.16

Defender/EDR, attachment sandboxing or secure email filter, blocking risky files where possible, browser and Office hardening

Application control, macro policies, RMM detection, DNS/web filtering on (roaming) devices

Counting only antivirus, but having no EDR, no browser/web controls, and no block policy for unusual file types

MFA fatigue

A.8.5 secure authentication; 

A.6.3 awareness

Push notifications only with number matching or similar verification; rate-limiting; helpdesk instructions for MFA issues

FIDO2/passkeys for admins and sensitive roles; disabling weak methods like SMS where possible

Rolling out push MFA without number matching or user agreements

AiTM/phishing proxies

A.8.5, 

A.8.15/A.8.16, 

A.8.23, 

A.5.7 threat intelligence

MFA plus login and session logs; anomalous browsers/locations review; URL click protection

Phishing-resistant authentication; token protection where supported by platform; stricter CA policies

Believing that standard MFA on its own solves AiTM

OAuth consent phishing

A.5.15-A.5.18 identity/access; 

A.8.15/A.8.16; 

A.5.24-A.5.26

End users should not be allowed to freely grant high-risk app consents; log app registrations and grants

Admin consent workflow; periodic review of enterprise apps and Graph permissions

Only looking at passwords, completely ignoring app permissions and tokens

QR phishing

A.6.3, 

A.8.23, 

A.8.5

Mobile awareness specifically for QR codes; email filters checking QR in PDFs where possible; instructing users not to log in via QR

MDM/mobile threat defense for risky profiles; secure mobile browsers

Focusing training exclusively on visible links in emails

BEC/invoice fraud

A.6.3; A.5.14 information transfer; 

A.8.15/A.8.16; 

A.5.24-A.5.26

Four-eyes principle on account changes and urgent payments; callback procedure to a known number; mailbox logging

Detection of anomalies in correspondence, strictly enforcing DMARC/SPF/DKIM, stronger segregation of duties in finance

Relying on "the email looked legitimate" without independent verification

Spear phishing/CEO fraud

A.6.3, A.5.10 acceptable use, 

A.5.14, A.8.15/A.8.16

Protected process steps for HR, finance, management, and IT; no exceptions for "urgent requests from management"

Extra identity controls for management and finance; executive monitoring and VIP protection

Having clear processes, but allowing management to work outside of them

Helpdesk/social engineering

A.5.2 roles/responsibilities; 

A.5.17 authentication information; 

A.8.5; A.5.24-A.5.26

Service desk must never reset credentials based solely on knowledge questions or caller ID; resets via a separate verification step

Verbal passphrases or identity proofing, break-glass procedures, call recording and review

Viewing the helpdesk as merely "operational" rather than a security control

Supply chain phishing

A.5.19-A.5.23 supplier and cloud controls; 

A.8.15/A.8.16; A.5.24-A.5.26

Supplier access register; MFA and least privilege for MSPs (or JIT access); contractually mandate incident reporting

Review of vendor mail flows, restricting delegated admins, JML process for supplier accounts

Giving full tenant admin rights to a supplier without logging, review, or contractual obligations

Control Area

What auditors too often settle for

What they should actually ask

Strong Evidence

Awareness and training

Attendance list, e-learning certificates, single click rate

Are finance, HR, management, and the service desk trained separately? Do sessions cover QR, phishing, OAuth, and BEC? Is there behavioral follow-up?

Role-specific training content, reporting on user submissions, lessons learned from real alerts

Email security

"SPF/DKIM/DMARC is turned on somewhere"

Is DMARC set to reject/quarantine or monitor-only? Are lookalike domains, display name spoofing, and external senders flagged?

Identifiable mail policies, screenshots or exports of mail configuration, DMARC reporting

Web filtering

"Browser has safe browsing enabled"

Is filtering enforced outside the office or on roaming devices? Are new and unknown domains, file-sharing services, and phishing categories blocked?

Policy overviews, block logs, incident or test examples

Anti-malware and endpoint

Antivirus present

Is EDR deployed? Are scripts, LNK/HTML smuggling, unusual remote tools, and child processes monitored?

EDR configuration, detection rules, incident tickets, block events

MFA and conditional access

"MFA mandatory"

Which methods are allowed? Is SMS still active? Is number matching enabled? How does account recovery work? Who is authorized to reset MFA methods?

Exports of authentication methods, CA policies, service desk runbooks, logs of method changes

Logging and monitoring

SIEM license or "logging is enabled"

Are mailbox rules, OAuth grants, sign-ins, new devices, app consents, and forwarding rules logged and reviewed? How long are logs kept?

Retention periods, actual log events, queries, alert rules

Incident management

A written procedure

Can you quickly revoke tokens, remove mailbox rules, isolate account compromise, and engage suppliers? Have you ever run a tabletop drill for AiTM/BEC?

Drill reports, incident files, post-incident actions

Supplier management

Standard NDA or general SLA

Which suppliers have access to your tenant? How are delegated admin rights restricted? What is the reporting window and response time in case of a breach?

Supplier register, contract clauses, access reviews, admin role list

Priority

What to set up

Why first

Concrete Minimum Result

Immediate

Clean up MFA

Weak MFA is a cosmetic control

No legacy auth; no SMS for admins/finance; push notifications with number matching only; documented reset flow

Immediate

Enable usable email and identity logging

Without logs, there is no detection and no incident response

Sign-in logs, mailbox rules, forwarding, app consent, and method changes must be demonstrably available

Immediate

Harden finance and executive processes

BEC can cause damage without any visible system breach

Mandatory callback for bank account changes or urgent payments; four-eyes principle

Immediate

Tighten service desk identity verification

The helpdesk is a major attack surface

No resets or device enrollments based solely on caller ID or HR knowledge questions

Short term

Improve email security and web filtering

Reduction of volume and click-through options

Enforce DMARC, flag external senders, implement URL/attachment protection, DNS/web filtering active outside the office

Short term

Deploy proper endpoint protection

Otherwise, attachment and tool abuse won't stop at the inbox

EDR with basic controls for scripts, LNK files, HTML smuggling, and remote admin tools

Medium term

Manage app consent and cloud access

OAuth consent and token abuse bypass password-centric defenses

End users must not be allowed to grant high-risk app permissions on their own

Medium term

Restrict vendor and MSP access

Supply-chain phishing multiplies threat impact

Supplier registry, least privilege, dedicated admin accounts, log reviews

Ongoing

Reposition user awareness

Training must support technical defenses, not replace them cosmetic-only

Role-specific mini-sessions, measuring reporting rates, including QR/vishing/OAuth scenarios

Ongoing

Practice phishing incident response

Phishing is only resolved after containment and token cleanup

Drill scenarios for mailbox takeover, BEC, and OAuth consent including token-revoke actions

Timeline

Practical Checklist

Within 30 days

Inventory all active MFA methods; disable legacy auth; document who is authorized to reset accounts and MFA; activate logging for sign-ins, mailbox rules, and app consent; implement a callback procedure for bank account modifications and urgent payments.

Within 90 days

Flag external emails, improve DMARC, set up URL and attachment protection, deploy EDR on all managed endpoints, restrict user consent for cloud apps, review MSP and supplier access roles, draft a brief playbook for mailbox compromise and token revocation.

Within 180 days

Migrate sensitive roles to phishing-resistant authentication like FIDO2/passkeys where viable, run a helpdesk voice-phishing (vishing) drill, simulate a BEC scenario, test if logs are actually usable during a tabletop or practical test, and integrate lessons learned into your ISMS.