4 min read
Best Microsoft Copilot Frontier Features to Test First
The Copilot that frustrated your early testers is not the Copilot Microsoft is shipping through Frontier. Excel handles hundreds of thousands of...
3 min read
Nicole Walker
:
Updated on June 16, 2026
Token theft and phishing attacks in Microsoft 365 are increasing fast. Over half of surveyed organizations reported a breach in the past year.
Attackers are using techniques like session token harvesting to bypass multi-factor authentication (MFA) and exploit gaps in email filtering and domain authentication.
Preventing these attacks requires a layered approach that includes advanced email security, managed device policies, phishing-resistant authentication, and properly configured domain records and app permissions.
In this episode of the Demystifying Microsoft podcast, host Nathan Taylor (SVP, Global Microsoft Practice Leader at the Sourcepass MCOE) and guest Nick Ross (CEO, CloudCapsule) explore the evolving landscape of token theft and phishing in Microsoft 365, offering insights and examples to help organizations strengthen their security posture and prevent business email compromise.
Attackers are bypassing multi-factor authentication in Microsoft 365 by stealing session tokens during login flows, that look legitimate. These tokens act as digital keys. They give attackers access to accounts even after MFA is completed. Once inside, attackers can maintain access, move across accounts, and launch further attacks without triggering standard security alerts.
Tools like Evil Jinx simulate real logins and replay stolen tokens. This allows attackers to avoid detection and take advantage of gaps in account and email security.
Microsoft 365 offers several layers of defense:
Routing email through third-party MX filters like Proofpoint, Mimecast can break Microsoft’s security chain. It disrupts SPF, DKIM, and TLS validation, which reduces Microsoft’s ability to detect and block malicious emails. API-based filtering is often a better option because it keeps the full security telemetry intact.
DMARC, SPF, and DKIM records verify who is sending email from your domain. When configured correctly, they prevent spoofing and phishing. Many organizations leave DMARC set to "none", which does not block spoofed email.
Stronger settings include:
Quarantine sends suspicious messages to junk
Reject blocks spoofed messages entirely
Domain authentication issues are often not visible until something breaks or a spoofing attack occurs. Many organizations assume these records are configured correctly without ever validating them.
Run a quick scan below to check your domain's authentication setup.
If your results show gaps or weak enforcement, those misconfigurations can reduce how effectively Microsoft 365 detects and block phishing attempts.
API-based filtering is preferred to maintain Microsoft’s security telemetry. MX-based filtering can disrupt key protections and break authentication chains.
Rogue apps are unauthorized applications with mailbox access, often used for data exfiltration and launching internal phishing campaigns.
Immediately revoke compromised tokens, reset passwords, audit app registrations, and review sign-in logs. Follow Microsoft’s incident response playbook for containment and remediation.
Microsoft 365 E5 and P2 licenses offer advanced risk detection, automated attack disruption, and enhanced monitoring capabilities.
Microsoft 365 security is evolving fast, and attackers are adapting just as quickly. Layered email protection, managed device policies, advanced authentication, and domain controls are all essential for reducing risk and maintaining business continuity. Staying informed about emerging threats and acting on these steps helps organizations build a stronger security posture that protects data and operations.
For ongoing updates and insights on Microsoft 365 security, subscribe to the Demystifying Microsoft podcast.
If you have questions about how these security strategies could impact your organization or want to discuss options for deploying advanced protections, connect with a Sourcepass Center of Excellence for Microsoft expert today.
4 min read
The Copilot that frustrated your early testers is not the Copilot Microsoft is shipping through Frontier. Excel handles hundreds of thousands of...
5 min read
The most dangerous Microsoft 365 attack right now is the one that does not look like an attack.
5 min read
Attackers no longer need a password to take over a Microsoft 365 account. They just need a session token, and they are getting it after users...
1 min read
Email remains one of the most common ways attackers gain access to organizations. DNS, SPF, DKIM, and DMARC serve as identity checks that verify...
1 min read
Attackers don’t just target users anymore. They exploit the gaps in the infrastructure that moves email across the internet. Encryption in transit...
1 min read
Most IT leaders already know email is the primary attack vector. You see it every day through phishing attempts, spoofed domains, and impersonated...