M365 Threat Landscape: Identity Attacks, AiTM, BEC, Token Theft
Understanding what you're defending against
Incident response strategy follows the threat landscape. The playbooks you build, the evidence sources you configure, the containment actions you prepare, and the detection rules you deploy all depend on knowing what attackers actually do to M365 environments. This section covers the current threat data: what the attacks are, how prevalent they are, how they chain together, and what they mean for your IR capability.
The data in this section is drawn from the Microsoft Digital Defense Report 2025, the FBI IC3 2025 Annual Report, the IBM X-Force 2025 Threat Intelligence Index, the Verizon 2025 Data Breach Investigations Report, Mandiant's M-Trends 2026 report, and Proofpoint's threat research. These sources represent the most comprehensive view of what's hitting M365 environments right now.
Identity attacks: the volume problem
Microsoft processes over 600 million identity attacks against M365 environments every day. That number surged 32% in the first half of 2025 alone. The volume is staggering, but the composition is what matters for IR planning.
Ninety-seven percent of those attacks are password-based: credential stuffing, password spraying, and brute force. Password attacks reach over 4,000 per second against Microsoft's identity infrastructure. Most fail. MFA blocks over 99% of identity-based attacks when properly configured and enforced. If your organization has phishing-resistant MFA deployed universally with no exclusions, the password-based 97% is largely handled.
The remaining 3% is where incident response begins. These are the attacks that bypass MFA, succeed against well-configured environments, and produce the compromises you'll investigate throughout this course.
AiTM phishing and token theft
AiTM (Adversary-in-the-Middle) phishing is the dominant technique for compromising M365 accounts that have MFA enabled. The attacker positions a proxy server between the user and the real Microsoft login page. The user enters their credentials on the proxy. The proxy relays them to Microsoft in real time. Microsoft prompts for MFA. The user completes MFA. The proxy captures the session token Microsoft issues after successful authentication. The user sees a generic error page. The attacker has a valid session token that bypasses all further MFA challenges.
Microsoft's 2025 Digital Defense Report attributed 80% of MFA-bypass breaches to AiTM techniques. AiTM phishing increased 146% year-over-year, with nearly 40,000 token theft incidents detected daily across Microsoft environments. Token theft overall accounted for 31% of M365 breaches in 2025, making it the primary attack vector ahead of traditional credential compromise.
The barrier to entry has collapsed. Commodified phishing-as-a-service platforms sell turnkey AiTM capability: Tycoon 2FA, Mamba 2FA, Evilginx, and Sneaky 2FA charge operators $120 to $350 per month. In April 2026, Microsoft disclosed a single AiTM campaign that targeted 35,000 users across 13,000 organizations in 26 countries during a three-day window, using fake "code of conduct" HR notifications as the lure. The campaign used Amazon SES for email delivery and Cloudflare for infrastructure, both legitimate services that complicate blocking.
For IR planning, AiTM means that MFA satisfaction in a sign-in log does not prove the sign-in was legitimate. The sign-in record for an AiTM token replay shows MFA: satisfied, Conditional Access: passed, and risk: none. The only indicators are IP address and location anomalies relative to the user's normal pattern. Module 5 teaches how to identify these replays in the sign-in logs. Module 7 provides the complete AiTM response playbook.
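The sign-in review described above, as an added example that is not part of the course: it takes a constructed sample of Entra ID sign-in records (field names and the contoso.example users are assumptions) and flags sign-ins that satisfied MFA, passed Conditional Access and carried no risk, yet came from outside the user's recent location baseline or shortly after a sign-in from another country.

```python
"""Spot candidate AiTM token replays in Entra ID sign-in records.
Added example, not course material; the records are a constructed sample
reduced to the fields the check needs (a real export carries many more)."""
from collections import defaultdict
from datetime import datetime, timedelta

def rec(user, time, ip, country, mfa="satisfied", ca="success", risk="none"):
    return {"user": user, "time": time, "ip": ip, "country": country,
            "mfa": mfa, "ca": ca, "risk": risk}

# Constructed sample: a.lee signs in from the US for nine days, then a sign-in
# from a Dutch IP appears 35 minutes after a US one and passes every control.
SIGNINS = [
    rec("a.lee@contoso.example", "2026-03-01T08:00:00Z", "203.0.113.10", "US"),
    rec("a.lee@contoso.example", "2026-03-03T08:10:00Z", "203.0.113.10", "US"),
    rec("a.lee@contoso.example", "2026-03-06T09:00:00Z", "203.0.113.12", "US"),
    rec("a.lee@contoso.example", "2026-03-10T09:05:00Z", "203.0.113.10", "US"),
    rec("a.lee@contoso.example", "2026-03-10T09:40:00Z", "198.51.100.7", "NL"),
    rec("b.kim@contoso.example", "2026-03-09T07:00:00Z", "192.0.2.5", "DE"),
    rec("b.kim@contoso.example", "2026-03-10T07:30:00Z", "192.0.2.5", "DE"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_replays(signins, baseline_days=30, window_hours=2):
    """Return (user, time, ip, reason) for sign-ins that show MFA satisfied,
    Conditional Access passed and no risk, yet come from a country outside the
    user's recent baseline or shortly after a sign-in from a different country.
    Sign-ins that already failed a control are left to Identity Protection."""
    by_user = defaultdict(list)
    for s in sorted(signins, key=lambda s: s["time"]):
        by_user[s["user"]].append(s)
    flagged = []
    for user, rows in by_user.items():
        for i, s in enumerate(rows):
            if (s["mfa"], s["ca"], s["risk"]) != ("satisfied", "success", "none"):
                continue
            t = parse(s["time"])
            prior = [r for r in rows[:i] if t - parse(r["time"]) <= timedelta(days=baseline_days)]
            known = {r["country"] for r in prior}
            reasons = []
            if known and s["country"] not in known:
                reasons.append(f"new country {s['country']}, baseline {sorted(known)}")
            if any(r["country"] != s["country"] and t - parse(r["time"]) <= timedelta(hours=window_hours)
                   for r in prior):
                reasons.append(f"different country within {window_hours}h")
            if reasons:
                flagged.append((user, s["time"], s["ip"], "; ".join(reasons)))
    return flagged
```

Only the Dutch sign-in is returned; the two DE sign-ins for b.kim stay within that user's own baseline and are not flagged.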
Business email compromise
BEC is the most financially destructive M365 incident type. The FBI's 2025 IC3 Annual Report recorded $3.04 billion in BEC losses from 24,768 complaints, making it the second-highest cybercrime category by financial loss. The average loss per incident exceeds $122,000. The Association for Financial Professionals' 2025 survey found that 63% of organizations experienced BEC in the past year. Over the past decade, cumulative BEC losses exceed $55 billion globally.
Modern BEC has evolved beyond the simple "CEO impersonation" email. The current attack chain typically begins with AiTM credential theft, proceeds through mailbox surveillance (the attacker reads email threads to understand payment patterns and vendor relationships), continues with inbox rule creation to hide replies from the targeted vendor, and culminates in a fraudulent payment redirect sent from the real mailbox, in the real email thread, with the real signature. No email filter catches it because it's a legitimate email from a legitimate sender.
Eighty-six percent of BEC funds move via wire transfer or ACH, meaning the attack lands inside real financial workflows where manual verification processes are the only defense. Phishing losses separately grew 208% year-over-year while complaint volume stayed essentially flat, indicating that individual attacks are becoming more effective rather than more numerous.
For IR planning, BEC investigations require evidence across all four domains: identity (how the account was compromised), email (what the attacker read, what rules they created, what they sent), files (what data was accessed for reconnaissance), and directory (what persistence was established). Module 5 teaches the email forensics. Module 7 provides the BEC response playbook including financial fraud tracing and evidence packaging for law enforcement.
Device code phishing
Device code phishing is the newest identity attack vector targeting M365. It abuses the OAuth 2.0 device authorization grant flow, a legitimate protocol designed for authenticating input-constrained devices like smart TVs and IoT hardware. The attacker initiates a device authorization request, receives a short-lived user code, and tricks the victim into entering that code on Microsoft's legitimate device login page. When the victim authenticates (including completing MFA), the attacker receives a valid access token. No credential-harvesting page is needed. The victim authenticates on Microsoft's real login page.
Proofpoint tracked multiple state-aligned threat actors abusing device code authorization beginning in January 2025, with Russia-aligned actor Storm-2372 among the first identified. By September 2025, Proofpoint observed widespread campaigns using QR codes, embedded buttons, and hyperlinked text to initiate the attack. Financially motivated actor TA2723 adopted the technique by October 2025. The EvilTokens phishing-as-a-service platform launched in February 2026, commoditizing the technique. Since February 2026, Huntress has tracked over 340 organizations targeted across construction, nonprofits, real estate, manufacturing, financial services, healthcare, legal, and government sectors.
Device code phishing is particularly dangerous because there is no lookalike domain, no credential-harvesting form, and no suspicious redirect. The victim interacts only with Microsoft's real authentication page. Traditional phishing defenses based on URL inspection offer no protection.
Microsoft introduced a Conditional Access policy condition specifically to block device code flow in response to this abuse pattern.
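One way to verify that the condition is actually enforced before an incident, as an added example that is not course material: the policy dicts follow the Microsoft Graph conditionalAccessPolicy shape (the authenticationFlows.transferMethods condition, assumed from the API schema), the policy name and break-glass id are placeholders, and the check reports a report-only or partially scoped policy as a gap rather than a block.

```python
"""Check an exported set of Conditional Access policies for an enforced block
on the device code flow. Added example, not course material; policy dicts follow
the Microsoft Graph conditionalAccessPolicy shape (assumed from the API schema),
and the policy name and the break-glass id are constructed placeholders."""

def blocks_device_code(p):
    """True only if the policy is enabled, scoped to all users and all cloud
    apps, targets the device code flow, and grants 'block'."""
    cond = p.get("conditions") or {}
    methods = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    grant = p.get("grantControls") or {}
    return (p.get("state") == "enabled"
            and "deviceCodeFlow" in [m.strip() for m in methods.split(",")]
            and "block" in (grant.get("builtInControls") or [])
            and (cond.get("users") or {}).get("includeUsers") == ["All"]
            and (cond.get("applications") or {}).get("includeApplications") == ["All"])

def audit_device_code(policies):
    """Return (blocked, findings). Near misses (report-only, partial scope,
    exclusions) are reported so the gap is visible before an incident."""
    blocked, findings = False, []
    for p in policies:
        flows = (p.get("conditions") or {}).get("authenticationFlows") or {}
        if "deviceCodeFlow" not in (flows.get("transferMethods") or ""):
            continue
        if blocks_device_code(p):
            blocked = True
            excluded = p["conditions"]["users"].get("excludeUsers") or []
            if excluded:
                findings.append(f"{p['displayName']}: excluded users {excluded} can still use device code flow")
        else:
            findings.append(f"{p['displayName']}: targets device code flow but is not an enforced block for all users (state={p.get('state')})")
    if not blocked:
        findings.insert(0, "no enforced policy blocks device code flow tenant-wide")
    return blocked, findings

def policy(state, exclude=()):
    # Constructed policy body; displayName and exclusions are placeholders.
    return {"displayName": "Block device code flow", "state": state,
            "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": list(exclude)},
                           "applications": {"includeApplications": ["All"]},
                           "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
            "grantControls": {"operator": "OR", "builtInControls": ["block"]}}

# Weak: the policy exists but is report-only, so device code sign-ins still succeed.
WEAK = [policy("enabledForReportingButNotEnforced")]
# Corrected: enforced, with only a break-glass account excluded (placeholder id).
FIXED = [policy("enabled", exclude=["<break-glass-account-object-id>"])]
```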
For IR planning, device code phishing produces the same end state as AiTM: the attacker holds a valid access token. The investigation and containment methodology is similar. The detection challenge is different because the initial authentication happens on Microsoft's legitimate infrastructure. Module 7 covers the device code phishing response playbook.
OAuth and application abuse
When an attacker compromises a user account, one of the first things they do is establish persistence that survives password resets. OAuth consent grants and malicious app registrations are the primary mechanism. The attacker consents to an OAuth application with permissions like Mail.Read and Files.Read.All, or creates a new app registration with a client secret and application-level API permissions. The resulting service principal authenticates without MFA, without Conditional Access evaluation, and without triggering user-focused detections.
The 2025 CoreView State of M365 Security report found that more than half of enterprises have over 250 Entra ID applications with high-risk read-write permissions, each one a service principal with permissions that may rival a Global Administrator. This pre-existing permission sprawl means the attacker's malicious app hides among hundreds of legitimate integrations.
In June 2025, a flaw in Entra ID's identity assertion logic (dubbed nOAuth) was found that allowed attackers to pivot from compromised SaaS applications into core M365 resources by manipulating a single mail attribute. The flaw, originally identified in 2023, was believed to still impact tens of thousands of SaaS applications as of 2025 because it requires tenant-side remediation that Microsoft cannot push centrally.
For IR planning, OAuth abuse is the persistence mechanism that incomplete investigations miss. An IR team that resets the password, revokes sessions, and removes inbox rules but doesn't audit OAuth consents and service principal credentials leaves the attacker with access. Module 5 teaches service principal sign-in log analysis. Module 6 teaches OAuth remediation. Module 7 covers the complete response playbook.
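The consent and service principal audit that the paragraph above calls for, as an added example that is not course material: it runs over a constructed, simplified rendering of unified audit log entries (the real "Consent to application." record packs permissions into ModifiedProperties; the flat Permissions and CredentialType fields, the app ids and the users are assumptions) and groups risky consents and newly added credentials by application so a consent followed by a client secret on the same app is reported together.

```python
"""Hunt OAuth persistence after an account compromise: risky consent grants and
new service principal credentials. Added example, not course material. Records
are a constructed, simplified rendering of unified audit log entries (the real
'Consent to application.' record packs permissions into ModifiedProperties)."""
from datetime import datetime

# Scopes that let an app read or move mail and files without the user present.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                "Files.Read.All", "Files.ReadWrite.All", "Directory.ReadWrite.All"}

def audit_oauth(records, compromised_user, since):
    """Return findings for the compromised user's consents with risky scopes and
    any credential added to a service principal after `since`, keyed by app id so
    a consent and a later secret on the same app are reported together."""
    start = datetime.fromisoformat(since)
    findings = {}
    for r in records:
        if datetime.fromisoformat(r["CreationTime"]) < start:
            continue
        app = r["ObjectId"]
        if r["Operation"] == "Consent to application." and r["UserId"] == compromised_user:
            bad = sorted(set(r["Permissions"]) & RISKY_SCOPES)
            if bad:
                findings.setdefault(app, []).append(f"consent with {bad} (admin={r['IsAdminConsent']})")
        elif r["Operation"] == "Add service principal credentials.":
            findings.setdefault(app, []).append(f"credential added by {r['UserId']} ({r['CredentialType']})")
    return findings

def rec(time, op, user, app, perms=(), admin=False, cred=None):
    return {"CreationTime": time, "Operation": op, "UserId": user, "ObjectId": app,
            "Permissions": list(perms), "IsAdminConsent": admin, "CredentialType": cred}

# Constructed sample: a benign consent before the compromise, then a risky consent
# and a new client secret on the same app while the attacker held the session.
RECORDS = [
    rec("2026-03-01T10:00:00", "Consent to application.", "a.lee@contoso.example", "app-viewer", ["User.Read"]),
    rec("2026-03-10T10:02:00", "Consent to application.", "a.lee@contoso.example", "app-sync",
        ["Mail.Read", "Files.Read.All", "offline_access"]),
    rec("2026-03-10T10:15:00", "Add service principal credentials.", "a.lee@contoso.example", "app-sync",
        cred="Password"),
    rec("2026-03-10T11:00:00", "Consent to application.", "b.kim@contoso.example", "app-cal", ["Calendars.Read"]),
]
```

Pass the time of the first anomalous sign-in as `since`; only app-sync is returned, with both the consent and the added secret listed under it.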
Ransomware in hybrid and cloud environments
Ransomware has moved into the cloud. Microsoft's 2025 Digital Defense Report found that 40% of ransomware attacks now target hybrid components, up from less than 5% in 2023. The same report recorded an 87% increase in attacks intended to disrupt or destroy data in Azure customer tenants. Microsoft SharePoint was among the most frequently exploited platforms in 2025, with Storm-2603 linked to exploitation of on-premises SharePoint vulnerabilities followed by ransomware deployment.
The M365-specific ransomware patterns include encryption via OneDrive sync client (the attacker encrypts files locally and the sync client propagates the encryption to cloud storage), Teams-based payload delivery (malicious files shared via Teams messages from compromised internal accounts), and cloud-native data destruction (bulk deletion of SharePoint libraries and OneDrive content). IBM X-Force observed that attackers increasingly pivot from M365 identity compromise into Azure infrastructure by exploiting hybrid-identity components like AD Connect, enabling privilege escalation within Entra ID and expanded access to cloud resources.
Globally, claimed ransomware victims increased 58% year-over-year in 2025, with over 7,500 unique organizations listed on public leak sites. The average total cost of a ransomware incident ranges from $1.8 million to $5 million including downtime, recovery, and reputational damage.
For IR planning, ransomware in M365 means the investigation must scope both cloud and endpoint evidence simultaneously. Module 6 covers hybrid containment. Module 7 provides the ransomware response playbook. Module 12 covers advanced hybrid scenarios.
The infostealer economy
The threat categories above don't operate in isolation. They are connected by a supply chain: the infostealer economy. Lumma Stealer was the most prevalent infostealer between October 2024 and October 2025, operating as a malware-as-a-service platform that harvests browser session tokens, stored credentials, and cryptocurrency wallet data from compromised endpoints. This data is sold through dark web forums and Telegram channels to access brokers, who package it and sell to BEC operators and ransomware affiliates.
The FBI's 2025 IC3 report included AI-enabled cybercrime as a category for the first time: 22,364 complaints with $893 million in losses. AI-driven phishing is now three times more effective than traditional campaigns according to Microsoft, producing higher-quality lures at greater scale with less human effort.
The practical implication: the attacker who compromises your M365 tenant may not be the same actor who stole the credential. The infostealer harvested the session token from an employee's compromised personal device. An access broker purchased it. A BEC operator bought access to the mailbox. The attack chain spans multiple actors, and the evidence of the initial credential theft may exist only on the endpoint (which is a FOR501/WF investigation), not in the M365 audit logs. The M365 investigation picks up the trail from the first anomalous sign-in forward.
What this means for your IR capability
The threat landscape shapes the IR capability you need. AiTM and token theft mean your detection must look beyond MFA status in sign-in logs. BEC means your evidence collection must cover email forensics including MailItemsAccessed, inbox rules, and message trace. Device code phishing means your Conditional Access policies need the device code flow block configured before the attack. OAuth abuse means your containment procedures must include app consent and service principal audit. Ransomware in hybrid environments means your IR plan must span cloud and on-premises simultaneously. The infostealer economy means your investigation may start from a credential that was stolen outside M365 entirely.
Each of these threat categories maps to specific modules in this course. The next section, 1.3, covers how IR frameworks (NIST SP 800-61 Rev 3 and SANS) apply to these M365-specific threats.