Phishing Campaigns Exploit MFA Workflows and Internal Email Trust, Targeting Enterprises in 2025
What Happened — In 2025 attackers shifted phishing tactics toward multi‑factor authentication (MFA) workflows, using compromised credentials to launch “cascaded” phishing attacks from trusted internal accounts. They also abused Microsoft 365 Direct Send to spoof internal devices, delivering convincing lures without ever compromising a real mailbox.
Why It Matters for TPRM —
- MFA‑centric phishing bypasses traditional password‑only defenses, raising the risk profile of any third party that relies on MFA for access.
- Spoofed internal emails erode trust in supply‑chain communications, increasing the likelihood of credential or token theft from vendors and partners.
Who Is Affected — All industries that employ MFA and Microsoft 365 for collaboration, especially SaaS providers, MSPs, and IAM vendors.
Recommended Actions —
- Verify that MFA implementations enforce phishing‑resistant methods (e.g., FIDO2, hardware tokens).
- Harden Microsoft 365 Direct Send settings and enforce strict sender authentication for internal devices.
- Conduct phishing‑simulation training that includes internal‑spoof scenarios and MFA‑token awareness.
Technical Notes — Attack vector: phishing emails (including internal Direct Send spoofing) → credential compromise → MFA token harvesting. No specific CVE cited. Data at risk includes privileged credentials, SSO tokens, and downstream service access. Source: Cisco Talos Intelligence
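As an added example that is not part of the original advisory or the Talos report, the following Python script implements the detection side of the recommended actions and the attack chain in the Technical Notes: it unfolds a message's headers, reads the Authentication-Results stamped by the receiving mail system, and flags any message whose From domain is one of the tenant's own domains but that fails DMARC. That combination (internal sender, no valid SPF/DKIM alignment) is what Direct Send spoofing from an external IP looks like at the mailbox. The INTERNAL_DOMAINS set and the three sample header blocks are constructed placeholders, not data from the page.

```python
"""Flag inbound mail that claims an internal sender but fails sender authentication.

Assumption: INTERNAL_DOMAINS lists the tenant's accepted domains; the sample
headers below are constructed for illustration and are not real messages."""
import re
from typing import Dict, List, Optional

# Constructed placeholder: domains the tenant treats as "internal".
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 folded header lines so each header is a single string."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:      # continuation of previous header
            lines[-1] += " " + line.strip()
        elif line.strip():
            lines.append(line.rstrip())
    return lines


def header(lines: List[str], name: str) -> Optional[str]:
    """Return the value of the first header called `name` (case-insensitive)."""
    prefix = name.lower() + ":"
    for line in lines:
        if line.lower().startswith(prefix):
            return line[len(prefix):].strip()
    return None


def from_domain(from_value: Optional[str]) -> Optional[str]:
    """Extract the domain part of a From: header such as 'Alice <alice@example.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_value or "")
    return m.group(1).lower() if m else None


def analyze(raw_headers: str) -> Dict[str, object]:
    """Parse one message's headers and decide whether it looks like internal spoofing."""
    lines = unfold(raw_headers)
    domain = from_domain(header(lines, "From"))
    auth = header(lines, "Authentication-Results") or ""

    # Keep the first verdict per method; the receiving system's own stamp comes first.
    results: Dict[str, str] = {}
    for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        results.setdefault(method.lower(), verdict.lower())
    spf = results.get("spf", "none")
    dkim = results.get("dkim", "none")
    dmarc = results.get("dmarc", "none")

    ip_match = re.search(r"sender IP is ([0-9A-Fa-f.:]+)", auth)
    sender_ip = ip_match.group(1) if ip_match else None

    internal = domain in INTERNAL_DOMAINS
    # A message that claims an internal sender must authenticate as that domain.
    # Legitimate Direct Send devices are in the domain's SPF record and pass DMARC.
    flagged = internal and dmarc != "pass"
    if not internal:
        reason = "external sender domain; not an internal spoof candidate"
    elif flagged:
        reason = f"claims internal domain {domain} but dmarc={dmarc} (spf={spf}, dkim={dkim})"
    else:
        reason = "internal sender authenticated"
    return {"from_domain": domain, "spf": spf, "dkim": dkim, "dmarc": dmarc,
            "sender_ip": sender_ip, "internal": internal, "flagged": flagged,
            "reason": reason}


# --- constructed sample headers (not real messages) ---------------------------
LEGIT_INTERNAL = """\
From: Alice Example <alice@example.com>
To: bob@example.com
Subject: Q3 vendor review
Authentication-Results: spf=pass (sender IP is 198.51.100.10)
 smtp.mailfrom=example.com; dkim=pass (signature was verified)
 header.d=example.com; dmarc=pass action=none header.from=example.com
"""

DIRECT_SEND_SPOOF = """\
From: "Office Scanner" <scanner@example.com>
To: bob@example.com
Subject: Scanned document
Authentication-Results: spf=fail (sender IP is 203.0.113.45)
 smtp.mailfrom=example.com; dkim=none (message not signed)
 header.d=none; dmarc=fail action=none header.from=example.com;
 compauth=fail reason=000
"""

EXTERNAL_VENDOR = """\
From: support@vendor.example
To: bob@example.com
Subject: Invoice 1042
Authentication-Results: spf=pass (sender IP is 192.0.2.7)
 smtp.mailfrom=vendor.example; dkim=pass (signature was verified)
 header.d=vendor.example; dmarc=pass action=none header.from=vendor.example
"""

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_INTERNAL), ("spoof", DIRECT_SEND_SPOOF),
                      ("vendor", EXTERNAL_VENDOR)]:
        finding = analyze(raw)
        print(f"{name:6} flagged={finding['flagged']!s:5} ip={finding['sender_ip']} {finding['reason']}")
```

The check is deliberately narrow: it only raises on mail that asserts one of the tenant's own domains, so vendor mail with its own valid DMARC is untouched, and a device that legitimately relays through Direct Send from an IP listed in the domain's SPF record still passes. Messages with no Authentication-Results header at all are treated as unauthenticated and flagged, which is the conservative choice for anything claiming to be internal.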