Threat Bulletin

Microsoft Entra ID was silently skipping Conditional Access policy evaluation for OIDC-scope sign-ins when resource exclusions were present. As of June 15, 2026, enforcement has changed. Tenants need to audit CA policies and test affected apps now.

The FBI and Microsoft are warning about Kali365 device code phishing attacks targeting Microsoft 365 tenants through OAuth token theft and Device Code Flow abuse. Learn how to reduce exposure using Conditional Access controls and authentication hardening.

Attackers abuse Microsoft 365 Direct Send to deliver spoofed internal emails without authentication, bypassing user-based protections and enabling high-confidence phishing.

ConsentFix abuses Microsoft OAuth to steal access tokens without credentials or MFA, bypassing conditional access.

APT29 (Midnight Blizzard) targeted Microsoft 365 using password spraying and OAuth app abuse, compromising senior accounts at Microsoft. Conditional Access hardening and app consent controls reduce exposure.

A Microsoft Teams vulnerability allows external tenants to deliver malware to organisations running default external access settings. Severity HIGH. Fix takes 1-2 minutes.

Attackers configure email forwarding rules in Microsoft 365 mailboxes to silently exfiltrate data after gaining initial access. A common persistence technique detected and blocked by Overe.

Storm-0558: Chinese APT actors forged Microsoft signing keys to access Microsoft 365 and Azure services, forge authentication tokens, and compromise email accounts. Affects apps using Microsoft account authentication.

APT41 targets Microsoft 365 environments with spearphishing emails using malicious file attachments, including compiled HTML (.chm) files, to compromise users and gain persistent access. Protected by Overe.

Adversaries are utilizing Microsoft Teams as a delivery channel for malware. This attack leverages deceptive Microsoft Teams chat messages sent from compromised Office 365 accounts to encourage victims to download malicious files, effectively bypassing existing security measures.