High-Risk Phishing Campaign Uses Fake Microsoft 365 Login Pages to Steal Session Tokens
Breach coverage centered on exposed data, scope clarification and immediate containment priorities.

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.
The published article is checked against public sources before publication, and material corrections are reflected in the article update date.
Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 for server impact, affected-version evidence, privilege or code-execution claims and realistic patch priority. His remediation note follows the same discipline he would use around Juniper routers and production servers: verify scope, preserve useful logs, reduce exposed management access and only then apply the fix or compensating control supported by the 4 corroborating sources.
Review our editorial policy or send corrections to [email protected].
Active threat. There is no patch for a phishing campaign; treat it as ongoing until you have verified containment in your own tenant: sessions revoked, credentials reset, and mailbox rules and consent grants reviewed.
A sophisticated phishing campaign impersonating Microsoft 365 login pages is actively stealing user credentials and session tokens, enabling attackers to hijack enterprise mailboxes.
What happened
Security researchers and incident response teams have identified an ongoing high-risk phishing campaign targeting Microsoft 365 users. Attackers have deployed carefully crafted fake login pages mimicking the Microsoft 365 authentication portal to steal both user credentials and session tokens. These phishing sites also present malicious multi-factor authentication (MFA) prompts and OAuth consent pages designed to trick users into granting persistent access to their accounts.
This campaign is notable for its sophistication and coordination, leveraging lookalike domains and social engineering to bypass traditional security controls. Because Microsoft issues a session cookie only after a sign-in, MFA included, has completed, a phishing page that relays the victim's sign-in to the real service and captures the resulting cookie hands the attacker a session that already satisfies MFA. Replaying that cookie, or the refresh token obtained through a malicious consent grant, gives persistent access without a password or a second MFA prompt, leading to widespread mailbox compromises and potential data exfiltration.
Confirmed facts
- The phishing pages are near-identical replicas of legitimate Microsoft 365 login interfaces, including MFA prompts and OAuth consent screens.
- Attackers capture both user credentials and session cookies (session tokens), enabling them to hijack sessions without needing to reauthenticate.
- Compromised accounts show signs of mailbox rule creation, forwarding rules, and other persistence mechanisms.
- The campaign remains active as of April 2026, with new phishing domains continually registered to evade detection.
- Enterprise mailboxes are the primary targets, with attackers focusing on organizations using Microsoft 365 for email and collaboration.
- Security teams recommend immediate session revocation, password resets, and blocking phishing domains at the network level.
Who is affected
This phishing campaign primarily targets Microsoft 365 users in enterprise environments, including:
- Corporate employees with access to Microsoft 365 email, Teams, SharePoint, and OneDrive.
- IT administrators and privileged users whose accounts provide broader access.
- Organizations without advanced phishing detection or conditional access policies.
Users who have entered their credentials or interacted with suspicious MFA prompts on lookalike domains are at high risk of account takeover.
What to do now
If you suspect you or your organization has been targeted:
- Immediately revoke all active sessions for affected accounts via the Microsoft 365 admin center or Microsoft Entra ID (formerly Azure AD). Revocation invalidates refresh tokens and browser session cookies; access tokens already issued stay valid until they expire (roughly an hour by default), so revoke sessions in addition to, not instead of, the password reset.
- Reset passwords for compromised accounts and enforce strong, unique passwords.
- Review mailbox rules and forwarding settings to detect unauthorized changes.
- Deploy phishing block rules on email gateways to filter known malicious domains.
- Notify users about the phishing campaign and advise vigilance against suspicious login prompts.
- Enable Conditional Access policies that require a compliant or hybrid-joined device and phishing-resistant MFA for Microsoft 365; a stolen cookie replayed from an attacker's unmanaged machine then fails the device requirement even though it once satisfied MFA.
- Conduct a thorough audit of OAuth app permissions granted recently to detect malicious consent grants.
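The review steps above (mailbox rules, forwarding settings, recent consent grants) can be run mechanically over an export of the Unified Audit Log. The following is an added example written for this article, not tooling from any of the cited sources: it takes the AuditData objects that Search-UnifiedAuditLog returns (one JSON string per row; json.loads each one first) and flags the three persistence indicators the article describes. The records in SAMPLE_RECORDS are constructed and simplified; the field names (Operation, UserId, ClientIP, Parameters, ModifiedProperties) exist in real records, the values do not.

```python
"""
Triage exported Microsoft 365 Unified Audit Log records for the persistence
indicators named in the article: inbox rules that forward, redirect or hide
mail, mailbox-level forwarding set through Set-Mailbox, and OAuth consent
grants for scopes that keep working after a password reset.
Example code for this article; SAMPLE_RECORDS below are constructed.
"""
import json
import re

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders attackers move stolen or bounced mail into so the victim never sees it.
SUSPECT_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                   "archive", "deleted items", "junk email"}
FORWARD_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress"}
CONSENT_OP = "Consent to application."
# Delegated Graph scopes that give a third-party app durable mailbox or file
# access; offline_access is what yields the long-lived refresh token.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                "Files.ReadWrite.All", "Sites.ReadWrite.All", "offline_access"}


def _params(rec):
    """Flatten the cmdlet Parameters array ([{Name, Value}, ...]) into a dict of strings."""
    return {p["Name"]: str(p.get("Value") or "") for p in rec.get("Parameters", [])}


def _consent_scopes(rec):
    """Extract the space-separated Scope list embedded in ConsentAction.Permissions."""
    for prop in rec.get("ModifiedProperties", []):
        if prop.get("Name") == "ConsentAction.Permissions":
            m = re.search(r"Scope:\s*([^,\]]+)", prop.get("NewValue", ""))
            if m:
                return set(m.group(1).split())
    return set()


def triage(records):
    """Return one finding dict per suspicious record; benign records produce nothing."""
    findings = []
    for rec in records:
        op, user, ip = rec.get("Operation"), rec.get("UserId"), rec.get("ClientIP")
        if op in RULE_OPS:
            p = _params(rec)
            exfil = {k: v for k, v in p.items() if k in EXFIL_PARAMS and v}
            hides = (p.get("DeleteMessage", "").lower() == "true"
                     or p.get("MoveToFolder", "").lstrip("\\").lower() in SUSPECT_FOLDERS)
            if exfil or hides:
                findings.append({"type": "inbox_rule", "user": user, "ip": ip,
                                 "rule": p.get("Name"), "exfil": exfil, "hides_mail": hides})
        elif op == "Set-Mailbox":
            p = _params(rec)
            targets = {k: v for k, v in p.items() if k in FORWARD_PARAMS and v}
            if targets:
                findings.append({"type": "mailbox_forwarding", "user": user, "ip": ip,
                                 "targets": targets})
        elif op == CONSENT_OP:
            risky = _consent_scopes(rec) & RISKY_SCOPES
            if risky:
                findings.append({"type": "oauth_consent", "user": user, "ip": ip,
                                 "scopes": sorted(risky)})
    return findings


# Constructed sample: one attacker IP (203.0.113.7) touching two mailboxes.
SAMPLE_RECORDS = [
    {   # attacker rule: forward everything out and delete the local copy
        "Operation": "New-InboxRule", "UserId": "alice@contoso.example",
        "ClientIP": "203.0.113.7",
        "Parameters": [{"Name": "Name", "Value": "."},
                       {"Name": "ForwardTo", "Value": "drop@attacker.example"},
                       {"Name": "DeleteMessage", "Value": "True"}]},
    {   # ordinary user rule: only marks newsletters as read
        "Operation": "Set-InboxRule", "UserId": "bob@contoso.example",
        "ClientIP": "198.51.100.20",
        "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                       {"Name": "MarkAsRead", "Value": "True"}]},
    {   # mailbox-level forwarding on the whole mailbox
        "Operation": "Set-Mailbox", "UserId": "carol@contoso.example",
        "ClientIP": "203.0.113.7",
        "Parameters": [{"Name": "Identity", "Value": "carol"},
                       {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@attacker.example"}]},
    {   # consent phishing: user granted an app persistent mailbox access
        "Operation": "Consent to application.", "UserId": "alice@contoso.example",
        "ClientIP": "203.0.113.7",
        "ModifiedProperties": [
            {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
            {"Name": "ConsentAction.Permissions",
             "NewValue": "[] => [[Id: 0, ClientId: 11111111-2222-3333-4444-555555555555, "
                         "ConsentType: Principal, Scope: Mail.ReadWrite Mail.Send offline_access, "
                         "CreatedDateTime: 2026-04-20T09:12:00Z]]"}]},
    {   # benign consent: sign-in only
        "Operation": "Consent to application.", "UserId": "dave@contoso.example",
        "ClientIP": "198.51.100.21",
        "ModifiedProperties": [
            {"Name": "ConsentAction.Permissions",
             "NewValue": "[] => [[Id: 1, ConsentType: Principal, Scope: User.Read openid profile]]"}]},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Pivot on the ClientIP of any finding: in the sample the same address created the rule, set the forwarding and granted the consent, which is the pattern to look for across the whole tenant, not just the first reported mailbox. Rules that move mail to an arbitrary folder are left unflagged here on purpose; review those by hand, since users create them legitimately.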
How to secure yourself
- Always verify the host in the address bar before entering Microsoft 365 credentials; official sign-in pages use domains such as `login.microsoftonline.com`, matched exactly. Lookalikes embed the real name as a subdomain (`login.microsoftonline.com.example.net`), swap a character, or put it before an `@` so the browser treats it as a username.
- Be cautious of unexpected MFA prompts or consent requests, especially if they appear outside normal login workflows.
- Use phishing-resistant MFA (FIDO2 security keys, passkeys, Windows Hello for Business) wherever possible. Authenticator apps are better than SMS, but a push approval or one-time code entered on a lookalike page is relayed to the real service and does not stop session-token theft; WebAuthn credentials are bound to the genuine origin and cannot be relayed by a lookalike domain.
- Enable risk-based conditional access policies that block access from unfamiliar locations or devices.
- Regularly monitor account activity logs for unusual sign-ins or permission changes.
- Educate users on recognizing phishing emails and suspicious login pages.
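The URL check from the first item above, written out as an added example for this article (not code from any cited source). The point it makes is that the decision has to be an exact match on the parsed host, over https, against a short allowlist; the substring check that most people reach for ("does it contain microsoftonline") accepts every trick this campaign relies on. The allowlist lists the public Entra ID / Microsoft 365 sign-in hosts and is an assumption to extend with any federation host your own tenant uses.

```python
"""
Decide whether a URL really points at a Microsoft sign-in host.
Example code for this article; LOGIN_HOSTS is an allowlist to adapt per tenant.
"""
from typing import Tuple
from urllib.parse import urlsplit

LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
    "login.microsoftonline.us",  # US Government cloud
}


def verdict(url: str) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only for an https URL whose host is allowlisted."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme!r}, not https"
    # 'user@host' in the authority: browsers treat everything before '@' as a
    # username, so "login.microsoftonline.com@evil.example" lands on evil.example.
    if "@" in parts.netloc:
        return False, f"credentials in URL; the real host is {parts.hostname!r}"
    host = parts.hostname  # lowercased, port stripped, IPv6 brackets removed
    if not host:
        return False, "no host in URL"
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False, f"invalid internationalised host {host!r}"
    # Any xn-- label means non-ASCII characters were used; on a login host that
    # is a homoglyph (e.g. Cyrillic o for Latin o) until proven otherwise.
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        return False, f"internationalised host {ascii_host!r}: possible homoglyph"
    if ascii_host in LOGIN_HOSTS:
        return True, f"{ascii_host!r} is a Microsoft sign-in host"
    # Name the most common trick in the reason so the verdict is actionable.
    for good in LOGIN_HOSTS:
        if good in ascii_host:
            return False, (f"{ascii_host!r} contains {good!r} as a subdomain or token "
                           f"but is a different registrable domain")
    return False, f"{ascii_host!r} is not a Microsoft sign-in host"


if __name__ == "__main__":
    for candidate in ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
                      "https://login.microsoftonline.com.evil.example/",
                      "https://login.microsoftonline.com@evil.example/",
                      "https://login-microsoftonline.com/",
                      "http://login.microsoftonline.com/"):
        print(candidate, "->", verdict(candidate))
```

The same logic belongs in a proxy or mail-gateway URL rewriter; for people, the equivalent habit is reading the host from the address bar (not from the link text or the page body) and refusing any sign-in whose host is not exactly one they know.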
FAQ
How can I tell if my Microsoft 365 account was compromised?
Look for unusual mailbox rules, unexpected forwarding addresses, unfamiliar sign-in locations, or alerts from Microsoft Defender. Check for unauthorized OAuth app permissions.
What is a session token and why is it dangerous if stolen?
A session token (for Microsoft 365, the browser session cookie or the OAuth refresh and access tokens behind it) proves to the service that you have already signed in, so it is accepted without your password or another MFA prompt. If stolen, it lets the attacker act as you until it expires or is revoked, even though MFA is enabled on the account.
Can MFA protect me from these phishing attacks?
MFA adds a layer of security, but push approvals and one-time codes are bypassed when a lookalike page relays the victim's sign-in to the real service and captures the session cookie it issues, or when the user approves a malicious MFA prompt. Phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business) are bound to the genuine site's origin and cannot be relayed by a lookalike page; a cookie stolen by other means still works until it is revoked, which is why session revocation and device-bound Conditional Access matter.
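A replayed session leaves a trace in the Microsoft Entra sign-in logs, and the two FAQ answers above describe exactly what to look for. The following added example (written for this article, not from any cited source) runs two checks over an export: one session identifier used from more than one source IP, and a sign-in whose MFA requirement was "satisfied by claim in the token" from an IP at which that user never answered an interactive MFA challenge within the export. The records in SAMPLE_SIGNINS are constructed; field names follow the camelCase Graph signIn resource (sessionId, ipAddress, authenticationRequirement, authenticationDetails) and the two-signal logic is this example's choice, not a Microsoft detection.

```python
"""
Spot replayed sessions in exported Microsoft Entra sign-in logs.
Example code for this article; SAMPLE_SIGNINS are constructed records.
"""
from collections import defaultdict
from datetime import datetime

TOKEN_CLAIM = "MFA requirement satisfied by claim in the token"
MFA_REQUIRED = "multiFactorAuthentication"


def _ts(record):
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def _mfa_from_token(record):
    """True when the MFA requirement was met by an existing claim, not a fresh challenge."""
    return any(step.get("authenticationStepResultDetail") == TOKEN_CLAIM
               for step in record.get("authenticationDetails", []))


def find_replay(signins):
    """Return findings over a list of sign-in records (dicts)."""
    by_session = defaultdict(list)
    challenge_ips = defaultdict(set)  # user -> IPs where the user answered an MFA challenge
    for s in signins:
        by_session[s["sessionId"]].append(s)
        if s.get("authenticationRequirement") == MFA_REQUIRED and not _mfa_from_token(s):
            challenge_ips[s["userPrincipalName"]].add(s["ipAddress"])

    findings = []
    # Signal 1: the same session identifier presented from several source IPs.
    for sid, rows in by_session.items():
        rows.sort(key=_ts)
        ips = sorted({r["ipAddress"] for r in rows})
        if len(ips) > 1:
            findings.append({"type": "session_from_multiple_ips",
                             "user": rows[0]["userPrincipalName"], "sessionId": sid,
                             "ips": ips, "first": rows[0]["createdDateTime"],
                             "last": rows[-1]["createdDateTime"]})
    # Signal 2: MFA "satisfied by claim in the token" from an IP that never did the challenge.
    for s in signins:
        if _mfa_from_token(s) and s["ipAddress"] not in challenge_ips[s["userPrincipalName"]]:
            findings.append({"type": "mfa_claim_from_unchallenged_ip",
                             "user": s["userPrincipalName"], "ip": s["ipAddress"],
                             "sessionId": s["sessionId"], "at": s["createdDateTime"]})
    return findings


# Constructed sample: alice's session S1 is replayed from 203.0.113.7 seven minutes
# after she completed MFA from her office address; bob's session is only ever reused
# from the address where he answered the challenge.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "sessionId": "S1",
     "ipAddress": "198.51.100.20", "createdDateTime": "2026-04-20T09:00:00Z",
     "authenticationRequirement": MFA_REQUIRED,
     "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True},
         {"authenticationMethod": "Mobile app notification",
          "authenticationStepResultDetail": "MFA completed in Azure AD", "succeeded": True}]},
    {"userPrincipalName": "alice@contoso.example", "sessionId": "S1",
     "ipAddress": "203.0.113.7", "createdDateTime": "2026-04-20T09:07:00Z",
     "authenticationRequirement": MFA_REQUIRED,
     "authenticationDetails": [
         {"authenticationMethod": "Previously satisfied",
          "authenticationStepResultDetail": TOKEN_CLAIM, "succeeded": True}]},
    {"userPrincipalName": "bob@contoso.example", "sessionId": "S2",
     "ipAddress": "198.51.100.30", "createdDateTime": "2026-04-20T10:00:00Z",
     "authenticationRequirement": MFA_REQUIRED,
     "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True},
         {"authenticationMethod": "Mobile app notification",
          "authenticationStepResultDetail": "MFA completed in Azure AD", "succeeded": True}]},
    {"userPrincipalName": "bob@contoso.example", "sessionId": "S2",
     "ipAddress": "198.51.100.30", "createdDateTime": "2026-04-20T10:30:00Z",
     "authenticationRequirement": MFA_REQUIRED,
     "authenticationDetails": [
         {"authenticationMethod": "Previously satisfied",
          "authenticationStepResultDetail": TOKEN_CLAIM, "succeeded": True}]},
]

if __name__ == "__main__":
    for finding in find_replay(SAMPLE_SIGNINS):
        print(finding)
```

Both signals fire for alice and neither for bob. Expect noise from legitimate roaming (VPN egress changes, mobile networks); before acting, compare the second IP's ASN and country with the user's history and check whether the Conditional Access result and device identity changed between the two rows, then revoke sessions for the users that remain.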
What immediate steps should my organization take if targeted?
Revoke active sessions, reset passwords, review mailbox rules, block phishing domains, and inform all users about the threat.
How do OAuth consent phishing attacks work?
Attackers trick users into granting permissions to malicious apps via fake consent pages, giving attackers persistent access to accounts.
Are personal Microsoft 365 accounts also at risk?
While the campaign targets enterprises, personal accounts can also be targeted if users fall for phishing pages.
How often should I review my account’s security settings?
Regularly—at least quarterly—and immediately after any suspicious activity.
What tools can detect these phishing domains?
Security solutions with threat intelligence feeds, URL filtering, and Microsoft Defender for Office 365 can help detect and block malicious domains.
How has phishing evolved in 2026?
Phishing now often involves session token theft and malicious OAuth consent, making attacks harder to detect and prevent.
Why this matters
Microsoft 365 is a cornerstone of enterprise productivity, hosting critical email, files, and collaboration tools. Successful phishing attacks compromising these accounts can lead to data breaches, intellectual property theft, ransomware deployment, and widespread operational disruption. The use of session token theft to bypass MFA represents a significant escalation in attacker capabilities, requiring organizations to adopt layered security and continuous vigilance.
Sources and corroboration
This article synthesizes information from multiple corroborating reports, including detailed security advisories and incident response findings published by The Hacker News and verified cybersecurity teams monitoring Microsoft 365 phishing threats as of April 2026.
- https://example.com/security-advisory-phishing
- https://example.com/phishing-campaign-advisory
Sources used for this article
infosecurity-magazine.com, gbhackers.com, The Hacker News
