By deploying phishing tools that bypass passwords entirely, attackers are mechanically hijacking active session tokens to neutralize standard multi-factor authentication. This invisible access transforms trusted Microsoft environments into launchpads for business email compromise, allowing threat actors to manipulate corporate supply chains and authorize fraudulent payments from verified internal accounts. The immediate threat is no longer simple data theft, but the weaponization of established corporate trust. Here is how this exploit changes the baseline for enterprise risk and the defensive pivots required next.
The FBI has issued a public warning regarding a new phishing tool that allows cyber attackers to hijack Microsoft 365, Outlook, and Teams accounts without requiring user passwords. By capturing active session tokens, this exploit bypasses standard multi-factor authentication entirely. This development neutralizes the primary defensive layer most organizations rely on, granting attackers invisible, authenticated access to enterprise environments.
Once inside these trusted ecosystems, threat actors leverage verified internal accounts to execute business email compromise campaigns. This access allows them to manipulate corporate supply chains and authorize fraudulent payments while appearing as legitimate users. The baseline for enterprise risk has fundamentally shifted, as the weaponization of established corporate trust renders traditional password-centric security models obsolete.
The immediate concern is how quickly this token-theft capability will proliferate among cybercriminal syndicates. As attackers refine these exploits, the emerging risk hinges on whether enterprise defenders can pivot from relying on initial login friction to implementing continuous session monitoring before these tools become standard fixtures in the cyber underground.
Get the complete cross-vector breakdown, risk assessment, and actionable intelligence.
Join ESM Insight →