Why are compromised Microsoft 365 accounts causing a surge in phishing emails?
Analyzing the March 2026 Phishing Surge
Recent reports indicate a significant rise in phishing activity originating from compromised Microsoft 365 and Entra ID accounts in March 2026. IT administrators are observing patterns reminiscent of cyberattacks from several years ago. Cybercriminals are hijacking legitimate accounts across various sectors, including healthcare facilities and international supply chains. These attacks exploit existing business relationships to bypass initial skepticism.
The attackers utilize a consistent structure to deceive recipients. The malicious emails typically feature a prominent box claiming that new documents are available for viewing or downloading. Alternatively, the attackers embed the malicious link within an attached file to evade basic email security filters. Both methods rely on the recipient trusting the sender’s established email address.
Clicking the link directs the user to a fraudulent login page. This page prompts the victim to enter their Microsoft 365 or Entra ID credentials. Once the user submits this information, the attackers capture the credentials and use them to take over the victim's account, which then sends the next round of malicious emails and perpetuates the cycle.
Investigations into these incidents highlight a critical security lapse. The compromised accounts frequently lack Multi-Factor Authentication (MFA). Many organizations incorrectly assume that Microsoft enforces MFA by default across all legacy or service accounts. Administrators must actively verify that MFA is enabled and properly configured for every user to prevent unauthorized access. Securing Entra ID identities remains the most effective defense against this escalating threat.
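One way to carry out the verification described above, as an added example that is not part of the original report: a Python script that audits records shaped like Microsoft Graph's userRegistrationDetails report and lists accounts with no MFA method registered, or with a registered method that policy does not allow. The sample records, account names and function names are constructed, and the report reflects registration state only, not whether sign-in policy enforces MFA.

```python
import json

# Constructed sample, shaped like Microsoft Graph userRegistrationDetails records
# (reports/authenticationMethods/userRegistrationDetails). All names are made up.
SAMPLE_EXPORT = """
{"value": [
 {"userPrincipalName": "alice@contoso.example", "userType": "member", "isAdmin": true,
  "isMfaRegistered": true, "isMfaCapable": true, "methodsRegistered": ["microsoftAuthenticatorPush"]},
 {"userPrincipalName": "bob@contoso.example", "userType": "member", "isAdmin": true,
  "isMfaRegistered": false, "isMfaCapable": false, "methodsRegistered": []},
 {"userPrincipalName": "svc-scanner@contoso.example", "userType": "member", "isAdmin": false,
  "isMfaRegistered": false, "isMfaCapable": false, "methodsRegistered": []},
 {"userPrincipalName": "carol@contoso.example", "userType": "member", "isAdmin": false,
  "isMfaRegistered": true, "isMfaCapable": false, "methodsRegistered": ["mobilePhone"]},
 {"userPrincipalName": "partner@fabrikam.example", "userType": "guest", "isAdmin": false}
]}
"""

def classify(record):
    """Return 'no_mfa', 'registered_not_capable' or 'ok' for one record."""
    # Missing or null fields count as a gap: fail closed rather than assume MFA.
    if record.get("isMfaRegistered") is not True:
        return "no_mfa"
    if record.get("isMfaCapable") is not True:
        return "registered_not_capable"  # method registered, but not allowed by policy
    return "ok"

def audit(export_json):
    """Return findings, admins first, then accounts with no MFA at all."""
    findings = []
    for rec in json.loads(export_json).get("value", []):
        status = classify(rec)
        if status != "ok":
            findings.append({
                "upn": rec.get("userPrincipalName", "<unknown>"),
                "user_type": rec.get("userType", "<unknown>"),
                "is_admin": rec.get("isAdmin") is True,
                "status": status,
            })
    findings.sort(key=lambda f: (not f["is_admin"], f["status"] != "no_mfa", f["upn"]))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        role = "ADMIN" if f["is_admin"] else f["user_type"]
        print(f'{f["status"]:<24}{role:<8}{f["upn"]}')
```

Service accounts and guests appear in the findings alongside regular users, which is where the assumption that MFA is on by default tends to go unchecked.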