The FBI recently warned that hundreds of organisations across financial services, manufacturing, healthcare and government have had their Microsoft 365 accounts compromised since April 2026, according to a public advisory. Every one of them had MFA turned on.
The attack MFA was never designed to stop
Kali365 doesn't steal passwords or intercept MFA codes. It tricks someone into completing a real Microsoft login on behalf of the attacker's device. The victim receives a phishing email impersonating a familiar cloud service, follows a link to a real Microsoft login page and enters a short code. When they complete their usual MFA challenge, Microsoft issues an access token to the attacker, not to them. The authentication worked exactly as designed, and nothing was stolen or bypassed.
After that the attacker is inside email, chat and file storage with no further authentication required.

By the time IT flags it, AP has already paid
The account compromise is how attackers get in. The payment is what they came for.
With access to a real inbox, an attacker can read months of AP correspondence, watch active vendor conversations in real time and intercept invoices before they reach the person approving payment. They can create inbox rules that redirect mail or suppress fraud alerts so the account owner sees nothing unusual. Most finance teams find out when a payment has already cleared to the wrong account.
This is harder to catch than most business email compromise (BEC) because there is no fake domain, no spoofed address and no forged sender to detect. The attacker is in the real account with the real conversation history. The email looks right because it is right. The only thing wrong is who is reading it.
The one control that sits outside email
By the time a fraudulent payment request reaches AP, the email environment has already been compromised. The question is what sits between that request and the payment going out.
Confirm every vendor bank detail change through a channel that isn't email. Make a phone call to a number already on file for that contact, before any update is processed. Do not use a reply to the existing thread, Teams, or any other channel that runs through the same compromised environment. The request may arrive inside a real conversation with a vendor your organisation has paid for years. That is exactly the scenario this attack is built for.
Ask IT to alert on new inbox rules created shortly after an authentication event. Attackers set these up to redirect mail or suppress security notifications, and they are one of the clearest indicators that an account has been taken over. For a broader look at how to respond when BEC has already occurred, the BEC incident response guide covers the immediate steps finance teams should take.
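As an added example (not code from the article or from Eftsure), the check below correlates inbox-rule changes with a preceding sign-in by the same account, the alert the paragraph above asks IT for. The records are constructed and only modelled on the shape of Microsoft 365 unified audit log entries; the field names, operation values and the simplified `Parameters` dictionary are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records, shaped loosely like unified audit log entries.
# Field names and the flat Parameters dict are assumptions for illustration.
SAMPLE_EVENTS = [
    {"CreationTime": "2026-05-04T08:02:11", "Operation": "UserLoggedIn",
     "UserId": "ap.clerk@example.com", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2026-05-04T08:14:40", "Operation": "New-InboxRule",
     "UserId": "ap.clerk@example.com", "ClientIP": "203.0.113.7",
     "Parameters": {"Name": ".", "MoveToFolder": "RSS Feeds",
                    "SubjectContainsWords": "invoice;payment;bank"}},
    {"CreationTime": "2026-05-04T09:00:00", "Operation": "UserLoggedIn",
     "UserId": "cfo@example.com", "ClientIP": "198.51.100.2"},
    {"CreationTime": "2026-05-04T15:30:00", "Operation": "Set-InboxRule",
     "UserId": "cfo@example.com", "ClientIP": "198.51.100.2",
     "Parameters": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
# Rule actions that move, hide or redirect mail away from the owner's view.
HIDING_ACTIONS = {"MoveToFolder", "DeleteMessage", "MarkAsRead",
                  "ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}


def _ts(event):
    return datetime.fromisoformat(event["CreationTime"])


def find_rules_after_signin(events, window=timedelta(minutes=30)):
    """Return inbox-rule changes made within `window` of the same user's last sign-in."""
    by_user = {}
    for ev in sorted(events, key=_ts):
        by_user.setdefault(ev["UserId"], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        last_signin = None
        for ev in evs:
            if ev["Operation"] == "UserLoggedIn":
                last_signin = ev
            elif ev["Operation"] in RULE_OPS and last_signin is not None:
                gap = _ts(ev) - _ts(last_signin)
                if gap <= window:
                    params = ev.get("Parameters", {})
                    alerts.append({
                        "user": user,
                        "operation": ev["Operation"],
                        "minutes_after_signin": round(gap.total_seconds() / 60, 1),
                        "client_ip": ev["ClientIP"],
                        "hides_mail": bool(HIDING_ACTIONS & set(params)),
                        "rule": params,
                    })
    return alerts
```

On the sample data only the rule created twelve minutes after the `ap.clerk` sign-in is flagged; the CFO's rule, edited hours after login, falls outside the window and stays quiet.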
Payment verification that happens independently of email works here precisely because it operates outside the channel the attacker controls. To see how Eftsure addresses payment risk when email can no longer be trusted, book a demo.