Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com

Daily SMB Cyber Intelligence Brief

Today’s SME cyber lookout: vishing-led cloud account takeovers and software supply-chain risks

What small and medium-sized businesses should look out for today.

High
Friday 15 May 2026, 21:39 UK time
Today’s look-out: Vishing extortion, session-token theft, and supplier/software supply-chain risk

What to look out for today

Three themes SMEs should actively watch today:

  • “Helpdesk” voice calls (vishing) leading to cloud account takeover — attackers are using convincing phone calls to push staff into approving sign-ins or handing over login steps, then moving into Microsoft 365/Okta and stealing data for extortion.
  • Session theft (stolen browser tokens) rather than passwords — malware can steal logged-in sessions, letting criminals access email and SaaS even when MFA is enabled.
  • Software supply-chain risk — a widely used npm package has been reported compromised to steal credentials, which matters if you build software, use web agencies, or have apps maintained by third parties.

Why this matters to smaller businesses

  • M365 and SaaS are your business: email, files, finance workflows and client data live in the cloud. A single stolen session can mean immediate access without “breaking in”.
  • Phones are trusted: staff often treat a confident caller as “internal IT” or “Microsoft support”, especially when busy.
  • Suppliers write your code and run your sites: even if you don’t develop in-house, your website/CRM integrations and internal tools may depend on third-party components.

Warning signs

  • Unexpected calls claiming to be IT/helpdesk, your MSP, Microsoft, or your identity provider, urging urgent action “to stop an attack”.
  • Pressure to read out codes, approve MFA prompts, or visit a link while on the phone.
  • Staff report being asked to install “remote support”, “security tools”, or to sign in to a page the caller provides.
  • Sudden account lockouts, new sign-in notifications, new MFA prompts, or users being asked to re-authenticate repeatedly.
  • Unexplained new inbox rules, forwarding set up, or shared mailbox changes.

How attackers may exploit the situation

  • Vishing + SSO compromise: the caller guides a user through a login flow designed to capture access and then pivots into Microsoft 365/Okta environments.
  • Adversary-in-the-middle style sign-in capture: instead of “cracking” passwords, criminals trick users into signing in in a way that hands over access.
  • Session/token theft: infostealer malware can grab browser sessions so criminals inherit access to email, files, and SaaS without needing the password again.
  • Compromised software components: malicious updates to common development packages can introduce credential theft into internal apps or build pipelines at suppliers.

What to do today

  • Run a 10-minute staff message: “No IT/support will ever ask you to read out codes, approve an unexpected MFA prompt, or click a link while you’re on the phone. Hang up and call back via a known number.”
  • Set a clear callback rule for finance/admin and customer-facing teams (reception, office managers) who are most likely to get these calls.
  • Check your cloud login alerts: ensure sign-in notifications are enabled and being monitored (especially for admin accounts).
  • Confirm your MSP/helpdesk process: how they verify identity over the phone, and how they would handle a suspected account takeover.
  • If you use developers/agencies: ask them whether they are checking for compromised dependencies and how quickly they can respond to supply-chain alerts.

Ask your IT provider

  • What is our procedure for suspected vishing (hang up, verify, isolate, reset sessions/tokens)? Who do staff contact?
  • Do we have conditional access / sign-in risk controls for Microsoft 365/Okta users, especially admins?
  • Can you force sign-out / revoke sessions quickly if a browser session is stolen?
  • How are we monitoring for new inbox forwarding rules and suspicious mailbox access?
  • For any in-house or supplier-built apps: how do you manage third-party dependency risk (e.g., npm packages) and detect malicious updates?
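One way to answer the inbox-rule question yourself, or to hand to your provider as a starting point: the following Exchange Online PowerShell audit is an added example, not an Actions On Cyber or Microsoft script. It assumes the ExchangeOnlineManagement module, an admin already connected with Connect-ExchangeOnline, and that "example.com" stands in for your own mail domain.

```powershell
# Added example: list inbox rules that forward or redirect mail outside the organisation,
# delete messages, or tuck them into rarely-read folders (common signs of a mailbox takeover).
# Prerequisites: Install-Module ExchangeOnlineManagement; Connect-ExchangeOnline
function Get-SuspiciousInboxRule {
    param(
        # Domains treated as internal; any other forwarding target is flagged as external.
        [Parameter(Mandatory)] [string[]] $InternalDomains
    )
    $findings = @()
    $mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
    foreach ($mbx in $mailboxes) {
        # -IncludeHidden also returns rules created via Outlook/Graph that the UI does not show.
        $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden -ErrorAction SilentlyContinue
        foreach ($rule in $rules) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                Where-Object { $_ }
            # Recipients render as "Display Name [SMTP:user@domain]"; extract the domain.
            $external = $targets | Where-Object {
                ($_ -match 'SMTP:([^\]]+)') -and ($Matches[1].Split('@')[-1] -notin $InternalDomains)
            }
            $reasons = @()
            if ($external)            { $reasons += "forwards externally to $($external -join ', ')" }
            if ($rule.DeleteMessage)  { $reasons += 'deletes messages' }
            # Heuristic (assumption): folders users rarely open are a common hiding place.
            if ($rule.MoveToFolder -match 'RSS|Archive|Conversation History') {
                $reasons += "moves mail to $($rule.MoveToFolder)"
            }
            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName
                    Rule    = $rule.Name
                    Enabled = $rule.Enabled
                    Reason  = ($reasons -join '; ')
                }
            }
        }
    }
    return $findings
}

# Review the report with the affected users before removing anything.
$results = Get-SuspiciousInboxRule -InternalDomains @('example.com')   # example.com: placeholder domain
$results | Sort-Object Mailbox | Format-Table -AutoSize
```

Run it on a schedule and compare against the previous report so a newly created forwarding rule stands out; a confirmed-malicious rule should be removed (Remove-InboxRule) and that user's sessions revoked, as discussed above.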

Patch watch

CISA has flagged an exploited Microsoft Exchange Server cross-site scripting issue in its known-exploited list. If you (or your IT provider) run Exchange on-prem, treat this as a prompt to confirm you’re on a supported, maintained setup and that your provider is actively tracking exploited issues that could lead to account compromise or data exposure.

One action today

Send a same-day staff note: “If anyone phones claiming to be IT/Microsoft/MSP and asks you to approve an MFA prompt, read out a code, or click a link—hang up and call back using a known internal number.”

Related Actions On Cyber resource

Use the Actions On Cyber “Stop Phone-Based Account Takeover (Vishing) – Staff Script & Callback Checklist” for reception, admin and finance teams.

Sources

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.