What to look out for today
- Microsoft 365 “device-code” phishing: emails or messages that try to get a staff member to enter a short code on a genuine Microsoft sign-in page (often framed as “secure login”, “update access”, “new Teams/SharePoint document”, or “verify your account”).
- Unexpected Microsoft 365 sign-in prompts and new device registrations that staff don’t recognise.
- Website or portal instability (errors, worker crashes, unexplained restarts) if your organisation runs NGINX or relies on a supplier that does.
Why this matters to smaller businesses
For many SMEs, Microsoft 365 is the front door to email, invoices, customer data and internal documents. A successful account takeover can quickly lead to:
- Invoice/payment diversion (attackers replying from a real mailbox).
- Payroll/HR data exposure and social engineering of staff.
- Wider compromise via password resets and access to other SaaS tools.
Separately, reports of active exploitation affecting NGINX matter because SMEs may run it directly (website, reverse proxy) or be indirectly exposed through hosting providers, web agencies, ecommerce platforms, and managed IT/security services.
Warning signs
- Emails telling staff to visit a Microsoft page and enter a code to “continue signing in”.
- Messages using tracking/click-protection style links that redirect through a third party before landing on Microsoft.
- Staff report “I didn’t request this sign-in”, “I got a login code I didn’t ask for”, or repeated authentication prompts.
- Mailbox rules created or changed unexpectedly (e.g., forwarding, hiding messages, moving finance emails to archives).
- Web services showing unusual instability: repeated restarts, spikes in errors, or unexplained downtime.
How attackers may exploit the situation
- Device-code phishing can trick a user into authorising a sign-in on a legitimate Microsoft page, which may bypass some of the usual “fake login page” tell-tales.
- Once inside Microsoft 365, attackers often target finance and supplier conversations, then send believable payment-change requests from the compromised account.
- For NGINX, attackers may target internet-facing services to cause disruption and, in the worst cases, attempt deeper access. Your exposure can be direct (your own server) or indirect (a supplier's infrastructure in your service path).
What to do today
- Warn staff (especially finance/admin): Microsoft will never ask you to type a “device code” from an email into a sign-in page to view a document or fix a mailbox issue.
- Require stronger sign-in controls for Microsoft 365 (MFA and conditional access where available) and ensure staff know how to report suspicious sign-in prompts immediately.
- Review mailbox forwarding and rules for finance and senior leadership accounts (and investigate anything new or unexplained).
- Check key suppliers (web host, ecommerce provider, MSP) for any service advisories or unusual instability today, and ensure you have a clear escalation route if a portal goes down.
Ask your IT provider
- Are we seeing device-code phishing attempts against our Microsoft 365 users, and do we have an agreed process for rapid account lockout and session revocation?
- Do we have alerting for suspicious Microsoft 365 activity (new sign-ins, unusual locations, new inbox rules, forwarding, OAuth/app consent changes) for priority accounts?
- Do we (or any critical supplier we depend on) run NGINX on internet-facing systems, and have we confirmed mitigations/updates and monitoring are in place?
- If our email or website is disrupted, what’s our business continuity fallback (alternate contact route, invoice approval process, customer comms plan)?
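To make the alerting question above concrete, here is an added Python example (not part of the original brief or of any Microsoft tooling) that triages two exports an IT provider could pull from Microsoft Graph: sign-in records, whose `authenticationProtocol` field records a device-code grant, and inbox rules in the Graph `messageRule` shape. The JSON field names follow those Graph resources; the mailbox names, addresses, IPs and rules are constructed sample data.

```python
import json

# Constructed sample of Graph signIn records (field names assumed from Graph; values invented).
SIGNINS = json.loads("""[
 {"userPrincipalName": "finance@example.com", "authenticationProtocol": "deviceCode",
  "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "ceo@example.com", "authenticationProtocol": "oAuth2",
  "ipAddress": "198.51.100.5", "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "hr@example.com", "authenticationProtocol": "deviceCode",
  "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 50126}}
]""")

# Constructed sample of Graph messageRule objects per mailbox (shape assumed; values invented).
INBOX_RULES = json.loads("""{
 "finance@example.com": [
  {"displayName": "Sync", "actions": {"forwardTo": [{"emailAddress": {"address": "x@mail.example"}}],
   "delete": true}},
  {"displayName": "Newsletters", "actions": {"moveToFolder": "Archive"}}
 ],
 "ceo@example.com": [
  {"displayName": "Tidy", "conditions": {"subjectContains": ["invoice", "payment"]},
   "actions": {"moveToFolder": "RSS Feeds", "markAsRead": true}}
 ]
}""")

# Rule actions that send mail elsewhere or make it disappear; subject words tied to invoice fraud.
RISKY_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo", "delete", "permanentDelete")
FINANCE_WORDS = ("invoice", "payment", "bank", "payroll")

def device_code_signins(records):
    """Successful device-code sign-ins (errorCode 0) are rare for office users; list each one."""
    return [(r["userPrincipalName"], r["ipAddress"], r["location"]["countryOrRegion"])
            for r in records
            if r.get("authenticationProtocol") == "deviceCode" and r["status"]["errorCode"] == 0]

def risky_inbox_rules(rules_by_mailbox):
    """Flag rules that forward or delete mail, or that quietly file finance-related messages."""
    findings = []
    for mailbox, rules in rules_by_mailbox.items():
        for rule in rules:
            actions = rule.get("actions", {})
            reasons = [a for a in RISKY_ACTIONS if actions.get(a)]
            subjects = rule.get("conditions", {}).get("subjectContains", [])
            if actions.get("moveToFolder") and any(w in s.lower() for s in subjects for w in FINANCE_WORDS):
                reasons.append("moves finance mail to " + actions["moveToFolder"])
            if reasons:
                findings.append((mailbox, rule.get("displayName"), reasons))
    return findings

if __name__ == "__main__":
    for hit in device_code_signins(SIGNINS):
        print("device-code sign-in:", hit)
    for hit in risky_inbox_rules(INBOX_RULES):
        print("inbox rule to review:", hit)
```

Run against a real export, every hit is a prompt to confirm with the user, revoke sessions if unrecognised, and remove the rule; ordinary "move newsletters to Archive" rules are deliberately not flagged.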
Patch watch
There are reports of active exploitation affecting NGINX (CVE-2026-42945). Even if you don’t run servers yourself, ask your website/hosting/MSP suppliers to confirm whether they use NGINX in your service path and what they’ve done to reduce risk and monitor for abnormal crashes or exploitation attempts.
One action today
Send a same-day staff note: “Do not enter ‘device codes’ from emails/messages into Microsoft sign-in pages—report it immediately,” and have IT review forwarding/rules on finance and leadership mailboxes.
Related Actions On Cyber resource
Actions On Cyber – Phishing reporting & invoice fraud (payment change) checklist
Sources
- Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing (BleepingComputer)
- NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE (The Hacker News)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.