What to look out for today
Keep an eye out for three themes that can hit smaller organisations quickly:
- Phishing that “passes” MFA by tricking users into approving sign-ins or app access (including prompts to use device login flows and OAuth consent screens).
- Supplier/developer supply‑chain risk: compromised GitHub Actions, malicious npm packages, and a tampered VS Code extension aimed at stealing credentials/tokens used in CI/CD and cloud services.
- Breach ripple effects: a large retailer (7‑Eleven) has confirmed a breach claimed by an extortion group, which often leads to copycat phishing and supplier impersonation attempts.
Why this matters to smaller businesses
- “We have MFA” isn’t the end of the story. If a user is tricked into approving access, attackers may get mail access, set up forwarding rules, or register their own access without needing the password again.
- Outsourced IT and SaaS dependencies mean one stolen admin token, API key, or mailbox session can cascade into payroll fraud, invoice diversion, data theft, and ransomware preparation.
- If you use an agency/MSP or have in‑house developers, a compromised build step (e.g., GitHub Actions or npm) can leak secrets that unlock cloud accounts, backups, or production systems.
Warning signs
- Users report unexpected messages asking them to “verify”, “secure your account”, or “complete sign-in” using a short code/device login flow.
- Unexpected prompts to approve access for an app you don’t recognise (OAuth consent) or unusual MFA prompts when not signing in.
- Mailbox oddities: new forwarding rules, unexpected “sent” items, or complaints that staff emails look unusual.
- Developer/IT signs: sudden CI/CD failures, workflow changes no one owns, secrets/tokens rotated unexpectedly, or unusual outbound connections during builds.
- Increased “supplier breach” emails/texts referencing known brands (e.g., large retailers) to push staff into clicking links or resetting passwords.
How attackers may exploit the situation
- MFA-bypass phishing: attackers nudge staff to complete a legitimate-looking sign-in step and approve access, then use that session/token to access Microsoft 365 data.
- Business email compromise (BEC): once inside a mailbox, attackers may watch invoice conversations, change bank details, or request urgent payments.
- Supply-chain credential theft: compromised GitHub Actions, poisoned npm packages, or a tampered VS Code extension can harvest API keys, cloud credentials, SSH keys, and tokens—then attackers use those to move into your cloud, backups, or customer data stores.
- Follow-on extortion: stolen data and admin access can be used to pressure payment, even without traditional ransomware encryption.
What to do today
- Brief staff in 3 sentences: “Don’t approve unexpected sign-in/app permission prompts. Don’t follow ‘device login’ instructions from emails/texts. Report anything that asks for urgent account verification.”
- Check Microsoft 365 basics: confirm MFA prompts and app-consent requests are monitored; review recent suspicious sign-ins and any new mailbox forwarding rules (especially for finance users).
- Protect payments: remind finance that bank detail changes must be verified via a known phone number (not the one in the email).
- If you build software or use an agency/MSP: ask for confirmation they are reviewing GitHub Actions usage, npm dependency hygiene, and developer workstation/extension controls after recent supply-chain compromises.
- Token hygiene: rotate high-value credentials (finance mailboxes, shared admin accounts, CI/CD secrets) if you see any suspicious prompts or unexplained workflow changes.
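As an added illustration of the Microsoft 365 checks above (not part of the original brief), this script flags two things in exported audit records: inbox rules that forward or redirect mail outside the organisation, and app-consent grants that hand an application mailbox or file access. The sample records, field names and the internal domain list are constructed assumptions; check them against the shape of your own tenant's export before relying on the script.

```python
"""Flag external mailbox forwarding rules and risky app-consent grants in audit records."""
import json

# Constructed sample records, loosely shaped like Microsoft 365 unified audit log
# entries. Field names and values are assumptions: check them against your own export.
SAMPLE_LOG = r'''
{"CreationTime":"2025-01-10T08:01:12","UserId":"finance@example.com","Workload":"Exchange","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"ForwardTo","Value":"outside@mail.example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2025-01-10T08:05:40","UserId":"alice@example.com","Workload":"Exchange","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Reading"}]}
{"CreationTime":"2025-01-10T09:12:03","UserId":"bob@example.com","Workload":"AzureActiveDirectory","Operation":"Consent to application.","ObjectId":"Mail Sync Helper","ModifiedProperties":[{"Name":"ConsentAction.Permissions","NewValue":"Mail.ReadWrite Mail.Send offline_access"}]}
'''

FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "offline_access", "Files.ReadWrite.All"}
INTERNAL_DOMAINS = {"example.com"}   # your own tenant domains (assumption)

def parse_records(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def is_external(addr):
    return addr.split("@")[-1].lower() not in INTERNAL_DOMAINS

def forwarding_alerts(records):
    """Inbox rules that forward or redirect mail outside the organisation."""
    alerts = []
    for r in records:
        if r.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
        targets = [params[k] for k in FORWARDING_PARAMS if k in params]
        if any(is_external(t) for t in targets):
            alerts.append({"user": r["UserId"], "targets": targets,
                           "deletes": params.get("DeleteMessage") == "True"})
    return alerts

def consent_alerts(records):
    """Consent grants that hand an app mailbox or file access."""
    alerts = []
    for r in records:
        if r.get("Operation") != "Consent to application.":
            continue
        scopes = set()
        for prop in r.get("ModifiedProperties", []):
            if prop.get("Name") == "ConsentAction.Permissions":
                scopes.update(prop["NewValue"].split())
        risky = sorted(scopes & RISKY_SCOPES)
        if risky:
            alerts.append({"user": r["UserId"], "app": r.get("ObjectId"), "scopes": risky})
    return alerts
```

A rule that both forwards externally and deletes the original (the `deletes` flag) is the classic invoice-fraud setup and deserves the first phone call.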
Ask your IT provider
- Are you monitoring for OAuth consent grants and unusual sign-ins in Microsoft 365, and do we get alerted for suspicious approvals?
- Do we have controls to block or limit mailbox auto-forwarding and detect new forwarding rules for finance and senior staff?
- If we use GitHub/CI/CD: are workflows pinned and reviewed, and do you have a process to respond to compromised GitHub Actions tags?
- How are developer/admin secrets stored and rotated (tokens, API keys), and do you scan for leaked credentials in code repos?
- Do you have a standard playbook for suspected business email compromise (freeze payments, check rules, revoke sessions, reset credentials, preserve evidence)?
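To make the "are workflows pinned" question concrete, here is an added checker (not from the original brief or any named project) that reads a GitHub Actions workflow and lists every `uses:` reference that points at a mutable tag or branch instead of a full commit SHA. The workflow and the 40-character SHA in it are constructed; a SHA pin only helps if someone reviewed the commit it points at.

```python
"""Flag GitHub Actions 'uses:' references that point at mutable tags or branches."""
import re

# Constructed sample workflow (not any real project's file). The 40-hex SHA is made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v4.0.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: Deploy
        uses: some-org/deploy-action@main
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(ref):
    """Return 'pinned', 'mutable', 'local' or 'docker' for one uses: target."""
    if ref.startswith("./"):
        return "local"       # lives in this repo; reviewed with the rest of the code
    if ref.startswith("docker://"):
        return "docker"      # image tags are mutable too; pin those by digest
    _action, _, version = ref.partition("@")
    if not version:
        return "mutable"     # no ref at all resolves to the default branch
    return "pinned" if SHA_RE.match(version) else "mutable"

def audit_workflow(text):
    """Return (line_no, ref, classification) for every uses: line in the file."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            results.append((n, m.group(1), classify(m.group(1))))
    return results

def unpinned(text):
    """Only the references a reviewer needs to look at."""
    return [(n, ref) for n, ref, c in audit_workflow(text) if c == "mutable"]
```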
Patch watch
No specific patch item is the main story today. The bigger takeaway is to reduce reliance on “patching fixes it” by tightening identity controls (app consent and sign-in monitoring) and reviewing software supply-chain exposure (CI/CD workflows, dependencies, and developer tooling).
One action today
Send a same-day staff note: “If you get an unexpected Microsoft sign-in/app permission prompt or a message telling you to enter a code at a Microsoft login page, stop and report it—do not approve it.”
Related Actions On Cyber resource
Actions On Cyber checklist: Business Email Compromise (BEC) & invoice fraud prevention quick checks
Sources
- The New Phishing Click: How OAuth Consent Bypasses MFA (The Hacker News)
- Popular GitHub Action Tags Redirected to Imposter Commit to Steal CI/CD Credentials (The Hacker News)
- New Shai-Hulud malware wave compromises 600 npm packages (BleepingComputer)
- Leaked Shai-Hulud malware fuels new npm infostealer campaign (BleepingComputer)
- Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer (The Hacker News)
- CISA Admin Leaked AWS GovCloud Keys on Github (Krebs on Security)
- 7-Eleven confirms data breach claimed by the ShinyHunters gang (BleepingComputer)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.