What to look out for today
Today’s theme is trust being abused: attackers using legitimate Microsoft 365/Azure features to steal data, and criminals attempting to make malware look trustworthy by getting it “signed”. At the same time, supplier and developer-tool incidents remind us that breaches can ripple into customers via tokens, extensions, and third-party components.
- Microsoft 365/Azure data-theft attempts that leverage legitimate apps and admin features (including password reset/self-service flows).
- “Signed” malware and ransomware delivery: Microsoft says it disrupted a service that abused its signing platform to help criminals make malware appear legitimate.
- Supplier/dev-tool knock-on risk: GitHub reports thousands of repos breached via a malicious VS Code extension; Grafana attributes its breach to a missed token rotation after a supply-chain incident.
Why this matters to smaller businesses
SMEs rely heavily on Microsoft 365, cloud admin tools, and third-party SaaS. If attackers can gain access using normal-looking sign-ins, “approved” apps, or trusted-looking signed files, it can bypass the usual gut-checks staff and even IT teams rely on. Separately, supplier incidents can drive follow-on scams (fake support calls, “we need you to re-auth” emails) and can also expose credentials/tokens that grant access to business data.
Warning signs
- Unexpected password reset or account recovery notifications, especially for admin or finance users.
- New or unusual consent prompts for Microsoft 365 apps (e.g. an app requesting broad access to mail/files).
- Unfamiliar sign-in locations, impossible travel alerts, or sign-ins at odd hours.
- Staff receiving “Microsoft/IT support” messages urging urgent action to “restore access”, “re-verify”, or “approve a login”.
- Reports of new developer tools/extensions installed without a clear business need (especially on machines that can access code, scripts, or production admin consoles).
How attackers may exploit the situation
- Account takeover and data theft by abusing legitimate Microsoft 365/Azure applications and administrative features, making activity blend in with normal operations.
- Social engineering follow-ups after widely reported cloud/supplier news: attackers impersonate vendors to trick staff into sharing MFA codes, approving prompts, or granting app access.
- False sense of safety from “signed” files: criminals try to make malware appear trustworthy to users and some security controls.
- Supply-chain entry points via tokens, extensions, or third-party scripts/components that can be abused to reach internal systems or data.
What to do today
- Brief staff (5 minutes): no one should approve unexpected MFA prompts, password resets, or app consent requests. Route to IT via a known contact method.
- Check Microsoft 365 for risky changes: newly consented apps, new admin accounts, and unusual sign-ins (prioritise admins and finance).
- Reduce extension and tooling risk: ensure only approved browser/VS Code extensions are allowed on work devices used for admin, finance, or production access.
- Token/secret hygiene: confirm any shared admin accounts and automation tokens are tracked, rotated, and least-privilege.
- Prepare for supplier-themed scams: remind reception/helpdesk/finance how to verify vendor contacts and requests.
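The "check Microsoft 365 for risky changes" and "token/secret hygiene" items above can be turned into a repeatable read-only review. The script below is an added example written for this brief; it is not code from the brief's sources or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account has read-only reporting rights in the tenant, and that the tenant has an Entra ID P1/P2 licence (needed to read sign-in logs through Graph). The watch-list addresses, the list of "broad" permission scopes and the set of privileged roles are placeholders and starting points you should adjust to your own tenant.

```powershell
# Added example: quick Microsoft 365 / Entra ID review of newly created apps, consent
# grants with broad permissions, privileged-role members and risky sign-ins for a
# watch-list of admin/finance users. Read-only; nothing here changes the tenant.
param(
    [int]      $LookbackDays = 7,
    # Placeholder UPNs: replace with your admin and finance accounts.
    [string[]] $WatchList    = @('finance@example.com', 'admin@example.com')
)

Import-Module Microsoft.Graph.Applications,
              Microsoft.Graph.Identity.DirectoryManagement,
              Microsoft.Graph.Reports

# Delegated read scopes only.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All', 'AuditLog.Read.All' -NoWelcome

$since    = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays)
$sinceIso = $since.ToString('yyyy-MM-ddTHH:mm:ssZ')

# Assumed starting list of delegated scopes that give an app wide reach over mail, files or the directory.
$broadScopes = 'Mail.Read', 'Mail.ReadWrite', 'Files.Read.All', 'Files.ReadWrite.All',
               'Directory.ReadWrite.All', 'Directory.AccessAsUser.All'

Write-Host "== Service principals (apps) created since $sinceIso =="
$allSps = Get-MgServicePrincipal -All -Property Id, AppId, DisplayName, CreatedDateTime, PublisherName
$allSps |
    Where-Object { $_.CreatedDateTime -and $_.CreatedDateTime -ge $since } |
    Select-Object DisplayName, AppId, PublisherName, CreatedDateTime |
    Format-Table -AutoSize

Write-Host "== OAuth2 consent grants that include a broad delegated scope =="
$spName = @{}
foreach ($sp in $allSps) { $spName[$sp.Id] = $sp.DisplayName }
Get-MgOauth2PermissionGrant -All |
    Where-Object {
        $granted = $_.Scope -split ' '
        ($granted | Where-Object { $broadScopes -contains $_ }).Count -gt 0
    } |
    ForEach-Object {
        [pscustomobject]@{
            App         = $spName[$_.ClientId]
            ConsentType = $_.ConsentType   # 'AllPrincipals' = tenant-wide admin consent
            Scope       = $_.Scope
            PrincipalId = $_.PrincipalId   # consenting user; empty for admin consent
        }
    } | Format-Table -AutoSize

Write-Host "== Current members of privileged directory roles (compare with your expected list) =="
$privilegedRoles = 'Global Administrator', 'Privileged Role Administrator', 'Exchange Administrator',
                   'SharePoint Administrator', 'User Administrator', 'Security Administrator'
Get-MgDirectoryRole -All |
    Where-Object { $privilegedRoles -contains $_.DisplayName } |
    ForEach-Object {
        $role = $_
        foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            # Members come back as generic directory objects; user details sit in AdditionalProperties.
            $who = $m.AdditionalProperties['userPrincipalName']
            if (-not $who) { $who = $m.AdditionalProperties['displayName'] }
            [pscustomobject]@{ Role = $role.DisplayName; Member = $who; ObjectId = $m.Id }
        }
    } | Format-Table -AutoSize

Write-Host "== Risky or failed sign-ins since $sinceIso for watch-listed users =="
Get-MgAuditLogSignIn -Filter "createdDateTime ge $sinceIso" -All |
    Where-Object { $WatchList -contains $_.UserPrincipalName } |
    Where-Object { ($_.RiskLevelDuringSignIn -notin 'none', 'hidden') -or ($_.Status.ErrorCode -ne 0) } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress,
                  @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
                  RiskLevelDuringSignIn,
                  @{ n = 'Error';   e = { $_.Status.ErrorCode } } |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize
```

Run it from an admin workstation as `.\Review-M365.ps1 -LookbackDays 7`, keep the previous run's role-member output so new admins stand out, and treat any tenant-wide (`AllPrincipals`) grant of a broad scope to an app you do not recognise as something to raise with IT the same day.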
Ask your IT provider
- How are we monitoring for unusual Microsoft 365/Azure sign-ins and new app consents (especially high-privilege permissions)?
- Do we have phishing-resistant MFA for admin accounts (and are we blocking repeated push prompts or risky sign-in patterns)?
- What’s our policy for developer tools and extensions (VS Code, browser add-ons) on work devices—can we restrict to an allow-list?
- How do we manage and rotate automation tokens/secrets and ensure old tokens are invalidated after incidents or supplier alerts?
- If a supplier breach affects us, what is our playbook (who is notified, what gets reset, what logs are checked)?
Patch watch
If your website or intranet runs on Drupal, pay attention to today’s announced core security release and plan a prompt, controlled update window. The key SME focus is business disruption: rapid public attention around major platforms can increase opportunistic scanning and break-in attempts shortly after releases.
One action today
Send a same-day internal note: “Do not approve unexpected Microsoft login/MFA or app permission prompts—report them to IT immediately,” and ask IT to review newly consented Microsoft 365 apps for admin and finance users.
Related Actions On Cyber resource
CTA: Actions On Cyber checklist — “Microsoft 365 account takeover: quick checks for owners and office managers”
Sources
- Microsoft Self-Service Password Reset abused in Azure data theft attacks (BleepingComputer)
- Cybercrime service disrupted for abusing Microsoft platform to sign malware (BleepingComputer)
- Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks (The Hacker News)
- GitHub confirms breach of 3,800 repos via malicious VSCode extension (BleepingComputer)
- Grafana breach caused by missed token rotation after TanStack attack (BleepingComputer)
- Drupal critical update to fix bug with high exploitation risk (BleepingComputer)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.