Email Collaboration Threat Protection

    The account takeover playbook has changed. Has your defense?

    The question isn't whether MFA is on, it's what catches the attacks designed around it

    by Alexander Decarne

    Key Points

    • Attackers aren't breaking through defenses, they're going around them. Techniques like token theft, AitM proxies, and QR code phishing are specifically designed to bypass MFA and make compromised access look legitimate.
    • While MFA stops the bulk of automated credential attacks, the most dangerous threats in 2026 are engineered for environments where MFA is already enabled. Treating it as a security posture rather than a starting point leaves critical gaps.
    • No single control covers pre-click link inspection, real-time credential protection, post-compromise behavioral detection, and data exfiltration monitoring. Closing the gap means connecting these layers into a unified platform view.

    The attacks described in this blog aren't stopped by any single control. They're stopped by a platform that sees across the full chain, from the first suspicious link to post-compromise data movement, connecting the signals that point solutions leave isolated. Closing that gap isn't about adding more controls, it's about connecting the ones you have.

    Account takeover succeeds not because security teams aren't paying attention, but because the attack is designed to look like nothing is wrong. A legitimate identity, on a recognized device, from a plausible location. No signature fires. No policy trips. The access looks authorized because, technically, it is.

    For a security practitioner, that's the uncomfortable truth at the center of identity security in 2026. The new target is identity itself, and Microsoft 365, as the platform that underpins email, files, calendar, and access management for hundreds of millions of users, sits squarely in the crosshairs. A single compromised account isn't an isolated inbox problem. It's an organizational foothold, and the dwell time before detection gives attackers more than enough room to move.

    600 million identity-based attacks a day

    The volume of identity-based attacks targeting Microsoft 365 is no longer a background threat. Microsoft reports around 600 million such attacks daily [1], and one of the most successful vectors is highly convincing credential phishing at scale, often exploiting the one thing organizations can't patch: user familiarity.

    Because collaboration suites and SaaS are so deeply embedded in daily modern workflows, users are conditioned to receive and respond to communications that look like they come from these services. Attackers exploit that conditioning deliberately. Across Mimecast's global customer base, phishing now accounts for 77% of all observed threats [2], and Microsoft reported seeing roughly 8.3 billion email phishing attempts in Q1 2026 alone, with the vast majority targeting credentials rather than delivering malware [3]. This indicates that the direct objective isn't your network. It's your people's logins.

    How the playbook has evolved

    Most people still picture takeovers as an attacker guessing passwords. Over 97% of identity attacks on Microsoft 365 do still rely on password spray or brute force [1]. It's blunt, automated, and sometimes it works. But the more dangerous techniques work around your controls, not through them.

    QR Code-Based Phishing: More than doubled in Q1 2026, a 146% increase [3]. QR codes bypass text-based link scanners and push victims to a phishing page on their mobile phone, which is far less protected than their work device.

    CAPTCHA Abuse: The use of this technique surged 125% in March 2026 alone [3]. The CAPTCHA isn't proving the visitor is human; it's stopping basic email security solutions from reaching the credential-harvesting page behind it.

    Token Theft: Infostealers like Lumma Stealer and RedLine harvest authenticated browser session cookies. This matters because once a session cookie is stolen, the attacker authenticates as the user without ever needing their password or MFA code. From the identity provider's perspective, it's a valid, already-authenticated session.

    AitM and MFA Bypass: Platforms like Tycoon2FA sit between the user and the legitimate login page in real time, relaying credentials and capturing the MFA token the moment it's entered. The user completes authentication successfully, and so does the attacker, milliseconds later. 

    All of these modern techniques are specifically designed around the traditional identity controls most organizations rely on.

    MFA matters, but it's not the whole answer

    MFA is still essential; it eliminates the vast majority of automated credential attacks and should be non-negotiable. But the attacks that make headlines in 2026 aren't the ones MFA stops. They're specifically engineered for environments where MFA is already on. Treating MFA as a defense posture, rather than a baseline, is the gap attackers are building their playbooks around.

    Closing the gap means covering the whole chain

    Because the attack is a chain, the defense must be too, with controls that work before a credential is stolen, at the moment a user clicks something suspicious, and after an account has already been compromised.

    Before the click

    Most phishing links don't go straight to a fake login page. They route through redirects, CAPTCHAs, QR codes, and image-rendered URLs—specifically to evade security tools that only inspect the surface. Effective pre-click defense has to follow the full redirect chain, not just inspect the surface URL, and apply computer vision to identify fake login pages that text-based filters miss. CAPTCHA-gated URLs should be treated as a risk signal, not a reason to stop scanning. 
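    To make the pre-click logic above concrete, here is an added example (not Mimecast's code or any product's) of a link scanner that follows a URL's full redirect chain, keeps going through a CAPTCHA gate while recording it as a risk signal, and flags a login page served from a host that should never serve one. The HTTP layer is a constructed in-memory table, and the allow list of login hosts and the title heuristic (a stand-in for the computer-vision check the text describes) are assumptions.

```python
from urllib.parse import urlparse

MAX_HOPS = 10
# Login hosts the sample organisation expects to see (constructed allow list for this example).
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Constructed stand-in for live HTTP fetches. Each URL maps to (kind, payload):
# "redirect" -> Location target; "captcha" -> URL the verification form forwards to
# once passed; "page" -> the page title. None of these hosts are real.
FAKE_WEB = {
    "https://t.shortener.test/x1": ("redirect", "https://track.cdn.test/r?u=2"),
    "https://track.cdn.test/r?u=2": ("captcha", "https://secure-m365-verify.test/login"),
    "https://secure-m365-verify.test/login": ("page", "Sign in to your Microsoft account"),
    "https://loop-a.test/": ("redirect", "https://loop-b.test/"),
    "https://loop-b.test/": ("redirect", "https://loop-a.test/"),
    "https://docs.example.test/share/42": ("page", "Quarterly report"),
}

def fetch(url):
    """Simulated fetch; unknown URLs are treated as plain pages with no title."""
    return FAKE_WEB.get(url, ("page", ""))

def looks_like_login(title):
    """Text heuristic standing in for the computer-vision check on the rendered page."""
    return any(k in title.lower() for k in ("sign in", "log in", "password"))

def follow_chain(url, fetch=fetch):
    """Follow every redirect and CAPTCHA gate to the final page; return hops, signals, verdict."""
    hops, signals, title = [url], set(), ""
    while True:
        kind, payload = fetch(hops[-1])
        if kind == "page":
            title = payload
            break
        if kind == "captcha":
            signals.add("captcha_gate")  # risk signal, but keep following the chain
        if payload in hops:
            signals.add("redirect_loop")
            break
        if len(hops) >= MAX_HOPS:
            signals.add("too_many_hops")
            break
        hops.append(payload)
    host = urlparse(hops[-1]).netloc.lower()
    if looks_like_login(title) and host not in LEGIT_LOGIN_HOSTS:
        signals.add("login_page_off_brand")  # a login form on a host that should never host one
    verdict = "block" if "login_page_off_brand" in signals else ("review" if signals else "allow")
    return {"final_url": hops[-1], "hops": hops, "signals": sorted(signals), "verdict": verdict}
```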

    At the moment of click

    When a user clicks a link that hasn't yet been classified as malicious, but isn't yet trusted, Browser Isolation can step in before any damage is done. The session runs in a remote container, fully separated from the user's device. No token theft. No credential capture. Administrators can block credential entry entirely within isolated sessions. Even if someone falls for it, nothing gets through.

    After compromise

    When an account is compromised, detection requires correlating signals across layers. Behavioral anomalies in email—unusual sending volume or outbound phishing from trusted accounts—must be read alongside identity signals. Looked at in isolation, each might be dismissed as noise. Together, they tell a clear story, and AI-driven scoring is what makes that correlation actionable, surfacing the alerts that actually matter so security practitioners can respond fast.

    But compromise rarely stays in one place. An attacker with a valid session will move—into Teams conversations, shared drives, internal file stores—probing for what's valuable and who to target next. That means effective defense can't stop at email. The same behavioral lens needs to extend across collaboration environments, flagging suspicious internal communications and unusual sensitive data sharing before an attacker can establish a deeper foothold.

    Even then, a reliable late-stage indicator is what a compromised account eventually does with data. Transfers to untrusted destinations, freemail accounts, or personal devices represent a second, independent signal that something is wrong—one that's detectable in real time, even when the identity layer hasn't yet caught up.
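    The cross-layer correlation described in the three paragraphs above, as an added example that is not part of the original post: constructed events in a simplified Microsoft 365-like shape (the field names, weights and thresholds are assumptions, not a real audit-log schema) are scored per user, and an alert fires only when signals from at least two independent layers, identity, email behavior and data movement, agree, so a lone unfamiliar sign-in stays below the line.

```python
from collections import defaultdict

# Freemail domains treated as untrusted data destinations (constructed, deliberately short list).
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
# One weight per layer: a single layer stays below the alert line, two independent layers cross it.
WEIGHTS = {"identity": 40, "email": 35, "data": 35}
ALERT_THRESHOLD = 60
MASS_SEND_RECIPIENTS = 20

# Constructed events (field names are assumptions for this example, not real log output).
# The baseline holds the countries each user normally signs in from.
BASELINE = {"alice@example.com": {"US"}, "bob@example.com": {"US"}, "carol@example.com": {"US", "GB"}}
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "type": "signin", "country": "US"},
    {"user": "alice@example.com", "type": "signin", "country": "FR"},
    {"user": "alice@example.com", "type": "mail_send", "external": True, "recipients": 48},
    {"user": "alice@example.com", "type": "file_share", "to_domain": "gmail.com"},
    {"user": "bob@example.com", "type": "mail_send", "external": True, "recipients": 3},
    {"user": "carol@example.com", "type": "signin", "country": "DE"},
]

def classify(event, known_countries):
    """Map one event to the layer it belongs to plus a reason, or None if it looks normal."""
    t = event["type"]
    if t == "signin" and event["country"] not in known_countries:
        return "identity", f"sign-in from unfamiliar country {event['country']}"
    if t == "mail_send" and event["external"] and event["recipients"] >= MASS_SEND_RECIPIENTS:
        return "email", f"mass external send to {event['recipients']} recipients"
    if t == "file_share" and event["to_domain"].lower() in FREEMAIL:
        return "data", f"file shared to freemail domain {event['to_domain']}"
    return None

def score_users(events, baseline):
    """Correlate each user's signals across layers; alert only when independent layers agree."""
    hits = defaultdict(lambda: {"layers": set(), "reasons": []})
    for ev in events:
        res = classify(ev, baseline.get(ev["user"], set()))
        if res is not None:
            layer, why = res
            hits[ev["user"]]["layers"].add(layer)
            hits[ev["user"]]["reasons"].append(why)
    report = {}
    for user, h in hits.items():
        score = sum(WEIGHTS[layer] for layer in h["layers"])
        report[user] = {"score": score, "alert": score >= ALERT_THRESHOLD,
                        "layers": sorted(h["layers"]), "reasons": h["reasons"]}
    return report
```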

    The question worth asking today

    If an attacker compromised a Microsoft 365 account in your environment this morning, how long would it take your team to know? The volume of attacks targeting M365 isn't slowing down, and the ones that succeed aren't getting through because MFA is off. They're getting through because the gaps between your controls are exactly where attackers are building their playbooks.

    The attacks described in this blog aren't stopped by any single control. They're stopped by a platform that sees across the full chain—from the first suspicious link to post-compromise data movement—and connects the signals that point solutions leave isolated.

    Mimecast works across the whole chain. Before anyone clicks, we follow every link delivered to email and collaboration platforms all the way to where it ends up, even when it has been deliberately hidden behind QR codes, redirects, or verification screens designed to trick basic security tools. When someone does click something suspicious, we can open that page in an isolated browser so their login details and session tokens cannot be captured. If an account still gets compromised, we catch the signs fast—unusual emails going out, logins from unexpected places—and surface a clear, prioritized alert for your team. And when an attacker starts trying to move data out, a separate layer watches for that behavior and can prevent that data from leaking while raising an alert to be investigated.

    That's the answer to the architectural problem. Not more tools. A platform that was built to see the whole attack, because the intersection of human, data, and AI is where the risk lives—and it's where Mimecast is built to protect it.

    See how Mimecast stops account takeover across the full attack chain:

    From the first suspicious link to post-compromise data movement—explore how Mimecast connects the signals your current stack is missing.

    Request a demo.


    1. Microsoft Digital Defense Report 2024 & 2025 (microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2025)

    2. Mimecast Global Threat Intelligence Report, 2025 (https://www.mimecast.com/resources/ebooks/threat-intelligence-january-june-2025/)

    3. Microsoft Q1 2026 Email Threat Landscape Report (https://www.microsoft.com/en-us/security/blog/2026/04/30/email-threat-landscape-q1-2026-trends-and-insights/)
