Phishing is not just fake invoices and misspelled emails anymore. Today attackers rent turnkey kits, steal session tokens to skip MFA, trick users with OAuth consent prompts, and hide lures in QR codes. The good news: you can blunt most of this with modern controls and a simple playbook that protects revenue, reputation, and operations.
Phishing at scale: Microsoft seized nearly 340 domains tied to a subscription phishing service. It shows how mature the phishing-as-a-service ecosystem has become. https://www.reuters.com/sustainability/boards-policy-regulation/microsoft-seizes-340-websites-linked-growing-phishing-subscription-service-2025-09-16/
Record volumes keep coming: APWG logged roughly one million phishing attacks in a recent quarter, with heavy targeting of financial and payment services and growing use of QR codes. https://apwg.org/trendsreports
MFA bypass through adversary in the middle: proxy pages intercept logins and harvest session cookies so attackers can ride a user’s session. Background on the concept: https://en.wikipedia.org/wiki/Man-in-the-middle_attack
OAuth consent phishing goes mainstream: users are tricked into granting malicious apps access that can persist beyond password changes. https://techcommunity.microsoft.com/blog/microsoft-entra-blog/oauth-consent-phishing-explained-and-prevented/4423357
Platform countermeasures: device-bound session credentials and broader passkey adoption aim to blunt cookie theft and reduce reliance on passwords. https://www.theverge.com/2025/7/29/24107228/google-chrome-device-bound-session-credentials and https://developer.chrome.com/docs/web-platform/device-bound-session-credentials
AiTM kits sit between the user and the real site. They forward the login, MFA step included, to the legitimate service, then capture the session token the service issues. Result: the attacker replays that token and acts as the user without facing a new MFA challenge, because the victim already satisfied MFA through the proxy. Overview: https://en.wikipedia.org/wiki/Man-in-the-middle_attack
Instead of stealing a password, the attacker asks for permission. A convincing consent screen requests scopes like read mail or send mail as you. If a user accepts, the attacker gets long-lived cloud access that survives a password reset. Guidance: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/protect-against-consent-phishing
Quishing uses QR images in email or in the physical world that send users to fake logins or malware sites. Incidents are rising. News example: https://www.theguardian.com/money/2025/may/25/qr-code-scam-what-is-quishing-drivers-app-phone-parking-payment
Adopt passkeys for workforce accounts. Where passkeys are not yet possible, require phishing-resistant MFA and number matching. Background: https://en.wikipedia.org/wiki/Passwordless_authentication
Turn on device-bound session credentials where available. Binding tokens to a device makes stolen cookies useless on an attacker’s machine. Articles and docs: https://www.theverge.com/2025/7/29/24107228/google-chrome-device-bound-session-credentials and https://developer.chrome.com/docs/web-platform/device-bound-session-credentials
Restrict end-user consent to verified publishers or admin-approved apps. Review high-risk scopes and monitor new grants. Remove stale apps. How-to: https://techcommunity.microsoft.com/blog/microsoft-entra-blog/oauth-consent-phishing-explained-and-prevented/4423357
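The consent review above (and the Week 3 grant review in the plan below) as an added, runnable example that is not part of the original article: it walks a constructed export of consent grants and flags unverified publishers, high-risk scopes, stale grants, and the revoke-now case of persistent access. The scope names follow Microsoft Graph naming, but the high-risk list and the grant record fields are assumptions.

```python
from datetime import date, timedelta

# Scopes that give broad mailbox or file access. The names follow Microsoft
# Graph permission naming, but which ones count as high-risk is an assumption.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Files.ReadWrite.All", "Sites.ReadWrite.All", "offline_access"}
STALE_AFTER = timedelta(days=90)
AS_OF = date(2025, 9, 20)  # review date for the constructed sample below

# Constructed export of consent grants; not real tenant data.
SAMPLE_GRANTS = [
    {"app": "Contoso Expense", "publisher_verified": True, "grantor": "user",
     "scopes": ["User.Read", "Mail.Read"], "last_used": date(2025, 9, 1)},
    {"app": "Doc Viewer Pro", "publisher_verified": False, "grantor": "user",
     "scopes": ["Mail.ReadWrite", "Mail.Send", "offline_access"],
     "last_used": date(2025, 9, 10)},
    {"app": "Old Survey Tool", "publisher_verified": True, "grantor": "admin",
     "scopes": ["Files.ReadWrite.All"], "last_used": date(2025, 1, 15)},
]

def review_grants(grants, today):
    """Return (app, findings) for every grant that needs action. Findings mirror
    the policy above: user consent to unverified publishers, high-risk scopes,
    stale grants, and the revoke-now case of persistent access to an
    unverified app."""
    results = []
    for g in grants:
        findings = []
        risky = sorted(set(g["scopes"]) & HIGH_RISK_SCOPES)
        unverified_user_grant = g["grantor"] == "user" and not g["publisher_verified"]
        if unverified_user_grant:
            findings.append("user consent to unverified publisher")
        if risky:
            findings.append("high-risk scopes: " + ", ".join(risky))
        idle = (today - g["last_used"]).days
        if idle > STALE_AFTER.days:
            findings.append("stale: unused for %d days" % idle)
        # offline_access yields refresh tokens that outlive a password reset,
        # which is exactly what consent phishing is after.
        if unverified_user_grant and "offline_access" in risky:
            findings.append("REVOKE: persistent access granted to unverified app")
        if findings:
            results.append((g["app"], findings))
    return results
```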
SPF and DKIM are table stakes. Add DMARC with reporting, then move policy from none to quarantine to reject. Measure look-alike domain attempts and adjust. Primer: https://en.wikipedia.org/wiki/DMARC and trends: https://apwg.org/trendsreports
Go beyond generic link lures. Include AiTM and QR scenarios in quarterly simulations. Coach on consent prompts, token theft, and out-of-band verification. Materials: https://www.cisa.gov/secure-our-world/teach-employees-avoid-phishing
Week 1: enable passkeys for admins and high-risk roles. Require phishing-resistant MFA for all users.
Week 2: enforce DMARC with RUA and RUF reporting. Tighten SPF includes. Fix misaligned senders across marketing, ticketing, and payroll tools.
Week 3: restrict OAuth consent to verified publishers. Review existing enterprise app grants. Remove stale high-scope apps.
Week 4: pilot device-bound session credentials in your primary browser. Update your incident response playbook for token theft.
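The Week 4 token-theft playbook, as an added example that is not part of the original article: a detection that flags a session ID replayed from a second IP and browser shortly after login without a fresh MFA challenge (the trace an AiTM proxy leaves, see the AiTM section above), plus the containment order to run when it fires. The event shape and field names are assumptions, not any vendor's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in and activity events in a generic identity-log shape;
# the field names are assumptions, not any vendor's schema.
EVENTS = [
    {"ts": "2025-09-16T08:00:00", "user": "alice", "session": "S1",
     "ip": "203.0.113.5", "ua": "Edge/128 Windows", "mfa": True},
    {"ts": "2025-09-16T08:01:30", "user": "alice", "session": "S1",
     "ip": "203.0.113.5", "ua": "Edge/128 Windows", "mfa": False},
    # Same session token used minutes later from another network and browser
    # with no new MFA challenge: the replay pattern left by an AiTM proxy.
    {"ts": "2025-09-16T08:06:00", "user": "alice", "session": "S1",
     "ip": "198.51.100.23", "ua": "Chrome/127 Linux", "mfa": False},
    {"ts": "2025-09-16T09:00:00", "user": "bob", "session": "S2",
     "ip": "203.0.113.9", "ua": "Safari/17 macOS", "mfa": True},
]

def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Alert on a session ID used from a second IP/user-agent pair within
    `window` of the original login when that later use carried no MFA."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])  # ISO timestamps sort lexically
        first = evs[0]
        for e in evs[1:]:
            same_device = (e["ip"], e["ua"]) == (first["ip"], first["ua"])
            delta = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(first["ts"])
            if not same_device and not e["mfa"] and delta <= window:
                alerts.append({"user": e["user"], "session": sid,
                               "origin": (first["ip"], first["ua"]),
                               "replay": (e["ip"], e["ua"]),
                               "minutes_after_login": int(delta.total_seconds() // 60)})
    return alerts

def containment_steps(alert):
    """Playbook actions for a confirmed replay; revoke first so the stolen
    token stops working before anything else is touched."""
    return [
        "revoke all refresh and session tokens for %s" % alert["user"],
        "block replay source %s (%s) at the edge" % alert["replay"],
        "force re-authentication with phishing-resistant MFA",
        "review mailbox rules, forwarding and OAuth grants created during session %s" % alert["session"],
    ]
```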
Fewer account takeovers tied to cookie theft or consent abuse. NIST on session risks: https://csrc.nist.gov/glossary/term/session_hijack_attack
DMARC aggregate reports show spoofed messages rejected and look-alike domains flagged. https://en.wikipedia.org/wiki/DMARC
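Reading the aggregate reports this line and the DMARC sections above rely on, as an added example that is not from the original article: it parses a constructed RUA report, works out which sources failed DMARC (neither aligned SPF nor aligned DKIM passed), and counts how much failing mail a p=none policy let through, which is the number that justifies moving to quarantine and then reject. The sample XML is trimmed to the fields the summary reads; IPs, counts and names are made up.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (RUA) report, trimmed to the fields the summary
# reads. Domains, IPs and counts are made up; a real report has more rows.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>192.0.2.44</source_ip><count>8</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
</feedback>"""

def summarize_rua(xml_text):
    """Summarize one aggregate report: published policy, per-source rows and
    totals. A row fails DMARC only when neither aligned SPF nor aligned DKIM
    passed; those rows are spoofing attempts or misaligned legitimate senders."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    rows = []
    totals = {"messages": 0, "failed": 0, "failed_not_blocked": 0}
    for rec in root.iter("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        disposition = row.findtext("policy_evaluated/disposition")
        failed = dkim != "pass" and spf != "pass"
        rows.append({"ip": row.findtext("source_ip"), "count": count,
                     "dkim": dkim, "spf": spf, "disposition": disposition,
                     "dmarc_fail": failed})
        totals["messages"] += count
        if failed:
            totals["failed"] += count
            # Failed mail with disposition 'none' was delivered anyway: under
            # p=none the policy only observes. This is the case for tightening.
            if disposition == "none":
                totals["failed_not_blocked"] += count
    return {"policy": policy, "rows": rows, "totals": totals}

def sources_to_investigate(summary):
    """IPs whose mail failed DMARC: fix alignment if they are yours, else block."""
    return [r["ip"] for r in summary["rows"] if r["dmarc_fail"]]
```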
Phishing simulations confirm users recognize QR lures and suspicious consent prompts. https://www.cisa.gov/secure-our-world/teach-employees-avoid-phishing
Phishing Readiness Assessment: mailbox signals plus targeted simulations that reflect current attacker tactics.
DMARC setup and monitoring: policy tuning, reporting, and sender alignment across every service that sends on your domain.
Microsoft 365 hardening: passkey rollout guidance, conditional access, consent governance, mailbox and SharePoint protections.
SOC monitoring and incident response: detection, containment, and post-incident token hygiene.
MFA alone helps, but it is not sufficient by itself. Combine MFA with passkeys or device-bound tokens so stolen cookies are useless. Reference: https://csrc.nist.gov/glossary/term/session_hijack_attack
QR codes are not safe by default. Treat them like any link. Verify the destination, prefer trusted apps for payments, and avoid scanning codes on stickers or posters you do not control. Reference: https://www.theguardian.com/money/2025/may/25/qr-code-scam-what-is-quishing-drivers-app-phone-parking-payment