The Phishing Wave We’re Seeing Right Now Should Make Every Business Pay Attention

A few weeks ago, we dealt with the kind of email security incident that every organization hopes never happens.
One user’s email account was compromised. Once the attackers got in, they used that mailbox to send a mass email to roughly 6,000 recipients. What made this especially interesting is that the recipient list did not appear to come from the compromised user’s own contacts. It seemed like the attackers already had their own list and simply used the compromised mailbox as the delivery vehicle.
That changed the nature of the incident.
The attackers were not just abusing a user’s existing relationships. They were using a real business email account to send malware to a large outside audience. That gave the message more legitimacy than it would have had if it came from a random address or newly created domain.
The email included a malicious attachment. Based on the behavior and the current threat patterns we are seeing across the industry, the goal appeared to be stealing credentials, browser data, active sessions, or authentication cookies.
That last part matters.
For years, most people understood phishing as a password stealing problem. Someone clicks a fake login page, types in their username and password, and the attacker uses those credentials to sign in. That version still exists, but modern phishing has grown past simple password theft.
Attackers now want the session itself.
A session cookie or authentication token can prove that a user already logged in. If an attacker captures that session, they may be able to access the account without going through the normal sign in process again. Microsoft has reported on adversary in the middle phishing attacks that capture authentication tokens during the sign in process, which can let attackers bypass some forms of MFA.
After our incident, we started seeing the same type of attack coming from other organizations.
Within about three weeks, similar phishing emails began showing up from outside companies. The pattern was familiar: a real company, a real mailbox, a suspicious attachment or link, and signs that the sender’s account had likely been compromised before being used to target everyone else.
At one point, we were receiving up to three of these emails per day.
In more than a decade of IT work, I have never seen that kind of volume from compromised business accounts in such a short window.
The inbox has become the launchpad
The most dangerous part of these attacks is the trust they borrow.
A message from an unknown Gmail address is easy to ignore. A message from a vendor, partner, client, school, nonprofit, medical office, or local business carries a different weight. People recognize the name. They recognize the company. They may even have an active relationship with the sender.
That is exactly what attackers are abusing.
They compromise one mailbox, then use that account to reach everyone connected to it. Some recipients click because the sender looks familiar. A few of those accounts may get compromised next. Then the same cycle repeats from another trusted mailbox.
This is how a single compromised account can turn into a wider phishing chain.
Microsoft’s Q1 2026 email threat reporting gives useful context. Microsoft Threat Intelligence detected about 8.3 billion email based phishing threats during that quarter, with Business Email Compromise activity reaching about 10.7 million attacks.
Those numbers line up with what many IT teams are feeling in the real world. The volume is higher. The messages are cleaner. The senders are harder to dismiss. The attacks move quickly from one organization to another.
Phishing has become easier to buy
One reason this problem has grown so quickly is the rise of phishing as a service.
Phishing as a service gives criminals access to ready made phishing kits, fake login pages, dashboards, hosting tools, templates, and infrastructure. A bad actor no longer needs to build every part of the attack from scratch. They can buy access, configure the kit, and start targeting users.
Microsoft recently reported on Tycoon2FA, a phishing as a service platform that gave attackers adversary in the middle capabilities. These tools helped attackers impersonate services like Microsoft 365, Outlook, SharePoint, OneDrive, and Gmail while capturing session cookies during the login process.
Microsoft and Europol disrupted Tycoon2FA in March 2026 and seized 330 active domains connected to the operation. Microsoft said Tycoon2FA accounted for about 62 percent of all phishing attempts Microsoft blocked by mid 2025, including more than 30 million emails in a single month. The platform was linked to about 96,000 distinct phishing victims worldwide since 2023.
That gives us a clearer picture of what is happening. Many of these campaigns are no longer one off attacks from a person manually sending a few bad emails. They are organized, repeatable, and packaged in a way that lets more criminals participate.
Malware attachments still matter
A lot of security conversations focus on phishing links, but attachments remain a serious problem.
Attackers still use PDF files, HTML files, ZIP files, Word documents, Excel files, and other attachments to deliver malware, redirect users to phishing pages, or trigger credential theft. In Microsoft’s Q1 2026 reporting, malicious payloads accounted for 19 percent of email threats in January, then 13 percent in February and March. Credential phishing remained the main goal behind those payloads.
Some malware families focus heavily on stealing browser data. Microsoft has described Lumma Stealer as malware as a service that can steal data from browsers and applications, including credentials and other sensitive information.
That is why one bad attachment can create a much larger problem than a single infected machine.
An attacker may gain access to saved passwords, browser sessions, email accounts, cloud apps, financial systems, or internal business tools. Once they control an inbox, they can use it to target clients, vendors, employees, and anyone else connected to that business.
The damage spreads because the attacker now has something better than a fake identity.
They have a real one.
What businesses should take from this
The biggest lesson from this wave is simple: email security cannot depend on employees catching every bad message.
Training matters. People should know how to recognize suspicious links, unexpected attachments, strange urgency, and unusual requests. But training alone cannot carry the whole burden.
Modern phishing often comes from real accounts. Some messages have real signatures. Some come from companies the recipient already knows. Some arrive inside active conversations. Some are built with tools that are designed to get around basic security checks.
Businesses need layers.
They need stronger email filtering. They need attachment scanning. They need link protection. They need MFA that can resist phishing better than basic push notifications or text codes. They need conditional access policies. They need alerts for suspicious login behavior. They need endpoint protection that can detect malware before it steals browser data.
They also need a response plan.
When a mailbox gets compromised, the response should move quickly:
Reset the password.
Revoke active sessions.
Review MFA methods.
Remove suspicious inbox rules.
Check forwarding settings.
Review recent sign ins.
Scan the device.
Notify affected contacts when needed.
Review whether the attacker accessed sensitive data.
Strengthen controls before the account goes back into normal use.
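To show what the middle of that checklist looks like in practice (inspect inbox rules, check forwarding, review recent sign ins), here is an added Python triage script that is not part of the original post or any Serian Technologies tooling. It runs over constructed sample data whose field names loosely mirror what an Exchange Online and Entra sign in export would contain; the domain, folder names, keyword list and sign in events are all assumptions made up for the example. It flags the rule patterns attackers typically leave behind (hide or delete messages about invoices or security, forward mail externally, one-character rule names), external mailbox forwarding, and successful sign ins from addresses or countries not seen during a baseline period.

```python
# Mailbox compromise triage over exported data (constructed sample, not real tenant output).
INTERNAL_DOMAIN = "example.test"  # assumption: the organization's own mail domain

# Folders attackers use to hide mail the user would otherwise notice.
SUSPICIOUS_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                      "archive", "junk email", "deleted items"}
# Subject keywords that suggest a rule meant to suppress replies or alerts.
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "password", "hacked", "phishing",
                       "security", "suspicious", "wire"}

# Constructed inbox rules; property names mirror Exchange Online inbox rule output.
INBOX_RULES = [
    {"Name": ".", "Enabled": True, "SubjectContainsWords": ["invoice", "phishing"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True, "DeleteMessage": False, "ForwardTo": []},
    {"Name": "Newsletter cleanup", "Enabled": True, "SubjectContainsWords": ["newsletter"],
     "MoveToFolder": "Reading", "MarkAsRead": False, "DeleteMessage": False, "ForwardTo": []},
    {"Name": "Backup", "Enabled": True, "SubjectContainsWords": [],
     "MoveToFolder": None, "MarkAsRead": False, "DeleteMessage": True,
     "ForwardTo": ["collector@mail-drop.invalid"]},
]
# Constructed mailbox-level forwarding settings.
MAILBOX = {"ForwardingSmtpAddress": "smtp:collector@mail-drop.invalid",
           "DeliverToMailboxAndForward": True}
# Constructed sign-in events: (UTC timestamp, source IP, country, result).
SIGNINS = [
    ("2026-03-01T08:02:00Z", "203.0.113.10", "US", "Success"),
    ("2026-03-02T08:11:00Z", "203.0.113.10", "US", "Success"),
    ("2026-03-21T03:44:00Z", "198.51.100.77", "NG", "Success"),
    ("2026-03-21T03:45:00Z", "198.51.100.77", "NG", "Success"),
    ("2026-03-21T09:00:00Z", "203.0.113.10", "US", "Success"),
]
BASELINE_CUTOFF = "2026-03-15T00:00:00Z"  # sign-ins before this are treated as normal


def is_external(addr: str) -> bool:
    """True when an address (optionally 'smtp:' prefixed) is outside our own domain."""
    addr = addr.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return "@" in addr and not addr.endswith("@" + INTERNAL_DOMAIN)


def review_inbox_rules(rules):
    """Return (rule name, [reasons]) for every rule matching a known hide/forward pattern."""
    findings = []
    for r in rules:
        reasons = []
        if r["DeleteMessage"]:
            reasons.append("deletes matching messages")
        if (r.get("MoveToFolder") or "").lower() in SUSPICIOUS_FOLDERS:
            reasons.append("moves mail to a folder users rarely open: " + r["MoveToFolder"])
        if any(is_external(a) for a in r["ForwardTo"]):
            reasons.append("forwards mail outside the organization")
        hits = {w.lower() for w in r["SubjectContainsWords"]} & SUSPICIOUS_KEYWORDS
        if hits:
            reasons.append("targets sensitive subjects: " + ", ".join(sorted(hits)))
        if len(r["Name"].strip()) <= 1:
            reasons.append("rule name is blank or a single character")
        if reasons:
            findings.append((r["Name"], reasons))
    return findings


def review_forwarding(mailbox) -> bool:
    """True when the mailbox itself forwards to an external address."""
    return is_external(mailbox.get("ForwardingSmtpAddress") or "")


def review_signins(events, cutoff):
    """Flag successful sign-ins after the cutoff from an IP or country absent from the baseline."""
    baseline = [(ip, c) for ts, ip, c, res in events if ts < cutoff and res == "Success"]
    known_ips = {ip for ip, _ in baseline}
    known_countries = {c for _, c in baseline}
    return [(ts, ip, c) for ts, ip, c, res in events
            if ts >= cutoff and res == "Success"
            and (ip not in known_ips or c not in known_countries)]


def triage():
    """Run all three reviews over the constructed sample and return the findings."""
    return {
        "rules": review_inbox_rules(INBOX_RULES),
        "external_forwarding": review_forwarding(MAILBOX),
        "unusual_signins": review_signins(SIGNINS, BASELINE_CUTOFF),
    }


if __name__ == "__main__":
    for section, result in triage().items():
        print(section, "->", result)
```

Every finding here maps to a checklist step: rule findings are what "Remove suspicious inbox rules" acts on, the forwarding flag is "Check forwarding settings", and the sign in list is the input to "Review recent sign ins" and "Revoke active sessions". The keyword and folder lists are deliberately short; a production version would be tuned to the organization's own mail patterns.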
Many businesses reset the password and stop there. That is no longer enough.
If an attacker captured a valid session token, changing the password may not immediately remove their access. Active sessions need to be revoked. Devices need to be checked. Mailbox rules need to be inspected. Connected applications need to be reviewed.
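The reason a password reset alone does not help, which this paragraph and the earlier adversary in the middle discussion both rest on, is easiest to see in code. The following is an added Python example, not code from the original post, modelling a signed session token. The naive check only verifies the signature and expiry, so a token captured at login stays valid after the password changes. The hardened version keeps a per-user "sessions valid after" timestamp that a revocation bumps, which kills every token issued before it. The signing key, user name and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-signing-key"  # constructed; a real service keeps this in a KMS/HSM


def _sign(payload: bytes) -> str:
    return base64.urlsafe_b64encode(hmac.new(SECRET, payload, hashlib.sha256).digest()).decode()


def issue_token(user: str, issued_at: float, ttl: int = 86400) -> str:
    """Issue a signed token carrying subject, issue time and expiry (constructed format)."""
    payload = json.dumps({"sub": user, "iat": issued_at, "exp": issued_at + ttl},
                         sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def _parse(token: str):
    """Return the claims if the signature verifies, else None."""
    body, sig = token.split(".")
    payload = base64.urlsafe_b64decode(body)
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    return json.loads(payload)


def naive_validate(token: str, now: float) -> bool:
    """Signature and expiry only. Nothing here ever learns that the password was reset."""
    claims = _parse(token)
    return claims is not None and claims["exp"] > now


class SessionStore:
    """Hardened check: tokens issued before a user's revocation watermark are rejected."""

    def __init__(self):
        self.valid_after = {}  # user -> timestamp of the last session revocation

    def revoke_sessions(self, user: str, now: float) -> None:
        # Call this from the password-reset path as well as from manual "revoke sessions".
        self.valid_after[user] = now

    def validate(self, token: str, now: float) -> bool:
        claims = _parse(token)
        if claims is None or claims["exp"] <= now:
            return False
        return claims["iat"] >= self.valid_after.get(claims["sub"], 0)


def demo():
    """Walk through: token stolen at login, password reset, then revocation."""
    t0 = 1_700_000_000.0
    user = "alice@example.test"
    stolen = issue_token(user, t0)  # captured by an AiTM proxy during sign in
    store = SessionStore()

    # One hour later the password is reset. The naive check still accepts the stolen token.
    naive_after_reset = naive_validate(stolen, t0 + 3600)

    # Reset wired to revoke sessions: the same token is now rejected, a fresh login works.
    store.revoke_sessions(user, t0 + 3600)
    hardened_after_revoke = store.validate(stolen, t0 + 3601)
    fresh = issue_token(user, t0 + 3700)
    fresh_ok = store.validate(fresh, t0 + 3800)
    return naive_after_reset, hardened_after_revoke, fresh_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The watermark approach is what "revoke active sessions" means operationally: the identity provider records a point in time after which only newly issued tokens count. Until that happens, a token stolen before the reset is indistinguishable from a legitimate one, which is why the checklist treats revocation as a separate step from the password change.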
A fast response can make the difference between one compromised mailbox and a much larger incident.
The business risk is bigger than the technical cleanup
A compromised email account can expose more than messages.
It can expose invoices, client conversations, vendor records, employee information, contracts, payment instructions, internal documents, and login details. It can also put your clients and partners at risk if attackers use your account to send malware or phishing emails to them.
There is also a trust issue.
When a company’s email account sends malicious content to clients, the company has to do more than clean the mailbox. It has to explain what happened, reassure people, and show that it has taken the right steps to prevent another incident.
The FBI continues to identify Business Email Compromise as one of the most financially damaging online crimes. In a 2024 public service announcement, the FBI reported more than 305,000 domestic and international BEC incidents and over $55 billion in exposed losses between October 2013 and December 2023.
That number should get the attention of any business owner.
Phishing is no longer background spam that employees delete between meetings. It is one of the main ways attackers gain access to business systems.
How Serian Technologies helps businesses stay ahead of this
At Serian Technologies, we help businesses strengthen the systems that attackers usually target first: email, identity, devices, cloud accounts, and user access.
For many organizations, the best starting point is a security review. We look at how your email environment is configured, how MFA is enforced, whether users have risky access settings, whether your domain has proper SPF, DKIM, and DMARC records, and whether your business has the right alerts in place for suspicious activity.
We also help with practical response planning.
That means your business knows what to do when something happens. Who disables the account? Who checks the mailbox rules? Who revokes sessions? Who reviews the sign in logs? Who contacts affected users? Who confirms the device is clean?
Those details matter during an incident.
Good security does not mean your business will never see a phishing email. Everyone sees phishing emails now. The real goal is to reduce the chance that one click becomes a full compromise, then reduce the damage if something slips through.
If your organization has been receiving more suspicious emails, strange attachments, compromised vendor messages, or unusual Microsoft 365 sign in alerts, now is the right time to review your defenses.
A compromised inbox can become a launchpad for the next wave of attacks. Contact Serian Technologies today to strengthen your email security before one compromised inbox becomes a bigger problem.