Password resets alone won’t protect your Microsoft 365 account
Attackers are using Microsoft 365’s own password reset feature to hijack accounts, even when MFA is switched on. Here’s what North Wales businesses need to.
By The Dragon Digital team
Your password is strong. You change it regularly. So your Microsoft 365 account should be fine, right? Not quite.
A tactic making the rounds right now turns a legitimate security feature, the password reset flow, into a way in. Attackers find your email address and trigger a reset. While that lands on your phone, they ring you pretending to be an IT technician and talk you into approving the multi-factor authentication (MFA) prompt that just appeared. Once approved, they set a new password, remove your MFA protections, and lock you out. By the time you realise, they’re already in your email, OneDrive, and potentially your wider cloud setup.
The reason it works is that nothing in the process looks obviously wrong. The MFA prompt is real. The reset email is real. It’s just the person on the phone who isn’t who they say they are. A staff member gets a genuine notification and a plausible voice pushing them to act quickly. If that person has admin rights or access to finance systems, the damage scales fast: attackers can pull thousands of files, hunt for credentials, and dig in for the long term. This is part of a broader pattern we’ve covered before: social engineering combined with a real MFA moment is one of the more reliable ways into a business account right now.
What to actually do about it
The practical fixes aren’t complicated.
- Require two separate verification steps for password resets, not just one. This makes the real-time phone trick much harder to pull off, because the attacker can’t control both channels simultaneously.
- Train your team on what a real reset looks like. If they get an unexpected MFA prompt and a call from someone claiming to be IT asking them to approve it, that’s not how legitimate resets work. Hang up, and ring your IT contact on a number you already know.
- Set alerts for unusual password reset activity, especially on admin accounts or outside normal working hours. These patterns often surface just before an account takeover moves into data theft.
Password strength is necessary but no longer the whole answer, as the ransomware case involving a single unprotected account shows. The businesses that come out of attempts like this intact are the ones running MFA properly, monitoring for suspicious activity, and whose staff know what a social engineering call sounds like.
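To show what the alerting in the last point can look like in practice, here is an added example (not code from the original post or from Dragon Digital) that scans a handful of constructed audit events for the three signals the article describes: a reset on an admin account, a reset outside working hours, and an MFA method being removed shortly after a reset. The event field names and activity labels are simplified assumptions, not the real Microsoft 365 audit schema.

```python
from datetime import datetime, timedelta

# Constructed sample audit events. Field names and activity labels are simplified
# assumptions for this example, not the real Microsoft 365 / Entra ID audit schema.
SAMPLE_EVENTS = [
    {"time": "2024-05-14T10:05:00", "user": "alice@example.test", "activity": "password_reset"},
    {"time": "2024-05-14T11:00:00", "user": "bob.admin@example.test", "activity": "password_reset"},
    {"time": "2024-05-14T22:40:00", "user": "carol@example.test", "activity": "password_reset"},
    {"time": "2024-05-14T22:52:00", "user": "carol@example.test", "activity": "mfa_method_removed"},
    {"time": "2024-05-15T09:00:00", "user": "dave@example.test", "activity": "mfa_method_removed"},
]

# Accounts treated as privileged (assumed list for the example).
ADMIN_USERS = {"bob.admin@example.test"}


def flag_suspicious_resets(events, admin_users, work_start=8, work_end=18, mfa_window_min=30):
    """Return (user, reason) pairs for password resets that deserve an alert."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["time"])} for e in events),
        key=lambda e: e["ts"],
    )
    alerts = []
    for i, ev in enumerate(parsed):
        if ev["activity"] != "password_reset":
            continue
        user, ts = ev["user"], ev["ts"]
        if user in admin_users:
            alerts.append((user, "password reset on admin account"))
        # Weekend, or outside the [work_start, work_end) hour range.
        if ts.weekday() >= 5 or not (work_start <= ts.hour < work_end):
            alerts.append((user, "password reset outside working hours"))
        # The takeover chain ends with MFA being stripped shortly after the reset,
        # so correlate a later MFA removal on the same account within the window.
        window_end = ts + timedelta(minutes=mfa_window_min)
        for later in parsed[i + 1:]:
            if later["ts"] > window_end:
                break
            if later["user"] == user and later["activity"] == "mfa_method_removed":
                gap = int((later["ts"] - ts).total_seconds() // 60)
                alerts.append((user, f"MFA method removed {gap} min after password reset"))
                break
    return alerts


if __name__ == "__main__":
    for user, reason in flag_suspicious_resets(SAMPLE_EVENTS, ADMIN_USERS):
        print(f"ALERT {user}: {reason}")
```

On the sample data this raises nothing for the in-hours reset on a standard user, one alert for the admin reset, and two for the out-of-hours reset that is followed by an MFA removal twelve minutes later.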
If any of that isn’t in place, it’s worth sorting before it becomes urgent. Dragon Digital sets up MFA, password reset policies, and account monitoring for Microsoft 365 across North Wales, including the alerts that catch this kind of thing before it gets into your files.