The short answer. Per the Microsoft Security Blog post of May 4, 2026, adversary-in-the-middle (AiTM) phishing kits now routinely defeat SMS, TOTP, and push-notification MFA by proxying the entire sign-in flow and stealing the resulting session token. The only mitigation Microsoft and the FBI both recommend without caveat is phishing-resistant MFA — FIDO2 security keys, Windows Hello for Business, or passkeys — paired with Conditional Access policies that block legacy authentication, require compliant devices for sensitive resources, and shorten session lifetimes. For Hawaii businesses on Microsoft 365, this is now the baseline, not the upgrade.

Published · HI Tech Hui · ~7 min read

What Microsoft actually disclosed

Between April 14 and April 16, 2026, Microsoft Threat Intelligence and the Microsoft Defender Research Team observed a coordinated phishing campaign that delivered AiTM token theft at a scale most Hawaii businesses have not yet planned for. Per the published Microsoft Security Blog write-up:

  • More than 35,000 users across more than 13,000 organizations in 26 countries were targeted in a 72-hour window.
  • 92 percent of targets were in the United States.
  • Top targeted sectors: healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology and software (11%).
  • The lures impersonated internal HR and compliance notices — subject lines such as “Internal case log issued under conduct policy” and PDF attachments such as “Disciplinary Action — Employee Device Handling Case.pdf.”
  • The phishing infrastructure overlapped with multiple phishing-as-a-service kits, including Tycoon 2FA, Kratos (formerly Sneaky 2FA), and EvilTokens.

On May 22, 2026, the FBI issued a public advisory on the Kali365 phishing-as-a-service platform, which is marketed on Telegram and provides AI-generated lures, real-time targeting dashboards, and OAuth token capture out of the box. The combined signal: AiTM is no longer a nation-state technique. It is a commodity offering, priced for the criminal middle market.

Why ordinary MFA fails against AiTM

Most Hawaii businesses we audit treat MFA as a binary — either it is on or it is off. AiTM breaks that model, and the mechanics are worth being precise about because they determine the defense.

In a traditional phishing attack, the fake page collects the username and password and the attacker has to figure out what to do about the second factor. In an AiTM attack, the fake page is a reverse proxy. When the victim enters their password, the proxy forwards it to the real Microsoft sign-in endpoint and gets back the genuine MFA challenge. The victim sees a real MFA prompt, because it is a real MFA prompt, approves it on their phone, and the proxy captures the session cookie and tokens Microsoft issues at the end of the flow. The attacker now holds a valid session that Microsoft created after a genuine MFA claim, and uses it from their own browser. Microsoft sees a normal, MFA-satisfied session; nothing in the sign-in itself looks wrong.

This works against every MFA method that does not bind the authentication to the origin the browser is actually talking to: SMS codes, voice calls, app-generated TOTP codes, and Microsoft Authenticator push approvals, with or without number matching, because the proxy simply relays whatever number the real sign-in page displays. The phishing-resistant methods (FIDO2 security keys, Windows Hello for Business, and passkeys) use public-key cryptography in which the browser, not the page, writes the tab's real origin into the data the authenticator signs, and refuses to use a credential for a relying party that the page's origin is not allowed to claim. If the browser is on the attacker's domain, no assertion for the real sign-in origin is ever produced, and anything signed for the attacker's origin fails verification at Microsoft. There is no code or push to relay.
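To make the origin-binding argument concrete, here is an added example (not code from this page, from Microsoft, or from any FIDO library) that models the three parties in Python: an authenticator, the browser that builds clientDataJSON, and the relying party that verifies the assertion. The relying-party ID login.microsoft.com, the attacker host, and the challenge value are assumed for illustration, and an HMAC over the same bytes a real key would sign stands in for the ECDSA signature so the example runs with no dependencies; the origin and rpIdHash checks are the actual WebAuthn checks.

```python
import hashlib
import hmac
import json
import os

# Assumed relying-party ID and origin for the real sign-in page (illustration only).
RP_ID = "login.microsoft.com"
RP_ORIGIN = "https://" + RP_ID
# Constructed AiTM proxy host: the domain the victim's browser is really talking to.
ATTACKER_HOST = "login-microsoft-secure.example"
ATTACKER_ORIGIN = "https://" + ATTACKER_HOST


class Authenticator:
    """Stand-in for a FIDO2 key. A real key signs authenticatorData || SHA-256(clientDataJSON)
    with a per-credential private key; here an HMAC over the same bytes plays that role,
    so only the relying party holding the matching secret can verify it."""

    def __init__(self):
        self._creds = {}  # rpId -> credential secret (each credential is scoped to one rpId)

    def register(self, rp_id):
        self._creds[rp_id] = os.urandom(32)
        return self._creds[rp_id]  # the RP stores this as the credential's verification key

    def sign(self, rp_id, client_data_hash):
        if rp_id not in self._creds:
            raise LookupError("no credential scoped to " + rp_id)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags (UP)
        return auth_data, hmac.new(self._creds[rp_id], auth_data + client_data_hash, "sha256").digest()


def browser_get_assertion(authn, page_origin, requested_rp_id, challenge):
    """The user agent, not the page, writes the tab's real origin into clientDataJSON and
    refuses if the page's host is neither the rpId nor a subdomain of it."""
    host = page_origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise PermissionError(f"{page_origin} may not use rpId {requested_rp_id}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    auth_data, sig = authn.sign(requested_rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(cred_key, challenge, client_data, auth_data, sig):
    """Relying-party checks from the WebAuthn assertion-verification procedure."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:  # the origin is inside the signed data
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():  # rpIdHash must be ours
        return False
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(expected, sig)


def simulate():
    """Legitimate sign-in, then each option open to the AiTM proxy, scored by the relying party."""
    authn = Authenticator()
    rp_key = authn.register(RP_ID)
    challenge = "Yml0cy1mcm9tLXRoZS1yZWFsLXNlcnZlcg"  # constructed; the real RP issues this
    out = {}

    cd, ad, sig = browser_get_assertion(authn, RP_ORIGIN, RP_ID, challenge)
    out["legitimate"] = rp_verify(rp_key, challenge, cd, ad, sig)

    # 1. Proxy relays the real page verbatim, so the page asks for the real rpId while the
    #    tab sits on the attacker's origin: the browser refuses before the key is touched.
    try:
        browser_get_assertion(authn, ATTACKER_ORIGIN, RP_ID, challenge)
        out["relay_real_rpid"] = "assertion produced"
    except PermissionError:
        out["relay_real_rpid"] = "browser refused"

    # 2. Proxy rewrites rpId to its own host: the browser allows it, but the key holds
    #    no credential scoped to that rpId, so there is nothing to sign with.
    try:
        browser_get_assertion(authn, ATTACKER_ORIGIN, ATTACKER_HOST, challenge)
        out["relay_attacker_rpid"] = "assertion produced"
    except LookupError:
        out["relay_attacker_rpid"] = "no credential for attacker rpId"

    # 3. Worst case (assumed for illustration): the victim once registered a key with the
    #    attacker's site, so an assertion exists. Forwarding it as-is fails on origin;
    #    patching the origin field still fails, because rpIdHash and the hash of
    #    clientDataJSON are both under the signature.
    authn.register(ATTACKER_HOST)
    cd, ad, sig = browser_get_assertion(authn, ATTACKER_ORIGIN, ATTACKER_HOST, challenge)
    out["forwarded_as_is"] = rp_verify(rp_key, challenge, cd, ad, sig)
    patched = json.loads(cd)
    patched["origin"] = RP_ORIGIN
    patched_cd = json.dumps(patched, separators=(",", ":")).encode()
    out["forged_origin"] = rp_verify(rp_key, challenge, patched_cd, ad, sig)
    return out


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name:22} {result}")
```

The point the simulation makes is that the proxy has no move: it cannot make the browser lie about the origin, it cannot make the key sign for a relying party it was never registered with, and it cannot edit the origin afterwards without breaking the signature. Contrast that with a TOTP code or a push approval, which carries no information about where the victim typed or tapped it.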

The defense plan we are running for Hawaii clients

For organizations on HI Tech Hui managed IT services, the response to the April campaign has not been a panic project. It has been an acceleration of the identity hardening roadmap that was already underway. The order of operations matters because each step makes the next one safer to deploy.

1. Roll phishing-resistant MFA to privileged accounts first

Global Administrators, Privileged Role Administrators, Security Administrators, Exchange Administrators, and anyone with delegated admin into client tenants should be on FIDO2 security keys or Windows Hello for Business now. Per Microsoft Entra documentation, the built-in phishing-resistant authentication strength covers FIDO2 security keys and passkeys, Windows Hello for Business, and certificate-based authentication; no other method Microsoft offers qualifies. For executives and finance staff with payment authority, treat them as privileged for this purpose: they are the highest-value AiTM targets.

Practical sequencing: order hardware keys (YubiKey 5 series or equivalent) early because shipping to the islands is slower than vendors quote; register two keys per privileged user so one can live in a safe and one in a wallet; and have each user register a key (a Temporary Access Pass is the standard way to bootstrap first-time enrollment) before any weaker method is relied on for that account.

2. Enforce phishing-resistant MFA via Conditional Access

Having keys issued is not the same as requiring their use. Configure a Conditional Access policy that requires the phishing-resistant MFA authentication strength for: all Global Administrators and other directory role holders; access to the Microsoft Entra admin center, Microsoft 365 admin center, Exchange admin center, and Azure portal; and any application classified as sensitive in your data inventory (finance, HR, legal, clinical).

For the remaining workforce, raise the authentication strength to require Microsoft Authenticator with number matching as a transitional step while FIDO2 enrollment broadens. Be clear with stakeholders about what that buys: number matching stops push-fatigue attacks, not AiTM, because the proxy relays the number to the victim along with everything else. It is a stopgap, not the destination.

3. Block legacy authentication and unused protocols

AiTM is the headline, but legacy authentication still gets accounts compromised every month. Block IMAP, POP3, SMTP AUTH, and other basic-auth protocols at the tenant level with a Conditional Access policy that targets the "Exchange ActiveSync clients" and "Other clients" client app types, and disable SMTP AUTH in Exchange Online unless a specific device or application still needs it. Microsoft has disabled basic authentication by default for new tenants for several years; older tenants frequently still have it enabled somewhere. Audit it on every tenant you manage.

4. Add token protection and risky sign-in detection

Token protection (in preview for some workloads, GA for others as of 2026) cryptographically binds the issued token to the device that requested it, which makes a stolen token replayed from a different machine fail. Combine with Microsoft Entra ID Protection sign-in risk policies that challenge or block atypical travel, anonymous IP, password spray, and token replay signals. For Hawaii-based tenants, an unfamiliar sign-in from a non-Hawaii IP within minutes of a legitimate session is a strong signal — tune for it.

5. Shorten session lifetimes for sensitive applications

Default Microsoft 365 session lifetimes are generous because reauthentication is friction. After an AiTM campaign, friction is the point. Use Conditional Access sign-in frequency controls to require reauthentication every 1–4 hours for admin portals, every 8–12 hours for sensitive line-of-business applications, and on every privileged role activation if Privileged Identity Management is in place.
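Steps 2, 3, and 5 are all Conditional Access policies, and the mistakes that lock a tenant out happen when they are typed by hand. The following is an added example (not HI Tech Hui's tooling and not Microsoft sample code) that builds those policies as Microsoft Graph request bodies for POST /identity/conditionalAccess/policies, lints them for the two classic lock-out errors, and only then submits. The authentication-strength and role-template GUIDs are Microsoft's published built-in values; the break-glass object ID, policy names, and the sensitive-app list are placeholders you replace. It defaults every policy to report-only, matching the week-2 advice in the plan below.

```python
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
REPORT_ONLY = "enabledForReportingButNotEnforced"
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"  # built-in strength ID
ADMIN_PORTALS = "MicrosoftAdminPortals"  # Graph's alias for the admin centers and Azure portal
DIRECTORY_ROLES = {  # built-in role template IDs
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "Privileged Role Administrator": "e8611ab8-c189-46e8-94e1-60213ab1f814",
    "Security Administrator": "194ae4cb-b126-40b2-bd5b-6091b380977d",
    "Exchange Administrator": "29232cdf-9323-42fd-ade2-1d097af3e4de",
}
# Placeholder: object ID of the emergency-access (break-glass) account. Never omit this.
BREAK_GLASS = ["11111111-2222-3333-4444-555555555555"]


def _base(name, users, apps, break_glass, state, client_apps=("all",)):
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "clientAppTypes": list(client_apps),
            "applications": {"includeApplications": list(apps)},
            "users": {**users, "excludeUsers": list(break_glass)},
        },
    }


def require_phishing_resistant_mfa(break_glass=BREAK_GLASS, sensitive_app_ids=(), state=REPORT_ONLY):
    """Step 2 needs two policies because CA conditions AND together: one targets role holders
    on every app, the other targets every user on the admin portals and sensitive apps."""
    roles = _base("CA01 Phishing-resistant MFA: directory roles, all apps",
                  {"includeRoles": list(DIRECTORY_ROLES.values())}, ["All"], break_glass, state)
    portals = _base("CA02 Phishing-resistant MFA: admin portals and sensitive apps",
                    {"includeUsers": ["All"]}, [ADMIN_PORTALS, *sensitive_app_ids], break_glass, state)
    for p in (roles, portals):
        p["grantControls"] = {"operator": "OR", "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}}
    return [roles, portals]


def block_legacy_authentication(break_glass=BREAK_GLASS, state=REPORT_ONLY):
    """Step 3: basic-auth protocols appear as the ActiveSync and 'other' client app types."""
    p = _base("CA03 Block legacy authentication", {"includeUsers": ["All"]}, ["All"],
              break_glass, state, client_apps=("exchangeActiveSync", "other"))
    p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return p


def admin_portal_sign_in_frequency(hours=4, break_glass=BREAK_GLASS, state=REPORT_ONLY):
    """Step 5: force reauthentication on the admin portals every few hours."""
    p = _base(f"CA04 Sign-in frequency {hours}h: admin portals", {"includeUsers": ["All"]},
              [ADMIN_PORTALS], break_glass, state)
    p["sessionControls"] = {"signInFrequency": {
        "isEnabled": True, "type": "hours", "value": hours,
        "frequencyInterval": "timeBased",
        "authenticationType": "primaryAndSecondaryAuthentication"}}
    return p


def lint(policy, break_glass=BREAK_GLASS):
    """Lock-out guards to run before every deployment; returns a list of problems."""
    problems = []
    users = policy["conditions"]["users"]
    if not set(break_glass) <= set(users.get("excludeUsers", [])):
        problems.append("break-glass account is not excluded")
    if policy["state"] == "enabled":
        problems.append("policy would be enforced immediately; deploy report-only first")
    blocks = policy.get("grantControls", {}).get("builtInControls") == ["block"]
    if blocks and "All" in users.get("includeUsers", []) and policy["conditions"]["clientAppTypes"] == ["all"]:
        problems.append("blocks every user on every client type")
    return problems


def all_policies():
    return [*require_phishing_resistant_mfa(), block_legacy_authentication(), admin_portal_sign_in_frequency()]


def create_policy(access_token, policy):
    """POST one policy to Graph (token needs Policy.ReadWrite.ConditionalAccess); refuses if lint fails."""
    problems = lint(policy)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": "Bearer " + access_token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for p in all_policies():
        print(p["displayName"], "->", lint(p) or "ok")
```

Two design points. CA01 and CA02 are split deliberately: a single policy with both a role condition and an admin-portal condition would only protect admins on admin portals, which is the weakest of the three combinations the plan asks for. And flipping a policy from report-only to enabled is a separate, reviewed change after the report-only results have been read, which is why `create_policy` refuses an enabled state from the linter rather than asking.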

6. Turn on Safe Links, Safe Attachments, and zero-hour auto purge

Microsoft Defender for Office 365 Safe Links rewrites URLs at delivery and checks them again at click time, which catches some, not all, AiTM phishing infrastructure; a kit domain registered an hour before the campaign often has no reputation yet. Safe Attachments detonates PDFs and Office documents in a sandbox before delivery. Zero-hour auto purge retroactively removes messages from inboxes after threat intelligence catches up. None of these stop a determined AiTM kit on day one. All of them shrink the window in which a campaign that bypasses your prevention layer can still reach users. Microsoft's recommended settings for EOP and Microsoft Defender for Office 365 are the right configuration baseline.

7. Build detection for token replay and impossible travel

Prevention is the goal. Detection is the safety net. The Cyberuptive SOC watches Microsoft Entra sign-in logs, Defender for Cloud Apps anomaly detections, and Defender XDR alerts for the specific signatures of AiTM follow-on activity: new inbox rules created within an hour of sign-in (forwarding to external addresses, deleting messages with keywords like “invoice” or “wire”), OAuth application consent grants from compromised accounts, mailbox enumeration patterns, and Microsoft Graph API calls from unfamiliar IPs. Each of these is a high-fidelity signal of post-token-theft activity even when the sign-in itself looked clean.
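The follow-on signals listed above are easy to express as code, and doing so shows why they work even when the sign-in looked clean. Here is an added example in Python (not the Cyberuptive SOC's production rules) that runs over a handful of constructed sign-in and Exchange audit events and raises alerts for an inbox rule that forwards externally or deletes finance-keyword mail, for an OAuth consent grant, and for a second live session from an unfamiliar IP minutes after a familiar one. Field names loosely follow Entra sign-in logs and the Exchange admin audit log but are assumptions, not the exact schema; the sample events, users, and IPs are made up for this example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Field names are assumptions for this example.
SIGNINS = [
    {"user": "cfo@example-hawaii.com", "ip": "66.8.0.1", "ts": "2026-04-15T17:02:00Z", "result": "success"},
    {"user": "cfo@example-hawaii.com", "ip": "185.220.101.4", "ts": "2026-04-15T17:09:00Z", "result": "success"},
    {"user": "hr@example-hawaii.com", "ip": "66.8.0.1", "ts": "2026-04-15T16:35:00Z", "result": "success"},
]
AUDIT = [
    {"user": "cfo@example-hawaii.com", "op": "New-InboxRule", "ip": "185.220.101.4", "ts": "2026-04-15T17:21:00Z",
     "params": {"ForwardTo": "archive@mail-relay-service.example", "DeleteMessage": True,
                "SubjectContainsWords": ["invoice", "wire", "payment"]}},
    {"user": "cfo@example-hawaii.com", "op": "Consent to application.", "ip": "185.220.101.4",
     "ts": "2026-04-15T17:30:00Z", "params": {"AppDisplayName": "Mail Sync Helper", "ConsentType": "Principal"}},
    {"user": "hr@example-hawaii.com", "op": "New-InboxRule", "ip": "66.8.0.1", "ts": "2026-04-15T16:40:00Z",
     "params": {"MoveToFolder": "Newsletters", "SubjectContainsWords": ["digest"]}},
]
KNOWN_IPS = {"cfo@example-hawaii.com": {"66.8.0.1"}, "hr@example-hawaii.com": {"66.8.0.1"}}
FINANCE_WORDS = {"invoice", "wire", "payment", "ach", "remittance"}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def classify(event):
    """Name the post-token-theft action an audit event represents, or None if it is benign."""
    p, op = event["params"], event["op"]
    if op in ("New-InboxRule", "Set-InboxRule"):
        own_domain = event["user"].split("@", 1)[1].lower()
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            target = p.get(key)
            if target and not target.lower().endswith("@" + own_domain):
                return f"inbox rule forwards mail externally to {target}"
        words = {w.lower() for w in p.get("SubjectContainsWords", [])}
        if p.get("DeleteMessage") and words & FINANCE_WORDS:
            return "inbox rule deletes finance-keyword mail: " + ", ".join(sorted(words & FINANCE_WORDS))
    if op == "Consent to application.":
        return "OAuth consent granted to " + p.get("AppDisplayName", "<unknown app>")
    return None


def aitm_followon_alerts(signins, audit, known_ips, window=timedelta(hours=1)):
    """Flag classified actions that follow a sign-in from an unfamiliar IP within the window,
    or that themselves come from an unfamiliar IP."""
    alerts = []
    for ev in audit:
        reason = classify(ev)
        if reason is None:
            continue
        t, familiar = _ts(ev["ts"]), known_ips.get(ev["user"], set())
        recent = [s for s in signins if s["user"] == ev["user"] and s["result"] == "success"
                  and timedelta(0) <= t - _ts(s["ts"]) <= window]
        unfamiliar_signin = [s for s in recent if s["ip"] not in familiar]
        if not unfamiliar_signin and ev["ip"] in familiar:
            continue  # a known IP doing an odd thing is a ticket, not an AiTM alert
        latest = max(recent, key=lambda s: _ts(s["ts"]), default=None)
        alerts.append({
            "user": ev["user"], "op": ev["op"], "reason": reason, "source_ip": ev["ip"],
            "minutes_after_signin": int((t - _ts(latest["ts"])).total_seconds() // 60) if latest else None,
        })
    return alerts


def concurrent_session_alerts(signins, known_ips, gap=timedelta(minutes=15)):
    """A second successful sign-in from an unfamiliar IP minutes after a familiar one is the
    shape a relayed AiTM session takes: the victim and the attacker both hold live sessions."""
    alerts = []
    by_user = {}
    for s in sorted(signins, key=lambda s: _ts(s["ts"])):
        if s["result"] == "success":
            by_user.setdefault(s["user"], []).append(s)
    for user, events in by_user.items():
        familiar = known_ips.get(user, set())
        for earlier, later in zip(events, events[1:]):
            delta = _ts(later["ts"]) - _ts(earlier["ts"])
            if earlier["ip"] in familiar and later["ip"] not in familiar and delta <= gap:
                alerts.append({"user": user, "known_ip": earlier["ip"], "new_ip": later["ip"],
                               "minutes": int(delta.total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for a in concurrent_session_alerts(SIGNINS, KNOWN_IPS) + aitm_followon_alerts(SIGNINS, AUDIT, KNOWN_IPS):
        print(a)
```

The HR rule that files newsletters never fires, which matters: inbox-rule creation on its own is noisy, and the fidelity comes from pairing the rule's content (external forward, finance keywords plus delete) with the sign-in context around it. In production the known-IP set comes from the user's sign-in history rather than a hard-coded dictionary, and the window is tuned per tenant.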

What this means for Hawaii’s targeted sectors

The Microsoft data on industry targeting is not abstract for Hawaii. Healthcare, financial services, and professional services together accounted for nearly half of the campaign’s targets. Three implications:

  • Hawaii healthcare and clinics: Compromise of an authenticated Microsoft 365 session is, by default, access to protected health information in Outlook, OneDrive, and Teams. Token theft against a single clinic owner can be a reportable HIPAA breach without any malware payload involved. Phishing-resistant MFA on every account with PHI access is the defensible baseline.
  • Hawaii finance and professional services: The dominant AiTM follow-on action we observe is wire fraud setup — inbox rules that intercept incoming payment instructions, look-alike domain reply chains, and authorized push payment attempts. These do not need malware to succeed. Stopping them requires stopping the token theft.
  • Hawaii law firms: The combination of a compromised partner mailbox, an active matter, and a real wire instruction in flight is the highest-loss scenario we plan against. The defense is the same as for the broader market, with sharper urgency: FIDO2 on every partner, conditional access on every administrator, and SOC detection on every inbox-rule change.

The 30-day plan

For a small or mid-sized Hawaii business that has not already done this work, a realistic 30-day plan looks like this:

  • Week 1. Inventory privileged accounts. Order FIDO2 keys (two per privileged user). Confirm Microsoft Entra ID P1 or P2 licensing for the users who will receive Conditional Access policies; for most Hawaii SMBs, this is already included in Microsoft 365 Business Premium.
  • Week 2. Enroll keys for the global admin tier. Stand up the Conditional Access policy that requires phishing-resistant MFA for directory roles and admin portals. Test in report-only mode before enabling.
  • Week 3. Block legacy authentication tenant-wide. Tighten session lifetimes for admin portals and sensitive apps. Enable token protection where supported. Configure Microsoft Defender for Office 365 to Microsoft’s recommended Standard or Strict preset.
  • Week 4. Expand FIDO2 enrollment to executives, finance, HR, and anyone with payment authority. Confirm SOC detection rules are firing in test for new inbox rules, OAuth consent grants, and anomalous sign-ins. Run a phishing simulation against a small ring before broader rollout.

None of this is novel work. All of it is the work most Hawaii businesses keep deferring because MFA being “on” felt like enough. After April 2026, it is not.

What this looks like with HI Tech Hui

For organizations on HI Tech Hui managed IT services, this entire plan is part of the standard identity hardening program: privileged account inventory, FIDO2 procurement and enrollment, Conditional Access design and report-only testing, token protection rollout, and ongoing detection through the Cyberuptive 24/7 SOC. We do the same work for Microsoft 365 tenants we did not build, starting with an identity posture review. If you are not certain whether your tenant would survive an AiTM campaign aimed at a single executive, the first step is the review, not the keys.

Need a phishing-resistant MFA and Conditional Access rollout for a Hawaii business before the next AiTM wave? HI Tech Hui’s managed IT services team handles identity posture reviews, FIDO2 procurement and enrollment, Conditional Access design, and 24/7 detection through our SOC. Get in touch.
