M365 Social Engineering Attacks: Why Your Microsoft 365 Security Fails Against Pretexting in Teams
Season 1
Published 4 months, 2 weeks ago
Description
(00:00:00) Microsoft 365 Security Alert
(00:00:06) The Weakness in MFA
(00:00:52) Case File 1: Teams Phishing Inside the Perimeter
(00:02:02) Corrective Doctrine for Teams Security
(00:06:53) Case File 2: Device Code Flow MFA Evasion
(00:08:26) Strengthening Device Code Security
(00:13:37) Case File 3: App Consent Abuse
(00:15:27) Governance of App Permissions
(00:21:03) Case File 4: SharePoint Link Abuse
(00:28:06) Token Theft and Session Replay
In this episode of M365.fm, Mirko Peters dissects how modern social engineering walks straight through your “secure” Microsoft 365 setup — using Teams, device codes, and OAuth consent — and shows how to redesign policies, detections, and user protocol so pretexting fails on impact.
WHAT YOU WILL LEARN
- How attackers weaponize Teams external federation to impersonate IT and harvest MFA approvals
- Why device code flows and “helpful” verification messages bypass everything your users think they know about phishing
- How consent phishing and ungoverned app registrations quietly turn “Sign in with Microsoft” into data exfiltration
- Why your current Conditional Access, Safe Links, and risk policies don’t see the full pretext chain
- How to redesign external access, MFA, and Teams policies so chat cannot be used as an elevation vector
- How to build concrete KQL detections that correlate external DMs, MFA spikes, device code usage, and mailbox/file activity
- How to teach users verification rituals that work under stress instead of vague “be careful” advice
Most Microsoft 365 security programs still think in malware, bad URLs, and brute force. Today’s attackers don’t argue with your controls — they use your own channels, branding, and MFA prompts against you.
Teams, device code, and consent flows are all legitimate; the difference between normal and hostile is ceremony: who can contact whom, which flows are allowed, how risk and identity policies respond, and what users are trained to do in the moment.
This episode argues that social engineering defense in M365 is not a “user awareness” problem but a systems design problem — and that you can design friction that kills pretext attacks before users have to be perfect.
WHY YOUR M365 SECURITY FAILS AGAINST SOCIAL ENGINEERING