
Phishing and MFA exploitation: Targeting the keys to the kingdom

Cisco Talos analyzes 2025 phishing and identity attacks, highlighting a shift from generic spam to workflow-themed lures (IT, travel, expense, and logistics messages) designed to capture credentials, payment data, and MFA tokens through fake SSO pages. The most concrete technique discussed is abuse of Microsoft 365 Direct Send, which lets devices such as printers and scanners relay mail into a tenant; because such messages carry an internal sender address, they both lower recipient suspicion and sidestep filtering rules that assume external mail arrives with an external sender. The report also breaks out two major MFA attack patterns: spray attacks against predictable IAM environments, and device-registration compromise driven largely by voice phishing that tricks administrators into enrolling attacker-controlled devices. Talos notes that a successful compromise can yield SSO tokens and let attackers alter user roles, credentials, or MFA policies, which makes this a useful defensive write-up on how trust in internal mail and enrollment workflows is being exploited in practice.
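The Direct Send abuse described above leaves a recognisable pattern in Exchange message-trace data: a message with an internal sender domain that arrived from a source the tenant never authorised and that matched no inbound connector. The Python below is an added example, not code from Talos or Microsoft; the domain, the authorised relay range, the field names and the trace records are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed tenant facts (constructed): the org's own mail domain and the
# address range its printers/scanners and on-prem relay legitimately use.
INTERNAL_DOMAINS = {"example.com"}
AUTHORIZED_RELAY_NETS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class TraceRecord:
    """Simplified message-trace row; field names are this example's own."""
    message_id: str
    sender: str
    recipient: str
    source_ip: str
    spf: str                    # "pass", "fail", "softfail" or "none"
    connector: Optional[str]    # inbound connector that matched, if any


def is_internal_sender(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS


def is_authorized_source(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORIZED_RELAY_NETS)


def flag_direct_send_abuse(records: List[TraceRecord]) -> List[Tuple[str, str]]:
    """Return (message_id, reason) for mail that claims an internal sender
    but came from an unauthorised source through no known connector."""
    hits = []
    for r in records:
        if not is_internal_sender(r.sender):
            continue                      # external senders are out of scope
        if is_authorized_source(r.source_ip) or r.connector is not None:
            continue                      # expected device/relay traffic
        hits.append((r.message_id,
                     f"internal sender {r.sender} from {r.source_ip}, "
                     f"no connector, SPF={r.spf}"))
    return hits


SAMPLE = [  # constructed trace rows
    TraceRecord("M1", "printer@example.com", "alice@example.com", "203.0.113.10", "pass", "OnPrem-Devices"),
    TraceRecord("M2", "it-support@example.com", "alice@example.com", "198.51.100.77", "fail", None),
    TraceRecord("M3", "bob@partner.example", "alice@example.com", "198.51.100.5", "pass", None),
    TraceRecord("M4", "scanner@example.com", "bob@example.com", "203.0.113.22", "softfail", None),
]
```

Run `flag_direct_send_abuse(SAMPLE)` to see only M2 reported; M4 passes because its source sits in the authorised relay range even though SPF was soft-failed.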


This post is licensed under CC BY 4.0 by the author.