Security Alert – High amounts of targeted phishing

Mon, Dec, 2025

High Amounts of Targeted Phishing this week
Be Wary

SECURITY ALERT (9 DECEMBER 2025) ⚠️

Summary

We are currently seeing an unusually high volume of targeted phishing attacks attempting to compromise Microsoft 365 accounts across New Zealand. These attacks are designed to trick users into entering Microsoft credentials into fake sign in pages or opening malicious documents.

The activity was seen yesterday and is continuing today, and the volume appears higher than normal.

What the Attack Looks Like 👀

We are seeing a consistent pattern across multiple organisations:
• A user receives an email asking them to edit or review a document
• The document is presented as ‘pricing.xlsx’ or similar spreadsheet files
• The link takes them to a fake Microsoft 365 sign in page with your company logo present, though the logo may look ‘squished’ or distorted
• If credentials are entered, attackers immediately attempt login
• Attempts are coming mostly from Germany and China

This is a coordinated attack, not random spam.

Why This Matters

Once attackers obtain credentials:
• They attempt to log into Microsoft 365
• They may add a cloud app to the Microsoft 365 tenant, giving them permanent access to an account
• They search through email to impersonate the user
• They try to access company files
• They send additional phishing emails from your account
• In some cases they attempt invoice fraud or financial redirection

This all happens within minutes of credential capture.

What You Should Do 🛡️

We recommend the following:
• Do not sign in to open documents unless you are certain of the source
• If unsure, contact the sender to confirm they actually sent the file
• Treat unexpected document sharing prompts with caution
• Never trust links that redirect you to sign in screens
• If you have accidentally entered your credentials into a suspicious page, contact us immediately

Technical Recommendations 🔧

To help prevent or limit the impact:
• Enable geo blocking to restrict logins from countries you do not operate from
• Ensure multi factor authentication is on for all users
• Use device based conditional access where applicable
• Review login alerts for unusual sign in attempts

We can help you implement these controls if you are unsure of your current setup.
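
One way to act on the last recommendation above, as an added example that is not part of the original alert: a short Python script that triages exported Microsoft Entra sign-in records for logins from outside the countries you operate from. The allowed-country set, the sample records and the function name are assumptions made up for illustration; the field names follow the sign-in log export format.

```python
from collections import defaultdict

# Assumption: countries the organisation operates from (two-letter codes).
ALLOWED_COUNTRIES = {"NZ", "AU"}

# Constructed sample records (not real log data), shaped like sign-in log exports.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "pat@example.co.nz", "createdDateTime": "2025-12-09T01:02:10Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "NZ"},
     "status": {"errorCode": 0}},
    {"userPrincipalName": "pat@example.co.nz", "createdDateTime": "2025-12-09T01:06:45Z",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "DE"},
     "status": {"errorCode": 0}},
    {"userPrincipalName": "sam@example.co.nz", "createdDateTime": "2025-12-09T02:15:00Z",
     "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "CN"},
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "lee@example.co.nz", "createdDateTime": "2025-12-09T03:00:00Z",
     "ipAddress": "203.0.113.20", "location": {"countryOrRegion": "NZ"},
     "status": {"errorCode": 50126}},
]


def triage_signins(signins, allowed=ALLOWED_COUNTRIES):
    """Return {user: finding} for users with sign-ins from outside `allowed`."""
    findings = defaultdict(
        lambda: {"severity": "review", "countries": set(), "events": []})
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        # A missing location is treated as out of region so it still gets reviewed.
        country = (rec.get("location") or {}).get("countryOrRegion") or "unknown"
        if country in allowed:
            continue
        succeeded = (rec.get("status") or {}).get("errorCode") == 0  # 0 = success
        finding = findings[rec["userPrincipalName"]]
        finding["countries"].add(country)
        finding["events"].append(
            (rec["createdDateTime"], rec.get("ipAddress"), succeeded))
        if succeeded:
            # The password worked from an unexpected country: reset credentials,
            # revoke sessions and check the tenant for newly added cloud apps.
            finding["severity"] = "likely-compromised"
    return dict(findings)


if __name__ == "__main__":
    for user, f in triage_signins(SAMPLE_SIGNINS).items():
        print(user, f["severity"], sorted(f["countries"]), len(f["events"]))
```

A "review" result means the attempts failed, which is a good prompt to confirm MFA and geo blocking are doing their job for that user.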

Next Steps

You do not need to take drastic action, but please:
• Be extra vigilant with unexpected file sharing
• Make sure MFA is working correctly
• Contact us if you suspect compromise or unusual login events

Cheers
Ashley