
EPISODE · Dec 4, 2025 · 43 MIN

M365 Social Engineering Attacks: Why Your Microsoft 365 Security Fails Against Pretexting in Teams

from M365.FM - Modern work, security, and productivity with Microsoft 365 · host Mirko Peters - Founder of m365.fm, m365.show and m365con.net

CHAPTERS
(00:00:00) Microsoft 365 Security Alert
(00:00:06) The Weakness in MFA
(00:00:52) Case File 1: Teams Phishing Inside the Perimeter
(00:02:02) Corrective Doctrine for Teams Security
(00:06:53) Case File 2: Device Code Flow MFA Evasion
(00:08:26) Strengthening Device Code Security
(00:13:37) Case File 3: App Consent Abuse
(00:15:27) Governance of App Permissions
(00:21:03) Case File 4: SharePoint Link Abuse
(00:28:06) Token Theft and Session Replay

In this episode of M365.fm, Mirko Peters dissects how modern social engineering walks straight through your “secure” Microsoft 365 setup — using Teams, device codes, and OAuth consent — and shows how to redesign policies, detections, and user protocol so pretexting fails on impact.

WHAT YOU WILL LEARN
- How attackers weaponize Teams external federation to impersonate IT and harvest MFA approvals
- Why device code flows and “helpful” verification messages bypass everything your users think they know about phishing
- How consent phishing and ungoverned app registrations quietly turn “Sign in with Microsoft” into data exfiltration
- Why your current Conditional Access, Safe Links, and risk policies don’t see the full pretext chain
- How to redesign external access, MFA, and Teams policies so chat cannot be used as an elevation vector
- How to build concrete KQL detections that correlate external DMs, MFA spikes, device code usage, and mailbox/file activity
- How to teach users verification rituals that work under stress instead of vague “be careful” advice

THE CORE INSIGHT
Most Microsoft 365 security programs still think in malware, bad URLs, and brute force. Today’s attackers don’t argue with your controls — they use your own channels, branding, and MFA prompts against you. Teams, device code, and consent flows are all legitimate; the difference between normal and hostile is ceremony: who can contact whom, which flows are allowed, how risk and identity policies respond, and what users are trained to do in the moment. This episode argues that social engineering defense in M365 is not a “user awareness” problem but a systems design problem — and that you can design friction that kills pretext attacks before users have to be perfect.

WHY YOUR M365 SECURITY FAILS AGAINST SOCIAL ENGINEERING
- Teams external access is “on by habit,” so any tenant can DM any user with an “IT Support” avatar
- MFA fatigue is possible because there is no hard rule that “support never asks you to approve a prompt”
- Device code flows are allowed everywhere, with no dedicated policies, detections, or user guidance
- OAuth consent is under‑governed: users and even admins can grant high‑risk permissions to unverified apps
- Identity risk, collaboration channels, and data activity are monitored separately, so the attack chain never appears as one incident

WHAT YOU’LL TAKE AWAY IN PRACTICE
- Concrete Teams external federation and Safe Links settings that cut off unsolicited pretext DMs
- Conditional Access designs that treat Teams and device code flows as elevation vectors, not “just apps”
- Detection patterns that correlate chat, MFA bursts, deviceAuth endpoints, and mailbox/SharePoint changes
- A verification ritual (phrases, call‑back channels, “never read codes in chat”) that users can actually follow under pressure
- Governance patterns for verified publishers, app consent, and named locations that shrink the social engineering surface

WHO THIS EPISODE IS FOR
This episode is essential for Microsoft 365 security engineers, identity architects, SOC analysts, and IT leaders responsible for user protection in cloud collaboration. If you’ve already rolled out MFA, Conditional Access, and Defender, but still worry that one good pretext in Teams or one device code prompt could undo it all, this conversation will give you an end‑to‑end blueprint to fix that.

ABOUT THE HOST
Mirko Peters is a Microsoft 365 consultant and digital workplace architect focused on building social‑engineering‑resistant security architectures on the Microsoft cloud. Through M365.fm, Mirko shares real incident patterns, governance models, and detection strategies that help organizations close the gap between “Zero Trust on slides” and how attacks actually unfold in Microsoft 365.

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.
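One detection of the kind the show notes call for, added here as an example and not taken from the episode: a Microsoft Sentinel KQL query that correlates successful device code flow sign-ins with inbox rule or mailbox permission changes made by the same user shortly afterwards. It assumes the standard SigninLogs and OfficeActivity tables; the 2-hour window and the list of mailbox operations are assumptions to tune for your tenant.

```kql
// Added example (not from the episode). Assumes the Sentinel SigninLogs and
// OfficeActivity tables with their standard column names.
let lookback = 7d;
let window = 2h;                       // assumed: how soon after sign-in to look
// Step 1: successful sign-ins that used the OAuth device code flow.
let deviceCodeSignins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where AuthenticationProtocol == "deviceCode"
    | where ResultType == "0"          // "0" = sign-in succeeded
    | project SigninTime = TimeGenerated,
              UserPrincipalName = tolower(UserPrincipalName),
              IPAddress, AppDisplayName, Location, UserAgent;
// Step 2: mailbox changes that typically follow a stolen session
// (persistence via inbox rules, delegated access). Operation list is assumed.
let mailboxChanges =
    OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload == "Exchange"
    | where Operation in ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
                          "Set-Mailbox", "Add-MailboxPermission")
    | project ChangeTime = TimeGenerated,
              UserPrincipalName = tolower(UserId),
              Operation, ClientIP;
// Step 3: join on the user and keep only changes inside the window after the
// device code sign-in, so the identity event and the data event show up as
// one incident instead of two unrelated alerts.
deviceCodeSignins
| join kind=inner mailboxChanges on UserPrincipalName
| where ChangeTime between (SigninTime .. (SigninTime + window))
| summarize ChangeCount = count(),
            Operations = make_set(Operation),
            SigninIPs = make_set(IPAddress),
            ChangeIPs = make_set(ClientIP)
          by UserPrincipalName, SigninTime, AppDisplayName, Location, UserAgent
| order by SigninTime desc
```

A mismatch between SigninIPs and ChangeIPs, or an AppDisplayName that is not one of your sanctioned device code clients, is the signal to triage first.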

