Phishing has moved well beyond suspicious emails with bad grammar. AI-powered attacks are now convincing, personalised, and hitting your business through channels most people never thought to distrust — Teams chats, calendar invites, and collaboration tools.
New research from KnowBe4’s Phishing Threat Trends Report paints a clear picture of where the threat landscape is heading: phishing attacks increased by 17.1% in the first half of 2026, and 86% of them are now generated or enhanced using artificial intelligence. The scale and sophistication of what businesses are facing has shifted significantly — and Australian businesses running Microsoft 365 are squarely in the crosshairs.
For years, the standard advice was to look for the telltale signs of a phishing email: poor spelling, a suspicious sender address, a generic greeting. AI has made most of that advice obsolete. Attackers can now generate personalised, grammatically perfect messages at scale — tailored to the recipient, the organisation, and even the tools they use every day.
One of the most significant findings in the report is how far phishing has expanded beyond the inbox. Attackers are now using the same platforms your team relies on for legitimate work — and that’s precisely what makes them so effective.
41% of AI-driven phishing attacks now target Teams — impersonating colleagues, vendors, or IT support in direct messages.
Calendar invite phishing increased 49% — fake meeting links that look like legitimate Outlook or Teams invitations.
Attacks using reverse proxies to intercept and steal Microsoft credentials increased 139% — bypassing MFA in the process.
The reverse proxy technique is particularly concerning. Rather than directing victims to a fake login page, the attacker sits between the user and the real Microsoft login — capturing not just the password, but the authentication session itself. That means standard multi-factor authentication won’t stop it.
Jack Chapman, SVP of Threat Intelligence at KnowBe4: “Cyber criminals are actively broadening the email threat landscape. As businesses rely on tools for real-time collaboration, cyber criminals have added this to their attacks, along with targeting people’s calendars. This attack method targets people and technology together.”
Microsoft 365 is the world’s most widely deployed business productivity platform — and that scale makes it the most valuable target. When attackers successfully harvest a Microsoft credential, they potentially gain access to email, SharePoint, Teams, OneDrive, and any connected third-party applications. A single compromised account can be used to launch further attacks against colleagues, access sensitive files, or impersonate the account holder to authorise financial transactions.
The report also found that finance, legal, and healthcare were the most commonly targeted industries — all sectors where Microsoft 365 is deeply embedded in daily operations, and where the consequences of a breach are most severe.
The good news is that the right controls significantly reduce your exposure. These aren’t complex or expensive measures — but they do need to be in place before an incident, not after.
SMS and email-based MFA are the weakest options — and can be bypassed by reverse proxy attacks. The Microsoft Authenticator app or Windows Hello are the right starting point for most businesses. For environments requiring stronger protection, hardware-based options like FIDO2 keys or YubiKeys provide the highest level of resistance available.
Most security awareness training focuses on email. Your team also needs to know how to spot suspicious Teams messages, unexpected calendar invites with external links, and requests to click or authenticate through unfamiliar channels. If it feels slightly off, it probably is.
Most businesses run Microsoft 365 largely on default settings — which aren’t configured with your specific risk profile in mind. External guest access, Teams federation, and calendar sharing permissions are common areas where exposure creeps in unnoticed. Technicalities can review your environment, identify the gaps, and give you a prioritised set of recommendations. Get in touch to find out what we’d find in yours.
Traditional email filters look for known malicious links and attachments. AI-generated phishing doesn’t rely on either — it relies on convincing language. If you’re running Proofpoint Advanced+, you’re already in good shape — it uses behavioural analysis and machine learning to detect these threats even when there’s nothing technically suspicious in the message. If you don’t yet have advanced email filtering in place, it’s worth a conversation. The emerging gap for everyone, however, is Teams and calendar-based attacks — which is exactly why the controls above matter too.
Technicalities can review your Microsoft 365 configuration, MFA setup, and security awareness training to identify gaps before attackers do.
Get in Touch