New year, same inbox… except the scams are sharper. While teams are closing the books, changing vendors, onboarding new tools, and resetting passwords, attackers lean into the chaos. The goal isn’t just to trick someone into clicking a link anymore—it’s to steal session tokens, trick users into approving OAuth access, or reroute payments with a single “quick update” email. Microsoft has warned that as organizations adopt stronger MFA, criminals respond with more advanced approaches like token theft.
So let’s treat this as your “January readiness checklist” for phishing: the most effective attack patterns hitting small businesses right now, and what to put in place before everyone comes back from the holidays.
1) MFA-bypass phishing (AiTM / token theft)
The play: A link to a “Microsoft/Google sign-in” page that’s actually a real-time proxy. You log in, you do MFA, and the attacker steals your session cookie/token and walks right in.
Microsoft and government guidance have emphasized the rise of Adversary-in-the-Middle style credential phishing and token theft.
New-year fix:
- Put owners, finance, admins on phishing-resistant MFA (passkeys/FIDO2 security keys where possible).
- Enable Conditional Access (device, geo, risk-based policies) in Microsoft Entra if you’re on M365 tiers that support it.
- Tighten session/token controls where available (reduces the value of a stolen session).
2) “Click Allow” consent phishing (OAuth app abuse)
The play: Instead of stealing a password, attackers get a user to approve a malicious app: “View secure file,” “Teams voicemail,” “SharePoint document,” etc. One approval can grant ongoing access.
Microsoft documents OAuth consent phishing as a common tactic that can create persistent access and be difficult to detect.
New-year fix:
- Require admin approval for third-party app consent.
- Audit enterprise apps and remove anything unfamiliar or over-permissioned.
- Train a simple rule: permissions prompts are “financial approvals,” not “click-to-continue.”
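The first two fixes, as an added example that is not part of the original post: switch off end-user consent so every third-party app request goes through the admin consent workflow, then list the delegated OAuth grants already in the tenant and flag the ones holding mail, file or directory permissions. The reviewer account and the list of "risky" scopes are assumptions you should adjust to your own environment.

```powershell
# Added example, not from the NetConnect post. Part 1 turns off end-user consent to
# third-party apps and routes requests to named reviewers (admin consent workflow).
# Part 2 lists existing delegated OAuth grants and flags high-impact permissions.
# Assumptions: Microsoft Graph PowerShell SDK installed; the reviewer UPN is a placeholder.
$scopes = @("Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest",
            "Application.Read.All", "Directory.Read.All", "User.Read.All")
Connect-MgGraph -Scopes $scopes

# --- Part 1: require admin approval ---
# An empty permissionGrantPoliciesAssigned list means users cannot consent to any app themselves.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ permissionGrantPoliciesAssigned = @() }

$reviewer = Get-MgUser -UserId "secadmin@example.com"   # placeholder reviewer account
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled $true -NotifyReviewers $true `
    -RemindersEnabled $true -RequestDurationInDays 30 `
    -Reviewers @(@{ query = "/users/$($reviewer.Id)"; queryType = "MicrosoftGraph" })

# --- Part 2: audit what has already been granted ---
# Scopes that give an app standing access to mail, files, or the directory (adjust to taste).
$riskyScopes = @("Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                 "Files.ReadWrite.All", "Sites.ReadWrite.All", "Directory.ReadWrite.All", "offline_access")
$spCache  = @{}
$findings = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $grant = $_
    if (-not $spCache.ContainsKey($grant.ClientId)) {
        $spCache[$grant.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
    }
    $sp   = $spCache[$grant.ClientId]
    $hits = ($grant.Scope -split ' ') | Where-Object { $riskyScopes -contains $_ }
    if ($hits) {
        [pscustomobject]@{
            App         = $sp.DisplayName
            AppId       = $sp.AppId
            Publisher   = $sp.PublisherName      # blank or unverified publisher is a flag
            ConsentType = $grant.ConsentType     # AllPrincipals = tenant-wide, Principal = one user
            RiskyScopes = ($hits -join ' ')
            GrantId     = $grant.Id
        }
    }
}
$findings | Sort-Object App | Format-Table -AutoSize
# Revoke a grant for an app you do not recognise:
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId from the table above>
```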
3) QR-code phishing (“quishing”) that slips past filters
The play: The email contains a QR code. The employee scans it with a phone—often outside your protections—and lands on a fake login or payment page.
Proofpoint reported millions of QR code threats in the first half of 2025, and HHS has outlined why quishing is so effective as a social-engineering channel.
New-year fix:
- Policy: No QR scans for login/payment unless verified via a known internal process.
- Pair it with phishing-resistant MFA so even a successful scan doesn’t become an account takeover.
4) Business Email Compromise (BEC): the “new bank details” trap
The play: Attackers impersonate a vendor, executive, law firm, or customer to redirect a payment or change bank details.
Verizon’s 2025 DBIR points to FBI IC3 reporting $6.3B+ transferred in 2024 tied to BEC scams. And the FBI’s Internet Crime Report press release highlights phishing/spoofing as the top category by complaint volume.
New-year fix (process beats tech here):
- A written rule: no payment detail changes via email—ever.
- Require call-back verification to a known number (not the one in the email).
- Dual approval for wires/ACH changes.
5) Invoice/callback phishing: “Call to dispute this charge”
The play: The email looks like an invoice/renewal notice with a phone number. You call. They walk you into installing remote tools or “confirming” access.
Security advisories (including from large orgs like UCSF) warn about invoice-style lures that push victims to call and then install remote access software.
New-year fix:
- Restrict remote access tools to your approved stack only.
- Centralize renewals so random inboxes aren’t making payment decisions.
- Teach staff: billing emails that force a call are red flags.
6) Link-first phishing and “ClickFix” social engineering
The play: Fewer attachments, more URLs—fake document viewers, bogus CAPTCHAs, and “fix your browser” prompts.
Proofpoint’s Human Factor reporting notes URL-based threats are dominant and highlights growth in ClickFix-style campaigns.
New-year fix:
- Turn on advanced link protection in your email platform.
- Remove local admin rights where possible; block risky scripting/installers for standard users.
- Patch relentlessly—Verizon’s SMB data shows vulnerability exploitation is an increasing initial access path.
The NetConnect “New-Year Anti-Phish Stack” (simple, realistic, effective)
If you do nothing else in January, do these five:
- Phishing-resistant MFA for owners/admins/finance
- Conditional Access + sign-in risk controls (where supported)
- Lock down OAuth app consent + audit third-party apps
- Payment verification policy (call-back + dual approval)
- One-click reporting + response playbook aligned to national guidance
Want NetConnect to harden this for you?
We can review your Microsoft 365/Google Workspace configuration, tighten MFA and OAuth permissions, improve email defenses, and set up a clean payment-verification workflow that doesn’t slow your business down.
Call (718) 967-7000 or email info@nctny.com
