Your phone rings. It's "IT support." They're friendly, professional, and they know your name. They explain that the company is updating MFA settings and they need your help to complete the process. All you have to do is visit a link and enter your credentials.

It's a scam. A really good one. And it's hitting businesses right now.

Active threat alert: A sophisticated threat group tracked as SLSH has been running coordinated phone phishing campaigns since early January 2026 — specifically impersonating IT staff to steal Microsoft 365 credentials and MFA codes. According to Google's security forensics firm Mandiant, the attacks are ongoing and effective.

Here's Exactly How It Works

The attackers aren't guessing. They research their targets. They know company names, employee names, and enough internal-sounding details to seem completely legitimate. Here's the playbook they're running:

  1. They call an employee — often someone in operations, finance, or admin — claiming to be from IT support.
  2. They explain that the company is rolling out updated MFA settings and the employee needs to re-verify their account.
  3. They direct the employee to a fake login page that looks exactly like your Microsoft 365 sign-in.
  4. The employee enters their credentials and MFA code — which the attacker captures in real time and uses immediately.
  5. The attacker registers their own device for MFA, locking out the real user and giving themselves persistent access.

From that single call, they now have full access to email, files, Teams, SharePoint — everything. And they typically use that access to steal data, move laterally through the network, or launch follow-on attacks.
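Step 5 of the playbook leaves a footprint defenders can look for: a new MFA method is registered minutes after a sign-in from an IP address the account has never used. The following detection is an added example, not part of the original post or any vendor's tooling; it runs over constructed, simplified sign-in and MFA-registration records (not Microsoft's real audit log schema) and flags the victim's account while leaving a routine re-enrollment from a known address alone.

```python
"""Flag MFA-method registrations that closely follow a sign-in from a
first-seen IP address: the persistence step of the IT-support vishing
playbook.  All records below are constructed sample data in a simplified
format, not any product's actual audit schema."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # how soon after a novel sign-in an MFA add is suspicious

# Constructed sample events (hypothetical users and RFC 5737 test addresses).
SAMPLE_EVENTS = [
    {"ts": "2026-01-12T08:02:11Z", "user": "a.lopez", "type": "signin",
     "ip": "203.0.113.10", "result": "success"},
    {"ts": "2026-01-12T08:05:40Z", "user": "a.lopez", "type": "signin",
     "ip": "203.0.113.10", "result": "success"},
    # finance user signs in from the office, then "re-verifies" on the fake page:
    # a second sign-in from an address never seen for this account, followed
    # two minutes later by a new authenticator app.
    {"ts": "2026-01-12T10:31:05Z", "user": "j.chen", "type": "signin",
     "ip": "203.0.113.10", "result": "success"},
    {"ts": "2026-01-12T10:32:47Z", "user": "j.chen", "type": "signin",
     "ip": "198.51.100.77", "result": "success"},
    {"ts": "2026-01-12T10:34:12Z", "user": "j.chen", "type": "mfa_method_added",
     "ip": "198.51.100.77", "method": "Authenticator app"},
    # routine: a phone re-enrolled from the user's usual address, hours after
    # the only novel sign-in -> outside the window, not flagged.
    {"ts": "2026-01-12T11:00:00Z", "user": "a.lopez", "type": "mfa_method_added",
     "ip": "203.0.113.10", "method": "Phone"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_mfa_registrations(events, window=WINDOW, baseline_ips=None):
    """Return one alert per MFA-method addition that occurs within `window`
    of a successful sign-in from an IP the account had not used before.

    baseline_ips: optional {user: set_of_ips} seeded from historical sign-ins,
    so the first event in a batch is not treated as novel for every account.
    """
    known_ips = {u: set(ips) for u, ips in (baseline_ips or {}).items()}
    novel_signins = {}  # user -> [(timestamp, ip)] sign-ins from first-seen IPs
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts, ip = ev["user"], parse_ts(ev["ts"]), ev["ip"]
        seen = known_ips.setdefault(user, set())
        if ev["type"] == "signin" and ev.get("result") == "success":
            if ip not in seen:
                novel_signins.setdefault(user, []).append((ts, ip))
                seen.add(ip)  # later sign-ins from this IP are no longer novel
        elif ev["type"] == "mfa_method_added":
            recent = [(t, i) for t, i in novel_signins.get(user, [])
                      if timedelta(0) <= ts - t <= window]
            if recent:
                signin_ts, signin_ip = max(recent)  # most recent novel sign-in
                alerts.append({
                    "user": user,
                    "method": ev.get("method"),
                    "registered_at": ev["ts"],
                    "novel_signin_ip": signin_ip,
                    "minutes_since_novel_signin":
                        round((ts - signin_ts).total_seconds() / 60, 1),
                    # registration from the same new IP is the strongest signal
                    "same_ip_as_registration": signin_ip == ip,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_mfa_registrations(SAMPLE_EVENTS):
        print(alert)
```

In production the baseline would be seeded from several weeks of sign-in history so that ordinary users are not "novel" on day one, and the rule should be paired with a response step: disable the newly added method and re-verify the user over a channel the attacker cannot control. Expect legitimate hits from onboarding and device replacement; the point is to review every one quickly, because the attacker uses the access immediately.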

Why It's So Effective

Email phishing has gotten easier to spot. People have been trained to look for sketchy links and bad grammar. So attackers adapted. Voice phishing (vishing) is harder to evaluate in the moment because it's a live conversation. There's social pressure. The caller sounds confident. They have just enough information to seem credible. And most employees haven't been specifically trained for this scenario.

Important: Legitimate IT departments — including Konkord IT — will never call you out of the blue and ask you to enter your credentials or MFA code on a website. If that happens, hang up and call IT directly using a number you already have on file.

What to Tell Your Team — Word for Word

You don't need a 40-slide security training for this one. Just make sure every person in your organization knows this:

Share this with your team

"If anyone calls you claiming to be from IT — whether internal or external — and asks you to visit a link and enter your login credentials or MFA code, do not do it. Hang up. Then call IT directly using a number you already have saved. Real IT support does not work this way. This is a scam that is actively targeting businesses right now."

Five Things to Do This Week

The Bigger Picture

This campaign is a reminder that the weakest point in most security setups isn't the firewall or the antivirus. It's the moment a real person makes a decision under pressure. Technical controls matter enormously — but they have to be paired with employees who know what to do when something doesn't feel right.

Training doesn't have to be painful or expensive. It just has to happen — and it has to be specific enough that people actually recognize the threat when they encounter it, not just nod along to a generic "be careful about phishing" reminder.

Want to Know if Your Team is Ready?

We run phishing simulations and security awareness training that prepares your people for exactly this kind of attack — before attackers get the chance to try it for real.

Talk to Us About Security Training