Your accountant just transferred €38 million to fraudsters.
And technically, he didn't make any mistakes.
Cyberattacks that bypass your defenses and how French SMEs can protect themselves.
December 2021. The accountant of a Parisian real estate developer receives a call. On the other end of the line is a man who introduces himself as a lawyer from law firm X. He explains that a confidential buyout is underway, that the president has given his approval, and that they must act quickly. A few minutes later, an email arrives, apparently sent by the CEO himself, confirming the transaction.
The accountant does what he is asked to do. In a few weeks, he makes 45 transfers. Total: €38 million. To accounts in Hungary, Portugal, and Croatia. The money disappears before anyone realizes it's a scam.
This story is about Sefri-Cime, a real estate developer. Eight people have been arrested since (including two in Israel), but only 3.9 million has been recovered. The accountant? Cleared by investigators. He simply trusted what appeared to be a legitimate request from his superiors.
This scenario could happen tomorrow in your company. Here's why and how to protect yourself.
The problem: your defenses are looking in the wrong place
For ten years, we have been training employees to spot phishing emails. Spelling mistakes, suspicious links, dubious attachments. And it works: according to Microsoft, Defender now blocks 99.995% of email threats.
The problem is that attackers have changed their strategy. They no longer send emails riddled with malicious links. They send perfectly clean emails, just text, a polite request, a professional tone. Or they call directly. Or they send a text message. Or they leave an iPhone cable "forgotten" in your meeting room.
These attacks do not trigger any technical alerts. They exploit the only vulnerability that your tools cannot fix: human trust.
In France, over the last five years: €485 million in reported losses from CEO fraud alone. 2,300 complaints filed. And these are only the reported cases; most companies prefer not to disclose such incidents.
Source: IRSM, Regional Public Finance Directorates
"President fraud": the attack that doesn't look like an attack
It is known as BEC (Business Email Compromise) in industry jargon, or "CEO fraud" or "FOVI" in France. The principle is extremely simple: impersonate someone trustworthy, such as a manager, lawyer, or supplier, and request an urgent transfer.
What makes this attack so effective is that it contains no technically malicious elements. No malicious links. No infected attachments. No malware. Just an email that says, "Please make this transfer urgently, it's confidential."
Your spam filters? They don't see anything unusual. Your antivirus? Nothing to scan. Your firewall? No need—there's no network intrusion.
Four French cases that could have been your company
Pathé, March 2018 — €19.2 million
The Dutch subsidiary of the French cinema group receives emails from "head office in Paris" requesting funds for an acquisition in Dubai. The CFO and local managing director make the transfers. When the fraud is discovered, they are fired. They then take Pathé to the labor court and win: they had no way of knowing that the emails were fake.
Agri-food company in Finistère, May 2024 — €65,000
An accounting assistant receives an email "from the president" requesting an urgent transfer. The attached document is described as "crude" by investigators. She transfers the money anyway. The Finistère gendarmerie recorded ten similar cases in 2023, four in the first half of 2024 in this department alone.
Saône-et-Loire department, 2023 — $350,000
Even public authorities are falling into the trap. The Regional Public Finance Directorate has since sent alerts to all retirement homes and nursing homes in France, which are prime targets because their control procedures are often less stringent.
Metallurgy company in Haute-Marne, December 2021 — €300,000
The investigation will reveal that it was the same network of fraudsters that targeted Sefri-Cime that same month. A call from Israel, a spoofed email, a transfer to Hungary. Same modus operandi, same professionalism.
When the phone becomes a weapon: vishing and voice deepfakes
Your phone rings. The number displayed is your bank's number, which you recognize as the same as the one on your card. On the other end of the line is someone who knows your name, your account number, and your latest transactions. They explain that fraud is in progress and that you need to "secure" your account immediately.
The technique is called spoofing: the scammer falsifies the caller ID so that your bank's phone number is displayed. According to the Payment Security Observatory, these "manipulation frauds" cost French citizens €379 million in 2023.
The ruling that changes everything: Court of Cassation, October 23, 2024
A BNP Paribas customer had €54,500 stolen by a fake bank advisor. The bank refused to reimburse the customer, arguing that he had been "negligent." The case went all the way to the Court of Cassation.
Verdict: the bank must reimburse the victim. The judges ruled that "the method used—using a phone number identical to that of the bank advisor—was likely to gain the victim's trust."
Since October 1, 2024, French telecom operators have been required to authenticate landline numbers (MAN mechanism). However, mobile calls are not yet covered.
AI can now clone voices in seconds
2019. The British director of a subsidiary of a German energy group receives a call from his CEO. The voice is perfectly recognizable, with the German accent, tone, and usual turns of phrase. The CEO requests an urgent transfer of €220,000.
It wasn't his boss on the phone, but a synthetic voice generated by artificial intelligence. This was the first documented case of "deepfake voice" fraud. Since then, the technology has become widely available: all it takes is a few seconds of recording, a LinkedIn video, or a voice message to clone a voice.
CrowdStrike reports a 442% increase in vishing attacks between the first and second half of 2024.
💡 Practical countermeasure: establish a "code word" known only to the management team. Any urgent request made by phone must include this word; otherwise, hang up and call back using the usual number.
Tricky QR codes: when the danger comes from HR
June 2024. Several employees at Sophos, a cybersecurity company, receive an email about their "2024 retirement plan." The message contains a PDF with a QR code to scan "to confirm their information." The email appears to be from a colleague, the tone is professional, and the document expires in 24 hours.
An employee scans the code with their personal phone. The clone site asks for their Microsoft 365 credentials. They enter them. The attacker instantly retrieves the MFA token and attempts to access Sophos' internal systems. Only the company's additional protections prevented the intrusion.
Even a cybersecurity company got caught out. The problem: no one had trained the teams to be wary of a QR code in an internal PDF.
Why quishing is booming in the workplace
According to Recorded Future, executives are 42 times more likely to be targeted by QR code attacks than other employees. Barracuda detected more than 500,000 phishing emails with QR codes in PDFs over a three-month period (June-September 2024). And 90% of these attacks are aimed at stealing Microsoft or Google credentials.
What makes these attacks so dangerous:
• The QR code moves the attack to the personal smartphone outside the company's security perimeter.
• Email filters cannot analyze QR codes in images/PDFs (Microsoft Defender has been able to do this since late 2024, but only for emails).
• On mobile devices, the full URL is not visible, making it impossible to identify a fraudulent domain.
• The HR/payroll excuse works every time: everyone opens an email about their "retirement plan" or "employee benefits."
The most common scenarios
• Fake DocuSign/Adobe Sign: "Sign this document to validate your contract." The QR code leads to a fake Microsoft login page.
• MFA notification: "Your two-factor authentication is expiring, scan to renew it."
• Urgent HR document: update of bank details, vacation balance, employee benefits
• Fake invoice/purchase order: "Approve this supplier payment"
⚠️ For your company: train your teams to NEVER scan a professional QR code with their personal phone. If a document requires action, it must go through the usual channels (HR portal, verified direct link).
The iPhone cable "forgotten" in your meeting room
Imagine this: you're traveling, your phone is almost dead, and you find a charging cable on the table in the meeting room. You plug it in. What you don't know is that this cable contains an invisible microcomputer capable of recording everything you type, injecting commands, and transmitting your data to an attacker located up to 2 kilometers away.
This cable exists. It's called the O.MG Cable. It looks like a standard Apple or USB-C cable, same size, same weight, same finish. The difference: a processor, a WiFi antenna, and a Linux operating system are built into the connector, invisible to the naked eye.
What a booby-trapped cable can do
• Keylogger: records all your keystrokes, passwords, emails, and confidential documents
• Command injection: executes scripts on your computer as if someone were physically typing on the keyboard
• Remote access: creates an invisible WiFi hotspot allowing the attacker to connect at any time
• Covering tracks: can remotely delete all evidence of its presence
• Works on everything: Windows, macOS, Linux, iOS, Android
The most worrying thing is that no antivirus software detects it. The cable acts at the hardware level, not the software level. Your firewall, endpoint protection, and network security tools are all blind to it.
From state espionage to a tool for the general public
Ten years ago, such a cable cost $20,000 and was only available to intelligence agencies (the NSA model was called COTTONMOUTH-I). Today, the O.MG Cable sells for between $120 and $180 on websites specializing in IT security. Officially, it is intended for "penetration testing." In practice, it is available to anyone who wants to buy it.
Attack scenarios in companies
• Meeting room: a cable "left behind" on the table is waiting for a visitor or colleague to plug it in.
• Industrial espionage: a competitor or insider discreetly replaces the executive's cable.
• Airports and hotels: traveling executives are prime targets
• Corporate goodies: promotional cables distributed at a trade show may be compromised
In 2023-2024, Mandiant documented the SOGU campaign: booby-trapped USB drives targeting pharmaceutical, IT, and energy companies. The drives contained malware that activated as soon as they were inserted, without the user having to click on anything.
💡 Countermeasures: (1) Never use a cable or USB drive whose origin you do not know. (2) Restrict USB ports via GPO or Intune. (3) Distribute "data blockers" (€10 each) to employees who travel; they block data transfer while still allowing charging.
Your employees feed AI with your secrets
April 2023. Samsung authorizes its engineers to use ChatGPT to speed up their work. In less than three weeks, three data leak incidents are detected:
• An engineer copies confidential Samsung source code to ask ChatGPT to fix a bug.
• Another submits optimization code to identify defects on semiconductors.
• A third converts the recording of an internal meeting into minutes via ChatGPT with all the strategic information it contained.
Result: Samsung has banned ChatGPT for all its employees and is now developing its own internal AI.
Why it's a real security risk
"But ChatGPT doesn't share my data with other users!" That's what most employees think. The reality is more nuanced:
• Data is stored on servers belonging to OpenAI, a third-party American company subject to the Cloud Act.
• By default, your conversations are used to train the models (unless you explicitly disable this option).
• Researchers have proven that training data can be extracted. In November 2023, Google DeepMind and several universities demonstrated that a simple attack could retrieve information stored by ChatGPT, including emails and phone numbers.
In November 2025, Tenable discovered seven vulnerabilities in ChatGPT that allowed attackers to exfiltrate "memories" (the information ChatGPT retains about you) and your conversation history via prompt injection attacks.
What your employees really share
According to a study by Cyberhaven, 3.1% of employees using ChatGPT have submitted confidential data to it. For a company with 100 employees, this potentially represents dozens of leaks per month. The most common cases are:
• Source code and technical documentation
• Customer data (names, emails, contracts)
• Strategic documents (business plans, investor presentations)
• HR information (salaries, evaluations, personal data)
• Confidential meeting minutes
JP Morgan, Amazon, and Walmart have all restricted or banned the use of ChatGPT by their employees.
💡 What to do: (1) Define a clear policy on the use of generative AI. (2) Train teams on the risks of data leaks. (3) Consider on-premise AI solutions or APIs with training opt-out for sensitive uses. (4) Use tools such as Azure OpenAI Service where data remains in your tenant.
rnicrosoft.com: can you spot the difference?
Take a close look: rnicrosoft.com. It says "rn" (r then n), not "m." In most fonts, these two characters side by side look exactly like an "m." This fraudulent domain has been around since 2012 and has been used in countless phishing campaigns targeting Office 365 users.
This is known as typosquatting: registering domain names that are almost identical to well-known brands. Zscaler analyzed 30,000 of these fraudulent domains: 75% target Google, Microsoft, and Amazon.
The techniques used
• Visual substitution: rn→m, vv→w, 1→l, 0→O
• Cyrillic characters: the Cyrillic "а" is visually identical to the Latin "a."
• Combosquatting: microsoft-support.com, office365-login.com
• Common typos: gooogle.com, microsofr.com
💡 Concrete action: register typosquatted variants of your own domain name (with rn, vv, 0 instead of o). A few dozen euros per year to prevent an attacker from using them against you.
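The techniques listed above can also be checked automatically on incoming sender domains. The following is an added example, not code from the original article: the PROTECTED list and all function names are assumptions, domains are assumed to have the plain form name.tld, and the Cyrillic table goes beyond the single letter the article names.

```python
# Added example: classify a sender domain against domains you want to protect.
# PROTECTED is a constructed sample list; replace it with your own domains.
PROTECTED = ("microsoft.com", "google.com", "office365.com")

# Substitutions from the list above. The article names Cyrillic "a" (U+0430);
# the other Cyrillic letters are an extension of the same idea.
SINGLE = {"1": "l", "0": "o", "\u0430": "a", "\u0435": "e",
          "\u043e": "o", "\u0440": "p", "\u0441": "c"}
MULTI = (("rn", "m"), ("vv", "w"))

def label_of(domain):
    """Name left of the TLD; assumes a plain name.tld registrable domain."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if label.startswith("xn--"):  # punycode form of an internationalised name
        label = label.encode("ascii").decode("idna")
    return label

def skeleton(label):
    """Collapse visually confusable characters to one canonical spelling."""
    out = "".join(SINGLE.get(ch, ch) for ch in label)
    for fake, real in MULTI:
        out = out.replace(fake, real)
    return out

def one_edit_apart(a, b):
    """True if one inserted, deleted or replaced character turns a into b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + (len(a) == len(b)):] == b[i + 1:]

def classify(domain):
    """Return 'trusted', 'ok', or the technique the name appears to use."""
    if domain.lower().rstrip(".") in PROTECTED:
        return "trusted"
    label = skeleton(label_of(domain))
    for brand in map(label_of, PROTECTED):
        if label == skeleton(brand):  # also the same name under another TLD
            return f"look-alike of {brand}"
        if skeleton(brand) in label.split("-"):
            return f"combosquat of {brand}"
        if one_edit_apart(label, skeleton(brand)):
            return f"typo of {brand}"
    return "ok"
```

Swapped adjacent letters and names under multi-part suffixes such as .co.uk are not handled; a production check would use the Public Suffix List and a fuller confusables table.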
MFA fatigue: when two-factor authentication becomes the problem
September 2022. An Uber employee receives dozens of push notifications on his phone: "Do you approve this connection?" He refuses. They continue. He refuses again. They don't stop.
Then he receives a WhatsApp message from someone claiming to be Uber's IT support. Exhausted, he clicks "Approve." The Lapsus$ hacker group gains full access to Uber's internal systems.
Microsoft estimates that there have been 382,000 MFA fatigue attacks over the past 12 months. And 1% of users blindly approve the first unsolicited notification they receive.
The solution: Number Matching
Instead of a simple "Approve/Deny" button, the sign-in screen displays a two-digit code, which the user must enter in Microsoft Authenticator on their phone. It is impossible to approve by mistake, as the login screen must be visible.
Activation: Entra ID > Protection > Authentication methods > Microsoft Authenticator > "Number Matching." Free, included in Business Premium, 5 minutes.
Microsoft 365 Business Premium: What's Covered, What's Not

Business Premium provides good protection for email, but leaves blind spots on phones, text messages, physical devices, and AI uses. For an SME with 50 to 500 employees, this is often sufficient, provided that it is supplemented by organizational procedures.
Action plan: the 12 measures that really matter
🔴 This week
1. Enable Number Matching on Microsoft Authenticator. 5 minutes, zero cost.
2. Protect VIPs in Defender: CEO, CFO, accountants, buyers.
3. Verify DMARC/SPF/DKIM on all your domains.
🟠 This month
4. Double validation procedure for all transfers over €5,000 or changes to supplier bank details.
5. Internal code word for urgent requests by phone.
6. AI usage policy: what can and cannot be submitted to ChatGPT & co.
7. Register typosquatted variants of your domain name.
🟢 This quarter
8. Multi-channel training: vishing, smishing, quishing, USB cables, AI—not just "don't click on links."
9. MDM on all smartphones that access company resources (Intune included in Business Premium).
10. Restrict USB ports via GPO or Intune or distribute data blockers.
11. Evaluate Azure OpenAI Service if your teams use AI for sensitive tasks.
The last word
The $38 million from Sefri-Cime was not stolen by hackers exploiting a technical flaw. It was transferred by an accountant who was simply doing his job, trusting what appeared to be a legitimate request.
That's the reality of cyberattacks in 2025: less technology, more manipulation. Your Microsoft tools block most technical threats. What they can't block are attacks that exploit human trust.
The good news is that these attacks are predictable, and the countermeasures are simple. They cost almost nothing. They just require taking the time to implement them.



