Microsoft has recently published a report detailing the latest trends in phishing and social engineering attacks targeting enterprise environments. As security controls such as multifactor authentication (MFA), passwordless authentication, and advanced email protections become more widespread, threat actors are adapting with more sophisticated techniques to steal credentials and compromise cloud identities. The report highlights emerging methods such as adversary-in-the-middle (AiTM) phishing using tools like Evilginx, device code abuse, OAuth consent phishing, and phishing campaigns designed to trick users into registering attacker-controlled devices within corporate networks. Attackers are also exploiting trusted platforms like Microsoft Teams and social media channels to deliver lures, and have begun using generative AI to craft highly convincing phishing messages, making social engineering harder to detect.

Microsoft emphasizes a layered defense strategy that includes phishing-resistant MFA, Conditional Access policies through Entra ID Protection, restricted OAuth app consent, and user education through phishing simulations. Additionally, solutions like Global Secure Access are recommended to manage and secure access across networks, identities, and endpoints. With phishing responsible for nearly a quarter of the initial-access cases Microsoft investigated over the past year, the report underscores the urgency of shifting to Zero Trust principles and hardening identity defenses across the enterprise. For a deeper dive into these evolving threats and Microsoft’s full set of defense recommendations, you can refer to the Microsoft article.