Publish Date: 18/6/25

MFA alone is no longer enough.
At EVCO Services, we’ve been investigating a recent wave of account compromise attempts. These are not your run-of-the-mill phishing emails. They are well-crafted, targeted and increasingly difficult to catch.
The real threat? Attackers are using tools like Evilginx to intercept session tokens from real Microsoft login pages. That means even with MFA in place, they can slip through.
So what is stopping them?
Conditional Access. And it is doing the job.
Here is how:
Location-based rules
Most of these attempts originate outside the UK. Conditional Access policies block them before they even reach the login screen. When they switch to the US, it is still considered out of bounds.
Device compliance
If the device is not trusted and managed, it will not gain access. Full stop.
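An added example, not EVCO's own script, showing how the two controls above are expressed as Conditional Access policies with the Microsoft Graph PowerShell SDK. The group name "CA-BreakGlass" and the policy names are placeholders, and both policies are created in report-only mode so sign-in logs can be reviewed before enforcement.

```powershell
# Requires the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All"

# Emergency-access accounts are excluded so a mis-scoped policy cannot lock every admin out.
# "CA-BreakGlass" is a placeholder; substitute your own break-glass group.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-BreakGlass'"

# 1. Named location listing the countries sign-ins are expected from (UK here).
$uk = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries - UK"
    countriesAndRegions               = @("GB")
    includeUnknownCountriesAndRegions = $false   # unresolvable geolocation counts as outside the UK
}

# 2. Location-based rule: block every sign-in that does not come from the named location.
$geoBlock = @{
    displayName   = "CA01 - Block sign-in from outside the UK"
    state         = "enabledForReportingButNotEnforced"   # report-only; set to "enabled" after review
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($uk.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $geoBlock

# 3. Device compliance rule: only Intune-compliant or hybrid-joined devices may sign in.
#    A sign-in relayed through a phishing proxy presents no managed-device identity,
#    so the grant control fails and no session token is issued to the attacker.
$deviceReq = @{
    displayName   = "CA02 - Require compliant or hybrid-joined device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $deviceReq
```

Review the "Report-only" results in the Entra sign-in logs for a few days before switching each policy's state to "enabled".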
Email filters?
Even the best filters can let phishing links through when attackers use legitimate services like Adobe or Dropbox. The URLs look clean but the intent is not.
Conditional Access is doing the heavy lifting, and doing it well. It is precise, adaptive and essential in a landscape where traditional defences can be bypassed.
If your current strategy relies solely on email filtering and MFA, it is time to evolve. Zero Trust is not just a concept. It is a framework, and Conditional Access is a key part of putting it into practice.
Need help reviewing your Microsoft 365 security posture? We are here to support you.
#CyberSecurity #Microsoft365 #ConditionalAccess #ZeroTrust