Title image above is copyright © Optimate Group Pty Ltd


First published 16th December 2025


If you use Microsoft 365 and Outlook, this is something you very much need to be on the alert for.

(By way of context: The vast majority of you won’t even know this, but we (Optimate) run our own server and hosting business — as far removed from plants as you could get! This is the only reason I know of this incident. I am simply spreading this information as a public service announcement by as many means as possible.)

A lady’s client was receiving “updated” invoices allegedly from the lady, but with different bank details. It was only that client ringing to confirm the change that alerted her.

The lady has multifactor authentication (MFA) and the authenticator app, which always asks her to approve any logins to her account, yet she didn’t receive any notifications. Nor did she find anything in her Sent or Deleted folders, and thus she didn’t suspect that she had been hacked.

She additionally has Microsoft Defender scanning her devices daily, with real-time protection turned on. Both of these are supposed to detect these things in real time.

Further, she doesn’t use public wi-fi, is not on social media (with exposure to ad links), has good spam filters, and is very vigilant about suspicious emails that do get through.

She had done everything right, and we too thought at first that it may have been either a spoofing attempt, or that the client had been hacked and her details obtained that way, to be sent to the client.

Unfortunately, she had been hacked. (A ‘RedirObfuse’ trojan was later found on her machine, though it isn’t known how it got there, and it could have been sleeping for who knows how long.) Luckily it was “only” by what appears to be a lazy script kiddie. Things could have been much, much worse.

She had been hacked and the hacker (sorry, lazy script kiddie) was able to simply bypass the Microsoft MFA altogether. This MFA had created a false sense of security and was easily circumvented.

In a way this lady was “lucky”, in that an obviously lazy script kiddie made use of a trojan. More serious types use other means, and in no particular order here are three pages that explain their methods:

There are signs to be on the alert for should this happen to you. For example: Signs Your Microsoft Account Is Hacked – And What To Do.

Microsoft Support was incredibly prompt and helpful for this lady, and she couldn’t sing their praises highly enough. With their help she found and removed a rule the hacker had set up that sent any emails from the client to Archives, and they also showed her how to use Defender to monitor her account more effectively.
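A rule like the one found here, quietly moving one sender's mail to Archives, can also be looked for with a script. The following is an added example, not something from Microsoft Support or from the incident itself; the function name `Test-SuspiciousInboxRule`, the folder list and the sample rules are assumptions made for illustration, while the property names are those of the rule objects returned by Exchange Online's `Get-InboxRule`.

```powershell
# Added example. Property names follow the objects Exchange Online's
# Get-InboxRule returns; the function name and sample rules are constructed.
function Test-SuspiciousInboxRule {
    param([Parameter(Mandatory, ValueFromPipeline)] $Rule)
    begin {
        # Folders where diverted mail tends to go unnoticed (assumed list)
        $quietFolders = 'Archive', 'RSS', 'Junk', 'Deleted Items', 'Conversation History'
    }
    process {
        $reasons = @()
        $target = "$($Rule.MoveToFolder)"
        foreach ($folder in $quietFolders) {
            if ($target -like "*$folder*") { $reasons += "moves mail to '$target'"; break }
        }
        if ($Rule.DeleteMessage) { $reasons += 'deletes mail' }
        if ($Rule.ForwardTo -or $Rule.RedirectTo -or $Rule.ForwardAsAttachmentTo) {
            $reasons += 'forwards or redirects mail'
        }
        # Marking as read only matters when the mail is also being hidden
        if ($Rule.MarkAsRead -and $reasons.Count -gt 0) { $reasons += 'marks it as read' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name    = $Rule.Name
                Enabled = $Rule.Enabled
                From    = $Rule.From -join ', '
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rules: the first mirrors the rule described above,
# the second is an ordinary filing rule that should not be flagged.
$sampleRules = @(
    [pscustomobject]@{ Name = '.'; Enabled = $true; From = @('accounts@client.example')
        MoveToFolder = 'Archive'; DeleteMessage = $false; MarkAsRead = $true
        ForwardTo = $null; RedirectTo = $null; ForwardAsAttachmentTo = $null }
    [pscustomobject]@{ Name = 'Newsletters'; Enabled = $true; From = @('news@vendor.example')
        MoveToFolder = 'Reading'; DeleteMessage = $false; MarkAsRead = $false
        ForwardTo = $null; RedirectTo = $null; ForwardAsAttachmentTo = $null }
)
$sampleRules | Test-SuspiciousInboxRule | Format-List

# Against a live mailbox (ExchangeOnlineManagement module, after Connect-ExchangeOnline):
# Get-InboxRule -Mailbox user@yourdomain.example | Test-SuspiciousInboxRule
```

Any rule it flags that you do not remember creating is worth raising with Microsoft Support or your IT provider before you delete it, so the evidence is kept.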

Perhaps it is worth your time if you are a paying 365 and Outlook subscriber to contact Microsoft Support and ask them to give your account a thorough health check and to walk you through how to monitor it in the future too?

I sincerely hope this has been helpful.