A fast-moving wave of account takeovers is hitting Gmail, Outlook, Microsoft Teams and Slack, and the message from security firms is blunt: multifactor authentication is no longer a firewall if attackers control the session. A new round of AI-fueled phishing and consent attacks, capped by a fresh kit known as Astaroth that hijacks tokens in real time, is shifting risk squarely onto the daily tools that power enterprise work. For Microsoft, Alphabet and Salesforce, the reputational and regulatory stakes are rising alongside security spend.
A new report from KnowBe4 says 96% of organizations struggle to secure the human element, with incidents tied to human behavior up 90% this year. Email remains the biggest door in, with 57% of incidents tied to mail and Outlook and Gmail accounts drawing 90% of attacks. But messaging apps are catching up fast as attackers pivot to channels that masquerade as trusted internal traffic. The red flags that defined the last decade of phishing training are being erased by AI. Bryan Palma, KnowBe4’s CEO, put it plainly: AI is now on both sides of the coin. It makes bad actors faster and more personal, and it gives defenders new tools too. The immediate problem is the former.
Audio deepfakes and crisp, context-aware prompts have supercharged old-school vishing and social engineering. A convincing voice clip posing as a CFO can close a bogus wire request in minutes. And once an attacker lands even a single set of credentials, modern collaboration suites offer an internal distribution network that looks legitimate to users and too often to security tools. Traditional detections tuned for unusual human behavior struggle when automated agents and compromised identities are doing exactly what they are permissioned to do.
The latest escalation is the live interception of sessions. The Astaroth phishing kit, observed in the wild in the past 24 hours, hijacks tokens and session cookies as victims log in, undermining the protections of one-time codes and push approvals. That means the attacker can ride an authenticated session without ever “breaking” MFA. It is a direct hit to the perceived safety of two-step logins on Gmail, Outlook and other SSO-backed apps.
The risk does not end there. OAuth consent phishing is moving quickly across Microsoft 365 and Teams. In these attacks, users are tricked into authorizing a malicious app, granting it persistent access to Outlook, SharePoint or OneDrive data. Because consent sits downstream of the login, even strong MFA will not save you from a bad grant. Pair that with session hijacking and the attacker has both the keys and the valet. Google, for its part, acknowledged this week the challenge of agentic AI spinning up convincing content and autonomous actions. The old question of who clicked the link is giving way to a new one: who is watching the agents?
KnowBe4’s data points to a shift. Once inside a real account, attackers do not need to spoof anything. In Teams or Slack, a message from a compromised colleague carries the trust of the logo and the name. Every link, every file rides the credibility of an internal identity. That makes messaging platforms an efficient delivery system for AI-written lures and malware-laced documents that sail past the skepticism users reserve for unknown email addresses.
Decades of training employees to scrutinize email headers do not translate to collaboration tools where the sender looks familiar and the context looks routine. A quick favor ping. An updated invoice. A new policy. And increasingly, these lures are not coming from human impostors but from compromised automations and AI agents with legitimate roles, authorized to file tickets, approve expenses or provision access. As Palma warned, when agents hold powerful permissions and traditional tools miss non-human anomalies, governance becomes the failure point.
Microsoft is moving to add friction. Starting in September 2025, Teams will roll out real-time link warnings that flag messages containing URLs tied to phishing, malware or spam. The company is also pushing published best practices: tighten external contacts, avoid unknown attachments, and report suspicious messages. Useful, but insufficient on their own. The window between today’s attacks and tomorrow’s controls is wide open.
That gap is why behavioral platforms are racing to cover multiple channels at once. Vendors are extending detection beyond email into Teams, Slack and Zoom, looking for abnormal patterns across identities and devices rather than single-message heuristics. It is the right direction, but it assumes the enterprise has already done the unglamorous work: hardening identity, shrinking token lifetimes, and constraining app permissions. As AI makes it trivial to spin up convincing fake domains and personas, the privilege model becomes the real castle.
For Microsoft, Google and Salesforce, the risk is less about a technical shortcoming and more about the integrity of their workplace ecosystems. Collaboration platforms are where work happens, and trust is their currency. A string of high-profile account takeovers that lead to data loss or wire fraud can draw regulatory attention and push enterprise customers to demand tighter defaults and clearer controls. Expect pressure on roadmap timelines and on how aggressively these platforms gate risky features by default.
Security budgets, meanwhile, have a clear catalyst. Breaches and fraud tied to identity and session abuse are the fastest way to justify incremental spend on zero trust access, identity protection and consolidated, multi-channel detection. That favors companies selling integrated identity-defense suites, from endpoint to email to collaboration. Names focused on behavioral analytics and identity threat detection stand to benefit, even as they must prove they can stop consent fraud and non-human traffic. Okta’s prior stumbles show identity vendors are not immune to trust erosion. Microsoft’s growing security revenue underscores that platform-native controls will be judged not by features announced but by the speed and breadth of adoption across the tenant base.
Treat MFA as necessary but not sufficient. Move to phishing-resistant factors like FIDO2 passkeys wherever possible, enforce conditional access with device trust, and cut session lifetimes to reduce token replay value. Disable legacy protocols and block basic auth. Lock down OAuth by requiring admin approval for third-party app consent and strip unused permissions. In Teams and Slack, default to deny on external tenants and turn on link scanning where available.
Monitor sessions continuously and verify device posture before granting sensitive actions, not just at login. Train employees on multi-channel attacks, including what an internal Teams or Slack phish looks like. Update finance playbooks so a voice call, even with a familiar voice, is never sufficient authorization for urgent payments. And inventory AI agents and automations like any privileged service account. If a bot can open tickets or approve expenses, it needs strong governance, logging and revocation plans.
Attackers are exploiting the same scale advantages enterprise software delivers to legitimate users. AI erases telltale mistakes and accelerates social engineering across email and chat, while kits like Astaroth make live session theft routine. The result is a widening gap between perceived and actual protection from MFA. Microsoft’s upcoming link warnings in Teams will help, but the threat clock is running now. Investors should watch not only for headline breaches but for how quickly platform providers tighten defaults and how forcefully customers adopt identity-first controls. The industry’s next governance debate is not about passwords or links. It is about who is watching the agents.