Google Cloud-Aided Phishing Steals Microsoft 365 Logins: Practical Defences for UK SMEs in 2026

Phishing is evolving in a way that particularly affects UK SMEs: criminals are increasingly using trusted cloud services to make scam emails and links look legitimate, then harvesting Microsoft 365 usernames and passwords. This matters now because one stolen login can lead to invoice fraud, data exposure, and weeks of disruption—without any obvious “hacking” on screen. Here’s what this latest technique means for UK small businesses and what to do next.

Why This Matters for UK SMEs 

This matters to UK SMEs today because Microsoft 365 is often the “front door” to email, files, Teams chats, and customer data—and attackers know it.

Key business risks for UK small businesses include:

* Payment diversion and invoice fraud: compromised mailboxes are used to intercept or redirect payments.

* Operational downtime: account lockouts, remediation work, and halted workflows can stop billing and delivery.

* Regulatory exposure: personal data in email or SharePoint can trigger GDPR reporting obligations and ICO scrutiny.

* Reputational damage: customers lose confidence when your email account is used to scam them.

* Supply chain consequences: larger clients may increase security checks or pause work after an incident.

Authoritative Insight

Cloud-based phishing is rising because it exploits something we all do at work: we trust familiar brands and common platforms. Recent reporting by Malwarebytes (2026) describes a phishing campaign that abuses Google Cloud services as part of the lure and delivery chain to capture Microsoft 365 logins, making the journey to the fake sign-in page look more credible than the “obviously dodgy link” many staff are trained to spot.

This fits with the wider UK picture. The UK Government Cyber Security Breaches Survey (2024) consistently finds phishing as one of the most common and disruptive attack types for businesses, especially smaller firms that rely on email and cloud services for day-to-day operations.

NCSC guidance (2024) continues to stress that strong account security, secure configuration, and practical staff awareness are core controls for reducing real-world risk with ICO guidance (ongoing, reflected in recent enforcement expectations) makes it clear that organisations handling personal data must implement appropriate security measures and be prepared to manage incidents responsibly.

The practical takeaway for UK SMEs is simple: you can’t rely on “spot the bad link” alone when criminals can route lures through well-known cloud infrastructure. You need layered controls that assume some clicks will happen.

SME-Specific Impact 

This type of phishing hits UK SMEs harder because SME realities change the risk profile.

For UK SMEs, common traits that increase exposure include:

* Limited in-house IT: you may have an outsourced IT provider, but not someone watching email threats daily.

* High dependence on Microsoft 365: one account can unlock email, OneDrive, SharePoint, Teams, and password resets.

* Small finance teams: your bookkeeper or finance manager may be juggling approvals at speed—prime conditions for fraud.

* Informal processes: supplier bank-detail changes or urgent payments may be confirmed via email without a second channel.

* Shared admin access: SMEs sometimes reuse admin accounts or skip least-privilege because it “keeps things simple”.

* Tight budgets, fast decisions: the upside is you can deploy a few high-impact controls quickly—if you prioritise well.