Everyone has heard spear phishing examples involving fake invoices or urgent payment requests, but the actual breach happens after the click. The phishing email was just the entry point. The real damage unfolds when attackers move laterally through SharePoint, OneDrive, and Teams without anyone noticing. An attacker logs in with a stolen session token, bypasses MFA using adversary-in-the-middle techniques, and quietly sets up persistence through inbox rules and rogue apps. They read emails, map out the organizational hierarchy, and wait for the right moment to exfiltrate data or redirect a wire transfer.
TLDR:
- Phishing is the most common and most costly initial attack vector in data breaches, per IBM's 2025 report
- MFA-bypass attacks surged 146% between November 2023 and 2024, using session token theft techniques
- The average cost of a data breach is $4.4 million per incident, according to IBM's 2025 report
- Petra Security stops M365 phishing breaches in under 2 minutes with automated containment
What is phishing, and how does it work?
Phishing is a type of cyberattack in which someone impersonates a trusted entity to trick people into handing over sensitive information, like identity credentials. That might mean clicking a malicious link, entering login credentials on a fake page, or approving a fraudulent transaction. The attacker doesn't need to hack anything. They need someone to make one mistake.
At its core, phishing is a form of social engineering. Attackers craft emails, texts, or even phone calls that mimic legitimate sources like a bank, an IT department, or a coworker. Generative AI has made these lures harder to detect, producing context-aware messages that clear technical filters and feel indistinguishable from real correspondence. The goal is to get the recipient to act before thinking. Because modern attacks frequently use adversary-in-the-middle (AitM) kits to steal session tokens instead of just passwords, a single mistake can bypass even MFA, giving an attacker a persistent foothold to move deeper into an organization's systems and turning one moment of misplaced trust into a full-scale data breach.
How phishing leads to data breaches
Once an attacker has stolen credentials or a hijacked session token, the phishing email itself becomes the least interesting part of the story. What follows is a chain reaction.
The attacker logs in, often from a cloud datacenter IP, and begins quietly surveying the compromised mailbox. They read emails, identify financial contacts, and look for anything worth exploiting. Session tokens and OAuth permissions are now just as valuable to attackers as the password itself. A stolen token grants full authenticated access without credentials, and a rogue OAuth app maintains that access even after a password reset. If the account has broader permissions, they move laterally across SharePoint, OneDrive, or Teams, often without triggering a single alert.
According to IBM's 2025 Cost of a Data Breach Report, phishing is the single most common initial attack vector globally. It's also the most expensive, averaging $4.4 million per incident. But the breach doesn't happen at the click. It happens in the hours, days, or weeks afterward, when an attacker moves undetected through an environment, exfiltrating sensitive data or setting up wire fraud. One compromised account is all it takes to move laterally across an organization, and from there, attackers can escalate to higher-privileged accounts and expose the entire environment.
Types of phishing attacks that cause breaches
Not every phishing email looks the same, and the breach pathway varies by variant.
- Spear phishing targets specific individuals with personalized messages that often reference real projects or colleagues. Because the emails appear legitimate, they're the most common entry point for credential-harvesting campaigns that lead to ransomware deployment or data exfiltration.
- Business email compromise (BEC) skips malware entirely. Attackers use a compromised account to send fraudulent payment requests or redirect wire transfers, often netting six or seven figures before anyone notices.
- Whaling attacks target C-suite executives and senior leadership, where a single compromised account can unlock access to board communications, M&A documents, and financial systems.
- Credential harvesting at scale uses fake login portals to collect hundreds of username and password pairs, which attackers then sell or use to breach multiple organizations simultaneously.
Each variant exploits a different weakness, but they all share the same starting point: someone trusted the wrong message.
Real-world phishing attack examples and their impact
Some of the largest financial losses in recent history stem from a single phishing or BEC email.
| Incident | What happened | Impact |
| --- | --- | --- |
| Google and Facebook (2013 to 2015) | The attacker impersonated a hardware vendor using fake invoices | Over $120 million stolen |
| Ubiquiti Networks (2015) | BEC attackers impersonated an executive via email, tricking the finance team into wiring funds to fraudulent overseas accounts | $46.7 million in fraudulent wire transfers |
| Crelan Bank (2016) | BEC attack impersonating senior executives | Roughly $75.8 million in fraudulent wire transfers |
Each of these organizations had security budgets, trained staff, and defenses already in place. What they lacked was a way to catch the attacker after that first credential was compromised. The phishing emails cost almost nothing to send. The consequences ran into the hundreds of millions once regulatory penalties, business downtime, and reputational damage were factored in.
How MFA bypass attacks escalate breach severity
MFA was supposed to be the safety net. For years, it was. But attackers adapted.
Adversary-in-the-middle (AitM) phishing pages now sit between the victim and the real login portal, relaying credentials in real time and intercepting the session cookie issued after MFA approval. The attacker doesn't need the password in the long term. They don't need the MFA code again. They have the authenticated session itself, and that token grants full access until it expires or gets revoked.
Between November 2023 and 2024, MFA-bypass phishing attacks surged 146%, per Microsoft's 2024 Digital Defense Report. AitM toolkits are cheap, widely available, and effective against most standard MFA methods, excluding phishing-resistant options like FIDO2 hardware keys. Once an attacker captures a valid session token, they log in from their own infrastructure, and the identity provider treats them as the legitimate user. No second prompt, no suspicious login warning.
"We'd thought [attacks] were being caught fast, but we had a rude awakening, and now we know what fast really looks like." - David Xiong, M Cubed
This is how a single phishing click on an MFA-protected account can still result in a full breach.
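The session token replay described above, as an added defender-side example that is not from the original post or from Petra: it scans constructed Entra-style sign-in events for a session id that reappears from a different IP than the one it was issued to. The field names, the MFA detail strings, and the datacenter address range are assumptions for the sample, not values from any real tenant.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of Entra-style sign-in events (not real logs); the field names
# and MFA detail strings are assumptions modelled loosely on a sign-in log export.
SIGNIN_EVENTS = [
    {"time": "2025-03-04T09:02:11Z", "user": "cfo@example.com", "session_id": "s-7f3a",
     "ip": "203.0.113.24", "mfa": "MFA requirement satisfied by strong authentication"},
    {"time": "2025-03-04T09:05:47Z", "user": "cfo@example.com", "session_id": "s-7f3a",
     "ip": "198.51.100.9", "mfa": "MFA requirement satisfied by claim in the token"},
    {"time": "2025-03-04T10:30:00Z", "user": "it@example.com", "session_id": "s-11c0",
     "ip": "203.0.113.24", "mfa": "MFA requirement satisfied by strong authentication"},
]
# Constructed: address space the tenant treats as hosting/datacenter rather than office.
DATACENTER_RANGES = [ip_network("198.51.100.0/24")]

def is_datacenter(ip: str) -> bool:
    return any(ip_address(ip) in net for net in DATACENTER_RANGES)

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def find_replayed_sessions(events, max_gap_minutes=60):
    """Alert on a session id that reappears from a different IP than it was issued to.
    An AitM proxy steals the cookie after the victim completes MFA; the attacker's
    reuse shows up as the same session from a new IP, with MFA satisfied only by
    a claim already in the token rather than by a fresh strong authentication.
    """
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_session[e["session_id"]].append(e)
    alerts = []
    for sid, evs in by_session.items():
        first = evs[0]
        for later in evs[1:]:
            if later["ip"] == first["ip"]:
                continue
            reasons = ["session reused from new IP"]
            if "claim in the token" in later["mfa"]:
                reasons.append("MFA satisfied only by token claim")
            if is_datacenter(later["ip"]):
                reasons.append("new IP is in datacenter range")
            gap_min = int((_ts(later["time"]) - _ts(first["time"])).total_seconds() // 60)
            if gap_min <= max_gap_minutes:
                reasons.append(f"reuse within {gap_min} min of issue")
            alerts.append({"user": later["user"], "session_id": sid, "from_ip": first["ip"],
                           "to_ip": later["ip"], "reasons": reasons})
    return alerts
```

Revoking the flagged session (rather than only resetting the password) is what actually cuts the attacker off, because the stolen token stays valid until it expires or is revoked.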
The financial impact of phishing-caused data breaches
The numbers are staggering. According to IBM's Cost of a Data Breach Report 2025, the average cost of a data breach stands at $4.4 million per incident.
Those figures bundle together more than most people realize:
- Wire fraud and stolen funds from BEC schemes
- Incident response and forensic investigation fees
- Regulatory fines under frameworks like HIPAA and GDPR
- Lost revenue during business downtime
- Long-term reputational damage that erodes customer trust
What starts as a single fraudulent email spirals into legal fees, compliance remediation, and sometimes years of brand recovery. The phishing email itself costs an attacker almost nothing. The receiving organization pays for everything that follows.
How to spot phishing emails before they cause breaches
Catching a phishing email before anyone clicks takes pattern recognition. Watch for these red flags:
- Urgent or threatening language pressuring immediate action, such as account suspension notices or fake payment deadlines
- A display name that looks right, but an email domain that doesn't match the supposed sender's organization
- Links where the visible text differs from the actual URL when you hover over them, often swapping a single character or adding a subdomain
- Unexpected attachments from senders who don't normally send them, especially compressed files or documents with macros
- Subtle grammatical errors or odd phrasing that feels slightly off, which can signal a hastily crafted or translated message
- Requests for credentials, payment changes, or sensitive data that arrive without prior context or a verification step; treat any such email as suspicious
If a suspicious email lands in someone's inbox, the right move is to avoid clicking anything, report it to the security team immediately, and verify the sender through a separate channel like a phone call.
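Three of the red flags above (display name versus sending domain, link text versus real URL, urgency language) turned into a small triage check, as an added example that is not from the original post. The sample message, the brand-to-domain map, and the keyword list are all constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phish): display name claims a bank, the sending
# domain does not match it, and the visible link text differs from the real href.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.net>
Subject: Urgent: account suspension in 24 hours
Content-Type: text/html

<p>Verify now: <a href="https://examp1e-bank-login.net/verify">https://www.example-bank.com/login</a></p>
"""
CLAIMED_DOMAINS = {"example bank": "example-bank.com"}  # constructed brand-to-domain map
URGENCY = re.compile(r"\b(urgent|immediately|suspend\w*|within \d+ hours)\b", re.I)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def phishing_indicators(raw: str) -> list:
    """Return the red flags found in one raw RFC 822 message (empty list if none)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    for brand, domain in CLAIMED_DOMAINS.items():  # display name vs sending domain
        if brand in display.lower() and sender_domain != domain and not sender_domain.endswith("." + domain):
            flags.append(f"display name claims {brand!r} but sender domain is {sender_domain}")
    if URGENCY.search(msg["Subject"] or ""):
        flags.append("urgency language in subject")
    collector = LinkCollector()  # visible link text vs actual href
    collector.feed(msg.get_payload(decode=True).decode(errors="replace"))
    for href, text in collector.links:
        if text.startswith("http") and urlparse(text).hostname != urlparse(href).hostname:
            flags.append(f"link text shows {urlparse(text).hostname} but points to {urlparse(href).hostname}")
    return flags
```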
Tools and strategies to prevent phishing attacks in your organization
Stopping phishing requires layered defenses, not any single product.
- Deploy email security gateways that filter malicious links and attachments before they reach inboxes
- Implement phishing-resistant MFA like FIDO2 hardware keys, which can't be intercepted by adversary-in-the-middle proxies
- Enforce DMARC, SPF, and DKIM email authentication protocols to prevent domain spoofing
- Run regular anti-phishing simulations so employees build real muscle memory around suspicious messages
- Maintain a documented incident response plan that specifies exactly who does what when a phishing report comes in
- Use identity threat detection tools that monitor post-compromise behavior across your environment, catching attackers who slip past every other layer
No training program catches everything. No email filter is perfect. The organizations that avoid breaches are the ones with detection and response capabilities that kick in the moment someone inevitably clicks.
How Petra Security stops phishing breaches in under 2 minutes
The credential theft, lateral movement, inbox rule persistence, and token replay map directly to what Petra monitors across every Microsoft 365 tenant it protects.
When an attacker logs in with a stolen session token, Petra flags the behavioral deviation in real time across Entra ID, Exchange, SharePoint, OneDrive, and Teams. With Petra Response active, containment occurs automatically: sessions are revoked, the compromised account is locked, phishing emails are removed from every mailbox in the tenant, and persistence mechanisms such as rogue OAuth apps and malicious inbox rules are shut down. When the threat is clear, all containment actions are reversible with a single click.
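The two persistence mechanisms named here, malicious inbox rules and rogue OAuth app consents, reviewed by a small audit routine. This is an added example written for this page, not Petra's code or detection logic; the rule and consent shapes, the internal domain, and the finance keyword list are assumptions for the constructed samples.

```python
from dataclasses import dataclass, field
# Constructed sample shapes (not real tenant output), modelled loosely on the fields an
# Exchange inbox-rule export and an Entra app-consent export would carry.
INTERNAL_DOMAIN = "example.com"
FINANCE_TERMS = ("invoice", "payment", "wire", "bank", "remittance")
MAILBOX_SCOPES = {"mail.readwrite", "mail.send", "mail.read", "mailboxsettings.readwrite"}

@dataclass
class InboxRule:
    mailbox: str
    name: str
    subject_contains: list = field(default_factory=list)
    forward_to: list = field(default_factory=list)
    delete_message: bool = False

@dataclass
class AppConsent:
    app_name: str
    publisher_verified: bool
    scopes: list
    granted_by: str

def review_rule(rule: InboxRule) -> list:
    """Reasons a rule looks like attacker persistence (empty list if it looks benign)."""
    reasons = []
    if any(not a.lower().endswith("@" + INTERNAL_DOMAIN) for a in rule.forward_to):
        reasons.append("forwards mail outside the organisation")
    if rule.delete_message and any(k in s.lower() for s in rule.subject_contains for k in FINANCE_TERMS):
        reasons.append("silently deletes finance-related mail")
    if not rule.name.strip(" .,-_"):
        reasons.append("rule name is blank or punctuation only")
    return reasons

def review_consent(consent: AppConsent) -> list:
    """Reasons a user-granted consent would keep mailbox access after a password reset."""
    scopes = {s.lower() for s in consent.scopes}
    reasons = []
    if "offline_access" in scopes and scopes & MAILBOX_SCOPES:
        reasons.append("refresh token plus mailbox scopes: access survives a password reset")
    if not consent.publisher_verified:
        reasons.append("publisher not verified")
    return reasons

# Constructed examples: a hidden delete rule, a benign internal forward, and a rogue app.
SAMPLE_RULES = [
    InboxRule("cfo@example.com", ".", ["invoice", "payment"], delete_message=True),
    InboxRule("cfo@example.com", "To assistant", forward_to=["assistant@example.com"]),
]
SAMPLE_CONSENT = AppConsent("Mail Sync Helper", False, ["Mail.ReadWrite", "offline_access"], "cfo@example.com")
```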
CyberStreams averaged 1:41 to containment across 36 stopped attacks. M Cubed found 7 attackers on day one that their previous tool never caught. At BNMC, a CEO account had been actively compromised for 29 days with no alert from their prior tool. The attacker had added a malicious MFA method, accessed the account from multiple IPs, and was preparing an invoice fraud campaign against external contacts before Petra surfaced it. If you're an MSP running Microsoft 365 environments, you can see what Petra finds with a free Scan.
Final thoughts on how phishing causes data breaches
Knowing how phishing causes a data breach doesn't help unless the attacker can be stopped once they're inside the environment. Training and email security buy time, but post-compromise detection is what actually prevents the million-dollar incident. Book a demo to see what Petra catches after credentials get stolen. Petra's team walks through real-world attack timelines, and most organizations recognize familiar gaps in their current setup.
FAQ
Can phishing bypass MFA and still cause a data breach?
Yes. Adversary-in-the-middle (AitM) phishing attacks intercept session tokens after MFA approval, granting attackers full access without needing passwords or MFA codes again. These attacks increased by 146% between November 2023 and 2024, and stolen session tokens often persist after password resets, allowing attackers to maintain access even after victims change their credentials.
What should I do if I suspect I've received a phishing email?
Do not click any links or attachments in the message. Report it to your security team immediately and verify the sender's identity through a separate communication channel, like a phone call. Avoiding interaction with the suspicious email prevents credential theft and stops the attack before it can escalate into a breach.
Phishing training vs technical controls: which prevents breaches more effectively?
Technical controls win. No training program catches everything, and even well-trained employees make mistakes under pressure. Organizations that avoid breaches layer email security gateways, phishing-resistant MFA like FIDO2 keys, and identity threat detection tools that monitor post-compromise behavior across their environment, catching attackers who slip through other defenses.
How can a phishing attack on a regular user account result in horizontal escalation of privileges?
A compromised regular user account provides attackers with a foothold for lateral movement across Microsoft 365 services such as SharePoint, OneDrive, and Teams. Attackers read emails to identify additional targets, register rogue OAuth apps for persistence, and use trusted internal communications to phish other employees, expanding their access without ever needing administrative credentials initially.
What's the primary goal of most phishing attacks that lead to data breaches?
The primary goal is to steal credentials and session tokens to gain persistent access. Once attackers have a valid session, they quietly exfiltrate sensitive data, set up wire fraud schemes, or deploy ransomware over days or weeks. Phishing is the most common and most costly initial attack vector in data breaches, per IBM's 2025 Cost of a Data Breach Report.
