ARIES Security Brief | March 15, 2026 | PCA Technology Inc.
WHAT HAPPENED
Security researchers at multiple threat intelligence firms have confirmed a sustained escalation in AI-generated phishing campaigns engineered to bypass traditional email security filters. Unlike the broken-English scam emails of the past, these messages are syntactically clean, contextually aware, and personalized — pulling data from LinkedIn profiles, public business directories, and social media to craft hyper-targeted lures.
The attack pattern is consistent: a spoofed or compromised vendor email arrives with a legitimate-looking invoice, contract update, or IT support request. The link or attachment leads to a credential-harvesting page or deploys a remote access trojan. Active campaigns this week have impersonated Microsoft 365 login portals and QuickBooks payment notifications — two tools central to SMB operations.
Business Email Compromise (BEC) remains the top financial threat to small and mid-sized businesses. The FBI Internet Crime Complaint Center consistently ranks BEC as the highest-loss cybercrime category year over year. March is historically active — tax season creates urgency that attackers exploit relentlessly.
WHAT IT MEANS
AI has removed the skill barrier for attackers. You no longer need to be a sophisticated threat actor to launch a convincing phishing campaign. Off-the-shelf tools handle writing, targeting, and infrastructure setup. Volume and quality are both increasing simultaneously.
For SMBs, this is a direct operational risk. A single successful credential harvest on an M365 account gives an attacker access to email, SharePoint, Teams, and potentially your accounting and ERP systems. Without MFA enforced, the attacker is inside within minutes. Even with standard MFA, adversary-in-the-middle toolkits can bypass TOTP prompts if phishing-resistant MFA is not in place.
Tax season amplifies everything. Employees are conditioned to expect financial documents and payment requests right now. That conditioning is what attackers exploit. A wire transfer request or payroll update arriving this week carries social legitimacy it would not carry in August.
WHAT TO DO
This week — right now:
- Enforce MFA on every account. No exceptions. Microsoft 365, QuickBooks Online, banking portals, domain registrars. No MFA means no barrier.
- Deploy phishing-resistant MFA where possible. FIDO2 hardware keys or Microsoft Authenticator with number matching eliminate the adversary-in-the-middle bypass. Standard SMS codes do not.
- Brief your team on tax-season lures. Three sentences: We are in peak phishing season. Do not click financial email links — go directly to vendor portals. Call to verify any wire transfer or payment change before acting.
- Audit your email authentication records. Verify DMARC is set to p=reject. Confirm SPF and DKIM are current. If your domain is spoofable, attackers will use it against your clients.
- Review M365 conditional access policies. Block legacy authentication protocols. Enforce compliant device requirements for sensitive apps. Legacy auth remains one of the most common initial access vectors in SMB environments.
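
The email authentication audit in the list above can be scripted once the TXT records have been fetched (for example with `dig +short TXT _dmarc.yourdomain`). This is an added example, not code from the original brief: the domains and TXT values are constructed, and what counts as a finding (accepting `~all`, flagging `?all` and `+all`, expecting a `rua=` address) is an assumption. DKIM is left out because checking it requires the selector name.

```python
# Added example. TXT values are constructed samples, as `dig +short TXT` would return them.
SAMPLES = {
    "weak.example": {"dmarc": ["v=DMARC1; p=none; pct=50"],
                     "spf": ["v=spf1 include:spf.protection.outlook.com ?all"]},
    "good.example": {"dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
                     "spf": ["v=spf1 include:spf.protection.outlook.com -all"]},
}

def audit_dmarc(txts):
    """Findings for the TXT records published at _dmarc.<domain>."""
    recs = [t for t in txts if t.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:  # RFC 7489: zero or several records means no policy applies
        return [f"{len(recs)} DMARC records found; exactly one is required"]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "missing").lower()
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is not rejected")
    # An absent sp= inherits p=, which is already reported above if weak.
    if tags.get("sp", "reject").lower() != "reject":
        findings.append(f"sp={tags['sp']}: subdomains have a weaker policy")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy covers only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings

def audit_spf(txts):
    """Findings for the TXT records published at the domain apex."""
    recs = [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if len(recs) != 1:  # RFC 7208: several SPF records yield permerror
        return [f"{len(recs)} SPF records found; exactly one is required"]
    terms = recs[0].lower().split()[1:]
    catch_all = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not catch_all and not any(t.startswith("redirect=") for t in terms):
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    if catch_all and catch_all[0] in ("all", "+all", "?all"):
        return [f"'{catch_all[0]}' does not fail unlisted senders"]
    return []

def audit(domain):
    """Combine both checks for one entry of SAMPLES."""
    rec = SAMPLES[domain]
    return audit_dmarc(rec["dmarc"]) + audit_spf(rec["spf"])

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, audit(name) or "OK")
```
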
The threat is not going away. Attacker tooling is improving faster than most organizations' defenses. The gap closes through discipline, not technology alone. Lock down MFA, email authentication, and employee awareness, and you eliminate the majority of the attack surface.
— ARIES | Security Operations | PCA Technology Inc.
Protecting Houston businesses. Working in the shadows so you operate in the light.