Threat Intel·4 min read·By aburgett

Threat Intel: Emerging Email Client Threats to Watch

Email and collaboration tools remain the number one attack vector in 2025. Threat actors are increasingly abusing trusted platforms like Google Workspace and Microsoft 365 to bypass traditional defenses, steal credentials, and hijack accounts.

Why Email Clients Are Still the Weak Link 

Even with years of investment in advanced security controls, email continues to be the most effective way for attackers to reach end users. What makes today’s attacks particularly dangerous is the way cybercriminals exploit trust. Employees use Google Calendar, Microsoft Outlook, SharePoint, and Teams every day, often without questioning the legitimacy of what they see inside these platforms. Attackers know this, and rather than sending obvious malware or suspicious attachments, they now manipulate the very tools organizations rely on for productivity. 

This shift has made collaboration and email platforms an attractive attack surface. Instead of dropping malicious files, adversaries abuse features like calendar invites, direct email relay, and OAuth authentication prompts. The result is a wave of identity-driven attacks that evade traditional defenses and place organizations at significant risk. 

Top 3 Email Client Threats Explained 

Google Calendar Spoofing 

Attackers are increasingly abusing Google Calendar by sending spoofed event invitations that appear legitimate but contain malicious links. These often lead to Google Drawings or Forms that redirect victims to credential harvesting sites. Because the invite comes through a trusted platform, users are more likely to interact with it without hesitation. 

What This Looks Like 

  • Calendar invites from unknown senders 
  • Links embedded inside event descriptions 
  • Fake reCAPTCHA or “support” prompts 

How to Prevent It 

Organizations can reduce the risk by enabling “Known Senders” in Google Calendar, deploying advanced scanning tools that can inspect calendar-related traffic, and monitoring Workspace logs for anomalies. Just as importantly, educating employees to question unexpected or unusual invites helps prevent attackers from exploiting user trust. 

Microsoft 365 Direct Send Abuse 

Microsoft’s “Direct Send” feature, intended to simplify email routing, is being weaponized to bypass SPF, DKIM, and DMARC protections. Recent reporting shows 70+ organizations targeted, especially in finance, healthcare, construction, and education sectors. The result is phishing emails that appear to be sent from inside the organization, making them far more convincing than the typical external phishing attempt. 

What This Looks Like 

  • Internal-looking emails that reference voicemail or fax notifications 
  • Attachments labeled “Fax-msg” or “Play_VM-now” 
  • Outbound SMTP or PowerShell activity that seems out of place 

How to Prevent It 

Restricting or disabling Direct Send is one of the most effective steps organizations can take. Security teams should also monitor outbound SMTP activity, harden mail configurations, and enforce MFA to block attackers even if credentials are compromised. Regular awareness training ensures employees don’t automatically trust messages that appear internal. 
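A small triage routine for the indicators listed above, added here as an example rather than code from the post or from ArmorPoint. It assumes the mail gateway has already parsed the visible From: domain, the connecting IP of the last external hop and the SPF verdict into a record; the tenant domain, trusted relay range and sample messages are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical tenant values, constructed for this example.
ORG_DOMAIN = "example.com"
# Infrastructure the organization legitimately sends through (constructed range).
TRUSTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
# Attachment names called out in the post as voicemail/fax lures.
LURE_ATTACHMENTS = ("fax-msg", "play_vm-now")

@dataclass
class Message:
    message_id: str
    from_domain: str   # domain in the visible From: header
    source_ip: str     # connecting IP from the last external Received: hop
    spf: str           # verdict parsed from Authentication-Results
    attachment: str = ""

def is_trusted_source(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_SOURCES)

def direct_send_indicators(msg: Message) -> list[str]:
    """Return the indicators that make this message look like Direct Send abuse."""
    reasons = []
    if msg.from_domain.lower() == ORG_DOMAIN:
        # Mail claiming our own domain should only arrive from our own relays
        # and should pass SPF; Direct Send abuse typically fails both checks.
        if not is_trusted_source(msg.source_ip):
            reasons.append("internal sender from untrusted IP")
        if msg.spf.lower() != "pass":
            reasons.append(f"spf={msg.spf.lower()}")
    if msg.attachment.lower().startswith(LURE_ATTACHMENTS):
        reasons.append("voicemail/fax lure attachment")
    return reasons

def triage(messages: list[Message]) -> dict[str, list[str]]:
    """Map message id -> indicators for every message that has at least one."""
    flagged = {}
    for m in messages:
        reasons = direct_send_indicators(m)
        if reasons:
            flagged[m.message_id] = reasons
    return flagged

SAMPLE = [  # constructed records
    Message("m1", "example.com", "203.0.113.25", "pass"),
    Message("m2", "example.com", "198.51.100.7", "fail", "Play_VM-now.htm"),
    Message("m3", "partner.example.net", "198.51.100.9", "pass", "invoice.pdf"),
]
```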

MFA Bypass via M365 Token Theft 

Perhaps the most concerning evolution in email client threats is the rise of MFA bypass through session token theft. Attackers use AI-driven phishing combined with Adversary-in-the-Middle (AiTM) tactics to intercept session cookies, which then allow them to impersonate users without ever needing their password. 

What This Looks Like 

  • Convincing but fake Microsoft login pages 
  • OAuth consent prompts requesting unusual access levels 
  • Concurrent logins from geographically distant IPs 
  • Unexplained MFA resets or abnormal SharePoint/OneDrive activity 

How to Prevent It 

Defending against token theft requires layered security beyond MFA. Conditional access policies, continuous monitoring of login behaviors, and adaptive identity protections are critical. When possible, disable self-service OAuth consents. Security awareness also plays a key role: employees should understand that even MFA can be bypassed under the right conditions and should remain alert to unusual prompts or requests. 
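The "concurrent logins from geographically distant IPs" indicator above is usually implemented as an impossible-travel check over sign-in logs. The example below is added here and is not code from the post or from ArmorPoint; it assumes each sign-in event has already been geolocated to a latitude/longitude, and the 900 km/h ceiling and the sample events are constructed for the example.

```python
import math
from datetime import datetime

# Faster than any commercial flight; a pair of sign-ins implying more than this
# cannot both have come from the same traveller (threshold is an assumption).
MAX_KMH = 900.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh.

    events: dicts with keys user, ts (ISO 8601), ip, lat, lon.
    Returns (user, earlier_ip, later_ip, km, km_per_hour) tuples.
    """
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] == cur["ip"]:
                continue  # same source address; nothing to compare
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            secs = (datetime.fromisoformat(cur["ts"])
                    - datetime.fromisoformat(prev["ts"])).total_seconds()
            speed = km / (max(secs, 1.0) / 3600)  # floor at one second, no divide-by-zero
            if speed > max_kmh:
                alerts.append((user, prev["ip"], cur["ip"], round(km), round(speed)))
    return alerts

SAMPLE_SIGNINS = [  # constructed sign-in events with pre-resolved geolocation
    {"user": "alice", "ts": "2025-09-01T08:00:00+00:00", "ip": "203.0.113.5",
     "lat": 40.71, "lon": -74.01},   # New York
    {"user": "alice", "ts": "2025-09-01T08:25:00+00:00", "ip": "198.51.100.9",
     "lat": 52.52, "lon": 13.41},    # Berlin, 25 minutes later: session reuse, not travel
    {"user": "bob", "ts": "2025-09-01T09:00:00+00:00", "ip": "203.0.113.8",
     "lat": 40.71, "lon": -74.01},
    {"user": "bob", "ts": "2025-09-01T17:00:00+00:00", "ip": "203.0.113.8",
     "lat": 40.71, "lon": -74.01},
]
```

A stolen session cookie replayed from the attacker's infrastructure produces exactly the alice pattern: the legitimate sign-in and the replayed one land minutes apart from locations no traveller could connect.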

The Bigger Picture 

All three of these threats demonstrate the same theme: attackers are weaponizing trusted platforms and features against users. Rather than relying on malware-heavy campaigns, adversaries are focusing on credential theft, session hijacking, and platform abuse. 

This means organizations cannot rely on MFA alone. Effective defense now requires layered monitoring, advanced analytics, and continuous user education to stay ahead of identity-focused attacks. 

How ArmorPoint Helps Organizations Stay Ahead of Email Client Threats

At ArmorPoint, we see these patterns unfold across client environments daily. Our Managed SOC services provide: 

  • 24/7 monitoring of email, calendar, and collaboration tools 
  • SOC-driven investigation and response to anomalies like suspicious logins or SMTP activity 

By pairing visibility with real-time intelligence, ArmorPoint helps organizations cut through the noise and stop attackers before credentials are stolen or sessions are hijacked. 

Conclusion 

Email client threats are evolving quickly, and they are no longer limited to suspicious attachments or obvious spam. Attackers now exploit the everyday tools employees rely on: calendar invites, internal-looking emails, and even authentication tokens. The takeaway is clear: security strategies must adapt to this new reality. 

Organizations that combine layered defenses with continuous monitoring and strong user awareness will be better prepared to face these identity-focused attacks. Partnering with a trusted provider like ArmorPoint ensures that even as attackers innovate, your defenses evolve right alongside them. 

Ready to learn how ArmorPoint can help secure your email and collaboration tools and prevent you from falling victim to these common email client threats? Request a demo