Every item below addresses a specific, real attack pattern that is active globally in 2026. These are not theoretical. You will find linked examples of each in the incidents covered elsewhere on this hub.
Change your work password — make it unique
Your work account password must be different from every other password you use. Attackers test leaked passwords from personal website breaches against Microsoft 365 automatically — thousands of attempts per hour. If you have ever used the same password elsewhere, assume it is already being tested against your account.
- Use at least 16 characters — longer is stronger
- Combine uppercase, lowercase, numbers, and symbols
- Do not use your name, company name, or anything personal
- Use your password manager to generate and store it — do not try to remember it
Source: CISA — Use strong passwords • NCSC — Password guidance
Never approve an MFA request you did not start
An MFA approval notification only appears when someone is actively trying to log in as you. If you did not just open a login page, someone else triggered it. Approving it gives them full access to your account — instantly, even if they do not know your password directly.
- If you receive an unexpected MFA prompt: press Deny or "No, it's not me"
- Report it to the security team immediately — even if it was just one prompt
- If you receive repeated prompts, do not approve to make them stop — that is called MFA fatigue and is a deliberate attack technique
- Change your password afterwards
Source: Microsoft — MFA number matching • Verizon DBIR 2025 — MFA fatigue attacks up 217% YoY
deny it and report it.
An MFA request is not a notification. It is someone asking for your approval to enter your account.
Use a different password for every single account
When a website is breached — a shopping site, a forum, a social media platform — attackers take the leaked passwords and test them against Microsoft 365, banking sites, and VPNs automatically. This is called credential stuffing, and there are an estimated 26 billion attempts per month globally.
- Your work password must not appear on any personal website, ever
- Use your password manager (RoboForm is already available at FBM) to generate a unique password for every account
- Check if your personal email has been breached: haveibeenpwned.com — it is free and takes 10 seconds
Source: Fortinet 2025 — 26B credential stuffing attempts/month • Verizon DBIR 2025 — stolen credentials in 22% of all breaches
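Both attack patterns described above, MFA fatigue (a burst of unanswered or denied push prompts for one user, followed by an approval) and credential stuffing (one source address failing passwords across many different accounts in seconds), leave a clear shape in sign-in logs. The following is an added example, not from this page or from FBM, of the two detections run over a small constructed set of sign-in events. The JSON field names are an assumption for the example and are not the real Microsoft Entra sign-in log schema; the users, addresses and times are made up.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, one JSON object per line. Field names are an
# assumption for this example, not the real Entra sign-in log schema.
SAMPLE_LOG = """\
{"time": "2026-04-02T08:00:05Z", "user": "alice@example.test", "ip": "203.0.113.7", "result": "mfa_denied"}
{"time": "2026-04-02T08:00:40Z", "user": "alice@example.test", "ip": "203.0.113.7", "result": "mfa_timeout"}
{"time": "2026-04-02T08:01:10Z", "user": "alice@example.test", "ip": "203.0.113.7", "result": "mfa_denied"}
{"time": "2026-04-02T08:02:00Z", "user": "alice@example.test", "ip": "203.0.113.7", "result": "mfa_denied"}
{"time": "2026-04-02T08:03:30Z", "user": "alice@example.test", "ip": "203.0.113.7", "result": "mfa_approved"}
{"time": "2026-04-02T09:15:00Z", "user": "bob@example.test", "ip": "198.51.100.9", "result": "password_failed"}
{"time": "2026-04-02T09:15:01Z", "user": "carol@example.test", "ip": "198.51.100.9", "result": "password_failed"}
{"time": "2026-04-02T09:15:02Z", "user": "dave@example.test", "ip": "198.51.100.9", "result": "password_failed"}
{"time": "2026-04-02T09:15:03Z", "user": "erin@example.test", "ip": "198.51.100.9", "result": "password_failed"}
{"time": "2026-04-02T09:15:04Z", "user": "frank@example.test", "ip": "198.51.100.9", "result": "success"}
{"time": "2026-04-02T10:00:00Z", "user": "bob@example.test", "ip": "192.0.2.44", "result": "password_failed"}
{"time": "2026-04-02T10:00:20Z", "user": "bob@example.test", "ip": "192.0.2.44", "result": "success"}
"""

# Results that mean a push prompt was shown to the user but not approved.
MFA_PROMPT_RESULTS = {"mfa_denied", "mfa_timeout"}


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into event dicts with a datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)) -> dict:
    """Flag users with >= threshold denied/unanswered MFA prompts inside one window.

    Also records whether an approval landed inside that same window, which is the
    outcome the attacker is pushing for and the case to escalate first.
    """
    prompts, approvals = defaultdict(list), defaultdict(list)
    for e in events:
        if e["result"] in MFA_PROMPT_RESULTS:
            prompts[e["user"]].append(e["time"])
        elif e["result"] == "mfa_approved":
            approvals[e["user"]].append(e["time"])
    findings = {}
    for user, times in prompts.items():
        for i, start in enumerate(times):          # sliding window anchored on each prompt
            end = start + window
            count = sum(1 for t in times[i:] if t <= end)
            if count >= threshold:
                approved = any(start <= a <= end for a in approvals[user])
                findings[user] = {"prompts": count, "approved_after": approved}
                break
    return findings


def detect_credential_stuffing(events, min_users=4, window=timedelta(minutes=5)) -> dict:
    """Flag source IPs that failed passwords for >= min_users distinct accounts in one window."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "password_failed":
            failures[e["ip"]].append((e["time"], e["user"]))
    findings = {}
    for ip, items in failures.items():
        for i, (start, _) in enumerate(items):
            end = start + window
            users = {u for t, u in items[i:] if t <= end}
            if len(users) >= min_users:
                findings[ip] = sorted(users)
                break
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("MFA fatigue:", detect_mfa_fatigue(evs))
    print("Credential stuffing:", detect_credential_stuffing(evs))
```

On the sample, the MFA rule flags alice (four prompts in two minutes, then an approval), and the stuffing rule flags 198.51.100.9 for four distinct accounts in four seconds; bob's single failure from 192.0.2.44 followed by a success is a normal typo and is not flagged. The success for frank from the stuffing address is deliberately left for the analyst: a password-spray rule fires on the failures, and the follow-up is to treat every success from that address in the window as a compromised credential.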
Remove unfamiliar browser extensions
Browser extensions have access to everything you type and every page you visit — including login forms, passwords, and banking pages. Several major 2026 breaches began with a malicious browser extension. The Context AI Chrome extension involved in the Vercel breach embedded OAuth grants that read users' Google Drive files.
- In Chrome: Menu → Extensions → Manage Extensions — review every one
- In Edge: Menu → Extensions → Manage Extensions
- Remove anything you did not consciously install, do not recognise, or no longer use
- Do not install extensions from unofficial sources or at the request of pop-ups
Source: Context AI Chrome extension — Vercel breach, The Hacker News 2026
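The manual review in the extensions page works for one person; for a fleet, the same review can be scripted from the browser's own profile data. The following is an added example (not part of this page, and not FBM's or Google's code) that inventories extensions from a Chrome-style preferences structure and flags the ones worth a second look: enabled, and either not installed from the official store or holding permissions that reach into every page. The JSON layout (`extensions.settings.<id>.manifest`, `from_webstore`, `state`), the file's location, the risky-permission list and the sample extensions are all assumptions for the example; the IDs and names are made up.

```python
import json
from pathlib import Path

# Permissions that let an extension read or alter what the user does on every site.
# This list is an assumption for the example; tune it to your own policy.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "webRequest", "webRequestBlocking", "cookies", "clipboardRead",
    "nativeMessaging", "debugger", "tabs",
}

# Constructed sample mirroring the layout of Chrome's preferences file
# ("Secure Preferences" on Windows). The layout is an assumption for this example and
# varies by browser version; the IDs, names and path below are made up.
SAMPLE_PREFS = {
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": True, "state": 1,
            "manifest": {"name": "Company Password Manager", "version": "9.1",
                         "permissions": ["tabs", "storage"],
                         "host_permissions": ["<all_urls>"]}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": False, "state": 1,
            "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\ext",
            "manifest": {"name": "Free Coupon Finder", "version": "0.3",
                         "permissions": ["cookies", "webRequest", "storage", "<all_urls>"]}},
        "cccccccccccccccccccccccccccccccc": {
            "from_webstore": True, "state": 0,
            "manifest": {"name": "Dark Theme", "version": "2.0", "permissions": ["storage"]}},
    }}
}


def load_prefs(path: Path) -> dict:
    """Read a preferences JSON file from disk (use SAMPLE_PREFS to run offline)."""
    return json.loads(Path(path).read_text(encoding="utf-8"))


def inventory_extensions(prefs: dict) -> list[dict]:
    """Return one record per installed extension with its risk indicators."""
    records = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        records.append({
            "id": ext_id,
            "name": manifest.get("name", "<unknown>"),
            "version": manifest.get("version", "?"),
            "enabled": entry.get("state") == 1,      # state 1 = enabled in this layout
            "from_webstore": bool(entry.get("from_webstore", False)),
            "sideloaded_path": entry.get("path"),    # present for unpacked/sideloaded installs
            "risky_permissions": sorted(perms & HIGH_RISK_PERMISSIONS),
        })
    return records


def flag_for_review(records: list[dict], allowlist=frozenset()) -> list[dict]:
    """Extensions to remove or justify: enabled, not on the allowlist, and either not
    from the official store or holding high-risk permissions."""
    return [
        r for r in records
        if r["enabled"] and r["id"] not in allowlist
        and (not r["from_webstore"] or r["risky_permissions"])
    ]


if __name__ == "__main__":
    for r in flag_for_review(inventory_extensions(SAMPLE_PREFS)):
        origin = "webstore" if r["from_webstore"] else f"sideloaded from {r['sideloaded_path']}"
        print(f"{r['name']} {r['version']} ({r['id']}): {origin}; risky={r['risky_permissions']}")
```

With no allowlist the report lists the company password manager as well as the sideloaded coupon extension, which is the correct starting point: the page's instruction is to review every extension, and the way to silence a known-good one is to add its ID to the allowlist after someone has justified its permissions, not to drop the permission check. Run the script with the browser closed, since the preferences file is rewritten while it is open.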
If you ever used a personal device for work — scan it
Infostealer malware on a personal laptop can extract work credentials and session tokens even if your work computer is fully protected. The malware does not care which network you are on. If you have ever logged into Microsoft 365, Teams, Outlook, or any work system from a personal device, that device is part of your security perimeter.
- Run a full antivirus scan on any personal device used for work access
- Windows: use Windows Defender (built in) — run a full scan, not a quick scan
- Do not store work passwords in personal browsers
- Avoid downloading software from unofficial or cracked sources on any device
- If you suspect a device is infected, do not use it for work access — contact IT
Source: SpyCloud 2026 — 276 million credentials with active session cookies exposed in 2025 • IBM Cost of a Breach 2025
Know exactly who to contact — and contact them fast
The difference between a contained incident and a full breach is often measured in minutes. When something looks wrong, most people wait — hoping it will resolve itself, or worrying they will look foolish for reporting a false alarm. There are no false alarms. Contact security immediately, every time.
- Save [email protected] in your contacts now — before you need it
- Report: unexpected MFA prompts, emails you did not send, login alerts from unfamiliar locations, inability to access your account, anything that simply feels wrong
- Do not wait until the next working day — contact IT out of hours if needed
- You will never be criticised for reporting something that turns out to be nothing
- Step 1 — Credential stuffing attacks using your reused password
- Step 2 — MFA fatigue attacks (Storm-2372 style, April 2026)
- Step 3 — Cross-site password reuse exploitation
- Step 4 — Malicious browser extension credential harvesting (Vercel/Context AI style)
- Step 5 — Infostealer malware on personal devices (Lumma Stealer, RedLine, Raccoon)
- Step 6 — Delayed detection allowing attacker dwell time (average: 246 days without reporting)
Questions? [email protected] • fbmgaming.com