Article

Phishing-resistant authentication for executives: how AI is changing the threat and what Carolinas businesses must do about it

AI-powered deepfakes, voice cloning, and spearphishing have made traditional MFA inadequate for protecting executive accounts. North and South Carolina businesses running Microsoft 365 have the tools to fix this with phishing-resistant authentication. Here is how to deploy it without disrupting your leadership team.

By Devsoft Solutions

The Microsoft 365 accounts that attackers most want to compromise are also the ones that are hardest to enforce security controls on. CEO, CFO, board members, general counsel. These are the users with the highest access, the most sensitive data in their mailboxes, and historically the most resistance to anything that adds friction to their workday.

In 2024 and 2025, that problem became measurably worse. Generative AI dropped the cost of a targeted attack against a specific executive to near zero. Voice cloning tools can produce a convincing audio message from a few minutes of public speech. Deepfake video technology that required a production budget two years ago now runs on consumer hardware. AI-generated spearphishing emails, written in the exact style and cadence of a known contact, are indistinguishable from real messages without deliberate verification.

Traditional MFA — the push notification you accept on your phone — was never designed for this threat model. It protects against password spray attacks and credential stuffing. It does not protect against a sophisticated attacker who calls your executive’s phone, impersonates your IT team using a cloned voice, and asks them to approve a push notification they are about to receive. That attack is called MFA fatigue combined with social engineering, and it is now the primary method used against executive accounts at Carolinas businesses.

The answer is phishing-resistant authentication. This is not a product. It is a category of authentication methods that are architecturally resistant to interception, even when an attacker has already compromised the communication channel. For businesses running Microsoft 365, the relevant options live inside Microsoft Entra ID.

Why executive accounts are the highest-value target for AI-powered attacks

The business email compromise ecosystem has always known that executive accounts are worth more than staff accounts. An attacker with access to the CFO’s mailbox can approve wire transfers, access board communications, intercept acquisition negotiations, and move laterally into the accounts of anyone who trusts emails from that address.

What AI has changed is the economics of the attack. A well-crafted spearphishing campaign targeting a specific executive previously required hours of open-source intelligence gathering, a writer with good English, and some technical setup. AI tools compress that to minutes. The same attacker can now run parallel campaigns against ten executive teams simultaneously, personalizing each one with context scraped from public sources, LinkedIn, press releases, and past public statements.

Carolinas businesses are not too small or too regional to be targeted by these campaigns. Charlotte is the second-largest banking center in the United States. The Research Triangle hosts a significant concentration of healthcare, biotech, and defense technology firms. Greenville, Raleigh, and Wilmington have growing mid-market sectors with executives who are publicly visible but whose organizations lack the security teams to defend against sophisticated attacks. That combination of visibility and limited security infrastructure is precisely what organized threat groups look for.

When an executive’s Microsoft 365 account is compromised, the downstream damage is not limited to the data in that mailbox. Modern Microsoft 365 tenants are deeply interconnected. An attacker in the CEO’s account can access SharePoint sites, Teams conversations, Planner tasks, and any Power BI reports shared with that account. They can also send email that every recipient assumes is authentic, which is how wire fraud and vendor payment redirection attacks proceed from a single compromised account.

What “phishing-resistant” actually means

The term matters because it is commonly misused. Phishing-resistant authentication means that the authentication method cannot be intercepted and replayed by an attacker who controls a malicious website or who intercepts the communication between the user and the authentication service.

Standard TOTP codes from an authenticator app are not phishing-resistant. If an attacker sends your executive to a lookalike login page that proxies the real Microsoft login, the attacker can capture the TOTP code in real time and use it before it expires. This is called an adversary-in-the-middle attack, and there are commodity toolkits that automate it.

Microsoft Authenticator push notifications are not phishing-resistant either, for the reasons described above: social engineering can cause a legitimate user to approve a notification they did not initiate.

Number matching and additional context in Microsoft Authenticator push notifications raise the bar significantly, and they are worth enabling. But they still fall short of true phishing-resistant authentication because the approval decision remains with a human who can be manipulated.

Phishing-resistant methods bind the authentication credential to a specific website or service and include a cryptographic proof that the origin is correct. If a phishing site captures the authentication attempt, it gets a credential that is cryptographically bound to the phishing site’s domain, not to Microsoft’s. The replay attempt against the real Microsoft login fails at the cryptographic layer before a human is ever involved.
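To make the origin binding concrete, here is an added example (not code from the article, Microsoft, or any FIDO vendor) that models the WebAuthn assertion a FIDO2 key or Windows Hello for Business produces, the relying party's checks, and the two ways an adversary-in-the-middle proxy loses: the browser records the proxy's origin, and rewriting that origin in transit breaks the signature. The RP ID, the lookalike `.example` domain, the challenge, and the HMAC stand-in for the key's signature are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed model of the WebAuthn assertion from a FIDO2 key or Windows Hello; the RP is the Microsoft login.
RP_ID = "login.microsoftonline.com"
EXPECTED_ORIGIN = "https://login.microsoftonline.com"
LOOKALIKE = "https://login-microsoftonline.example"  # constructed proxy domain for the example
# HMAC stands in for the key's asymmetric signature (ECDSA in practice) so this runs offline; the binding logic is unchanged.
CREDENTIAL_KEY = b"constructed-example-credential-secret"

def browser_assertion(origin: str, challenge: str) -> dict:
    """The browser writes 'origin' from its own address bar (a proxy page cannot
    choose it); the authenticator signs authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData = SHA-256(rpId) || flags || signCount
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify(assertion: dict, challenge: str) -> tuple:
    """Relying-party checks; the origin check fails before any human is involved."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature invalid"
    return True, "ok"

def legitimate_login(challenge: str = "c0ffee") -> tuple:
    return rp_verify(browser_assertion(EXPECTED_ORIGIN, challenge), challenge)

def aitm_proxy_login(challenge: str = "c0ffee") -> tuple:
    # The executive lands on the proxy page, so the browser records that origin.
    return rp_verify(browser_assertion(LOOKALIKE, challenge), challenge)

def tampered_assertion_login(challenge: str = "c0ffee") -> tuple:
    # The proxy rewrites the origin in transit; the signature covers the original bytes.
    a = browser_assertion(LOOKALIKE, challenge)
    a["clientDataJSON"] = a["clientDataJSON"].replace(LOOKALIKE.encode(), EXPECTED_ORIGIN.encode())
    return rp_verify(a, challenge)
```

Compare this with a TOTP code, which carries no origin at all and therefore verifies wherever it is relayed.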

The phishing-resistant options in Microsoft Entra ID

Microsoft Entra ID, which manages identity for Microsoft 365, supports three categories of phishing-resistant authentication methods.

FIDO2 security keys

FIDO2 security keys are physical hardware devices, typically USB or NFC, that store a private key tied to a specific service registration. When a user authenticates, the key performs a cryptographic operation that includes the domain of the site being accessed. An attacker cannot replay the response against a different domain.

Common options include Yubico YubiKey and the Feitian range. These are compatible with Microsoft Entra ID and are the most broadly applicable option for executives because they work across devices, including shared workstations and devices the executive does not own.

The operational consideration: a lost or forgotten security key means the executive cannot authenticate until a recovery process is completed. For this reason, FIDO2 deployments for executives should include a registered backup key and a documented recovery workflow before rollout, not as an afterthought.

Microsoft Entra ID supports FIDO2 security keys as a passwordless authentication method. Combined with a conditional access policy that requires phishing-resistant strength, this means the executive can log in by inserting the key and touching it, with no password and no push notification. The authentication is fast and the security properties are strong.

Windows Hello for Business

Windows Hello for Business uses a hardware-backed credential stored in the Trusted Platform Module (TPM) of a Windows device. The credential is device-bound: it cannot be exported or used on any other device. Authentication uses biometrics (face or fingerprint) or a local PIN, both of which unlock the TPM-backed key. The cryptographic operation is phishing-resistant for the same reason FIDO2 is: the credential is bound to the service and the domain.

Windows Hello for Business is the right default phishing-resistant method for executives who primarily work on managed Windows devices. It adds no hardware cost (no physical key to purchase or forget), and the face recognition login is faster than typing a password and accepting a push notification.

The requirement is a properly configured Entra ID-joined or hybrid-joined device with TPM 2.0. Most business-class Windows hardware from 2019 onward meets this requirement. The configuration work is in Group Policy or Intune, depending on your device management setup.

Certificate-based authentication

Certificate-based authentication issues a digital certificate to the user that is stored on a smart card or a device’s certificate store. Authentication uses the private key of that certificate, which is phishing-resistant by the same cryptographic binding principle.

This is the most mature of the three options and the one with the broadest compatibility across non-Windows platforms. It is commonly used in government and defense contractor contexts where FIDO2 may not be approved or where PIV/CAC card compatibility is required. For most Carolinas mid-market businesses, certificate-based authentication is more complex to operate than FIDO2 or Windows Hello for Business and is worth considering only if there are specific regulatory or compatibility requirements.

Conditional access: the control layer that enforces phishing-resistant auth

Having phishing-resistant methods registered for your executives does nothing unless conditional access policies require their use. This is where most organizations get the implementation wrong.

Microsoft Entra ID supports authentication strength as a condition in conditional access policies. The built-in “Phishing-resistant MFA” authentication strength requires FIDO2 security keys, Windows Hello for Business, or certificate-based authentication. When a policy requires this strength and a user tries to log in with a standard MFA push notification, they are blocked.

The correct implementation for executive protection:

  • Create a named group for executive accounts. Do not try to apply phishing-resistant requirements tenant-wide in the first deployment. Scope it to the executives who are the highest-risk targets. This gives you a controlled population to test the rollout and a clear boundary for exceptions.
  • Require phishing-resistant MFA strength for this group from all locations. Unlike some conditional access configurations that carve out trusted networks, phishing-resistant auth should be required regardless of where the executive is connecting from. An executive authenticating from a hotel Wi-Fi is not in a trusted environment even if the IP geolocation says United States.
  • Apply the policy to all cloud apps. The goal is to protect the entire Microsoft 365 tenant, not just Exchange Online. A policy scoped to specific apps leaves gaps.
  • Run the policy in report-only mode for two weeks before enforcement. This shows you which sign-in attempts would be blocked and which executives have not yet registered a phishing-resistant method. The report-only data is how you build your rollout checklist.
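As an added example (not the article's own material or Microsoft's), here is the Microsoft Graph request body that implements the points above, together with a small checker for the misconfigurations this section warns about. The group object ids are placeholders; excluding an emergency-access (break-glass) group is standard conditional access practice the article does not mention and is added here as an assumption; confirm the built-in strength id in your own tenant before use.

```python
import json

# Built-in Entra ID authentication strength "Phishing-resistant MFA". Confirm the id in
# your tenant with GET /identity/conditionalAccess/authenticationStrength/policies.
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"


def build_executive_policy(exec_group_id: str, breakglass_group_id: str, enforce: bool = False) -> dict:
    """Body for POST /identity/conditionalAccess/policies (Microsoft Graph v1.0)."""
    return {
        "displayName": "Executives - require phishing-resistant MFA",
        # Start in report-only; flip to enabled after the two-week review.
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeGroups": [exec_group_id],
                # Assumption: keep emergency-access accounts out so a lost key cannot lock out the tenant.
                "excludeGroups": [breakglass_group_id],
            },
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": []},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [],  # no plain "mfa": that would accept push/TOTP
            "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID},
        },
    }


def review_policy(policy: dict) -> list:
    """Flag departures from the implementation rules above; [] means compliant."""
    findings = []
    c = policy.get("conditions", {})
    g = policy.get("grantControls", {})
    users = c.get("users", {})
    if users.get("includeUsers") == ["All"] or not users.get("includeGroups"):
        findings.append("scope the first deployment to a named executive group, not all users")
    if c.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("cover all cloud apps, not a subset")
    if c.get("locations", {}).get("excludeLocations"):
        findings.append("require the strength from all locations; drop trusted-location exclusions")
    if g.get("authenticationStrength", {}).get("id") != PHISHING_RESISTANT_STRENGTH_ID:
        findings.append("grant control must be the phishing-resistant authentication strength")
    if "mfa" in g.get("builtInControls", []):
        findings.append("remove the 'mfa' built-in control; it accepts push and TOTP")
    return findings


if __name__ == "__main__":
    policy = build_executive_policy("<exec-group-object-id>", "<breakglass-group-object-id>")
    print(json.dumps(policy, indent=2), review_policy(policy))
```

The same checker can be run over policies exported from an existing tenant (GET /identity/conditionalAccess/policies) to find executive-scoped policies that still accept ordinary MFA.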

What AI-powered attacks look like against executives in 2026

The practical threat picture in the Carolinas in 2026 has three dominant patterns for executive targeting.

AI voice impersonation of IT staff. An attacker calls the executive on a personal number, uses a cloned voice of a known IT contact, and explains that there has been a security incident requiring the executive to approve a verification request. The push notification arrives during the call. The executive approves it. This attack bypasses standard MFA entirely.

Against phishing-resistant authentication, this attack fails because the attacker cannot initiate a FIDO2 or Windows Hello challenge remotely. There is no push notification to approve. The authentication is local and physical.

Adversary-in-the-middle credential harvesting. An AI-crafted spearphishing email sends the executive to a convincing lookalike login page. The page proxies the real Microsoft login in real time, capturing credentials and TOTP codes. The attacker uses them immediately to authenticate as the executive.

Against phishing-resistant authentication, the FIDO2 or Windows Hello credential is bound to login.microsoftonline.com. The proxy page’s domain does not match. The cryptographic check fails and the authentication never completes.

AI-generated spearphishing for initial access combined with session token theft. Some sophisticated attacks target the authenticated session cookie rather than credentials directly, using browser-level malware to steal a post-authentication token. This threat is not addressed by phishing-resistant authentication alone. It requires endpoint detection and response capabilities, which is a separate but related conversation.

The Carolinas sectors where this matters most

Charlotte financial services. The concentration of banking, insurance, and fintech operations in Charlotte means executive accounts at these firms are high-value targets for wire fraud and business email compromise. Regulatory pressure from OCC and state banking regulators is also increasing around identity assurance requirements. Phishing-resistant authentication aligned to NIST AAL3 provides a defensible position in regulatory conversations.

Healthcare across NC and SC. Healthcare organizations in Raleigh, Charlotte, Wilmington, and the Eastern NC corridor have executive accounts with access to protected health information. HIPAA security rule requirements for access controls are increasingly interpreted by OCR to require strong authentication for high-privilege accounts. A compromised CISO or CMO account that results in a breach is a significantly different HIPAA enforcement conversation than a compromised staff account.

Defense contractors in Eastern NC. Companies with CMMC requirements, especially Level 2 and Level 3, need to demonstrate phishing-resistant MFA for accounts with access to Controlled Unclassified Information. FIDO2 and Windows Hello for Business using Microsoft 365 GCC or GCC High satisfy this requirement for most CMMC practice areas.

Professional services and law firms in the Research Triangle. Attorneys and accountants hold client funds, privileged communications, and the kind of trust relationships that make business email compromise attacks effective. The North Carolina State Bar and the NC Department of Insurance have not yet mandated phishing-resistant authentication, but the liability exposure for a firm that suffers a breach of client funds and cannot demonstrate reasonable security controls is substantial.

Deployment checklist for a mid-market rollout

A Carolinas mid-market business deploying phishing-resistant authentication for its executive team over four weeks:

Week 1: Inventory and method selection

  • Identify the ten to fifteen accounts requiring phishing-resistant protection (C-suite, board members, any account with financial approval authority).
  • Evaluate device posture: which executives primarily use Entra ID-joined Windows devices (Windows Hello) and which use non-Windows or shared devices (FIDO2 keys).
  • Order FIDO2 security keys for executives who will use them. Order two per person: one primary, one backup stored securely.
  • Verify TPM 2.0 is enabled on Windows devices for executives using Windows Hello.

Week 2: Method registration and testing

  • Register FIDO2 keys for each executive in Microsoft Entra ID, using a temporary access pass for initial registration if the executive does not have a current authentication method.
  • Configure Windows Hello for Business in Intune or Group Policy for the executive device group.
  • Register backup FIDO2 keys and document recovery procedures.
  • Test authentication with each method against a staging conditional access policy scoped to a test group.

Week 3: Policy in report-only mode

  • Create the conditional access policy targeting the executive group, requiring phishing-resistant MFA strength, covering all cloud apps, from all locations.
  • Set the policy to report-only.
  • Review the sign-in logs daily for two weeks. Identify any authentication patterns that would be blocked and resolve them before enforcement.

Week 4: Enforcement and documentation

  • Switch the conditional access policy from report-only to enabled.
  • Monitor sign-in logs daily for the first week of enforcement.
  • Document the change for your security posture records (relevant for cyber insurance renewals and any HIPAA, CMMC, or SOC 2 assessments).

The rollout is not technically complex. The time investment is in the communication with executives, the physical key distribution, and the few edge cases like executives who primarily use iPhones or who travel frequently and forget hardware. Those edge cases are solvable and worth solving.

The insurance and regulatory angle

Cyber insurance carriers are increasingly asking about authentication methods in their questionnaires. The question is no longer just “do you use MFA” but “what MFA methods are deployed and for which accounts.” Some carriers are beginning to differentiate premiums based on whether phishing-resistant methods are in use for privileged accounts. That shift will accelerate as claims data continues to show that push-notification MFA is the authentication method present in a disproportionate share of business email compromise losses.

If your Carolinas business renews cyber insurance in the next 12 months, having phishing-resistant authentication deployed for your executive accounts is a materially better position than standard MFA alone, both for the questionnaire and for the coverage conversation if you ever need to make a claim.

What this takes

The friction is real. Executives will need to carry a hardware key or use biometrics. There will be edge cases the first week. Some executives will push back.

The argument for proceeding anyway is also real. The alternative is leaving the accounts with the highest access and the most sensitive data protected by an authentication method that AI-powered social engineering can defeat with a phone call. The cost of a compromised executive account in 2026, measured in wire fraud, legal fees, regulatory exposure, and reputational damage, is not a theoretical number. Carolinas businesses have absorbed it.

The technology to prevent it is already included in Microsoft 365 Business Premium and E3. The hardware cost for FIDO2 keys is around $50 per key. The configuration work is measured in weeks, not months.

Devsoft Solutions helps businesses across North and South Carolina deploy phishing-resistant authentication for their Microsoft 365 environments. If your executive accounts are not yet protected with FIDO2 or Windows Hello for Business, get in touch and we can walk through the gap between your current setup and where it needs to be.