A UK-based organisation faced a fast-moving Adversary-in-the-Middle (AiTM) phishing attack that resulted in an account compromise and unauthorised access to sensitive cloud files. Despite the customer lacking advanced identity protection licensing, which limited early warning capabilities, the Chorus Cyber Security Operations Centre (CSOC) identified the breach quickly through custom analytics and threat intelligence detections. Swift intervention prevented deeper escalation and safeguarded the wider environment.
Incident Story: Rapid Detection and Containment of an AiTM Attack
The phishing hook
The incident began when an employee received an email appearing to share a routine business document. The user clicked the link, unaware that it redirected to a phishing page designed to harvest credentials and session authentication tokens.
Because the organisation did not have Entra ID P2 licensing, Microsoft’s identity-based risk alerts were not available. Instead, early detection relied completely on the Chorus CSOC’s custom Microsoft Sentinel rules, especially rules monitoring unusual user agents enriched with proprietary threat intelligence.
Within minutes, these analytics detected a suspicious sign-in request originating from a US-based IP address and using the “Axios” user agent – a known indicator used in several modern AiTM proxy frameworks. This was the first sign that something was wrong.
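To make the detection logic described above concrete, here is an added example, written for this page and not Chorus Cyber's own Sentinel rule, that re-creates the same checks in Python over a few constructed sign-in records shaped like Entra ID SigninLogs rows. It flags a successful sign-in when the user agent matches a watchlist (assumed here to contain just "axios"), when the source country falls outside the user's observed baseline, or when it follows a sign-in from a different country within an assumed one-hour window. The sample rows, the watchlist and the window are all assumptions for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample sign-in records. Column names follow Entra ID SigninLogs
# (TimeGenerated, UserPrincipalName, IPAddress, Location, UserAgent, ResultType);
# every value below is made up for this example. ResultType "0" is a successful sign-in.
SIGNIN_LOGS = [
    {"TimeGenerated": "2024-01-10T09:00:00Z", "UserPrincipalName": "alice@example.test",
     "IPAddress": "203.0.113.10", "Location": "GB",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "ResultType": "0"},
    {"TimeGenerated": "2024-01-10T09:31:00Z", "UserPrincipalName": "alice@example.test",
     "IPAddress": "198.51.100.7", "Location": "US",
     "UserAgent": "axios/1.6.2", "ResultType": "0"},
    {"TimeGenerated": "2024-01-10T09:40:00Z", "UserPrincipalName": "bob@example.test",
     "IPAddress": "203.0.113.22", "Location": "GB",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/120.0", "ResultType": "50126"},
]

# Assumed user-agent watchlist; in a production rule this comes from enriched threat intelligence.
SUSPICIOUS_UA_TOKENS = ("axios",)
# Assumed window: two successful sign-ins from different countries this close together
# are unlikely to be the same person travelling.
TRAVEL_WINDOW = timedelta(hours=1)


@dataclass
class Finding:
    user: str
    time: str
    ip: str
    reasons: list[str] = field(default_factory=list)


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_suspicious_ua(user_agent: str) -> bool:
    ua = user_agent.lower()
    return any(token in ua for token in SUSPICIOUS_UA_TOKENS)


def build_baseline(logs: list[dict]) -> dict[str, set[str]]:
    """Countries each user has successfully signed in from with an ordinary user agent.
    Sign-ins with a watchlisted user agent are excluded so an attacker's own sign-in
    cannot teach the rule that their location is normal."""
    baseline: dict[str, set[str]] = {}
    for event in logs:
        if event["ResultType"] != "0" or is_suspicious_ua(event["UserAgent"]):
            continue
        baseline.setdefault(event["UserPrincipalName"], set()).add(event["Location"])
    return baseline


def detect(logs: list[dict]) -> list[Finding]:
    """Return one Finding per successful sign-in that trips at least one check."""
    baseline = build_baseline(logs)
    last_success: dict[str, tuple[datetime, str]] = {}
    findings: list[Finding] = []
    for event in sorted(logs, key=lambda e: _ts(e["TimeGenerated"])):
        if event["ResultType"] != "0":
            continue  # failed attempts are noise for token-replay detection
        user, country = event["UserPrincipalName"], event["Location"]
        when = _ts(event["TimeGenerated"])
        finding = Finding(user=user, time=event["TimeGenerated"], ip=event["IPAddress"])

        if is_suspicious_ua(event["UserAgent"]):
            finding.reasons.append(f"user agent on watchlist: {event['UserAgent']}")
        known = baseline.get(user, set())
        if country not in known:
            finding.reasons.append(f"country {country} outside baseline {sorted(known)}")
        previous = last_success.get(user)
        if previous and previous[1] != country and when - previous[0] <= TRAVEL_WINDOW:
            minutes = int((when - previous[0]).total_seconds() // 60)
            finding.reasons.append(
                f"sign-in from {country} {minutes} min after sign-in from {previous[1]}")
        last_success[user] = (when, country)

        if finding.reasons:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SIGNIN_LOGS):
        print(f"{f.time} {f.user} {f.ip}")
        for reason in f.reasons:
            print(f"  - {reason}")
```

Running the block prints a single finding for the constructed Axios sign-in, with all three reasons attached. The baseline is built from the same log window but deliberately ignores watchlisted user agents, which is what stops the attacker's first login from silently becoming "normal" for that user.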
A Rapid Attack Chain
Once the user entered credentials into the phishing page, the attacker wasted no time. Using the stolen session token, they authenticated into the environment within a minute of the user’s interaction.
Only six minutes after their first successful login, the attacker accessed the user’s SharePoint files. Here, they located a browser password export file containing multiple plaintext credentials: one of the most unusual and high-risk aspects of this case. Unlike many AiTM incidents that focus on email manipulation or business email compromise, the attacker in this instance immediately pivoted to stored credentials, potentially enabling future breaches beyond the initial account.
Simultaneously, they attempted to hide their presence by creating and modifying mailbox rules that moved emails containing terms like “phishing” or “hack” to an obscure folder. They also initiated a Microsoft Teams session, suggesting an attempt to explore internal communications, although no message access was confirmed.
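The mailbox-rule tampering described above leaves a clear audit trail. The following is an added example, not code from the original post, that scores New-InboxRule and Set-InboxRule events in the shape Sentinel's OfficeActivity table presents them (Parameters as a JSON string of Name/Value pairs). It flags rules whose conditions match warning terms such as “phishing” or “hack”, that move mail to rarely viewed default folders, that mark mail read or delete it, or that carry a blank name. The sample events, word list and folder list are constructed assumptions.

```python
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Constructed Exchange audit events in OfficeActivity form. Parameter names are those of
# the New-InboxRule cmdlet; all values are made up for this example.
AUDIT_EVENTS = [
    {"TimeGenerated": "2024-01-10T09:38:00Z", "UserId": "alice@example.test",
     "Operation": "New-InboxRule", "ClientIP": "198.51.100.7",
     "Parameters": json.dumps([
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "phishing;hack;hacked;password reset"},
         {"Name": "MoveToFolder", "Value": "RSS Feeds"},
         {"Name": "MarkAsRead", "Value": "True"},
         {"Name": "StopProcessingRules", "Value": "True"},
     ])},
    {"TimeGenerated": "2024-01-10T11:02:00Z", "UserId": "bob@example.test",
     "Operation": "New-InboxRule", "ClientIP": "203.0.113.22",
     "Parameters": json.dumps([
         {"Name": "Name", "Value": "Vendor newsletters"},
         {"Name": "From", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": "Newsletters"},
     ])},
    {"TimeGenerated": "2024-01-10T11:30:00Z", "UserId": "bob@example.test",
     "Operation": "MailItemsAccessed", "ClientIP": "203.0.113.22", "Parameters": "[]"},
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Assumed word list: terms colleagues or the SOC would use when warning a compromised user.
SUSPECT_WORDS = ("phish", "hack", "password", "security", "suspicious", "fraud")
# Assumed folder list: default folders people rarely open, so moved mail goes unnoticed.
OBSCURE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "archive"}
# Tuples rather than sets so reasons come out in a stable order.
CONDITION_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
HIDING_ACTIONS = ("DeleteMessage", "MarkAsRead", "StopProcessingRules")


@dataclass
class RuleFinding:
    user: str
    time: str
    operation: str
    reasons: list[str] = field(default_factory=list)


def parse_parameters(raw: str) -> dict[str, str]:
    """Flatten the OfficeActivity Parameters JSON into a name -> value mapping."""
    return {p["Name"]: p["Value"] for p in json.loads(raw)}


def score_rule(params: dict[str, str]) -> list[str]:
    """Return the list of reasons a rule looks like concealment; empty means benign."""
    reasons: list[str] = []
    for name in CONDITION_PARAMS:
        if name not in params:
            continue
        hits = [w.strip() for w in params[name].split(";")
                if any(s in w.lower() for s in SUSPECT_WORDS)]
        if hits:
            reasons.append(f"{name} matches warning terms: {hits}")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in OBSCURE_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{folder}'")
    for action in HIDING_ACTIONS:
        if params.get(action, "").lower() == "true":
            reasons.append(f"{action} set")
    if not params.get("Name", "x").strip(". "):
        reasons.append("rule has a blank or punctuation-only name")
    return reasons


def detect_rules(events: list[dict]) -> list[RuleFinding]:
    """Score every inbox-rule creation or modification in the event list."""
    findings: list[RuleFinding] = []
    for event in events:
        if event["Operation"] not in RULE_OPERATIONS:
            continue
        reasons = score_rule(parse_parameters(event["Parameters"]))
        if reasons:
            findings.append(RuleFinding(event["UserId"], event["TimeGenerated"],
                                        event["Operation"], reasons))
    return findings


if __name__ == "__main__":
    for f in detect_rules(AUDIT_EVENTS):
        print(f"{f.time} {f.user} {f.operation}")
        for reason in f.reasons:
            print(f"  - {reason}")
```

Only the constructed rule for the compromised user is reported; the legitimate newsletter rule scores nothing. Correlating the rule's ClientIP with the suspicious sign-in source from the earlier analytic is the natural next step in a real investigation, since both events here share the same constructed address.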
The CSOC Response
When analytics flagged the suspicious sign-in pattern, the Chorus CSOC acted decisively:
- All active sessions were revoked to invalidate the stolen token
- The compromised account was disabled, blocking the attacker from re-entry
- A password reset was enforced, ensuring no reused or stolen credentials could be exploited
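The three containment steps above map directly onto Microsoft Graph calls against the user object. The following is an added example written for this page (the post does not say how the CSOC performed the steps, so this tooling is an assumption): it expresses the steps as an ordered request plan and runs them in dry-run mode by default. It assumes a bearer token with permission to update users and revoke sessions, and generates a throw-away temporary password only to show the password-profile payload.

```python
from __future__ import annotations

import json
import secrets
import urllib.request
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"


def containment_plan(user_id: str) -> list[dict]:
    """The containment steps in the order they should run, as Graph requests.
    user_id is the object id or UPN of the compromised account (assumed caller input)."""
    user_url = f"{GRAPH}/users/{quote(user_id, safe='')}"
    return [
        # 1. Invalidate refresh tokens and browser session cookies. Access tokens that were
        #    already issued stay valid until they expire, so this step alone is not enough.
        {"step": "revoke-sessions", "method": "POST",
         "url": f"{user_url}/revokeSignInSessions", "body": None},
        # 2. Block the account so neither the attacker nor a replayed token can sign in again.
        {"step": "disable-account", "method": "PATCH",
         "url": user_url, "body": {"accountEnabled": False}},
        # 3. Replace the harvested password and force a change at next sign-in.
        #    The generated value is illustrative; in practice it is delivered out of band.
        {"step": "reset-password", "method": "PATCH", "url": user_url,
         "body": {"passwordProfile": {"password": secrets.token_urlsafe(24),
                                      "forceChangePasswordNextSignIn": True}}},
    ]


def run_plan(plan: list[dict], access_token: str, dry_run: bool = True) -> list[tuple[str, int]]:
    """Execute the plan in order. In dry_run mode nothing is sent and each step reports 0;
    otherwise the HTTP status of each call is returned (Graph answers 204 on success)."""
    results: list[tuple[str, int]] = []
    for step in plan:
        if dry_run:
            results.append((step["step"], 0))
            continue
        data = json.dumps(step["body"]).encode() if step["body"] is not None else None
        req = urllib.request.Request(
            step["url"], data=data, method=step["method"],
            headers={"Authorization": f"Bearer {access_token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            results.append((step["step"], resp.status))
    return results


if __name__ == "__main__":
    for step, status in run_plan(containment_plan("alice@example.test"), "<token>"):
        print(f"{step}: dry run, status {status}")
```

The order matters: revoking sessions first cuts the attacker's refresh token, disabling the account closes the door on any token still within its lifetime, and the password reset removes the credential harvested on the phishing page so it cannot be reused once the account is re-enabled.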
A complete post-incident review confirmed no new MFA methods had been added, and no external data sharing had occurred. The accessed password file remained the highest risk element, underscoring the importance of secure password management practices. To minimise the risk from this attack, Chorus Cyber advised the customer to rotate all passwords in the exfiltrated password file as soon as possible.
Incident Timeline
Outcome and lessons learned
The organisation experienced no lateral movement, no data exfiltration beyond the accessed credentials file, and no sustained compromise. Thanks to rapid CSOC intervention supported by custom threat intelligence analytics, the incident was contained in under an hour. If the customer had not had a SOC service in place to identify and block the threat, the damage and impact of the breach would have been much more severe. Most likely, the attacker would have used the stolen passwords to breach further systems – potentially leading to data disclosure, loss of customer trust, damaged company reputation, regulatory and compliance issues and the need for further incident response (IR) investigation.
Luckily, with a SOC in place, the customer faced minimal data loss and disruption – with only the affected user losing account access for a very short period.
Following the incident, a full incident report was created for the customer with key recommendations to further strengthen their posture and mitigate future risk. These recommendations included:
- Upgrading to Entra ID P2 for real-time identity risk detection
- Implementing phish-resistant authentication, such as passkeys
- Requiring compliant or registered devices for all access
- Strengthening conditional access policies, including blocking suspicious users
- Eliminating plaintext password storage across the organisation and implementing a secure password manager
This incident showcases how determined attackers exploit even the smallest security gaps. However, expert security monitoring combined with a rapid and coordinated response can greatly reduce the impact of an incident and lower overall cyber risk.
Looking for rapid threat response?
Chorus Cyber enables MSPs globally to quickly and easily deliver high-performing MDR and MXDR services built on Microsoft Security, giving their SMB customers enterprise-grade managed security services. You can find out more about partnering with us on our partners page, or contact us to find out more.