Key facts
- Organisation: Philippine construction firm
- Threat: Adversary-in-the-middle (AiTM) account takeover, used to launch an outbound phishing campaign
- Initial access: A phishing email from a compromised partner contact led to a fake Microsoft sign-in page that captured a live, post-MFA session token
- Impact: Three accounts compromised; roughly three-week dwell; nearly 400 phishing emails to around 400 partners across nearly 100 organisations, sent from the firm's own infrastructure
- Core issue: Standard MFA cannot protect a session that has already been stolen; sign-in was never restricted to known devices or locations
What this case shows
- MFA approves the login, but it cannot protect a session that has already been stolen and replayed.
- A trusted-partner email is the most effective lure, because it arrives inside an existing relationship.
- A compromised mailbox is not only a data-exposure problem; it becomes a trusted platform for attacking everyone the victim does business with.
If you suspect a mailbox has been compromised, a Compromise Assessment surfaces attacker activity others miss, and Emergency Incident Response contains it fast.
What this would have cost with Blackpanda IR-1 in place
| | ODIR | IR-1 |
|---|---|---|
| Type of engagement | On-demand incident response | Yearly subscription |
| Hours covered | 35 hours | Unlimited* |
| Pricing¹ | USD $17,500 | USD $1,750 |

* Unlimited for one incident per year
¹ Ad-hoc incident response pricing based on average market rates, from USD 500 per hour. Blackpanda IR-1 subscription pricing based on number of endpoints, costing approximately 10x less than ad-hoc and retainer-based incident response. All figures are illustrative only, for guidance and marketing purposes, and not to be relied upon by the reader. Actual incident response costs vary by scope, complexity, and provider.
CHALLENGE
A construction firm in the Philippines ran its business the way most modern firms do, with email and document-sharing sitting at the centre of every project, tender, and vendor relationship.
In March 2026, one of its project staff received what looked like an ordinary file-sharing notification from a contact at an industry association she dealt with often, except the message was anything but ordinary. The contact's own account had already been taken over, and the link inside led to a counterfeit sign-in page built to steal credentials in real time — an adversary-in-the-middle (AiTM) attack, in which a proxy page sits between the user and the real service, relaying every keystroke and prompt to the genuine sign-in as it happens.
She entered her password and approved the multi-factor prompt, exactly as she would on any normal day. Within seconds, the fake page relayed everything to Microsoft and captured the session cookie that Microsoft issued once the multi-factor check had passed. The attacker now held a valid, already-authenticated pass into her mailbox, and they began using it from cloud infrastructure on the other side of the world.
What the firm did not know was how long that pass would stay useful, or how much it would lay bare. For about three weeks the intruder read through the mailbox by hand, folder by folder, sitting quietly inside correspondence that spanned live projects, vendor invoices, and regulatory submissions.
The firm only realised something was wrong when hundreds of outbound messages began leaving a single staff account in one morning. By then, the mailbox had already been turned into a weapon.
SOLUTION
1. Reconstruct the intrusion from the evidence that remained
The original phishing email had been deleted before anyone called for help, so the obvious starting point was gone. Working from browser history on the employee's laptop and the cloud sign-in records, Blackpanda rebuilt the entire path, from the first click, through the redirect chain, to the moment the attacker logged in with the stolen session token. The paired sign-in events left in the logs were the forensic signature that confirmed how the second factor had been sidestepped: one sign-in in which the prompt was actually answered, followed shortly by a sign-in from the attacker's address that reused the same session and needed no prompt at all.
2. Map the full scope of the dwell
The team charted every sign-in address, every folder opened, and every file touched across the three weeks. Around 400 external business partners across nearly 100 organisations had their contact details exposed, alongside vendor invoices and project documentation. Establishing that scope told the firm precisely who needed to be warned.
3. Trace the outbound campaign and the cover-up
Blackpanda documented the hidden inbox rule that quietly diverted the campaign's replies, the two lure pages planted on the firm's own project sites, and the personalised links that pushed nearly 400 phishing emails out in nine minutes. The investigation also recovered the purge that erased the sent copies barely three minutes later.
4. Contain, then close the door for good
The immediate actions were to revoke active sessions and refresh tokens and reset credentials on all three compromised accounts, remove the malicious rule and lure pages, and revoke every share link. The lasting fix is structural: phishing-resistant authentication, session tokens bound to a managed device, and conditional-access rules restricting sign-in to known company devices and locations.
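Two of the indicators this investigation relied on, as an added example that is not Blackpanda's tooling and not the firm's own logs: pairing the MFA prompt that established a session with later token-only use of that session from an unexpected country (step 1), and flagging inbox rules that bury incoming mail (step 3). Every record below is constructed, and the field layouts are assumptions loosely modelled on Microsoft Entra ID sign-in logs and the Exchange Online unified audit log; check the names against your own exports before reusing the logic.

```python
"""Added example, not Blackpanda's tooling: two indicators from the
investigation above, run over constructed sample records. Record layouts are
assumptions loosely modelled on Entra ID sign-in logs and the Exchange Online
unified audit log; verify field names against your own exports."""
from datetime import datetime

HOME_COUNTRIES = {"PH"}   # where this firm's staff normally sign in (assumed)

# Constructed sign-in records. "mfa" mirrors the MFA-result detail: "succeeded"
# means a prompt was actually answered; "claim in token" means the request rode
# on a session that had already been issued.
SIGNINS = [
    {"user": "staff@example.com", "time": "2026-03-02T01:12:40Z", "ip": "198.51.100.9",
     "country": "DE", "mfa": "succeeded",      "session": "s-7f21"},   # login relayed by the AiTM proxy
    {"user": "staff@example.com", "time": "2026-03-02T01:13:05Z", "ip": "192.0.2.44",
     "country": "DE", "mfa": "claim in token", "session": "s-7f21"},   # token replayed 25 s later
    {"user": "staff@example.com", "time": "2026-03-02T02:30:00Z", "ip": "203.0.113.25",
     "country": "PH", "mfa": "succeeded",      "session": "s-a901"},   # the user's own office login
    {"user": "staff@example.com", "time": "2026-03-02T02:45:00Z", "ip": "203.0.113.25",
     "country": "PH", "mfa": "claim in token", "session": "s-a901"},   # normal silent refresh
    {"user": "staff@example.com", "time": "2026-03-19T23:41:00Z", "ip": "192.0.2.44",
     "country": "DE", "mfa": "claim in token", "session": "s-7f21"},   # same stolen session, weeks on
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_replayed_sessions(signins, home_countries=HOME_COUNTRIES):
    """Pair every token-only sign-in from outside the home countries with the
    MFA prompt that established its session. A prompt answered once and a
    session then used from another country without a new prompt is the AiTM
    signature; an ordinary silent refresh from the office never pairs."""
    by_session = {}
    for s in signins:
        by_session.setdefault((s["user"], s["session"]), []).append(s)
    hits = []
    for (user, session), events in by_session.items():
        established = None
        for e in sorted(events, key=lambda ev: _ts(ev["time"])):
            if e["mfa"] == "succeeded":
                established = e
            elif e["mfa"] == "claim in token" and e["country"] not in home_countries:
                hits.append({
                    "user": user, "session": session,
                    "established_ip": established["ip"] if established else None,
                    "replay_ip": e["ip"], "replay_country": e["country"],
                    "seconds_later": (_ts(e["time"]) - _ts(established["time"])).total_seconds()
                                     if established else None,   # None: session with no observed prompt
                })
    return hits

# Constructed unified-audit-log entries. Real records carry Operation, UserId,
# ClientIP and a Parameters list of Name/Value pairs; the values are invented.
AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "staff@example.com", "ClientIP": "192.0.2.44",
     "CreationTime": "2026-03-23T00:51:17Z", "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "phishing;hacked;suspicious"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "finance@example.com", "ClientIP": "203.0.113.30",
     "CreationTime": "2026-03-23T03:10:00Z", "Parameters": [
         {"Name": "Name", "Value": "Vendor newsletters"},
         {"Name": "From", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

BURY_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "deleted items"}
WARNING_WORDS = ("phish", "hack", "suspicious", "compromise", "malware", "fraud")

def suspicious_inbox_rules(audit):
    """Flag rule creations that hide incoming mail: the pattern used here to
    divert replies from recipients who realised the campaign was phishing."""
    hits = []
    for rec in audit:
        if rec["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = {x["Name"]: x["Value"] for x in rec["Parameters"]}
        reasons = []
        if len(p.get("Name", "").strip()) <= 2:
            reasons.append("near-empty rule name")
        if p.get("MoveToFolder", "").lower() in BURY_FOLDERS:
            reasons.append("moves mail to %r" % p["MoveToFolder"])
        if p.get("DeleteMessage") == "True":
            reasons.append("deletes matching mail")
        if p.get("MarkAsRead") == "True":
            reasons.append("marks matching mail as read")
        words = (p.get("SubjectOrBodyContainsWords", "") + ";" + p.get("SubjectContainsWords", "")).lower()
        if any(w in words for w in WARNING_WORDS):
            reasons.append("filters on words a warned recipient would use")
        if reasons:
            hits.append({"user": rec["UserId"], "ip": rec["ClientIP"],
                         "time": rec["CreationTime"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for h in find_replayed_sessions(SIGNINS):
        print("replayed session:", h)
    for h in suspicious_inbox_rules(AUDIT):
        print("suspicious rule:", h)
```

In a real tenant the pairing is a join between interactive and non-interactive sign-in events on the session or correlation identifier your logs expose. The home-country allow-list is a crude baseline; a per-user baseline of usual addresses and networks is the obvious refinement, and the rule check belongs in the same review as the sign-in check because the attacker here created the rule from the same address the replayed session came from.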
RESULTS
1. The full attack chain, reconstructed without the original evidence
Despite the deletion of the first phishing email, the investigation established the complete sequence, from initial click to final purge.
2. Three compromised accounts identified
Beyond the mailbox that launched the campaign, two further staff accounts were found to have been accessed from the same attacker infrastructure and were flagged for priority review.
3. A complete notification list
Around 400 downstream recipients across nearly 100 organisations were identified, so the firm could warn every exposed partner, starting with critical infrastructure operators.
4. A clear root cause
The breach worked because multi-factor authentication verifies a login but cannot protect a session that has already been captured and replayed from another device.
Securing the environment against three weeks of unauthorised access did not require complex tools. The attacker operated entirely from foreign cloud infrastructure, so a conditional-access policy restricting sign-in to known company devices and locations would have blocked every one of those sessions outright. Of the two conditions, device binding is the more durable: an attacker can rent an address in the victim's own country, but cannot make an unmanaged machine pass a compliance check. The core lesson precedes the breach itself: operate under the assumption that credentials will inevitably be phished, and engineer the environment so that a compromised login carries minimal utility.
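The structural fix described in this case, as an added example that is neither the firm's policy nor Microsoft's policy engine: two conditional-access-style policies replayed against constructed sign-ins to show which sessions each control would have stopped. The policy objects are assumptions loosely modelled on the Microsoft Graph conditionalAccessPolicy shape, the addresses and sign-in fields are invented, and the evaluator implements only the location and grant-control semantics needed here.

```python
"""Added example, not the firm's policy nor Microsoft's evaluator: replays
sign-ins of the kind described above against two conditional-access policies.
Policy objects are assumptions loosely modelled on Microsoft Graph
conditionalAccessPolicy; sign-in fields and addresses are constructed."""
import ipaddress

TRUSTED_NETWORKS = ["203.0.113.0/24"]   # assumed corporate egress range
TRUSTED_COUNTRIES = {"PH"}              # used only when a policy trusts by country
PHISHING_RESISTANT = {"fido2", "windowsHelloForBusiness", "x509Certificate"}

POLICIES = [
    {"displayName": "Block sign-in outside trusted locations",
     "state": "enabled",
     "conditions": {"locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require compliant device and phishing-resistant MFA",
     "state": "enabled",
     "conditions": {"locations": {"includeLocations": ["All"],
                                  "excludeLocations": []}},
     "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"],
                       "authenticationStrength": "phishingResistantMfa"}},
]

# Constructed sign-ins, one per situation in the case.
SIGNINS = [
    {"label": "employee at the office with a security key", "ip": "203.0.113.25",
     "country": "PH", "compliant_device": True, "auth_method": "fido2"},
    {"label": "employee's login relayed through the AiTM proxy", "ip": "198.51.100.9",
     "country": "DE", "compliant_device": False, "auth_method": "passwordPlusOtp"},
    {"label": "attacker replaying the token from cloud infrastructure", "ip": "192.0.2.44",
     "country": "DE", "compliant_device": False, "auth_method": "passwordPlusOtp"},
    {"label": "attacker behind a residential proxy in the home country", "ip": "192.0.2.77",
     "country": "PH", "compliant_device": False, "auth_method": "passwordPlusOtp"},
]

def in_trusted_location(signin, trust_by_country=False):
    ip = ipaddress.ip_address(signin["ip"])
    if any(ip in ipaddress.ip_network(net) for net in TRUSTED_NETWORKS):
        return True
    return trust_by_country and signin["country"] in TRUSTED_COUNTRIES

def policy_applies(policy, signin, trust_by_country):
    loc = policy["conditions"]["locations"]
    if "AllTrusted" in loc["excludeLocations"] and in_trusted_location(signin, trust_by_country):
        return False
    return "All" in loc["includeLocations"]

def evaluate(signin, policies, trust_by_country=False):
    """Return ("blocked", reasons) or ("allowed", []). A block policy that
    applies wins outright; otherwise each applicable policy's grant controls
    must be satisfied (all of them under AND, any one under OR)."""
    reasons = []
    for p in policies:
        if p["state"] != "enabled" or not policy_applies(p, signin, trust_by_country):
            continue
        g = p["grantControls"]
        if "block" in g["builtInControls"]:
            return "blocked", ["%s: sign-in location is not trusted" % p["displayName"]]
        checks = {}
        if "compliantDevice" in g["builtInControls"]:
            checks["device is compliant"] = signin["compliant_device"]
        if g.get("authenticationStrength") == "phishingResistantMfa":
            checks["authentication is phishing-resistant"] = signin["auth_method"] in PHISHING_RESISTANT
        met = [k for k, v in checks.items() if v]
        unmet = [k for k, v in checks.items() if not v]
        satisfied = not unmet if g["operator"] == "AND" else bool(met) or not checks
        if not satisfied:
            reasons.append("%s: not satisfied: %s" % (p["displayName"], "; ".join(unmet)))
    return ("blocked", reasons) if reasons else ("allowed", [])

def simulate(signins=SIGNINS, policies=POLICIES, trust_by_country=False):
    """Map each sign-in label to its decision: the offline analogue of running
    a new policy in report-only mode before enforcing it."""
    return {s["label"]: evaluate(s, policies, trust_by_country)[0] for s in signins}

if __name__ == "__main__":
    for label, decision in simulate().items():
        print("%-58s %s" % (label, decision))
    print("location-only policy, trusting the whole home country:",
          simulate(policies=POLICIES[:1], trust_by_country=True))
```

The last call in the block is the caveat: a location policy that trusts a whole country lets an attacker behind a proxy in that country through, while the device-compliance requirement still stops them. In a real tenant, put a new policy in report-only mode first and read the resulting sign-in log entries before switching it to enforced.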
FREQUENTLY ASKED QUESTIONS
1. How did the attacker get past multi-factor authentication?
They did not break it; they went around it. By relaying the login through a fake page in real time, the attacker captured the session token the system issues after a successful multi-factor check. That token proves you are already signed in, so once it was stolen, no further password or prompt was required. This is why the U.S. Cybersecurity and Infrastructure Security Agency recommends phishing-resistant MFA, such as FIDO security keys: the key signs a challenge bound to the genuine site's origin, so a proxy page at a different address never receives a response it can reuse.
2. Why were the phishing emails so convincing to recipients?
They came from a real employee's real account, sent through the company's genuine document-sharing infrastructure. That meant they passed the standard email authentication checks (SPF, DKIM and DMARC) as legitimate mail from the firm's own domain and landed inside established business relationships. A message from a known contact at a firm you already work with rarely triggers suspicion.
3. What information was exposed?
The attacker spent about three weeks reading the mailbox by hand, opening over 500 messages across more than 15 folders. Exposed material included the contact details of around 400 business partners, vendor invoices and purchase orders, and documentation tied to major projects. The exposure was wide and deliberate: the intruder browsed selectively rather than bulk-downloading, choosing what to read.
4. Has this kind of attack hit other firms in the region?
Yes. The same adversary-in-the-middle technique has driven incidents across very different sectors — see, for instance, Blackpanda's investigation of a comparable AiTM compromise at a Singapore construction firm. The pattern holds: a trusted email, a fake login, a stolen session.
5. Could this have been prevented?
Largely, yes. Phishing-resistant authentication would have stopped the session theft at its source, and conditional-access rules limiting sign-in to known devices and locations would have blocked the foreign logins outright. Neither control is costly set against an investigation and a mass partner notification.
6. What should a company do first if it suspects a mailbox is compromised?
Revoke active sessions and refresh tokens, reset the password, and check the mailbox for rules the attacker may have added; then preserve the sign-in and audit logs before anything is deleted or ages out. Early containment limits both the data exposure and the chance the account is used to attack others. Bringing in incident response quickly turns a guess into a confirmed timeline.
WHAT THIS MEANS FOR YOUR ORGANISATION
This case is not really about construction, and it is not really about email. It is about a class of attack that has quietly made standard multi-factor authentication insufficient on its own. Attackers are no longer breaking in; they are logging in, with sessions relayed straight out of a convincing fake page. Any organisation whose people sign into cloud services through a browser is exposed to the same technique, whatever its sector or size.
Two moves shift the odds. Adopting phishing-resistant authentication removes the very thing these attacks depend on, and binding sessions to managed devices makes a stolen token close to worthless. For organisations that want to know whether an intruder is already inside before a campaign gives it away, a Compromise Assessment is the practical next step.
ABOUT BLACKPANDA
Blackpanda is a Lloyd's of London–accredited insurance coverholder and Asia's leading local cyber incident response firm, delivering end-to-end digital emergency support across the region. We are pioneering the A2I (Assurance-to-Insurance) model in cybersecurity — uniting preparation, response, and insurance into a seamless pathway that minimises financial and operational impact from cyber attack. Through expert consulting services, response assurance subscriptions, and innovative cyber insurance, we help organisations get ready, respond, and recover from cyber attacks — all delivered by local specialists working in concert.
Our mission is clear: to bring complete cyber peace of mind to every organisation in Asia, from the first moment of breach through full recovery and beyond.