Key facts
- Organisation: Philippine industrial manufacturing firm
- Threat: Adversary-in-the-Middle (AiTM) phishing through a compromised trusted partner, leading to mailbox takeover and an outbound phishing wave
- Initial access: A phishing email sent from a genuine partner’s mailbox, hijacked upstream, that passed every sender-authentication check
- Impact: A live login session stolen despite MFA; more than 12,000 mailbox items accessed; nearly 500 phishing emails fired at the firm’s own contacts
- Core issue: Approving an MFA prompt could not stop real-time session theft, and nothing bound the session to a trusted device
What this case shows
- A passing authentication check proves which server sent a message, not whether the human behind it is honest. A trusted partner’s mailbox can become the weapon.
- Approving an MFA prompt is not the same as being safe. Attackers can relay an entire login as it happens and ride the session that comes out the other side.
- A cloud mailbox can be ransacked while the laptop stays spotless, so endpoint security sees nothing.
Worried someone is already reading your mail? Begin with a Compromise Assessment, or call in Emergency Incident Response.
What this would have cost with Blackpanda IR-1 in place
| | ODIR | IR-1 |
|---|---|---|
| Type of engagement | On-demand incident response | Yearly subscription |
| Hours covered | 20 hours | Unlimited* |
| Pricing [1] | USD $10,000 | USD $1,000 |
* Unlimited for one incident per year
[1] Ad-hoc incident response pricing based on average market rates, from USD 500 per hour. Blackpanda IR-1 subscription pricing based on no. of endpoints, costing approx. 10x less than ad-hoc and retainer-based incident response. All figures are illustrative only, for guidance and marketing purposes and not to be relied upon by the reader. Actual incident response costs vary by scope, complexity, and provider.
CHALLENGE
In March 2026, an industrial manufacturer in the Philippines received what looked like ordinary workflow noise: a notice that a contact at one of its overseas customers had added an employee to a shared project. The sender was real, the customer was real. The message cleared every authentication check a mail system performs, because it had genuinely been sent from a mailbox the company had traded emails with for years.
But that mailbox no longer answered to the customer. Someone had taken it over quietly, upstream, and was now using a legitimate business relationship as a delivery route. When the employee clicked through and entered her password, the login page was a forgery wired to pass each keystroke to Microsoft as she typed. The multi-factor prompt that followed felt routine, so she approved it.
She was approving the attacker’s sign-in, not her own.
The intrusion barely left a mark, which is what made it dangerous. Her laptop stayed clean: no malware, no downloads, nothing an endpoint scanner would flag. The whole theft lived in the cloud, in the form of a single valid session token lifted mid-login and replayed from elsewhere.
The firm only realised something was wrong when nearly 500 phishing emails went out to its own contacts.
SOLUTION
The firm did not hold an incident response subscription, so it engaged Blackpanda on demand to reconstruct exactly what the attacker had touched, how far the exposure ran, and what needed closing.
1. Pin down the entry point
Blackpanda started with the email itself and the browsing record on the affected laptop. Second-by-second, the trail showed the employee opening the message, following the link, and submitting her credentials on a counterfeit login page moments before the attacker’s first successful sign-in. The review also surfaced a second attacker-controlled domain that the company had no reason to know about.
2. Rebuild the attacker’s movements from the audit trail
Cloud activity leaves a record even when a laptop does not. Working through the tenant’s audit logs, Blackpanda traced the stolen session as it resumed from several locations across Europe, all tied to one session identifier, and separated the genuine sign-in noise from the operational account doing the real work through a back-end interface.
3. Measure the true exposure, item by item
Rather than estimate what the attacker might have seen, Blackpanda counted it. Because the attacker pulled messages individually rather than syncing folders wholesale, each retrieval was logged, which let the team establish precisely how many items were opened and where the attacker’s attention concentrated.
4. Confirm nothing was left behind
The company had already revoked sessions and reset the password by the time Blackpanda arrived. Blackpanda swept the tenant for every common foothold an attacker plants to regain entry, then confirmed which controls had genuinely closed the door and which gaps still needed attention.
RESULTS
1. A trusted-counterparty compromise, not a careless click
The way in was a real customer’s hijacked mailbox. Standard checks waved the email through precisely because it was authentic, which is what made the lure so convincing to a careful employee.
2. A live session that walked past MFA
The attacker never needed the password after the fact. By relaying the login in real time and capturing the resulting session token, they sidestepped the multi-factor protection the company believed was holding the line.
3. More than 12,000 messages read, the mailbox mined for its relationships
Over 90% of the items the attacker opened came from the Sent folder, a deliberate harvest of contacts, deal threads, and the employee’s own writing style, all of it raw material for the impersonation that followed.
4. Nearly 500 phishing emails sent to the firm’s own contacts, then erased in real time
Using the hijacked mailbox, the attacker pushed the same lure out to customers and partners across dozens of domains, deleting each copy within seconds of sending so the employee would never see them in her Sent folder. Recovering the full picture took nearly 3,000 reconstructed mailbox operations.
5. No lasting foothold, and a clean containment
Blackpanda confirmed the attacker planted no hidden forwarding rules, no rogue access grants, and made no move to other mailboxes. The company’s quick revocation and password reset had genuinely closed the intrusion.
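The reconstruction described in steps 2 and 3 of the engagement, and the send-then-delete pattern in result 4, can be reproduced from mailbox audit records alone. The following is an added example, not Blackpanda’s tooling or Microsoft’s schema: the records are constructed, and the simplified field names (ts, op, session, ip, folder, item), the session identifiers and the IP addresses are assumptions loosely modelled on the shape of Microsoft 365 unified audit log entries.

```python
"""Reconstruct a stolen session's activity from mailbox audit records.

Added example, not Blackpanda's tooling. The records are constructed and use
a simplified shape loosely modelled on Microsoft 365 unified audit log
entries; the field names (ts, op, session, ip, folder, item) and the sample
values are assumptions, not a guaranteed schema.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def rec(ts, op, session, ip, folder=None, item=None):
    """Build one simplified audit record."""
    return {"ts": ts, "op": op, "session": session, "ip": ip,
            "folder": folder, "item": item}


# Constructed sample: S-ATK is the stolen session, resumed from three
# documentation-range IPs; S-USR is the employee's own single-IP session.
AUDIT_LOG = [
    rec("2026-03-10T08:02:11Z", "UserLoggedIn", "S-ATK", "203.0.113.7"),
    rec("2026-03-10T08:03:40Z", "MailItemsAccessed", "S-ATK", "203.0.113.7", "Sent Items", "m-101"),
    rec("2026-03-10T08:03:52Z", "MailItemsAccessed", "S-ATK", "203.0.113.7", "Sent Items", "m-102"),
    rec("2026-03-10T08:04:05Z", "MailItemsAccessed", "S-ATK", "203.0.113.7", "Sent Items", "m-103"),
    rec("2026-03-10T09:41:00Z", "MailItemsAccessed", "S-ATK", "198.51.100.22", "Inbox", "m-204"),
    rec("2026-03-10T09:41:30Z", "MailItemsAccessed", "S-ATK", "198.51.100.22", "Sent Items", "m-101"),
    rec("2026-03-10T11:15:02Z", "Send", "S-ATK", "192.0.2.9", "Sent Items", "out-1"),
    rec("2026-03-10T11:15:06Z", "HardDelete", "S-ATK", "192.0.2.9", "Sent Items", "out-1"),
    rec("2026-03-10T11:15:40Z", "Send", "S-ATK", "192.0.2.9", "Sent Items", "out-2"),
    rec("2026-03-10T11:15:45Z", "HardDelete", "S-ATK", "192.0.2.9", "Sent Items", "out-2"),
    rec("2026-03-10T08:30:00Z", "UserLoggedIn", "S-USR", "203.0.113.50"),
    rec("2026-03-10T08:31:12Z", "MailItemsAccessed", "S-USR", "203.0.113.50", "Inbox", "m-300"),
    rec("2026-03-10T08:45:00Z", "Send", "S-USR", "203.0.113.50", "Sent Items", "out-9"),
]


def parse_ts(ts):
    """Timestamps in the sample are UTC in ISO 8601 with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def multi_ip_sessions(log):
    """Session identifiers that resumed from more than one client IP.

    A single session id reappearing from several networks is the signature
    of a replayed token rather than a user moving between devices.
    """
    ips = defaultdict(set)
    for r in log:
        ips[r["session"]].add(r["ip"])
    return {s: sorted(v) for s, v in ips.items() if len(v) > 1}


def exposure(log, session):
    """Distinct items read in a session, plus a per-folder breakdown.

    Re-reads of the same item collapse to one entry, so the count is
    'items opened', not 'access events'.
    """
    seen = {}
    for r in log:
        if r["session"] == session and r["op"] == "MailItemsAccessed":
            seen[r["item"]] = r["folder"]
    return len(seen), dict(Counter(seen.values()))


def send_then_delete(log, session, window=timedelta(seconds=30)):
    """Items sent and then deleted within `window` in the same session,
    the pattern that hides an outbound wave from the mailbox owner."""
    sent, hits = {}, []
    events = sorted((r for r in log if r["session"] == session),
                    key=lambda r: r["ts"])
    for r in events:
        if r["op"] == "Send":
            sent[r["item"]] = parse_ts(r["ts"])
        elif r["op"] in ("SoftDelete", "HardDelete") and r["item"] in sent:
            if parse_ts(r["ts"]) - sent[r["item"]] <= window:
                hits.append(r["item"])
    return hits


def triage(log):
    """Per-session summary a responder would start from."""
    flagged = multi_ip_sessions(log)
    summary = {}
    for session in sorted({r["session"] for r in log}):
        count, folders = exposure(log, session)
        summary[session] = {
            "multi_ip": session in flagged,
            "items_read": count,
            "by_folder": folders,
            "sent_then_deleted": send_then_delete(log, session),
        }
    return summary


if __name__ == "__main__":
    for session, facts in triage(AUDIT_LOG).items():
        print(session, facts)
```

Real audit exports carry many more fields and the session identifier lives inside nested JSON; the useful habit is the same: group by session rather than by account, count distinct items rather than events, and pair each Send with any deletion that follows it within seconds.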
The pattern underneath this case is the part worth acting on. An attacker who owns one trusted mailbox can reach every organisation that mailbox corresponds with, and the closer the relationship, the more readily the lure is believed. Treating a supplier or customer’s compromise as their problem alone misreads how these waves spread.
FREQUENTLY ASKED QUESTIONS
1. How did a phishing email get past our spam filters and authentication checks?
Because it was not spoofed. The message came from a real, properly configured mailbox that an attacker had already taken over at the sender’s end, so it passed the standard checks that confirm a message genuinely came from its domain. Those checks verify the sending server, not the honesty of the person operating it. This is why a clean authentication result should never, on its own, settle whether an unusual request is legitimate.
2. We use multi-factor authentication. How did the attacker get in anyway?
This was an Adversary-in-the-Middle attack, the same technique seen in our BEC and AiTM case at a Singapore IT services firm. The fake login page sat between the employee and Microsoft, relaying her password and her MFA approval in real time, then captured the session token issued at the end. With a valid session in hand, the attacker no longer needed the password or a second prompt. Phishing-resistant methods such as FIDO2 security keys close this gap, because they tie the login to the actual device and cannot be relayed.
3. If the laptop was clean, how do you know what the attacker accessed?
Cloud mailboxes keep a detailed activity record independent of any device. In this case the attacker retrieved messages one at a time rather than syncing whole folders, and every individual retrieval was logged. That let Blackpanda count the exposure exactly rather than estimate it, and confirm that no attachments or stored files were downloaded.
4. A supplier or customer’s email account was hacked. Is that really our problem?
Yes, and treating it otherwise is how these incidents spread. A compromised partner mailbox is a trusted channel straight into your business, as our lookalike-domain impersonation case at a Hong Kong precision manufacturing firm showed from the receiving end. When you learn a counterparty is compromised, verify any recent unusual requests out of band, preserve the suspect emails, and check your own inbound history from that contact during the affected window.
5. How can we stop this from happening to us?
Move privileged and customer-facing staff to phishing-resistant MFA, switch on conditional access rules that flag impossible travel and bind sessions to known devices, and forward your mail and sign-in logs somewhere they can be monitored and retained. Just as important, train people to verify unusual requests out of band even when the email checks out, and rehearse a mailbox-compromise response before you need it.
6. Was any customer or company data actually stolen?
The attacker’s clear priority was the contact lists and email threads needed to impersonate the employee convincingly, not bulk data theft. Blackpanda found no evidence of attachment downloads or file exfiltration. That said, every message the attacker opened should be treated as read, which is the conservative posture any breach assessment should take.
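Question 5 above recommends conditional access rules that flag impossible travel. The check itself is simple enough to run over exported sign-in records, as the added example below shows; it is not Blackpanda’s or Microsoft’s code. The sign-in records are constructed, the coordinates stand in for what IP geolocation would supply, and the 900 km/h threshold is an assumption chosen to sit just above airliner speed.

```python
"""Flag consecutive sign-ins whose implied travel speed is impossible.

Added example, not Blackpanda's or Microsoft's code. The sign-in records
are constructed; latitude and longitude would normally come from IP
geolocation, and the 900 km/h ceiling is an assumption.
"""
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0

# Constructed sample: (user, UTC timestamp, latitude, longitude).
SIGN_INS = [
    ("alice", "2026-03-10T08:00:00Z", 14.60, 120.98),   # Manila
    ("alice", "2026-03-10T09:30:00Z", 52.52, 13.40),    # Berlin, 90 minutes later
    ("alice", "2026-03-11T08:00:00Z", 14.60, 120.98),   # Manila, next morning
    ("bob", "2026-03-10T08:00:00Z", 1.35, 103.82),      # Singapore
    ("bob", "2026-03-10T20:00:00Z", 14.60, 120.98),     # Manila, 12 hours later
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth's surface."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = (math.sin(dlat / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(sign_ins, max_kmh=900.0):
    """Return each sign-in that would have required travelling faster
    than `max_kmh` since the same user's previous sign-in."""
    by_user = defaultdict(list)
    for user, ts, lat, lon in sign_ins:
        by_user[user].append((parse_ts(ts), ts, lat, lon))

    flags = []
    for user, events in by_user.items():
        events.sort()
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev[2], prev[3], cur[2], cur[3])
            hours = (cur[0] - prev[0]).total_seconds() / 3600.0
            if hours <= 0:
                continue  # identical timestamps give no usable speed
            kmh = km / hours
            if kmh > max_kmh:
                flags.append({"user": user, "from_ts": prev[1],
                              "to_ts": cur[1], "km": round(km),
                              "kmh": round(kmh)})
    return flags


if __name__ == "__main__":
    for f in impossible_travel(SIGN_INS):
        print(f"{f['user']}: {f['km']} km in the gap before {f['to_ts']} "
              f"(~{f['kmh']} km/h)")
```

Only Alice’s Manila-to-Berlin pair is flagged; her return the next day and Bob’s Singapore-to-Manila move are both within normal travel speed. Geolocation is approximate and VPN exits produce false positives, so a hit is a reason to require re-authentication or a device-bound sign-in, not proof of compromise on its own.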
WHAT THIS MEANS FOR YOUR ORGANISATION
The defences most organisations trust to stop email attacks, authentication checks and a multi-factor prompt, were both present here and both bypassed, not because they failed but because the attacker chose a method built to go around them. Trusted-counterparty compromise married to real-time session theft is now a common shape for these intrusions, and it rewards the careful employee’s instinct to trust a familiar sender. The practical response is not more suspicion of strangers but stronger structural controls: phishing-resistant MFA for the people most worth targeting, sessions bound to known devices, and the habit of verifying unusual asks through a second channel.
It also pays to question the assumption that a contained incident is a closed one. The obvious damage here, the outbound phishing wave, was visible within hours; the quieter exposure, a full harvest of the mailbox’s relationships, would have gone unnoticed without a deliberate reconstruction. A focused Compromise Assessment answers the question that lingers after any email incident, namely what an intruder was actually doing while inside, and an IR-1 subscription puts that response on call before the next one lands.
ABOUT BLACKPANDA
Blackpanda is a Lloyd’s of London–accredited insurance coverholder and Asia’s leading local cyber incident response firm, delivering end-to-end digital emergency support across the region. We are pioneering the A2I (Assurance-to-Insurance) model in cybersecurity — uniting preparation, response, and insurance into a seamless pathway that minimises financial and operational impact from cyber attack. Through expert consulting services, response assurance subscriptions, and innovative cyber insurance, we help organisations get ready, respond, and recover from cyber attacks — all delivered by local specialists working in concert.
Our mission is clear: to bring complete cyber peace of mind to every organisation in Asia, from the first moment of breach through full recovery and beyond.