CHALLENGE
The phishing emails that reached this organisation in March 2026 were not obviously suspicious. Formatted as standard Microsoft SharePoint document-sharing notifications — the kind of email any employee in a project-driven business receives routinely — they arrived from real accounts at known business contacts: in the first wave, a company with an existing working relationship with the firm; in the second, a trade association of which the organisation was a registered contractor member. Both sender accounts had been compromised beforehand. Both emails passed every standard authentication check.
Eight employees clicked. The links routed through legitimate SharePoint sites before redirecting to attacker-controlled pages that mimicked Microsoft's sign-in screen. Employees entered their credentials and completed multi-factor authentication (MFA), and the attackers bypassed it entirely. The fake sign-in pages acted as transparent relays, passing each step of the authentication through to Microsoft in real time while capturing the resulting session token: the cookie that tells Microsoft a user is already signed in. The attacker replayed that token from infrastructure overseas and walked straight in. It is the same adversary-in-the-middle (AiTM) technique that has appeared with increasing frequency across Microsoft 365 environments in the region.
By the time the organisation's IT team identified the intrusion and reset passwords, the most heavily compromised account had been accessible for approximately seven days. During that window, the threat actor read through almost 2000 emails, collected attachments from payment invoices and project correspondence, and created a hidden inbox rule to move incoming alerts out of the account holder's visible inbox — suppressing any chance of early discovery from within.
SOLUTION
1. Scoping the compromise
Blackpanda reviewed 13 flagged accounts using Microsoft 365 audit logs, sign-in records and endpoint browsing history. Eight were confirmed compromised; the remaining five were confirmed clean. The investigation established that two distinct phishing campaigns, separated by roughly five days with no shared infrastructure or victim overlap, had each used the same AiTM technique. Among the accounts cleared, one showed US-geolocated sign-ins that traced to in-flight Wi-Fi during a work trip, and another showed dozens of failed login attempts from international IP addresses over several weeks: an unrelated credential-stuffing campaign driven by credentials leaked on a third-party procurement platform, with no connection to either phishing incident.
2. Mapping what was accessed and what was planted
On the most heavily targeted account, Blackpanda documented every mailbox folder accessed, every attachment opened, and every action the threat actor took across the seven-day window — including the creation of a hidden inbox rule that suppressed incoming mail and the deletion of four emails, among them a message flagging the security incident itself. Two further accounts in the second campaign showed sustained mailbox access: one with around 200 items accessed across project-related folders; a second with around 600 items accessed, with concentrated activity in a folder containing bank correspondence — a finding that required urgent action independent of the broader investigation.
3. Assessing fraud risk and delivering hardening recommendations
The threat actor's focus on payment invoices and project correspondence raised the question of downstream fraud. Blackpanda's review of outbound email logs found no messages sent by the attacker from the compromised accounts — a meaningful finding, though not a clean bill of health, since stolen mailbox content can support payment fraud through channels that leave no trace in Microsoft 365 audit data. The organisation was advised to treat exposed financial correspondence as potentially in attacker hands. Blackpanda then delivered prioritised recommendations covering phishing-resistant MFA, Conditional Access token-binding, real-time alerting on inbox rule creation, and a regular audit cadence for delegated access and mail-forwarding rules across the tenant.
RESULTS
1. Full scope confirmed across 13 accounts. Eight accounts confirmed compromised, five confirmed clean — giving the organisation a complete, evidenced picture of the incident's boundaries.
2. Seven days of attacker activity reconstructed. Blackpanda mapped every folder accessed, every attachment opened, and every action taken during the access window, including the hidden inbox rule and four deleted emails — producing the full forensic record needed for internal review and regulatory notification.
3. BEC risk assessed and bounded. Exposed financial correspondence was identified and documented. The organisation could take targeted action on banking credentials and pending payment instructions rather than an open-ended speculative review.
4. A second hidden risk surfaced. An account outside the phishing incidents was found to be under active credential-stuffing attack, driven by credentials leaked on a third-party procurement platform. Blackpanda identified the source and provided specific remediation guidance.
5. Structural gaps identified and corrected. One compromised account had generated zero audit log entries during the incident window — a misconfiguration that would have made a more serious attack nearly impossible to investigate. Correcting it, alongside the other hardening measures delivered, materially strengthened the organisation's detection capability going forward.
The pattern here recurs across organisations of every size: a phishing email arrives via a trusted contact, clears every technical filter, and gets clicked. The failure is architectural. Standard MFA, without token-binding or phishing-resistant authentication, creates a gap that AiTM attacks are specifically designed to exploit — and most organisations carrying that gap will not discover it until it is tested.
FAQ
1. What is an AiTM phishing attack, and why does it defeat standard MFA?
An Adversary-in-the-Middle (AiTM) attack places a fake sign-in page between the victim and the real service. When an employee enters credentials and completes MFA, the fake page passes everything through to Microsoft in real time, then captures the authenticated session cookie that Microsoft issues in return. With that cookie, an attacker accesses the account from anywhere, with no password or MFA code required. Standard push-notification and one-time-password MFA controls do not prevent this because the attacker relays the factor unchanged and then steals the result of an authentication that has already succeeded. Phishing-resistant methods such as FIDO2 hardware security keys block the technique because the browser binds the signed response to the domain the user is actually on: a proxy page on a look-alike domain never receives a response that Microsoft will accept, so no session cookie is issued to it. For a detailed account of AiTM used against a Microsoft 365 environment in Singapore, see this case involving a Singapore IT services firm.
2. How did the phishing emails appear so convincing?
Both emails came from real accounts at known business contacts that had been compromised beforehand, and the phishing notifications were generated through Microsoft 365's own SharePoint sharing pipeline. SPF, DKIM and DMARC verify that a message genuinely came from the domain it claims to come from; because these messages were sent by Microsoft's infrastructure on behalf of the legitimate tenants, all three checks passed. A compromised account defeats sender authentication by definition: the mail is authentic, only the intent behind it is not. The embedded link also pointed first to a legitimate SharePoint site before redirecting to the attacker's credential-harvesting page, so URL-scanning controls that evaluated the first hop cleared it without reaching the final destination. Using trusted senders and legitimate infrastructure as the delivery vehicle is now a defining characteristic of sophisticated phishing operations.
3. What is business email compromise, and was the organisation at risk?
Business email compromise (BEC) is fraud in which attackers use access to a compromised email account to redirect payments or manipulate financial transactions. Here, the threat actor accessed payment invoices and project correspondence, raising the question of whether that content had been used to stage downstream fraud. Blackpanda found no outbound fraud emails in the available logs — but stolen email content can enable fraud through channels that leave no trace in Microsoft 365 records. The organisation was advised to treat exposed financial correspondence as potentially in attacker hands and to review pending payment instructions. The FBI's Internet Crime Complaint Center maintains current guidance on BEC risk and reporting. For a case where mailbox access was used to manipulate financial correspondence and issue fraudulent invoices, see Blackpanda's investigation of a South Asian sustainability platform.
4. How did the attacker conceal their presence for nearly a week?
Shortly after gaining access, the threat actor created a hidden inbox rule with a generic, unremarkable name. It moved matching incoming mail to an obscure folder, marked each message as read and stopped any further rules from running, so incoming security alerts, IT team notifications and operational messages all disappeared from the account holder's visible inbox without trace. Inbox rule manipulation is a documented persistence technique in Microsoft 365 compromise cases; Microsoft's guidance on responding to compromised accounts specifically calls it out as a mechanism to audit and remove during incident response. A similar pattern of hidden mailbox manipulation extending attacker dwell time appeared in Blackpanda's investigation of a Hong Kong business association compromise.
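The rule described above leaves a New-InboxRule event in the Microsoft 365 Unified Audit Log, and the "real-time alerting on inbox rule creation" recommended earlier on this page comes down to scoring such events. The following Python is an added example written for this write-up, not Blackpanda's tooling or Microsoft's. It takes JSON-decoded AuditData records for New-InboxRule and Set-InboxRule (the shape returned by Search-UnifiedAuditLog), flags rules whose parameters combine into mail-hiding behaviour, and applies the same scoring to external forwarding. The three audit records, the tenant domain example.com and the threshold of 3 are constructed for the example.

```python
"""Score Exchange Online inbox-rule audit events for mail-hiding behaviour.

Added example for this write-up; it is not Blackpanda's tooling. Input is the
JSON-decoded AuditData of Unified Audit Log records for New-InboxRule and
Set-InboxRule (as returned by Search-UnifiedAuditLog or the Office 365
Management Activity API). The records below are constructed.
"""
import json
import re

# Folders a hiding rule typically dumps mail into (compared lower-cased).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items", "notes"}
TRUE_VALUES = {"true", "$true", "1"}
# Subject keywords attackers filter on to bury alerts or find payment mail.
ALERT_WORDS = ("password", "security", "alert", "suspicious", "sign-in",
               "signin", "mfa", "invoice", "payment", "bank")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def parse_parameters(audit_data):
    """Flatten the AuditData 'Parameters' list of {Name, Value} into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in audit_data.get("Parameters", [])}


def is_generic_name(name):
    """Rule names such as '.', '..', ' ' or 'a' carry no meaning: a hiding tell."""
    return len(re.sub(r"[\W_]", "", name)) <= 1


def score_rule(audit_data, internal_domain):
    """Return (score, reasons) for one New-InboxRule / Set-InboxRule event."""
    p = parse_parameters(audit_data)
    score, reasons = 0, []
    name = p.get("Name") or p.get("Identity", "")  # Set-InboxRule names the rule via Identity
    if is_generic_name(name):
        score += 1
        reasons.append(f"generic rule name {name!r}")
    if p.get("MoveToFolder", "").strip().lower() in HIDING_FOLDERS:
        score += 2
        reasons.append(f"moves mail to {p['MoveToFolder']!r}")
    if p.get("DeleteMessage", "").lower() in TRUE_VALUES:
        score += 2
        reasons.append("deletes matching mail")
    if p.get("MarkAsRead", "").lower() in TRUE_VALUES:
        score += 1
        reasons.append("marks mail as read")
    if p.get("StopProcessingRules", "").lower() in TRUE_VALUES:
        score += 1
        reasons.append("stops further rule processing")
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        external = [a for a in EMAIL_RE.findall(p.get(key, ""))
                    if not a.lower().endswith("@" + internal_domain.lower())]
        if external:
            score += 2
            reasons.append(f"{key} outside the tenant: {external}")
    if any(w in p.get("SubjectContainsWords", "").lower() for w in ALERT_WORDS):
        score += 1
        reasons.append("filters on security or finance keywords")
    return score, reasons


def find_hiding_rules(records, internal_domain, threshold=3):
    """records: AuditData dicts or JSON strings. Returns flagged rules, highest score first."""
    hits = []
    for rec in records:
        data = json.loads(rec) if isinstance(rec, str) else rec
        if data.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        score, reasons = score_rule(data, internal_domain)
        if score >= threshold:
            p = parse_parameters(data)
            hits.append({"user": data.get("UserId"), "rule_name": p.get("Name") or p.get("Identity", ""),
                         "client_ip": data.get("ClientIP"), "time": data.get("CreationTime"),
                         "score": score, "reasons": reasons})
    hits.sort(key=lambda h: (-h["score"], h["time"] or ""))
    return hits


def _rule(time, operation, user, ip, **params):
    """Build one constructed AuditData record."""
    return {"CreationTime": time, "Operation": operation, "UserId": user, "ClientIP": ip,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}


SAMPLE_RECORDS = [  # constructed; documentation IP ranges
    _rule("2026-03-10T02:14:07", "New-InboxRule", "finance.manager@example.com", "203.0.113.45",
          Name=".", SubjectContainsWords="password;security alert;sign-in",
          MoveToFolder="RSS Subscriptions", MarkAsRead="True", StopProcessingRules="True"),
    _rule("2026-03-10T09:30:12", "New-InboxRule", "pm@example.com", "198.51.100.7",
          Name="Vendor newsletters", From="news@vendor.example", MoveToFolder="Newsletters"),
    _rule("2026-03-12T01:02:55", "Set-InboxRule", "accounts@example.com", "203.0.113.45",
          Identity="Invoices", ForwardTo="[SMTP:collector@mail.attacker.example]", DeleteMessage="True"),
]

if __name__ == "__main__":
    for hit in find_hiding_rules(SAMPLE_RECORDS, "example.com"):
        print(hit["score"], hit["user"], repr(hit["rule_name"]), hit["client_ip"], "; ".join(hit["reasons"]))
```

Run against an export, the first and third records score 6 and 4 and are flagged; the newsletter rule scores 0. The score is deliberately additive: a single parameter such as MarkAsRead is common in legitimate rules, while the combination of a meaningless name, a move to an RSS folder, mark-as-read and stop-processing is the signature of the rule described on this page. The same scoring maps directly onto an alert rule in Microsoft Sentinel or Defender on the New-InboxRule operation, which is what turns a seven-day dwell time into a same-day finding.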
5. Why didn't MFA stop this attack?
MFA did not fail; it worked exactly as designed. The problem is that common MFA methods authenticate the user but do not bind the resulting session to the device or location that completed the authentication. Once an employee proves their identity, Microsoft issues a session cookie that permits continued access. In an AiTM attack, the fake sign-in page captures that cookie the moment Microsoft issues it, then replays it from attacker infrastructure. Microsoft cannot distinguish the legitimate session from the replayed one. The fix is not more MFA prompts but a different class of authentication: FIDO2 security keys, passkeys and certificate-based methods bind the signed challenge to the domain the browser is actually on, so a proxy page on an attacker's domain can never complete the sign-in and no cookie is ever issued to it. Binding the issued tokens themselves to the device (Conditional Access token protection, often called token binding) is the separate control that stops a token stolen by other means from being replayed elsewhere.
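To make the origin-binding argument concrete, the Python below is an added example written for this write-up (not Blackpanda's or Microsoft's code). It models the three parties of a WebAuthn assertion: the browser and authenticator, which write the real page origin into clientDataJSON and sign over it; the relying party, which checks challenge, origin and rpIdHash; and an AiTM proxy on a look-alike domain that tries both ways of requesting a credential. One assumption is labelled in the code: the credential's signature is stood in for by HMAC-SHA256 over the same bytes so the example runs on the standard library alone, whereas a real assertion is an ECDSA or Ed25519 signature verified with the credential's public key. The domains login.example.com and login-example.evil.test are constructed.

```python
"""Why a FIDO2 / WebAuthn sign-in survives an AiTM proxy that OTP or push MFA does not.

Added example for this write-up; not Blackpanda's or Microsoft's code.
ASSUMPTION: the credential signature is stood in for by HMAC-SHA256 over the
same bytes so the example runs on the standard library; a real assertion is an
ECDSA/Ed25519 signature checked with the credential's public key. The origin
and rpIdHash checks, which are what defeat the proxy, are unchanged.
"""
import hashlib
import hmac
import json
import secrets


def host_of(origin):
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


def rp_id_allowed(rp_id, origin):
    """Browser-side rule: the requested RP ID must be the page's host or a
    registrable parent of it. A proxy page cannot request someone else's RP ID."""
    host = host_of(origin)
    return host == rp_id or host.endswith("." + rp_id)


def authenticator_assert(cred_key, rp_id, origin, challenge):
    """Model navigator.credentials.get(): the browser fills clientData.origin from
    the actual page origin (the page has no say); the authenticator signs
    authenticatorData || SHA-256(clientDataJSON)."""
    if not rp_id_allowed(rp_id, origin):
        raise ValueError(f"browser refuses: rpId {rp_id!r} is not valid for origin {origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, separators=(",", ":")).encode()
    # authenticatorData: rpIdHash (32 bytes) | flags (UP|UV = 0x05) | signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, signed, hashlib.sha256).digest()  # HMAC stand-in, see module docstring
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify(cred_key, rp_id, expected_origin, issued_challenge, assertion):
    """Relying-party checks in the order the WebAuthn spec lists them. Returns (ok, reason)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != issued_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, f"origin {cd.get('origin')!r} is not {expected_origin!r}"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user presence flag not set"
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def aitm_attempt(cred_key, real_rp_id, real_origin, proxy_origin):
    """The proxy relays the RP's challenge to the victim's browser and has two
    options: request the real RP ID (the browser refuses, wrong origin) or request
    its own RP ID (an assertion is produced, but the RP rejects it). Either way no
    session cookie is ever issued to the proxy."""
    challenge = secrets.token_urlsafe(32)  # the challenge the real RP issued to the proxy's session
    outcomes = {}
    try:
        authenticator_assert(cred_key, real_rp_id, proxy_origin, challenge)
        outcomes["request_real_rpid"] = "assertion produced"
    except ValueError as err:
        outcomes["request_real_rpid"] = str(err)
    forged = authenticator_assert(cred_key, host_of(proxy_origin), proxy_origin, challenge)
    outcomes["request_own_rpid"] = rp_verify(cred_key, real_rp_id, real_origin, challenge, forged)[1]
    return outcomes


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # per-credential key (constructed)
    ch = secrets.token_urlsafe(32)
    print("legitimate sign-in:", rp_verify(
        key, "login.example.com", "https://login.example.com", ch,
        authenticator_assert(key, "login.example.com", "https://login.example.com", ch)))
    print("through AiTM proxy:", aitm_attempt(
        key, "login.example.com", "https://login.example.com", "https://login-example.evil.test"))
```

Contrast this with a one-time code: the proxy simply forwards the six digits and the real service accepts them, because nothing in the code says where it was typed. With WebAuthn the origin travels inside the signed data, so the relay either cannot obtain an assertion at all or obtains one that the relying party refuses.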
6. What should an organisation do immediately if it suspects an AiTM phishing attack?
Three priorities, in order. First, containment: for every affected account, revoke refresh tokens and sign-in sessions (in Entra ID, the Revoke-MgUserSignInSession cmdlet or the equivalent Graph call) and reset the password. A password reset alone does not end a session already established with a stolen cookie, and access tokens already issued stay valid until they expire (typically 60 to 90 minutes), so treat the account as still exposed until that window has passed. Second, scope: review sign-in logs for access from unexpected geographies and for the same session appearing from more than one IP address, identify every account that received or clicked the phishing link, and audit inbox rules and forwarding settings across the tenant. Third, impact: determine what correspondence was accessed, whether financial communications were exposed, and whether downstream fraud risk needs to be addressed. CISA's phishing guidance provides an authoritative overview of the response steps involved. If your organisation needs emergency incident response, Blackpanda's team is reachable via the incident response form.
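The scoping step above, and the account triage described under "Scoping the compromise" earlier on this page, are mostly a matter of reading sign-in records carefully. The Python below is an added example written for this write-up, not Blackpanda's tooling. It runs two checks over exported Entra ID sign-in events in the Microsoft Graph signIn shape (userPrincipalName, createdDateTime, ipAddress, location.countryOrRegion, status.errorCode, authenticationRequirement, isInteractive, sessionId): a session ID that was minted by an MFA-satisfied interactive sign-in and then presented from a different country, which is what a replayed AiTM cookie looks like, and the many-failures-from-many-IPs pattern of the unrelated credential-stuffing campaign. The sample events, users and IP addresses are constructed, and the replay check is an indicator, not a verdict: the traveller on in-flight Wi-Fi in this case shows why each hit still needs an analyst.

```python
"""Scope an AiTM intrusion from exported Entra ID sign-in records.

Added example for this write-up; not Blackpanda's tooling. Records follow the
Microsoft Graph signIn resource shape. The sample events below are constructed
and use documentation IP ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126  # Entra ID error code: invalid username or password


def parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def session_replay_indicators(signins, max_gap_hours=24):
    """Flag a session ID that, after an MFA-satisfied interactive sign-in, is
    presented again from another country within max_gap_hours. A replayed AiTM
    cookie looks exactly like this: success, no MFA challenge, new IP and
    geography, same session. A genuine traveller can look the same, so each hit
    still needs analyst validation."""
    by_session = defaultdict(list)
    for s in signins:
        if s["status"]["errorCode"] == 0 and s.get("sessionId"):
            by_session[(s["userPrincipalName"], s["sessionId"])].append(s)
    findings = []
    for (upn, sid), events in by_session.items():
        events.sort(key=lambda e: parse_time(e["createdDateTime"]))
        origin = events[0]
        if not (origin["isInteractive"]
                and origin["authenticationRequirement"] == "multiFactorAuthentication"):
            continue
        for later in events[1:]:
            gap = parse_time(later["createdDateTime"]) - parse_time(origin["createdDateTime"])
            if (later["location"]["countryOrRegion"] != origin["location"]["countryOrRegion"]
                    and gap <= timedelta(hours=max_gap_hours)):
                findings.append({
                    "user": upn, "sessionId": sid,
                    "origin": (origin["ipAddress"], origin["location"]["countryOrRegion"]),
                    "replay": (later["ipAddress"], later["location"]["countryOrRegion"]),
                    "gap_minutes": int(gap.total_seconds() // 60),
                })
                break
    return findings


def credential_stuffing_indicators(signins, min_failures=10, min_ips=5):
    """Flag accounts with many bad-password failures spread over many source IPs:
    a leaked-credential spray, which is a separate finding from an AiTM
    compromise and needs its own remediation."""
    stats = defaultdict(lambda: {"failures": 0, "ips": set(), "successes": 0})
    for s in signins:
        st = stats[s["userPrincipalName"]]
        code = s["status"]["errorCode"]
        if code == INVALID_CREDENTIALS:
            st["failures"] += 1
            st["ips"].add(s["ipAddress"])
        elif code == 0:
            st["successes"] += 1
    return [{"user": u, "failures": st["failures"], "source_ips": len(st["ips"]),
             "successes": st["successes"]}
            for u, st in sorted(stats.items())
            if st["failures"] >= min_failures and len(st["ips"]) >= min_ips]


def _signin(upn, when, ip, country, code=0, mfa=True, interactive=True, session=None):
    """Build one constructed sign-in record."""
    return {"userPrincipalName": upn, "createdDateTime": when, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": code},
            "authenticationRequirement": ("multiFactorAuthentication" if mfa
                                          else "singleFactorAuthentication"),
            "isInteractive": interactive, "sessionId": session}


SAMPLE_SIGNINS = [
    # Victim completes MFA through the proxy from Singapore ...
    _signin("finance.manager@example.com", "2026-03-10T01:58:11Z", "203.0.113.10", "SG", session="3f1c"),
    # ... and the captured cookie is replayed from abroad 16 minutes later with no MFA prompt.
    _signin("finance.manager@example.com", "2026-03-10T02:14:30Z", "198.51.100.77", "DE",
            mfa=False, interactive=False, session="3f1c"),
    # Traveller: a fresh MFA-satisfied session from each location; not flagged.
    _signin("pm@example.com", "2026-03-11T08:00:00Z", "203.0.113.22", "SG", session="a9b2"),
    _signin("pm@example.com", "2026-03-11T20:30:00Z", "192.0.2.200", "US", session="c7d4"),
] + [
    # Credential stuffing: a dozen bad-password attempts from a dozen addresses, no success.
    _signin("procurement@example.com", f"2026-03-{d:02d}T03:00:00Z", f"198.51.100.{10 + d}", "NL",
            code=INVALID_CREDENTIALS, mfa=False)
    for d in range(1, 13)
]

if __name__ == "__main__":
    for f in session_replay_indicators(SAMPLE_SIGNINS):
        print("possible token replay:", f)
    for f in credential_stuffing_indicators(SAMPLE_SIGNINS):
        print("credential stuffing:", f)
```

The replay check keys on the session identifier rather than on geography alone, which is what separates the finance manager's account (one session, two countries, sixteen minutes apart, second leg without an MFA challenge) from the traveller (two independent MFA-satisfied sessions). The stuffing check reports successes alongside failures so that an account with both is escalated rather than filed as noise.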
What This Means For Your Organisation
Most organisations that have deployed MFA consider the account-takeover problem largely resolved. The AiTM technique used in this case shows why that confidence is misplaced. The attackers did not need to guess or crack a password. They positioned themselves silently between the employee and Microsoft during a legitimate authentication, captured the session token that resulted, and replayed it from elsewhere. No additional MFA prompt fired. The standard control worked as designed and delivered no protection.
The fixes are concrete: phishing-resistant MFA, Conditional Access token protection (token binding), and real-time alerting on inbox rule creation would each have materially shortened the attacker's window, or closed it entirely. If your organisation runs Microsoft 365 and has not reviewed these settings, the gap is almost certainly present. Incident Response Preparation includes guidance on exactly these configurations, so that when the next phishing email lands, the architecture beneath it is already hardened.
Worried your Microsoft 365 environment has the same gap?
A Compromise Assessment surfaces hidden risks before the next phishing email lands.
Explore Compromise Assessment →
About Blackpanda
Blackpanda is a Lloyd's of London–accredited insurance coverholder and Asia's leading local cyber incident response firm, delivering end-to-end digital emergency support across the region. We are pioneering the A2I (Assurance-to-Insurance) model in cybersecurity — uniting preparation, response, and insurance into a seamless pathway that minimises financial and operational impact from cyber attack. Through expert consulting services, response assurance subscriptions, and innovative cyber insurance, we help organisations get ready, respond, and recover from cyber attacks — all delivered by local specialists working in concert.
Our mission is clear: to bring complete cyber peace of mind to every organisation in Asia, from the first moment of breach through full recovery and beyond.