Key facts
- Organisation
- A Singapore manufacturer
- Threat
- Business Email Compromise via Adversary-in-the-Middle (AiTM) phishing
- Initial access
- A phishing lure sent from a trusted supplier's genuine email address; a fake login page captured the user's live session
- Impact
- Mailbox takeover; over 700 phishing emails sent to more than 600 business contacts; mailbox contents potentially exposed
- Core issue
- Audit logging was off and multi-factor authentication was not enforced, so the intrusion left almost no trail and the sign-in met no resistance
What this case shows
- Multi-factor authentication built on one-time codes or push approvals can be relayed in real time. It is not proof against session theft.
- A supplier's real, authenticated email is a credible delivery channel. The sender being genuine is precisely what makes the lure land.
- Without audit logging, an organisation cannot answer the one question that matters most after a mailbox breach: what did the attacker read?
If you suspect a mailbox has been compromised, Blackpanda's Emergency Incident Response and Compromise Assessment teams can establish what happened and what was exposed.
What this would have cost with Blackpanda IR-1 in place
| ODIR | IR-1 | |
|---|---|---|
| Type of engagement | On-demand incident response | Yearly subscription |
| Hours covered | 25 hours | Unlimited* |
| Pricing1 | USD $12,500 | USD $1,250 |
* Unlimited for one incident per year
1 Ad-hoc incident response pricing based on average market rates, from USD 500 per hour. Blackpanda IR-1 subscription pricing based on no. of endpoints, costing approx. 10x less than ad-hoc and retainer-based incident response. All figures are illustrative only, for guidance and marketing purposes and not to be relied upon by the reader. Actual incident response costs vary by scope, complexity, and provider.
CHALLENGE
The company runs its business on email. Quotes, purchase orders, and signed paperwork move between its staff and a standing roster of suppliers and customers every working day, and one manager's mailbox sat at the centre of that traffic. In April 2026 he received a Request for Quotation from a supplier he dealt with routinely. Nothing about it looked off. The message came from the supplier's real address, carried the usual RFQ pretext, and arrived over the supplier's genuine mail path, so it passed every automated check the company had. He opened the attached PDF and clicked the link inside.
The link routed his browser through a bland landing page and on to a counterfeit Microsoft sign-in. He entered his credentials as he would on any other morning. Behind that page sat an Adversary-in-the-Middle (AiTM) phishing platform that passed his login to Microsoft in real time and pocketed the authenticated session Microsoft handed back. Because the attacker rode a session the user had already completed, multi-factor authentication never came into play. There was no second prompt to fail, no password to steal — just a live session, lifted mid-stride.
For a week the mailbox behaved normally. Then, one morning, over roughly fifteen minutes, it sent more than 700 phishing emails to over 600 of the manager's business contacts, each carrying the same style of lure that had caught him. The firm did not detect the breach through any alert or log. It found out when the replies started — contacts writing back to ask whether the strange RFQ was really from them.
SOLUTION
1. Rebuild the intrusion without the logs that should have existed
The tenant ran a licence tier with audit logging switched off by default, and it had never been turned on, so the detailed record of account activity simply did not exist for the incident window. Blackpanda reconstructed the attack from what remained — endpoint forensics on the manager's devices, mail-flow records, recovered mailbox content, and the sign-in data still within retention — and cross-checked each thread against the others to establish a defensible timeline.
2. Separate the attacker's hands from the user's
Mail-flow analysis showed that every phishing message left the mailbox from a single anonymising overseas VPN address the account had never used before, while the manager's own mail had only ever originated from local consumer networks. That contrast let Blackpanda draw a clean line between legitimate activity and the attacker's, and confirm that the outbound campaign was the intruder's work, sent in the manager's name.
3. Contain the account takeover properly, not partially
A stolen session token outlives a password change, which is the trap most victims fall into. Closing the account takeover meant revoking every active session and refresh token, then resetting the password and re-registering the second factor. Blackpanda also had the company block the attacker's infrastructure at the mail gateway and the web and DNS layers, and verify that no forwarding rule or rogue sign-in method had been left behind.
4. Prove the scope, rather than assume it
Blackpanda ran a tenant-wide check to confirm the compromise stopped at one mailbox, examined both of the manager's endpoints for malware or remote-access tooling, and reviewed the mailbox's current configuration for any lingering foothold. Each check came back clean, which let the firm bound the incident with evidence instead of hope.
RESULTS
1. Root cause established.
The breach traced to a session-token theft carried out through an AiTM phishing lure, delivered inside a trusted supplier's genuine email.
2. Scope bounded to a single mailbox.
No other account sent phishing mail, no data-exfiltration channel existed, and both endpoints were free of malware — a cloud-identity compromise run entirely through the browser.
3. No payment fraud found, but exposure could not be ruled out.
The company's banking during the period was legitimate and unredirected; still, with the attacker holding read access and no audit trail, the risk of later invoice or payment fraud against the firm or its counterparties could not be excluded.
4. A permanent blind spot named.
Because logging had been disabled, the exact set of emails and attachments the attacker read while inside could never be reconstructed — a gap the company now has to treat as potential exposure.
What decides whether an incident like this closes cleanly or trails off into open questions is usually set long before the lure arrives. Logging that is switched on, a second factor that a proxy cannot relay, and a habit of verifying payment changes by a channel other than email would each have narrowed this attack — some by shrinking the damage, one by ensuring the firm could at least see what had happened. The controls are ordinary. Their absence is what turns a contained breach into an unanswerable one.
FREQUENTLY ASKED QUESTIONS
1. What is an Adversary-in-the-Middle attack?
It is a phishing technique that puts the attacker's infrastructure between the user and the real login page. When the victim signs in, the attacker relays those credentials to the genuine service in real time and captures the resulting session, which lets them into the account as the user. Nothing has to be cracked or guessed; the login is simply intercepted as it happens.
2. The company had multi-factor authentication. How did the attacker get past it?
Because the attacker captured the session after the user had already completed the genuine sign-in, including any second-factor prompt. One-time codes and push approvals verify the login, but they do not protect the session token that gets issued once the login succeeds. Steal that token and you inherit the logged-in state without needing to authenticate again.
3. Why couldn't Blackpanda say exactly what the attacker accessed?
The company's licence tier does not enable detailed audit logging by default, and it had not been switched on, so no record existed of which messages or files were opened during the compromise. Investigators could confirm the takeover and the outbound campaign from other evidence, but the attacker's read activity left no trail. That is why the mailbox contents from the period have to be treated as potentially exposed.
4. The email came from a real supplier. Was the supplier compromised too?
The lure arrived from the supplier's genuine address over its legitimate mail path, which is what let it pass inspection. Whether that upstream mailbox was itself breached could not be confirmed from the evidence available on the victim's side. Either way, the case shows why a message being “from someone you trust” is not a reason to trust the message.
5. What actually stops this from happening to us?
Phishing-resistant multi-factor authentication — security keys, passkeys, or device-bound sign-in — closes the specific gap here, because a proxy cannot relay it. Pair it with conditional-access rules, audit logging switched on, and a firm habit of verifying any payment or bank-detail change through a separate channel. Blackpanda has investigated this same playbook elsewhere; see how a near-identical attack unfolded at a media company.
6. We think a mailbox may already be compromised. What comes first?
Revoke the account's active sessions and refresh tokens before anything else — a password reset alone will not evict an attacker holding a live token. Then preserve what evidence you have and bring in incident response early, because the first hours decide how much of the picture is still recoverable.
WHAT THIS MEANS FOR YOUR ORGANISATION
The uncomfortable part of this case is how little went wrong on the victim's side in the ordinary sense. No one reused a weak password or ignored a warning. A trusted supplier sent what looked like routine paperwork, a manager signed in, and the security control the company was relying on did exactly what it was built to do — verify a login — while the attacker took something it was never built to protect. As trusted-supplier lures and session theft become the common shape of business email compromise, the defences that matter shift from “is MFA on” to “is our MFA the kind a proxy can't relay, and can we see what happens after someone signs in”.
The second lesson is quieter and, for a leadership team, more consequential. When logging is off, an organisation loses not just detection but the ability to answer for itself afterward — to counterparties, insurers, and regulators — what was and was not exposed. Turning it on costs almost nothing; discovering its absence mid-incident costs a great deal. A Compromise Assessment can establish whether an attacker is already in your environment and whether you would even know, before an incident forces the question.
ABOUT BLACKPANDA
Blackpanda is a Lloyd's of London–accredited insurance coverholder and Asia's leading local cyber incident response firm, delivering end-to-end digital emergency support across the region. We are pioneering the A2I (Assurance-to-Insurance) model in cybersecurity — uniting preparation, response, and insurance into a seamless pathway that minimises financial and operational impact from cyber attack. Through expert consulting services, response assurance subscriptions, and innovative cyber insurance, we help organisations get ready, respond, and recover from cyber attacks — all delivered by local specialists working in concert.
Our mission is clear: to bring complete cyber peace of mind to every organisation in Asia, from the first moment of breach through full recovery and beyond.






