Key facts
- Organisation: A Singapore media firm
- Threat: Business Email Compromise (BEC) via Adversary-in-the-Middle (AiTM) phishing
- Initial access: A phishing link inside a document shared from a trusted partner's compromised account
- Impact: Almost SGD 2 million in attempted fraudulent transfers, all stopped by the bank; more than 1,700 phishing emails sent from the firm's own system; finance mailbox flooded to bury alerts
- Core issue: A relayed login defeated multi-factor authentication, and thin monitoring let the attacker persist for more than five weeks
What this case shows
- Multi-factor authentication is not a wall. A phishing proxy can relay the login and the code in real time, then ride the stolen session for weeks.
- The most convincing lure is a genuine document from a genuine contact. A compromised partner, assumed as a safe sender, becomes an attack path.
- An attacker holding admin rights can start pointing your own email system at all your customers and partners.
- The footholds left behind after the first cleanup are often the greater danger.
Wondering what an intruder could already be doing inside your email? Begin with a Compromise Assessment or subscribe to Blackpanda IR-1 to have incident responders on standby.
What this would have cost without Blackpanda IR-1 in place
| | ODIR | IR-1 |
|---|---|---|
| Type of engagement | On-demand incident response | Yearly subscription |
| Hours covered | 35 hours | Unlimited* |
| Pricing¹ | USD $17,500 | USD $1,750 |
* Unlimited for one incident per year
¹ Ad-hoc incident response pricing based on average market rates, from USD 500 per hour. Blackpanda IR-1 subscription pricing based on number of endpoints, costing approx. 10x less than ad-hoc and retainer-based incident response. All figures are illustrative only, for guidance and marketing purposes and not to be relied upon by the reader. Actual incident response costs vary by scope, complexity, and provider.
Challenge
The email arrived from a partner the company had worked with for years. It carried a shared document, nothing unusual, and a link tucked inside. When a senior administrator clicked through and signed in, the page looked exactly like the Microsoft login they used every day.
But it was not. Behind the page sat a relay that forwarded the password and the login prompt to the real Microsoft service in real time, then kept the result.
Multi-factor authentication did not stop this. Adversary-in-the-Middle (AiTM) phishing, the technique at work here, sits between the user and the genuine service and passes each security challenge along as it happens. The moment the administrator approved the prompt and chose to stay signed in, the attacker took off with a live session token — the digital equivalent of a key cut while the lock was still open. A password reset alone would not close that door.
What came next was quiet and unhurried. For more than five weeks the intruder read through finance mailboxes, learned who approved payments, and waited. Then it began writing to the company's bank in the names of two senior managers, sending nine wire-transfer instructions and chasing almost SGD 2 million. The bank rejected every one.
The fraud the company could see was only the surface. Beneath it sat a backdoor administrator account wearing the company's own name, a rogue mail connector relaying spoofed messages, and a second phishing campaign already firing more than 1,700 messages at outsiders from inside the company's own email system.
Solution
1. Secured the evidence before it could vanish
Blackpanda moved first to preserve what the attacker was working to destroy. The Blackpanda incident response team captured Microsoft 365 audit logs, mail-trace records, and a forensic image of the administrator's workstation, locking down the account activity, the mailbox rules, and the sign-in history while they still existed. The attacker had been hard-deleting messages by the dozen and dredging recovery folders, so timing mattered.
2. Rebuilt the timeline to the second
Endpoint forensics fixed the exact instant of theft, showing the stolen session replayed from overseas infrastructure within the same second the credentials were entered. That precision overturned an early reading of events. Investigators had first treated the partner organisation as a fellow victim whose warnings the attacker had silenced; the evidence showed the reverse. The partner's compromised account was the delivery vehicle, and a hidden rule had been set on day one to erase any warning the partner might send.
3. Mapped the full reach of the compromise
The team traced every foothold the attacker had planted: the backdoor Global Administrator account, the malicious inbound connector, a consented third-party application, the rogue number registered for login codes, and the inbox rules hiding the bank's replies. Seven mailboxes had been opened or exposed. No malware turned up and no machine was infected; the entire attack lived in cloud identity and mail flow.
4. Guided containment and separated friend from foe
Blackpanda worked beside the company's IT team as it reset credentials, revoked sessions, stripped the connector and rules, and withdrew the application consent. When new activity surfaced days later, the team validated each action with the affected customer rather than assuming the worst, confirming which were legitimate administrator steps and which were not. This cleared the noise and pinned the intruder's last real action to just one email.
Results
1. Not a dollar lost
The bank rejected or intercepted all nine fraudulent transfer attempts. The company's exposure to almost SGD 2 million in fraud closed at zero.
2. The true entry point, confirmed
Forensics corrected the initial account of the breach and named its real source, a trusted partner's compromised account, so the company could warn the partner and break the chain for both of them.
3. Every foothold accounted for
The incident response team identified every persistence mechanism the threat actor established. Two footholds — the attacker's registered phone number for secondary authentication and a backdoor administrator account — evaded the initial remediation but were eventually contained.
4. A hidden liability brought into the open
The investigation revealed an unrecognised second phishing wave. Sent from the firm's own infrastructure, the campaign pushed more than 1,700 emails to hundreds of recipients across over 100 organisations, raising reputational and legal-notification risks the company had not known it carried.
5. A clear route to closure
The company received a prioritised remediation list, ordered by severity, that turned an open-ended scare into a finite set of actions.
This case follows a pattern that is simple to describe but difficult to manage in practice. From the initial relayed login and stealthy mailbox rules to the creation of a rogue connector and the mid-remediation phone registration, almost every tactical move by the attacker could have triggered an alert if proactive monitoring were in place. Implementing phishing-resistant authentication would have stopped the intrusion at its inception, while active alerting for new admin roles, inbox rules, and connectors would have reduced the response time from weeks to just minutes. These defences go in before the attack, not after it.
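As an added example (not part of the original case study and not Blackpanda's tooling), this is the alerting logic the paragraph above and the FAQ on dwell time call for, run over constructed Microsoft 365 audit records: a new inbox rule that hides mail on a finance mailbox, a new inbound connector, a new Global Administrator, a SendAs grant, and a newly registered MFA method. The flattened record layout, the finance mailbox list and the example.com identities are assumptions.

```python
import json

# Constructed sample records (not real log data), flattened to an assumed
# Operation / UserId / Parameters shape; real Unified Audit Log exports carry
# many more fields and record directory events under different keys.
SAMPLE_LOG = """
{"Operation":"New-InboxRule","UserId":"finance@example.com","Parameters":[{"Name":"SubjectContainsWords","Value":"wire"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"}]}
{"Operation":"New-InboxRule","UserId":"staff@example.com","Parameters":[{"Name":"From","Value":"news@example.org"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"Operation":"New-InboundConnector","UserId":"admin@example.com","Parameters":[{"Name":"Name","Value":"Relay"},{"Name":"SenderIPAddresses","Value":"203.0.113.10"}]}
{"Operation":"Add member to role.","UserId":"admin@example.com","Parameters":[{"Name":"Role.DisplayName","Value":"Global Administrator"},{"Name":"Target","Value":"svc-backup@example.com"}]}
{"Operation":"Add-RecipientPermission","UserId":"admin@example.com","Parameters":[{"Name":"AccessRights","Value":"SendAs"},{"Name":"Identity","Value":"cfo@example.com"}]}
{"Operation":"User registered security info","UserId":"admin@example.com","Parameters":[{"Name":"MethodType","Value":"Phone"}]}
{"Operation":"MailItemsAccessed","UserId":"finance@example.com","Parameters":[]}
"""

# Mailboxes whose new rules always deserve a look (assumed list).
FINANCE_MAILBOXES = {"finance@example.com", "cfo@example.com"}
# Rule actions that can bury or destroy a reply before the owner sees it.
HIDING_ACTIONS = {"DeleteMessage", "MoveToFolder", "MarkAsRead", "StopProcessingRules"}

def params(rec):
    """Collapse the Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}

def classify(rec):
    """Return an alert label for one record, or None when it is benign."""
    op, p = rec["Operation"], params(rec)
    if (op == "New-InboxRule" and rec["UserId"] in FINANCE_MAILBOXES
            and HIDING_ACTIONS.intersection(p)):
        return "inbox-rule-hiding-mail"
    if op == "New-InboundConnector":
        return "new-inbound-connector"
    if op == "Add member to role." and p.get("Role.DisplayName") == "Global Administrator":
        return "new-global-admin"
    if (op in ("Add-RecipientPermission", "Add-MailboxPermission")
            and "SendAs" in p.get("AccessRights", "")):
        return "send-as-granted"
    if op == "User registered security info":
        return "new-mfa-method"
    return None

def triage(log_text):
    """Classify newline-delimited JSON records; return (label, actor, operation)."""
    alerts = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        label = classify(rec)
        if label:
            alerts.append((label, rec["UserId"], rec["Operation"]))
    return alerts
```

Each label maps to one of the case's persistence steps, so `triage` over a live export would have fired five times here while the staff newsletter rule and routine mailbox reads stay silent.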
FAQ
1. What is Business Email Compromise, and how is it different from ordinary spam?
BEC is targeted fraud that travels inside real email, usually to redirect money. Instead of blasting obvious scams to millions, the attacker studies one organisation, impersonates someone with authority, and asks for a payment that looks routine. The FBI calls it one of the most financially damaging online crimes, precisely because the message comes from people and accounts the victim already trusts.
2. We use multi-factor authentication. How did the attacker get past it?
Most MFA confirms a login with a code or a tap, and a phishing proxy can relay that step to the real service the instant the victim approves it. This is Adversary-in-the-Middle phishing, and it steals the session rather than the password. Phishing-resistant methods such as FIDO2 keys and passkeys defeat the trick, because they bind the login to the genuine web address and refuse to authenticate against a fake one, which is why CISA now treats them as the standard worth migrating to.
3. How can a criminal send email that appears to come from our executives?
Once inside, the attacker granted itself send-as rights on senior managers' mailboxes, then wrote to the bank under their names while the managers saw nothing. It also created rules that swept the bank's replies into a hidden folder. The deception works because it borrows the company's own permissions, the same way attackers do when they impersonate a firm's people to push payment fraud.
4. The break-in came through a partner we trust. How do we defend against that?
A compromised partner is among the hardest lures to catch, because the sender and the document are genuinely real. Treat any link that asks you to sign in as suspect no matter who sent it, and confirm unexpected shared documents through a separate channel. The same habit protects payments: verifying a transfer request by phone to a known number costs just a minute and defeats most of this.
5. How did five weeks pass without anyone noticing?
Dwell time of weeks is common in identity-based attacks, because nothing crashes and no files lock up; the activity hides inside normal email use. Here the attacker also worked hard to stay invisible, deleting warnings and burying replies as it went. Without alerts on the specific events that betray this behaviour — a new admin account, a new mail connector, a new inbox rule on a finance mailbox — the signs simply pile up unseen.
6. We think this is happening to us right now. What should we do first?
Move fast, and preserve evidence instead of deleting it. Reset and revoke the affected accounts, then bring in specialists to find the footholds you cannot see on your own. Blackpanda's Emergency Incident Response team can be engaged, or you can report an incident here.
What this means for your organisation
Identity has become the perimeter, and email is where most breaches now begin. Attackers no longer need malware or a software flaw when one relayed login hands them the keys, and the fastest-growing intrusions look exactly like this one — a believable message, a stolen session, weeks of patient movement. What defines them is not technical brilliance but quiet persistence and the absence of anything obvious to notice.
Two moves change the odds. Phishing-resistant MFA closes the door this attacker walked through, and real-time alerting on identity events shrinks dwell time from weeks to minutes. For organisations that would rather have specialists already on call than assemble a response under pressure, Blackpanda's IR-1 puts incident response on standby before anything goes wrong. And for those who suspect something already has, a Compromise Assessment hunts for the footholds that hide in plain sight.
About Blackpanda
Blackpanda is a Lloyd's of London–accredited insurance coverholder and Asia's leading local cyber incident response firm, delivering end-to-end digital emergency support across the region. We are pioneering the A2I (Assurance-to-Insurance) model in cybersecurity — uniting preparation, response, and insurance into a seamless pathway that minimises financial and operational impact from cyber attack. Through expert consulting services, response assurance subscriptions, and innovative cyber insurance, we help organisations get ready, respond, and recover from cyber attacks — all delivered by local specialists working in concert.
Our mission is clear: to bring complete cyber peace of mind to every organisation in Asia, from the first moment of breach through full recovery and beyond.