MFA Bypass Attack at Singapore IT Services Firm — Blackpanda IR-1 Containment of AiTM Credential Theft

PUBLISHED: November 28, 2025

A Singapore IT services firm was compromised through an adversary-in-the-middle phishing attack that harvested credentials and bypassed MFA. The attacker accessed a corporate mailbox, registered a malicious Azure AD application, and launched a phishing campaign to over 500 recipients. Blackpanda IR-1 responders contained the incident and guided remediation.

Summary
In October 2025, a Singapore IT services firm detected suspicious outbound messages sent from an employee’s Microsoft 365 account. What initially appeared to be isolated spam was later confirmed as a full mailbox compromise driven by a sophisticated adversary-in-the-middle (AiTM) phishing attack — the same technique used by modern phishing-as-a-service (PhaaS) platforms such as Tycoon 2FA.

Blackpanda’s investigation determined that the victim user unknowingly entered their Microsoft 365 credentials and one-time passcode (OTP) into a cloned authentication page. The attacker relayed both the credentials and OTP in real time, successfully bypassing MFA and establishing a valid session from the United States.

Three days later, the attacker escalated the compromise by registering a malicious Azure AD application to maintain long-term access without reauthentication. Two weeks later, they used the compromised mailbox to send phishing emails to more than 500 recipients, attempting to harvest credentials at scale.

Blackpanda’s IR-1 team reconstructed the timeline, removed attacker persistence, and delivered a full set of tactical and strategic recommendations — including phishing-resistant MFA, mailbox rule auditing, Azure AD application governance, and user training focused on emerging AiTM threat patterns.

Cost Savings Snapshot: Immense Cost Efficiency Achieved for a Small-Medium Business (SMB) with a Blackpanda IR-1 Annual Subscription

Under a 12-endpoint* Blackpanda IR-1 subscription, the Singapore firm paid approximately 100 times less than the amount it would have cost them to contain the incident on an on-demand or traditional retainer basis.

*A qualifying endpoint covered by Blackpanda IR-1 is defined as any physical or virtual device with an operating system (OS), such as laptops, security cameras, workstations and virtual machines, and excluding smartphones. All prices are indicative and subject to change at any time. Terms and conditions apply.

The Incident: MFA Bypass Through Adversary-in-the-Middle Phishing

On 2 October 2025, the firm observed suspicious outbound messages from one employee mailbox. The user had not sent these messages, prompting the firm to activate Blackpanda IR-1.

Upon analysis of local browser history and Microsoft 365 telemetry, Blackpanda determined that about three weeks prior, the employee visited a malicious phishing page hosted on AWS. The page displayed a Cloudflare “Verify You Are Human” challenge — a known feature of Tycoon 2FA–style AiTM platforms — before redirecting the user to a spoofed Microsoft login page.

Within minutes of entering their credentials and OTP, Microsoft 365 recorded a successful sign-in from the United States, executed via an automated script using the Axios client. This confirmed a real-time relay and MFA bypass, enabled by session cookie theft.
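As an added example (not Blackpanda's tooling), the following Python flags the pattern just described in Microsoft Entra sign-in logs: a successful sign-in from a different country within minutes of the user's own browser sign-in, from a scripted HTTP client such as Axios. The records are constructed to mirror the Graph signIn resource; the field names and the automation user-agent list are assumptions.

```python
# Added example: flag AiTM session replay in Microsoft Entra sign-in records. The
# records are constructed to mirror the Graph `signIn` resource; field names and
# the automation user-agent list are assumptions, not data from the case.
from datetime import datetime, timedelta
from itertools import groupby

# Substrings that identify scripted HTTP clients rather than a browser (assumed list).
AUTOMATION_UA = ("axios/", "python-requests", "curl/", "node-fetch", "go-http-client", "okhttp")
WINDOW = timedelta(minutes=60)  # how soon after the victim's own sign-in a relay is expected

# Constructed sample: the victim signs in from Singapore; minutes later the relayed
# session is redeemed from the US by an Axios script (one failed attempt, then success).
SIGNINS = [
    {"userPrincipalName": "victim@example.com", "createdDateTime": "2025-09-11T08:02:10Z",
     "location": {"countryOrRegion": "SG"}, "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "victim@example.com", "createdDateTime": "2025-09-11T08:04:00Z",
     "location": {"countryOrRegion": "US"}, "userAgent": "axios/1.7.2", "status": {"errorCode": 50126}},
    {"userPrincipalName": "victim@example.com", "createdDateTime": "2025-09-11T08:05:42Z",
     "location": {"countryOrRegion": "US"}, "userAgent": "axios/1.7.2", "status": {"errorCode": 0}},
    {"userPrincipalName": "colleague@example.com", "createdDateTime": "2025-09-11T09:00:00Z",
     "location": {"countryOrRegion": "SG"}, "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edg/128.0",
     "status": {"errorCode": 0}},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def is_automation(user_agent):
    """True when the user agent belongs to a scripted client, not a browser."""
    return any(marker in user_agent.lower() for marker in AUTOMATION_UA)

def find_session_replay(signins, window=WINDOW):
    """One finding per successful scripted sign-in that follows a successful sign-in
    by the same user from a different country within `window`; failures are ignored."""
    ok = sorted((s for s in signins if s["status"]["errorCode"] == 0),
                key=lambda s: (s["userPrincipalName"], _ts(s["createdDateTime"])))
    findings = []
    for upn, group in groupby(ok, key=lambda s: s["userPrincipalName"]):
        events = list(group)
        for i, cur in enumerate(events):
            if not is_automation(cur["userAgent"]):
                continue
            for prev in events[:i]:  # earlier successful sign-ins by the same user
                gap = _ts(cur["createdDateTime"]) - _ts(prev["createdDateTime"])
                if gap <= window and prev["location"]["countryOrRegion"] != cur["location"]["countryOrRegion"]:
                    findings.append({"user": upn, "time": cur["createdDateTime"],
                                     "country": cur["location"]["countryOrRegion"],
                                     "prior_country": prev["location"]["countryOrRegion"],
                                     "user_agent": cur["userAgent"], "minutes_after": gap.seconds // 60})
                    break  # one finding per replayed session
    return findings
```

In a tenant, the same logic runs over the Graph sign-in export or the SigninLogs table; the user-agent list should be tuned to the clients the organisation legitimately uses.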

Threat Actor Activity and Post-Compromise Behaviour

1. MFA Bypass and Mailbox Access

As soon as the user submitted their credentials on the phishing page, the attacker authenticated to the mailbox using the stolen session cookie.

2. Malicious Azure AD Application Registration

Three days after the initial access, the attacker registered a new Azure AD application named “test” using Azure CLI.

  • Multi-tenant enabled
  • Likely used to maintain persistent access through Microsoft Graph API
  • Increasingly common in OAuth-based persistence attacks

3. Phishing Campaign to More than 500 Recipients

Two weeks after the initial compromise, the attacker created a mailbox rule designed to suppress detection:

  • Mark messages as read
  • Delete messages
  • Stop processing subsequent rules
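The two persistence artefacts above, the multi-tenant Azure AD application registration and the mail-hiding inbox rule, both leave records in the Microsoft 365 Unified Audit Log. The following Python is an added example (not Blackpanda's tooling) that flags both from constructed records mirroring the UAL export shape; the field names and the sample values are assumptions, not the firm's log data.

```python
# Added example: audit Unified Audit Log records for the two persistence artefacts
# in this case, a multi-tenant app registration and a mailbox rule that hides mail.
# Records are constructed to mirror the UAL export shape; field names are assumptions.
import json

# Inbox-rule parameters that suppress mail the victim would otherwise see.
SUPPRESS_PARAMS = {"DeleteMessage", "MarkAsRead", "SoftDeleteMessage", "StopProcessingRules"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

AUDIT = [  # constructed sample records
    {"CreationTime": "2025-09-14T10:11:00", "Operation": "Add application.", "UserId": "victim@example.com",
     "ModifiedProperties": [{"Name": "DisplayName", "NewValue": "[\r\n  \"test\"\r\n]"},
                            {"Name": "AvailableToOtherTenants", "NewValue": "[\r\n  true\r\n]"}]},
    {"CreationTime": "2025-09-25T07:40:00", "Operation": "New-InboxRule", "UserId": "victim@example.com",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "DeleteMessage", "Value": "True"}, {"Name": "StopProcessingRules", "Value": "True"}]},
    {"CreationTime": "2025-09-25T08:00:00", "Operation": "New-InboxRule", "UserId": "colleague@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "From", "Value": "news@example.org"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]

def _new_value(rec, name):
    """Parse the JSON-encoded NewValue of a ModifiedProperties entry (a one-element list)."""
    for prop in rec.get("ModifiedProperties", []):
        if prop["Name"] == name:
            return json.loads(prop["NewValue"])[0]
    return None

def suppressive_params(rec):
    """Mail-hiding parameters set to True; empty unless the rule deletes mail or
    both marks it read and stops further rule processing (benign rules pass)."""
    params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
    on = sorted(n for n in SUPPRESS_PARAMS if params.get(n) == "True")
    hides = {"DeleteMessage", "SoftDeleteMessage"} & set(on) or {"MarkAsRead", "StopProcessingRules"} <= set(on)
    return on if hides else []

def audit(records):
    """Return (time, user, finding, detail) tuples for persistence artefacts."""
    findings = []
    for rec in records:
        if rec["Operation"] == "Add application." and _new_value(rec, "AvailableToOtherTenants") is True:
            findings.append((rec["CreationTime"], rec["UserId"], "multi-tenant app registration",
                             _new_value(rec, "DisplayName")))
        elif rec["Operation"] in RULE_OPS:
            flags = suppressive_params(rec)
            if flags:
                findings.append((rec["CreationTime"], rec["UserId"], "mail-hiding inbox rule", ", ".join(flags)))
    return findings
```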

Minutes later, they sent phishing messages to more than 500 internal and external recipients using a multi-stage AiTM redirect flow:

  1. “Document access” lure
  2. Cloudflare verification page
  3. Spoofed Microsoft 365 login portal

This flow matched the known kill chain of Tycoon 2FA AiTM campaigns documented throughout 2024–2025.

Key Findings

  • User credentials and OTP were harvested via an AiTM phishing attack.
  • MFA did not fail — it was bypassed via real-time token theft.
  • Attacker authenticated from the U.S. using a programmatic client.
  • OAuth application registered for persistence using Azure CLI.
  • Malicious inbox rule created to evade detection.
  • Large-scale phishing campaign executed from the compromised mailbox.
  • Attack infrastructure and behaviour matched Tycoon 2FA TTPs.

What Could Have Happened Without IR-1

Without rapid response, the firm risked:

  • Persistent attacker access through OAuth
  • Secondary compromises via outbound phishing
  • MFA reset bypass through token reuse
  • Mailbox manipulation and data loss
  • Full tenant-level exposure
  • Reputational harm from broad external phishing

Blackpanda’s response ensured full visibility, containment, and guided remediation.

Long-Term Resilience: Blackpanda Recommendations

People

  • User training on AiTM phishing indicators
  • Mandatory internal reporting escalation channels
  • Reinforcement of safe email practices

Process

  • Enforce global MFA
  • Audit and restrict Azure AD app-consent policies
  • Mandatory mailbox rule audits after any suspected compromise
  • Review of conditional access policies
  • Regular compromise assessments

Technology

  • Deploy phishing-resistant MFA (FIDO2, Windows Hello, passkeys)
  • Implement Azure AD consent governance
  • Disable user-initiated app consent where not needed
  • Enhance monitoring for anomalous geolocation or automation patterns
  • Integrate EDR telemetry with identity logs for unified detection
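The consent-governance items above map to two settings in the Entra ID authorization policy: whether ordinary users may register applications, and which permission-grant policy lets them consent on their own behalf. The following Python is an added example (not Blackpanda's tooling) that checks a policy for the weak settings; the two policy documents are constructed to mirror the Graph authorizationPolicy resource and are assumptions, not the firm's configuration.

```python
# Added example: check the Entra ID tenant settings that let an OAuth app persist.
# The policies are constructed to mirror the Graph `authorizationPolicy` resource
# (GET /v1.0/policies/authorizationPolicy); they are assumptions, not the firm's settings.
LEGACY_CONSENT = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"  # users consent to any app
LOW_RISK_CONSENT = "ManagePermissionGrantsForSelf.microsoft-user-default-low"   # verified publishers, low-risk scopes

WEAK_POLICY = {  # tenant defaults: any user can register an app and consent for themselves
    "defaultUserRolePermissions": {"allowedToCreateApps": True},
    "permissionGrantPolicyIdsAssignedToDefaultUserRole": [LEGACY_CONSENT],
}
HARDENED_POLICY = {  # registration limited to privileged roles; all consent goes to admin review
    "defaultUserRolePermissions": {"allowedToCreateApps": False},
    "permissionGrantPolicyIdsAssignedToDefaultUserRole": [],
}

def check_authorization_policy(policy):
    """Return (setting, recommendation) pairs for settings that enable OAuth persistence."""
    findings = []
    perms = policy.get("defaultUserRolePermissions", {})
    if perms.get("allowedToCreateApps", True):  # Entra's default is true when the key is absent
        findings.append(("defaultUserRolePermissions.allowedToCreateApps",
                         "set to false so only Application Developer or admin roles can register apps"))
    grants = policy.get("permissionGrantPolicyIdsAssignedToDefaultUserRole", [])
    if LEGACY_CONSENT in grants:
        findings.append(("permissionGrantPolicyIdsAssignedToDefaultUserRole",
                         "remove the legacy policy; use [] (admin consent only) or the low-risk policy"))
    return findings
```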

Already an IR-1 Customer? You’re Covered.

IR-1 subscribers gain:

  • 24/7 access to Blackpanda’s DFIR responders
  • Enhanced cyber readiness with Attack Surface Readiness (ASR) and Dark Web monitoring
  • Access to faster claims and discounted cyber insurance premiums

When attackers bypass inboxes, MFA, or user awareness — IR-1 ensures immediate, expert-led containment.

Frequently Asked Questions

1) What triggered the IR-1 response?

A client reported receiving unexpected emails from an employee’s mailbox. The user did not send these messages, indicating that the account was likely compromised.

2) How did the attacker bypass MFA?

The attacker used an adversary-in-the-middle (AiTM) phishing site displaying a Cloudflare verification page. The user’s credentials and one-time passcode (OTP) were relayed in real time to Microsoft 365, allowing the attacker to redeem a valid session token.

3) Did the attacker gain full mailbox access?

Yes. The stolen session token allowed the attacker to access the mailbox via web browsers on remote systems, despite MFA being enabled.

4) What persistence mechanisms were used?

Three days after the compromise, the attacker registered a malicious Azure AD application using the Microsoft Azure CLI. This OAuth application could grant long-term access to email and Microsoft Graph APIs even after a password reset.

5) Was there internal lateral movement?

No lateral movement across endpoints or servers was identified. The attacker focused on identity-level persistence and email-based credential harvesting.

6) Why were some mailbox actions hidden from the user?

The attacker created a mailbox rule that automatically marked incoming emails as read, deleted them, and halted further processing — a common technique used to conceal alerts or suspicious replies.

7) What was the purpose of the phishing campaign?

Using the compromised mailbox, the attacker sent phishing emails to more than 500 internal and external recipients. The goal was to harvest additional corporate credentials through a spoofed Microsoft 365 login portal protected by Cloudflare redirects.

8) How was persistence removed?

Blackpanda deleted the malicious Azure AD application, removed unauthorised mailbox rules, reset credentials, terminated active sessions, and validated the user’s authentication methods.

9) Could the attacker have escalated access without containment?

Yes. The OAuth app could have allowed long-term mailbox access, additional phishing waves, MFA bypass, or further identity compromise.

10) What long-term controls were recommended?

Key recommendations include deploying phishing-resistant MFA, restricting Azure AD app consent, auditing mailbox rules, enforcing global MFA, and enhancing identity monitoring and user awareness training.