
Adversary-in-the-middle attack (AiTM) targeting Microsoft 365
Organization: Retail industry, 1K+ stores, 9K+ employees, UK and Ireland
Solution: Sophos MDR + Microsoft 365 Management Activity
Adversary behavior
The attacker sends a phishing email pretending to be a shared OneNote file from a known supplier, containing a link to a fake Microsoft login page. The user logs in, and the attacker steals their credentials and session token. Armed with this access, the attacker logs into portal[.]office[.]com with the user's credentials and modifies a Microsoft Teams link in an existing calendar invitation—a common tactic used to stage Business Email Compromise (BEC) attacks or distribute malicious links to the user's contacts.
Threat detection
A proprietary Sophos detection rule identifies successful logins to 'portal.office.com' for the targeted user where the user agent string is suspicious—indicating a potential Adversary-in-the-Middle (AiTM) session compromise. A case is automatically created for Sophos MDR to investigate.
Investigation
The Sophos MDR analyst reviews Entra ID sign-in logs for the targeted user, who is office-based in the U.K., and identifies successful logins to 'portal.office.com' from IP addresses geolocated in the USA, the Netherlands, and Germany. The analyst uncovers the modification made to the user's calendar invitation by the attacker, confirming the scope and intent of the compromise.
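The detection and investigation logic described above, as an added illustration that is not Sophos's rule or code: a small Python detector over constructed sign-in records that flags successful portal.office.com logins carrying a non-browser user agent or originating outside the user's expected countries. The field names, the user-agent heuristic and the expected-country list are assumptions.

```python
# Added example: a minimal detector over constructed Entra ID-style sign-in
# records, modelled on the case above. Field names, the user-agent heuristic
# and the expected-country list are assumptions, not Sophos's actual rule.

PORTAL = "portal.office.com"

# Constructed sample sign-in events (RFC 5737 test addresses, not real data).
SIGN_INS = [
    {"user": "j.doe", "app": PORTAL, "result": "success", "country": "GB",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/120.0"},
    {"user": "j.doe", "app": PORTAL, "result": "success", "country": "US",
     "ip": "198.51.100.7", "ua": "python-requests/2.31"},
    {"user": "j.doe", "app": PORTAL, "result": "success", "country": "NL",
     "ip": "192.0.2.44", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/120.0"},
    {"user": "j.doe", "app": PORTAL, "result": "failure", "country": "DE",
     "ip": "192.0.2.99", "ua": "curl/8.4.0"},
]

# Where each user normally signs in from; the case describes a UK office worker.
EXPECTED_COUNTRIES = {"j.doe": {"GB", "IE"}}

# Substrings typical of scripted HTTP clients rather than a real browser.
SCRIPTED_UA_MARKERS = ("python-requests", "curl/", "go-http-client", "axios/")

def suspicious_user_agent(ua: str) -> bool:
    """Heuristic: not a browser-style UA, or carries a scripted-client marker."""
    ua_l = ua.lower()
    return not ua_l.startswith("mozilla/") or any(m in ua_l for m in SCRIPTED_UA_MARKERS)

def detect_aitm_sessions(events, expected=EXPECTED_COUNTRIES):
    """Flag successful portal logins whose UA or geolocation does not fit the user.

    Only successes matter: a stolen session token yields a *successful* sign-in,
    which is why failed attempts from odd locations are not treated as AiTM here.
    """
    alerts = []
    for e in events:
        if e["result"] != "success" or e["app"] != PORTAL:
            continue
        reasons = []
        if suspicious_user_agent(e["ua"]):
            reasons.append("suspicious_user_agent")
        if e["country"] not in expected.get(e["user"], set()):
            reasons.append("unexpected_country:" + e["country"])
        if reasons:
            alerts.append({"user": e["user"], "ip": e["ip"], "reasons": reasons})
    return alerts
```

Against the constructed sample, the UK/browser login passes, the US/python-requests and NL logins are flagged, and the failed DE attempt is ignored, mirroring the multi-country successes the analyst found in the sign-in logs.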
Response
The Sophos MDR analyst advises the organization to block the phishing email sender and reset the user's compromised credentials. The analyst provides guidance on terminating authentication tokens in Microsoft Entra ID and recommends setting up a conditional access policy to restrict logins for office-based employees to their specific geolocations. The case is closed in just two hours from initial detection, preventing further account abuse and strengthening defenses against future AiTM attacks.