
BEC threat actor stopped in 84 seconds

MDR threat cases are real-world stories that demonstrate how Sophos MDR’s AI-native cybersecurity defense system detects, investigates, and responds to active cyberattacks — combining AI speed and expert human judgement to stop threats before they cause damage.

MDR Threat case


Partner: IT Services Provider, South Carolina, US

Organization: Business consulting firm, 100-150 employees, New York, US

Solution: Sophos MDR


Adversary behavior

The attacker uses the FlowerStorm AiTM (Adversary-in-the-Middle) phishing kit, a sophisticated phishing-as-a-service platform, to gain control of a user's Microsoft 365 account at this business consulting firm. FlowerStorm delivers highly convincing phishing emails and spoofed login pages that capture credentials and session tokens in real time, allowing attackers to bypass MFA and operate as fully authenticated users. Once inside, the attacker authenticates across multiple session IDs and source IPs to maintain access and creates an inbox rule that diverts emails from a known supplier into the “Conversation History” folder and marks them as read. This stages a classic Business Email Compromise (BEC) attack, most likely in preparation for wire fraud.

Threat detection

Sophos MDR identifies the attack through a purpose-built detection for the FlowerStorm AiTM phishing kit, combined with behavioral signals across identity and email activity. Sophos detections catch abnormal session behavior (the multiple session IDs and source IPs tied to a single account) and the creation of hidden mailbox rules, revealing a full BEC attempt.
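The two behavioral signals described above (one account authenticating from several session IDs and source IPs, and an inbox rule that hides a supplier's mail in a rarely viewed folder) can be checked for with simple detection logic over audit records. The example below is added here as an illustration and is not Sophos code, not the FlowerStorm-specific detection, and not the actual logs from this case. The records are constructed; the field names (`Operation`, `UserId`, `ClientIP`, `SessionId`, `Parameters` with `Name`/`Value` pairs) follow the general shape of Microsoft 365 unified audit log entries but are simplified, and the folder list is an assumption about where attackers commonly hide mail.

```python
from collections import defaultdict

# Constructed sample audit records (not real data). Field names are a simplified
# version of Microsoft 365 unified audit log entries; values are invented.
SAMPLE_LOG = [
    {"Operation": "UserLoggedIn", "UserId": "a.user@example.com", "ClientIP": "198.51.100.10", "SessionId": "sess-001"},
    {"Operation": "UserLoggedIn", "UserId": "a.user@example.com", "ClientIP": "203.0.113.55", "SessionId": "sess-002"},
    {"Operation": "UserLoggedIn", "UserId": "a.user@example.com", "ClientIP": "192.0.2.77", "SessionId": "sess-003"},
    {"Operation": "UserLoggedIn", "UserId": "b.user@example.com", "ClientIP": "198.51.100.10", "SessionId": "sess-010"},
    {"Operation": "New-InboxRule", "UserId": "a.user@example.com", "Parameters": [
        {"Name": "From", "Value": "billing@supplier.example"},
        # Exchange audit records often prefix the folder with the mailbox, e.g. "user\Folder".
        {"Name": "MoveToFolder", "Value": "a.user@example.com\\Conversation History"},
        {"Name": "MarkAsRead", "Value": "True"},
    ]},
    {"Operation": "New-InboxRule", "UserId": "b.user@example.com", "Parameters": [
        {"Name": "SubjectContainsWords", "Value": "newsletter"},
        {"Name": "MoveToFolder", "Value": "b.user@example.com\\Newsletters"},
    ]},
]

# Assumed list of folders users rarely open; rules that file mail here are worth a look.
HIDING_FOLDERS = {"conversation history", "rss feeds", "rss subscriptions",
                  "archive", "deleted items", "junk email"}


def params_to_dict(record):
    """Flatten the Name/Value parameter list of an Exchange audit record."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def find_multi_source_logins(records, min_sources=2):
    """Return users whose sign-ins span at least min_sources distinct IPs and session IDs."""
    ips, sessions = defaultdict(set), defaultdict(set)
    for r in records:
        if r.get("Operation") != "UserLoggedIn":
            continue
        ips[r["UserId"]].add(r["ClientIP"])
        sessions[r["UserId"]].add(r["SessionId"])
    return {
        user: {"ips": sorted(ips[user]), "sessions": sorted(sessions[user])}
        for user in ips
        if len(ips[user]) >= min_sources and len(sessions[user]) >= min_sources
    }


def find_hidden_inbox_rules(records):
    """Flag inbox rules that move mail to a hiding folder, mark it read, or delete it."""
    hits = []
    for r in records:
        if r.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = params_to_dict(r)
        reasons = []
        # Strip the "mailbox\" prefix so "user\Conversation History" matches the folder name.
        folder = p.get("MoveToFolder", "").rsplit("\\", 1)[-1]
        if folder.strip().lower() in HIDING_FOLDERS:
            reasons.append(f"moves mail to '{folder}'")
        if p.get("MarkAsRead", "").lower() == "true":
            reasons.append("marks messages as read")
        if p.get("DeleteMessage", "").lower() == "true":
            reasons.append("deletes messages")
        if reasons and "From" in p:
            reasons.append(f"targets sender '{p['From']}'")
        if reasons:
            hits.append({"user": r["UserId"], "reasons": reasons})
    return hits


def correlate(records, min_sources=2):
    """Users showing both signals at once: the combination that indicates a staged BEC."""
    logins = find_multi_source_logins(records, min_sources)
    rule_users = {h["user"] for h in find_hidden_inbox_rules(records)}
    return sorted(rule_users & set(logins))


if __name__ == "__main__":
    for user in correlate(SAMPLE_LOG):
        print(f"{user}: multi-source sign-ins plus hidden inbox rule")
```

Either signal alone produces false positives (travelling users, legitimate filing rules), which is why the correlation in `correlate` is the interesting output: a single account with both behaviours is the pattern the case describes. On real data the `SessionId` field lives inside the record's extended properties rather than at the top level, so the record loader would need to be adapted.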

Investigation

Within seconds of detection, Sophos’ AI-native analysis correlates activity across identity and email layers, confirming with high confidence that the compromised account is part of a multi-stage attack. This rapid correlation gives Sophos MDR enough evidence to contain the threat immediately, without waiting for manual triage. Human analysts then validate the attacker’s intent by confirming the subtle inbox rule was created specifically to divert emails from a known supplier — a strong indicator that the attacker was preparing for wire fraud. This combination of automated correlation and human expertise delivers both speed and certainty, guiding clear response actions while confirming nothing is missed.

Response

Sophos MDR immediately contains the attack through automated response actions. Within 84 seconds, the user sign-in is blocked and all active sessions are revoked, cutting off attacker access before any further activity can occur. With the threat contained, Sophos MDR analysts ensure full remediation by identifying the exact malicious inbox rule and removing it. This agentic response with human judgment delivers both speed and completeness — stopping the attack in seconds while ensuring nothing is left behind.