Better together: Sophos MDR and Microsoft break the AiTM chain

MDR threat cases are real-world stories that demonstrate how Sophos MDR’s AI-native cybersecurity defense system detects, investigates, and responds to active cyberattacks — combining AI speed and expert human judgement to stop threats before they cause damage.

MDR Threat case

Organization: Construction and Engineering industry, 1000 employees, Berlin, Germany

Solution: Sophos MDR


Adversary behavior

A threat actor launches a broad phishing campaign that reaches several users at this German construction & engineering organization. The email contains a link hosted on a legitimate "linktree" style platform (the kind commonly used on social media), allowing it to slip past the firm's existing email security controls and appear benign at first glance. A few employees interact with the message, but one duped user follows the link through to an attacker-controlled spoofed Microsoft 365 login page. Believing it to be legitimate, the user enters their credentials, unknowingly handing them to the adversary.

Armed with stolen credentials, the attacker begins authenticating into the user's account from two out-of-region IP addresses associated with known AiTM (Adversary-in-the-Middle) infrastructure. Once inside the account, they prepare for a more serious BEC (Business Email Compromise) attack by creating covert inbox rules designed to redirect replies to a hidden folder.

Threat detection

Sophos MDR receives a burst of near real-time, varied detections as the attacker progresses through the AiTM attack. The first alerts flag malicious sign-ins from two known AiTM infrastructure IPs. Immediately after, a Sophos MDR proprietary detection built to ingest and interpret Microsoft Graph Security telemetry identifies the activity as an active AiTM user-compromise event. Other Microsoft-sourced detections follow, including risky sign-ins after link clicks and inbox rule creation.

Investigation

No single alert here can tell the whole story. Sophos MDR expertly correlates Microsoft Graph Security telemetry, which quickly reveals a clear attack chain. By aligning the phishing email interaction, credential theft, malicious sign-ins, and inbox-rule creation, MDR turns multiple incoming Microsoft-sourced detections into a clear picture of the adversary's actions. Within minutes, analysts confirm both the scope and intent of the intrusion with confidence.
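The correlation step above is what turns four separate signals (link click, two proxy sign-ins, inbox rule) into one incident. The following is an added illustration of that logic, not Sophos MDR's detection code: it walks a list of constructed, simplified events shaped loosely after Microsoft Graph sign-in and mailbox telemetry (the field names, the IP addresses, the user names and the "known AiTM infrastructure" list are all assumptions) and emits one incident per user whose activity fits the chain inside a time window. It also generalises the inbox-rule check slightly beyond the page, scoring rules that move mail to rarely read folders, mark it read, delete or forward it, or carry a blank name.

```python
"""Correlate Graph-style security signals into an AiTM attack chain (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

HOME_COUNTRY = "DE"  # constructed: the customer's expected sign-in region
# Folders attackers commonly use to hide redirected replies.
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "junk email", "deleted items"}
# Constructed placeholder IPs standing in for an analyst-curated AiTM proxy list.
KNOWN_AITM_IPS = {"203.0.113.10", "198.51.100.7"}

# Constructed sample telemetry (simplified field names, not real Graph schema).
SAMPLE_EVENTS = [
    {"time": "2025-03-04T08:02:00Z", "kind": "url_click", "user": "a.mueller@example.com",
     "url": "https://linktree-style.example/m365"},
    {"time": "2025-03-04T08:04:10Z", "kind": "signin", "user": "a.mueller@example.com",
     "ip": "203.0.113.10", "country": "US", "result": "success"},
    {"time": "2025-03-04T08:05:30Z", "kind": "signin", "user": "a.mueller@example.com",
     "ip": "198.51.100.7", "country": "NL", "result": "success"},
    {"time": "2025-03-04T08:09:00Z", "kind": "inbox_rule", "user": "a.mueller@example.com",
     "rule": {"displayName": ".", "actions": {"moveToFolder": "RSS Subscriptions", "markAsRead": True}}},
    {"time": "2025-03-04T09:15:00Z", "kind": "signin", "user": "b.schmidt@example.com",
     "ip": "192.0.2.44", "country": "DE", "result": "success"},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_suspicious_rule(rule):
    """Return the reasons a mailbox rule looks like BEC preparation (empty list if benign)."""
    actions = rule.get("actions", {})
    reasons = []
    target = (actions.get("moveToFolder") or "").lower()
    if target in HIDDEN_FOLDERS:
        reasons.append(f"moves mail to '{actions['moveToFolder']}'")
    if actions.get("markAsRead"):
        reasons.append("marks mail as read")
    if actions.get("delete"):
        reasons.append("deletes mail")
    if actions.get("forwardTo"):
        reasons.append("forwards mail")
    if not rule.get("displayName", "").strip(" .,_-"):
        reasons.append("rule name is blank or punctuation only")
    return reasons


def classify(event, known_ips):
    """Map one raw event to an attack-chain stage, or None if it is unremarkable."""
    kind = event["kind"]
    if kind == "url_click":
        return "phish_click", f"clicked {event['url']}"
    if kind == "signin" and event.get("result") == "success":
        if event["ip"] in known_ips:
            return "aitm_signin", f"sign-in from known AiTM IP {event['ip']}"
        if event.get("country") != HOME_COUNTRY:
            return "out_of_region_signin", f"sign-in from {event['country']}"
        return None
    if kind == "inbox_rule":
        reasons = is_suspicious_rule(event["rule"])
        if reasons:
            return "inbox_rule", "; ".join(reasons)
    return None


def correlate(events, known_ips, window=timedelta(hours=4)):
    """Group stage hits per user and emit an incident when a proxy sign-in anchors the chain."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_ts(e["time"])):
        hit = classify(ev, known_ips)
        if hit:
            by_user[ev["user"]].append((parse_ts(ev["time"]), hit[0], hit[1], ev))
    incidents = []
    for user, hits in by_user.items():
        stages = [h[1] for h in hits]
        # A click or a rule alone is noisy; a sign-in through AiTM infrastructure confirms theft.
        if "aitm_signin" not in stages or hits[-1][0] - hits[0][0] > window:
            continue
        post_access = "inbox_rule" in stages
        incidents.append({
            "user": user,
            "stages": stages,
            "aitm_ips": sorted({h[3]["ip"] for h in hits if h[1] == "aitm_signin"}),
            "evidence": [f"{h[0].isoformat()} {h[2]}" for h in hits],
            "confidence": "high" if "phish_click" in stages and post_access else "medium",
            "bec_indicator": post_access,
        })
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS, KNOWN_AITM_IPS):
        print(inc["user"], inc["confidence"], inc["stages"])
        print("\n".join("  " + line for line in inc["evidence"]))
```

Only the first user produces an incident: the second user's single in-region sign-in never reaches a stage. The window check is deliberately simple; a production rule would usually anchor the window on the first proxy sign-in rather than the first hit of any kind.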

Response

With findings confirmed, and this customer operating in "Collaborate" mode with Sophos MDR, we contact the customer and guide them through full containment and remediation—all completed in under two hours. The phishing email is deleted from the environment, active adversary sessions are revoked, the compromised user's credentials are reset, and Microsoft 365 response actions are enabled to prevent any further misuse of the account. To harden defenses beyond this immediate incident, MDR also advises the customer to implement MFA, enforce geolocation-based Conditional Access policies, and enable additional Microsoft 365 response automation for better protection against similar threats in the future.
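The containment sequence in the paragraph above (delete the phishing email, revoke sessions, reset credentials) maps directly onto Microsoft Graph calls. The block below is an added example of such a playbook, not Sophos MDR's response tooling. The Graph paths used are the documented `/users/{id}/messages`, `/users/{id}/mailFolders/inbox/messageRules`, `PATCH /users/{id}` with a `passwordProfile`, and `POST /users/{id}/revokeSignInSessions` endpoints; the `client` object with `get`/`post`/`patch`/`delete` methods is an assumption, and the `FakeGraphClient` shipped with it is a constructed stand-in so the code runs offline. The malicious rule ids are taken as input from the investigation rather than re-detected here.

```python
"""Containment playbook for an AiTM-compromised Microsoft 365 account (added example)."""
import secrets


class FakeGraphClient:
    """Constructed offline stand-in; a real client would call https://graph.microsoft.com/v1.0."""

    def __init__(self, messages=None, rules=None):
        self.calls = []                 # ordered record of (method, path) for auditing
        self._messages = messages or []
        self._rules = rules or []

    def get(self, path, params=None):
        self.calls.append(("GET", path))
        if path.endswith("/messages"):
            return {"value": self._messages}
        if path.endswith("/messageRules"):
            return {"value": self._rules}
        return {"value": []}

    def post(self, path, body=None):
        self.calls.append(("POST", path))
        return {}

    def patch(self, path, body=None):
        self.calls.append(("PATCH", path))
        return {}

    def delete(self, path):
        self.calls.append(("DELETE", path))
        return {}


def purge_phishing_mail(client, user_id, sender):
    """Delete every message from the phishing sender in one mailbox; return deleted ids."""
    # OData string literals use single quotes; double any quote in the analyst-supplied value
    # so an odd sender address cannot change the filter's meaning.
    safe_sender = sender.replace("'", "''")
    resp = client.get(f"/users/{user_id}/messages",
                      params={"$filter": f"from/emailAddress/address eq '{safe_sender}'"})
    removed = []
    for msg in resp.get("value", []):
        client.delete(f"/users/{user_id}/messages/{msg['id']}")
        removed.append(msg["id"])
    return removed


def remove_inbox_rules(client, user_id, rule_ids):
    """Remove the rules the investigation flagged, skipping ids that no longer exist."""
    listing = client.get(f"/users/{user_id}/mailFolders/inbox/messageRules")
    existing = {r["id"] for r in listing.get("value", [])}
    removed = []
    for rid in rule_ids:
        if rid in existing:
            client.delete(f"/users/{user_id}/mailFolders/inbox/messageRules/{rid}")
            removed.append(rid)
    return removed


def reset_password(client, user_id):
    """Set a random temporary password that must be changed at next sign-in."""
    temp = secrets.token_urlsafe(24)
    client.patch(f"/users/{user_id}", body={"passwordProfile": {
        "forceChangePasswordNextSignIn": True, "password": temp}})
    return temp  # hand over out of band; never write it to logs or tickets


def revoke_sessions(client, user_id):
    """Invalidate refresh tokens so stolen sessions cannot be renewed."""
    client.post(f"/users/{user_id}/revokeSignInSessions")


def contain_account(client, user_id, recipients, phish_sender, malicious_rule_ids):
    """Run the steps in a deliberate order and return an audit summary."""
    summary = {"user": user_id, "steps": [], "deleted_messages": {}}
    for rid in recipients:          # the lure reached several users, not only the victim
        summary["deleted_messages"][rid] = purge_phishing_mail(client, rid, phish_sender)
    summary["steps"].append("purge_phishing_mail")
    summary["removed_rules"] = remove_inbox_rules(client, user_id, malicious_rule_ids)
    summary["steps"].append("remove_inbox_rules")
    # Reset before revoking: revoking first leaves the attacker a still-valid password
    # with which to sign in again and obtain fresh tokens.
    reset_password(client, user_id)
    summary["steps"].append("reset_password")
    revoke_sessions(client, user_id)
    summary["steps"].append("revoke_sessions")
    return summary


if __name__ == "__main__":
    demo = FakeGraphClient(messages=[{"id": "m1"}], rules=[{"id": "r1"}, {"id": "r2"}])
    print(contain_account(demo, "victim", ["victim", "colleague"], "lure@example.net", ["r1"]))
```

The returned summary, together with `client.calls`, gives the analyst a record of exactly what was touched, which is what a customer in "Collaborate" mode will ask for afterwards.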