
Collective immunity: Sophos MDR stops Microsoft phishing campaign targeting multiple customers
Organization: Alabama
Solution: Sophos MDR
Adversary behavior
The adversary sends a phishing email that results in an employee's account being compromised. The adversary uses the compromised account to send phishing emails pretending to be a shared OneNote file from a known supplier with a link to a fake Microsoft login page. These emails are sent to both internal and external recipients, enabling the attacker to scale the campaign beyond the initial victim organization.
Threat detection
Using the customer's Microsoft 365 telemetry, Sophos MDR detects multiple user account compromises within the customer's Microsoft 365 environment and generates an alert at 07:31 UTC.
Investigation and containment
Sophos MDR identifies seventeen compromised accounts at 09:54 UTC and escalates the case for urgent response. With the customer's approval, the Sophos MDR analyst disables the affected accounts in Microsoft 365 and Active Directory to contain the attack. Sophos MDR analysts then review the phishing emails sent to external recipients and identify thirty targeted organizations, including a second Sophos MDR customer.
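The three stages above (spotting that several accounts are compromised, deciding which accounts to disable, and scoping which external organizations received the lure) can be expressed as triage logic over audit records. The following is an added example, not Sophos' detection content and not code from the case study: it runs over constructed records loosely modelled on Microsoft 365 unified audit log fields (Operation, UserId, ClientIP, CreationTime, plus Subject and Recipients for Send events). The tenant domain `contoso.example`, the IP addresses, the lure subject and the thresholds are all hypothetical.

```python
"""Triage for an internal-account phishing wave: added example over constructed
Microsoft 365-style audit records (hypothetical tenant, IPs and thresholds)."""
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAIN = "contoso.example"       # assumed victim tenant (hypothetical)
SEND_THRESHOLD = 5                   # distinct recipients of one subject ...
SEND_WINDOW = timedelta(minutes=10)  # ... inside this window => burst
SHARED_IP_THRESHOLD = 3              # distinct accounts signing in from one IP


def _t(s):
    return datetime.fromisoformat(s)


def login(user, ip, t):
    return {"Operation": "UserLoggedIn", "UserId": user, "ClientIP": ip,
            "CreationTime": t}


def send(user, ip, t, subject, recipients):
    return {"Operation": "Send", "UserId": user, "ClientIP": ip,
            "CreationTime": t, "Subject": subject, "Recipients": recipients}


# Constructed sample: three accounts sign in from one attacker IP, two of them
# then mail a shared-OneNote lure to internal and external recipients.
LURE = "Alice shared 'Invoice Q2' with you (OneNote)"
RECORDS = [
    login("alice@contoso.example", "203.0.113.10", "2024-05-01T06:40:00"),
    login("bob@contoso.example", "203.0.113.10", "2024-05-01T07:02:00"),
    login("carol@contoso.example", "203.0.113.10", "2024-05-01T07:05:00"),
    login("dave@contoso.example", "198.51.100.7", "2024-05-01T07:10:00"),
    send("alice@contoso.example", "203.0.113.10", "2024-05-01T07:11:00", LURE,
         ["bob@contoso.example", "carol@contoso.example",
          "ap@supplier-one.example", "cfo@second-customer.example",
          "sales@third.example", "it@fourth.example"]),
    send("bob@contoso.example", "203.0.113.10", "2024-05-01T07:20:00", LURE,
         ["x@fifth.example", "y@sixth.example", "z@contoso.example",
          "w@second-customer.example", "v@seventh.example"]),
    send("dave@contoso.example", "198.51.100.7", "2024-05-01T07:25:00",
         "Re: lunch", ["erin@contoso.example"]),
]


def burst_senders(records, threshold=SEND_THRESHOLD, window=SEND_WINDOW):
    """Accounts that sent one subject to >= threshold distinct recipients
    within `window`. Returns {user: subject}."""
    by_key = defaultdict(list)
    for r in records:
        if r["Operation"] != "Send":
            continue
        for rcpt in r["Recipients"]:
            by_key[(r["UserId"], r["Subject"])].append(
                (_t(r["CreationTime"]), rcpt.lower()))
    flagged = {}
    for (user, subject), events in by_key.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):          # sliding time window
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            if len({rcpt for _, rcpt in events[lo:hi + 1]}) >= threshold:
                flagged[user] = subject
                break
    return flagged


def shared_ip_logins(records, threshold=SHARED_IP_THRESHOLD):
    """IPs from which >= threshold distinct accounts authenticated: a common
    symptom of phished credentials being replayed from one attacker host."""
    by_ip = defaultdict(set)
    for r in records:
        if r["Operation"] == "UserLoggedIn":
            by_ip[r["ClientIP"]].add(r["UserId"].lower())
    return {ip: sorted(u) for ip, u in by_ip.items() if len(u) >= threshold}


def external_targets(records, senders, org_domain=ORG_DOMAIN):
    """External domains that received the lure from flagged senders: the
    organizations to notify."""
    domains = set()
    for r in records:
        if (r["Operation"] == "Send" and r["UserId"] in senders
                and r["Subject"] == senders[r["UserId"]]):
            for rcpt in r["Recipients"]:
                d = rcpt.rsplit("@", 1)[-1].lower()
                if d != org_domain:
                    domains.add(d)
    return sorted(domains)


def triage(records=RECORDS):
    senders = burst_senders(records)
    ips = shared_ip_logins(records)
    to_disable = set(senders) | {u for users in ips.values() for u in users}
    return {"accounts_to_disable": sorted(to_disable),
            "shared_ips": ips,
            "external_targets": external_targets(records, senders)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

Note that `carol` never sent a lure but is still listed for disabling because she authenticated from the same IP as the two confirmed senders; correlating sign-in and send telemetry is what turns "one noisy mailbox" into "multiple account compromises". The external-domain list is the input to the notification step, which is how a second customer can be warned before anyone there opens the link.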
Collective immunity activation
At 11:50 UTC, Sophos MDR notifies the second customer before any of its users open the phishing link, preventing further compromise. This real-world example shows how rapid detection, effective escalation, and shared intelligence across Sophos' customer base stopped a major phishing campaign in its tracks, protecting not just one organization but an entire network of potential victims through collective immunity.