
MDR vs. BEC – A Sophos MSP win
Partner: Incident Response Provider, California, US
Organization: Construction industry, 1–50 employees, Florida, United States
Solution: Sophos MDR
Adversary behavior
This attack begins with an Adversary-in-the-Middle (AiTM) phishing campaign built on the WikiKit / Sneaky2FA toolkit. A phishing link leads to a highly realistic Microsoft 365 login page; when the user enters their credentials there, the kit captures the username and password along with the 2FA code and the resulting session token. With these, the attacker briefly gains what appears to be legitimate access to the account.
Threat detection
This customer is supported by a Managed Service Provider (MSP) with Incident Response capabilities. The MSP uses Sophos MDR in "Authorize" mode, which quickly detects the intrusion and allows Sophos to act on their behalf. A proprietary Sophos WikiKit-specific detection identifies the exact compromised user, and telemetry confirms the attacker is using a valid session token—a clear sign of an AiTM attack. This suspicious login behavior elevates the alert instantly.
Investigation
During the investigation, Sophos MDR analysts find that the attacker has already begun staging a Business Email Compromise (BEC) attack, including attempts to create new inbox forwarding rules. But just 95 seconds after the attacker accesses the account, MDR intervenes.
Response
Operating in "Authorize" response mode, MDR immediately blocks all sign-ins for the compromised user and revokes every active session using Microsoft 365 response actions, cutting off the threat actor's access entirely. With the threat contained, MDR guides the MSP through full remediation for their customer: reviewing sign-ins, resetting credentials, re-enrolling MFA, auditing mailbox rules, and educating the user on AiTM risks. These steps deliver a clean recovery, prevent a costly BEC event, and strengthen trust across the MSP, the end customer, and their cyber insurance partners—ensuring no claim, no disruption, and no downstream impact.
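The forwarding rules the attacker staged during the investigation, and the mailbox-rule audit listed among the remediation steps, both come down to spotting forwarding changes in Microsoft 365 audit data. The following is an added example, not Sophos's detection logic or the MSP's tooling: it scans constructed records shaped like unified audit log entries for Exchange operations (field names follow the real schema; the users, IPs and addresses are made up, and the internal domain list is an assumption) and reports forwarding changes with the reasons they resemble BEC staging.

```python
# Constructed sample records shaped like Microsoft 365 unified audit log
# entries for Exchange operations; users, IPs and addresses are made up.
SAMPLE_AUDIT_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "j.doe@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "archive@mail-example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "a.smith@example.com", "ClientIP": "198.51.100.2",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "News"}]},
    {"Operation": "Set-Mailbox", "UserId": "j.doe@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Identity", "Value": "j.doe"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:x@example.org"}]},
]

# Operations and parameters that establish forwarding, plus parameters
# that hide the forwarded mail from the mailbox owner (BEC staging tells).
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}

def find_forwarding_changes(records, internal_domains):
    """Return one finding per record that adds forwarding, listing why it
    looks like BEC staging (external target, hidden mail, blank/dot name)."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = [v for k, v in params.items() if k in FORWARDING_PARAMS]
        if not targets:
            continue
        reasons = []
        for t in targets:  # strip the "smtp:" prefix used on mailbox forwarding
            domain = t.split(":")[-1].split("@")[-1].lower()
            if domain not in internal:
                reasons.append("external destination " + t)
        hidden = sorted(k for k in params if k in HIDING_PARAMS)
        if hidden:
            reasons.append("hides mail via " + ", ".join(hidden))
        name = params.get("Name", "")
        if rec["Operation"] != "Set-Mailbox" and not name.strip(". "):
            reasons.append("blank or dot rule name")
        findings.append({"user": rec.get("UserId"), "ip": rec.get("ClientIP"),
                         "operation": rec["Operation"], "reasons": reasons})
    return findings
```

Internal forwarding with a normal rule name and no hiding parameters still yields a finding, only with an empty reasons list, so an analyst can decide whether to treat it as benign.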