
Microsoft 365 credential capture and re-use
Organization: Marketing consulting industry, 1200 employees, UK
Solution: Sophos MDR + Microsoft 365 Management Activity integration
Adversary behavior
The attacker first creates a Dropbox account to use in a phishing attack sent from a compromised supplier's email address. At 11:41 UTC, the attacker sends a phishing email with a malicious PDF attachment to an employee. Multiple email security technologies fail to detect the threat. At 12:03 UTC, the employee opens the attachment and enters their credentials. The malicious PDF also captures the employee's MFA token, which lets the attacker bypass multi-factor authentication and authenticate as the legitimate user.
Threat detection
A proprietary Sophos detection rule identifies successful Microsoft 365 logins for the targeted employee at 12:24 UTC where the user agent string is suspicious, indicating a potential session compromise. A case is automatically created for Sophos MDR to investigate, and an alert is sent to the customer's security team.
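An added illustration of the kind of logic such a detection applies (this is not Sophos's rule, which is proprietary): a per-user baseline of user agents is built from Management Activity API sign-in events, and any successful login whose user agent is outside that baseline or carries a non-browser tooling marker is flagged. The record shape follows the API's AzureActiveDirectory "UserLoggedIn" events as assumed here, and every value is constructed.

```python
from datetime import datetime

# Constructed sample sign-in records shaped after the Microsoft 365 Management
# Activity API's AzureActiveDirectory "UserLoggedIn" events; the field layout
# is an assumption and no value below comes from the case described above.
def _ev(t, status, ip, ua):
    return {"CreationTime": t, "Operation": "UserLoggedIn", "ResultStatus": status,
            "UserId": "employee@example.com", "ClientIP": ip,
            "ExtendedProperties": [{"Name": "UserAgent", "Value": ua}]}

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
SAMPLE_EVENTS = [
    _ev("2024-05-01T08:02:11", "Success", "198.51.100.10", BROWSER_UA),
    _ev("2024-05-02T08:10:43", "Success", "198.51.100.10", BROWSER_UA),
    _ev("2024-05-03T12:24:05", "Success", "203.0.113.77", "python-requests/2.31.0"),
    _ev("2024-05-03T12:25:40", "Failed", "203.0.113.77", "curl/8.4.0"),
]
# Substrings a browser-based employee sign-in should never carry in its user agent.
TOOLING_MARKERS = ("python-requests", "curl/", "axios/", "go-http-client")


def user_agent(event):
    """Return the UserAgent value from the event's ExtendedProperties, or ''."""
    return next((p.get("Value", "") for p in event.get("ExtendedProperties", [])
                 if p.get("Name") == "UserAgent"), "")


def successful_logins(events):
    return [e for e in events
            if e.get("Operation") == "UserLoggedIn" and e.get("ResultStatus") == "Success"]


def build_baseline(events, before_iso):
    """Map each user to the user agents seen on successful logins before the ISO cutoff."""
    cutoff, baseline = datetime.fromisoformat(before_iso), {}
    for e in successful_logins(events):
        if datetime.fromisoformat(e["CreationTime"]) < cutoff:
            baseline.setdefault(e["UserId"], set()).add(user_agent(e))
    return baseline


def find_suspicious_logins(events, baseline):
    """Flag successful logins whose user agent is new for that user or looks like tooling."""
    hits = []
    for e in successful_logins(events):
        ua, reasons = user_agent(e), []
        if ua not in baseline.get(e["UserId"], set()):
            reasons.append("user agent not in baseline")
        if any(m in ua for m in TOOLING_MARKERS):
            reasons.append("non-browser tooling user agent")
        if reasons:
            hits.append((e["CreationTime"], e["UserId"], e["ClientIP"], ua, reasons))
    return hits
```

Failed sign-ins are deliberately left out of both the baseline and the alerts, so the flagged event is the one successful login that an analyst would then compare against the user's normal pattern, as in the case above.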
Investigation
The Sophos MDR analyst investigates login activity using telemetry from the Microsoft 365 Management Activity integration. Analyzing the targeted employee's standard login patterns, Sophos MDR determines that the activity is anomalous—confirming that the attacker has successfully captured and re-used the employee's credentials and MFA token to gain unauthorized access.
Response
The Sophos MDR analyst advises the organization at 12:29 UTC to reset the employee's compromised credentials and terminate active sessions in Microsoft Entra ID. Sophos also recommends reviewing MFA devices for the affected employee. The customer applies the recommended actions at 13:30 UTC and the account is secured. In just over an hour from initial detection, Sophos MDR enables the customer to contain the credential compromise and prevent potential Business Email Compromise (BEC) or data exfiltration attacks.