Rockstar 2FA phishing attack neutralized by Microsoft 365 response actions

MDR threat cases are real-world stories that demonstrate how Sophos MDR’s AI-native cybersecurity defense system detects, investigates, and responds to active cyberattacks — combining AI speed and expert human judgement to stop threats before they cause damage.

MDR Threat case

Organization: Automotive industry, 2800 employees, Alabama, USA

Solution: Sophos MDR + M365 Management Activity Integration + M365 Response Action Integration


Adversary behavior

The adversary successfully executes a phishing attack and logs in to the user's Microsoft 365 account with stolen credentials at 12:56 UTC. The attacker uses the "Rockstar 2FA" phishing kit designed to target Microsoft and Google accounts using adversary-in-the-middle (AiTM) techniques to steal credentials and bypass MFA. The phishing-as-a-service (PaaS) kit often uses compromised accounts and legitimate email platforms to deliver phishing links, directing victims to realistic fake login portals.

Threat detection

A proprietary Sophos detection rule for Microsoft 365 identifies the use of the Rockstar 2FA phishing kit for authentication at 13:12 UTC. A case is generated automatically and assigned to a Sophos MDR security analyst for investigation.

Investigation

The analyst investigates at 13:13 UTC and uses Microsoft 365 response actions to neutralize the threat directly. By analyzing authentication telemetry and correlating the phishing kit signature with user login patterns, the analyst confirms that the user's account has been compromised and that immediate containment is required to prevent Business Email Compromise (BEC) or data exfiltration.

Response

The Sophos MDR analyst uses Microsoft 365 response actions to disable sign-in and terminate active sessions for the compromised user account at 13:46 UTC and 13:48 UTC. The analyst escalates the activity to the customer and requests a password reset for the user's Microsoft 365 account. At 14:05 UTC, the customer confirms that the user's password has been reset. The analyst then re-enables user sign-in to restore access to the M365 account. From initial detection to full containment and account restoration, the complete response is executed in just over one hour—stopping the attacker before they can exploit the compromised account.
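The containment sequence described above (disable sign-in, terminate sessions, hand off for a password reset, then re-enable), expressed as an added example in Microsoft Graph PowerShell. This is not Sophos MDR's own tooling, which drives these actions through its M365 Response Action Integration; the user principal name is a placeholder, and it assumes the Microsoft.Graph module is installed and the operator holds a role permitted to disable users and revoke sessions.

```powershell
# Added example, not code from the Sophos case. Requires: Install-Module Microsoft.Graph
# Placeholder identity of the compromised account; replace before use.
$CompromisedUpn = "<compromised-user>@<tenant>.onmicrosoft.com"

# User.ReadWrite.All covers the accountEnabled change; User.RevokeSessions.All covers session revocation.
Connect-MgGraph -Scopes "User.ReadWrite.All", "User.RevokeSessions.All"

function Invoke-AccountContainment {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    # Step 1 (13:46 UTC in the case): block new sign-ins so the stolen credentials stop working.
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false

    # Step 2 (13:48 UTC): invalidate refresh tokens and existing sessions. This is the step that
    # ends an AiTM session which already holds a valid token; disabling the account alone does not.
    # Access tokens already issued remain valid until they expire, so both steps are needed.
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

    # Return the resulting state so the analyst can confirm containment before escalating.
    Get-MgUser -UserId $UserPrincipalName -Property userPrincipalName, accountEnabled |
        Select-Object UserPrincipalName, AccountEnabled
}

function Restore-AccountSignIn {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    # Step 3 (14:05 UTC in the case): run only after the customer confirms the password reset.
    # Re-enabling before the credential is rotated would let the attacker sign in again.
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$true
    Get-MgUser -UserId $UserPrincipalName -Property userPrincipalName, accountEnabled |
        Select-Object UserPrincipalName, AccountEnabled
}

# Containment first; restoration is a separate, deliberate action after the reset is confirmed.
Invoke-AccountContainment -UserPrincipalName $CompromisedUpn
# Restore-AccountSignIn -UserPrincipalName $CompromisedUpn   # after the password reset is confirmed
```

Expect AccountEnabled to read False after containment and True after restoration; a password reset between the two is what makes the restored account safe to use.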