INC-2025-003: March 2025 Internal Sophos Phishing Attempt

Overview

In March 2025, a senior Sophos employee received a phishing email containing a fraudulent DocuSign link. This is a well-known phishing lure, and we assess that the email was non-targeted and part of a broader spam/phishing campaign. The employee clicked the link and was taken to a fake Office 365 login page, where they entered their credentials. They then received a multi-factor authentication (MFA) challenge, triggered by our legitimate MFA process because the fake page relayed the entered credentials to the real login service in real time, and approved it.

The threat actor, now in possession of a valid session, attempted to log in to several resources but was blocked by our Conditional Access Policy (CAP) and by the limited permissions of the account.

Our internal teams escalated the incident, revoked the session, and reset the employee’s credentials.

A subsequent investigation revealed that there was no suspicious activity relating to the accounts of other users who had received the email; no successful access to, or exfiltration of, documents or resources; and no further suspicious activity on the employee’s account.

Impact

The impact of this incident was limited. While the threat actor successfully obtained a valid session, they were unable to log in to corporate services due to our CAP. They were able to log in to our corporate device enrolment portal, but were unable to make any changes or register a new device, due to limited permissions (which is by design).

Timeline

Time                      Event
March 14, 2025 15:12 UTC  Initial batch of emails received
March 14, 2025 16:04 UTC  User clicks link and inputs credentials; first malicious access attempt by attacker
March 14, 2025 16:24 UTC  The Managed Detection and Response (MDR) team investigates suspicious activity
March 14, 2025 16:26 UTC  MDR escalates to Internal Detection and Response (IDR)
March 14, 2025 16:38 UTC  User reports issue
March 14, 2025 16:58 UTC  IT revokes session, resets password, resets MFA
March 14, 2025 17:21 UTC  The IDR team removes remaining emails with Sophos Email clawback

Analysis

The initial phishing email appeared legitimate, and aligned with internal discussions the employee had been involved in; they were expecting an email on a similar topic. After conducting due diligence, we assess that this was a coincidence, rather than the threat actor exploiting any inside knowledge. While the phishing emails were correctly categorized as spam – showing that our email controls were working as intended – some users released them from quarantine, believing them to be legitimate.

The fake Office 365 page was also well-crafted, and the (legitimate) MFA challenge helped to further persuade the user that everything was aboveboard.
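The detection signal in this kind of incident is that the login service records the authentication from the phishing host (which relayed the credentials and MFA), and the resulting session is then used from the attacker's own machine. The following is an added example, not Sophos's detection logic or a real log format: it compares the client context of every later access with the context recorded when the session was authenticated, over a constructed set of sign-in events. The event schema, session identifiers and confidence thresholds are assumptions.

```python
"""Detect sessions that are used from a different client than the one that
authenticated them. Added illustrative code; the event schema is an
assumption, not a Sophos or identity-provider log format."""
from datetime import datetime, timezone

RANK = {"low": 0, "medium": 1, "high": 2}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample events (not real logs). s-100 is a legitimate session whose
# IP changes mid-session (a laptop moving between networks). s-200 was
# authenticated through a phishing proxy (198.51.100.7) and its cookie was then
# replayed from the attacker's own machine (192.0.2.55).
SAMPLE_EVENTS = [
    {"ts": "2025-03-14T15:58:02Z", "user": "alice", "event": "auth_success",
     "session": "s-100", "ip": "203.0.113.10", "ua": "Edge/134 Windows"},
    {"ts": "2025-03-14T16:01:15Z", "user": "alice", "event": "resource_access",
     "session": "s-100", "ip": "203.0.113.44", "ua": "Edge/134 Windows", "app": "mail"},
    {"ts": "2025-03-14T16:04:30Z", "user": "bob", "event": "auth_success",
     "session": "s-200", "ip": "198.51.100.7", "ua": "Chrome/134 Linux"},
    {"ts": "2025-03-14T16:06:02Z", "user": "bob", "event": "resource_access",
     "session": "s-200", "ip": "192.0.2.55", "ua": "Firefox/136 Windows", "app": "sharepoint"},
    {"ts": "2025-03-14T16:07:40Z", "user": "bob", "event": "resource_access",
     "session": "s-200", "ip": "192.0.2.55", "ua": "Firefox/136 Windows", "app": "device_enrolment"},
]


def find_replayed_sessions(events):
    """Return {session_id: finding} for sessions later used from a client that
    differs from the one that completed authentication.

    Confidence: 'high' if both IP and user agent differ, 'medium' if only the
    user agent differs, 'low' if only the IP differs (mobile and VPN clients
    change IP legitimately, so IP alone is a weak signal).
    """
    auth_ctx = {}   # session -> (ip, ua, time) recorded at authentication
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if ev["event"] == "auth_success":
            auth_ctx[sid] = (ev["ip"], ev["ua"], _parse(ev["ts"]))
            continue
        if ev["event"] != "resource_access" or sid not in auth_ctx:
            continue
        auth_ip, auth_ua, auth_time = auth_ctx[sid]
        ip_diff = ev["ip"] != auth_ip
        ua_diff = ev["ua"] != auth_ua
        if not (ip_diff or ua_diff):
            continue
        confidence = "high" if ip_diff and ua_diff else ("medium" if ua_diff else "low")
        f = findings.setdefault(sid, {
            "user": ev["user"],
            "auth_client": (auth_ip, auth_ua),
            "replay_clients": set(),
            "apps": [],
            "seconds_after_auth": None,
            "confidence": "low",
        })
        f["replay_clients"].add((ev["ip"], ev["ua"]))
        f["apps"].append(ev["app"])
        if f["seconds_after_auth"] is None:
            f["seconds_after_auth"] = int((_parse(ev["ts"]) - auth_time).total_seconds())
        if RANK[confidence] > RANK[f["confidence"]]:
            f["confidence"] = confidence
    return findings


def triage(findings, min_confidence="medium"):
    """Session ids worth escalating, ordered by confidence then id."""
    keep = [s for s, f in findings.items() if RANK[f["confidence"]] >= RANK[min_confidence]]
    return sorted(keep, key=lambda s: (-RANK[findings[s]["confidence"]], s))


if __name__ == "__main__":
    results = find_replayed_sessions(SAMPLE_EVENTS)
    for sid in triage(results):
        f = results[sid]
        print(sid, f["user"], f["confidence"], f["seconds_after_auth"], "s after auth ->", f["apps"])
```

On the constructed data the phished session is flagged at high confidence within two minutes of authentication, while the legitimate session with a changed IP stays at low confidence and is not escalated at the default threshold; that separation is the reason to score IP and user-agent changes differently rather than alerting on IP alone.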

Our CAP is part of our single sign-on (SSO) process and lets us define the conditions under which access to corporate applications is granted. We rely on a combination of user verification and device validation rather than on network location rules (such as 'impossible travel' detection): an attacker can route a session through a proxy or VPN in an expected region, and legitimate travel and mobile networks produce false positives.

By design, an authenticated user can access our device enrolment portal, but adding and registering devices requires strictly managed permissions. This matters because device validation is the control that a stolen session cannot satisfy: if an attacker could enrol their own machine, they could meet the device check and circumvent our CAP.
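The two paragraphs above describe a decision model rather than a specific product configuration. The following is an added example, not Sophos's policy or any vendor's implementation: a simplified conditional-access evaluator that requires a valid session, an MFA claim and a managed, compliant device for application access, lets any authenticated user view the enrolment portal, and gates device registration on a role. The device inventory, application list, role name and the request schema are all assumptions.

```python
"""Simplified model of a conditional-access decision. Added illustrative code;
the rule set, inventory and role names are assumptions, not Sophos's policy."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed device inventory: device id -> compliance state reported by MDM.
# In a real deployment the device id would come from a device certificate or
# token claim, not from a client-supplied string.
MANAGED_DEVICES = {"dev-4711": "compliant", "dev-0815": "noncompliant"}

# Apps that require a managed, compliant device. Anything not listed is treated
# as requiring one (deny by default), so a resource that was never brought
# under the policy fails closed rather than open.
APP_REQUIRES_COMPLIANT_DEVICE = {"mail": True, "sharepoint": True, "device_enrolment": False}

# Privileged actions and the role each requires.
ACTION_REQUIRES_ROLE = {"register_device": "DeviceEnrolmentAdmin"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    action: str                 # "read" or a privileged action
    session_valid: bool         # token/cookie validates
    mfa_satisfied: bool         # MFA claim present in the session
    device_id: Optional[str]    # managed-device identifier, None if unknown/unmanaged
    roles: FrozenSet[str] = frozenset()


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks are ordered cheapest-first; all must pass."""
    if not req.session_valid:
        return False, "session invalid"
    if not req.mfa_satisfied:
        return False, "MFA required"
    if APP_REQUIRES_COMPLIANT_DEVICE.get(req.app, True):
        state = MANAGED_DEVICES.get(req.device_id) if req.device_id else None
        if state != "compliant":
            return False, "device not managed and compliant"
    role = ACTION_REQUIRES_ROLE.get(req.action)
    if role and role not in req.roles:
        return False, "missing role " + role
    return True, "allowed"


def stolen_session_outcomes():
    """Replay of a phished session (valid token, MFA claim present) from the
    attacker's unmanaged host. Mirrors the incident: apps blocked, enrolment
    portal viewable, registration refused."""
    attacker = dict(user="bob", session_valid=True, mfa_satisfied=True,
                    device_id=None, roles=frozenset())
    return {
        "mail": evaluate(AccessRequest(app="mail", action="read", **attacker)),
        "enrolment_view": evaluate(AccessRequest(app="device_enrolment", action="read", **attacker)),
        "enrolment_register": evaluate(AccessRequest(app="device_enrolment", action="register_device", **attacker)),
        "unknown_app": evaluate(AccessRequest(app="wiki", action="read", **attacker)),
    }


def legitimate_outcome(device_id="dev-4711"):
    """The same user on a managed device."""
    return evaluate(AccessRequest(user="bob", app="mail", action="read",
                                  session_valid=True, mfa_satisfied=True, device_id=device_id))


if __name__ == "__main__":
    for name, decision in stolen_session_outcomes().items():
        print(f"attacker {name:20s} -> {decision}")
    print("legitimate mail        ->", legitimate_outcome())
    print("noncompliant device    ->", legitimate_outcome("dev-0815"))
```

Note that the attacker's session passes both the session and MFA checks; only the device requirement stops it, which is why the enrolment path must not let an ordinary authenticated user add a device.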

Our Sophos X-Ops teams – SophosLabs, MDR, and IDR – and our internal IT team worked together to eliminate the threat. The employee also realized that something was amiss after approving the MFA prompt, and informed our internal security team of the incident themselves.

Resolution

Immediate actions

The SophosLabs team helped to analyze the phishing email and indicators of compromise (IOCs). Our IDR team conducted a threat hunt on our estate.

Our IT team reset the employee’s credentials and revoked all active sessions.

IOCs associated with the phishing email were blocked, and we clawed back the email from the inboxes of other employees.

Indicators and attack patterns were shared across our product teams to ensure that Sophos product defenses were further improved to prevent this threat.

We conducted an investigation and confirmed that there was no suspicious activity relating to the 15 other users who had received the phishing email, that the threat actor had not been able to access or exfiltrate any documents or resources, and that there was no suspicious activity on the employee’s device. We also continued to monitor the employee’s account for some time after the incident, to ensure that there was no further cause for concern.

Longer Term Actions

We have strengthened our email detections, ensuring that this and similar campaigns are now categorized as malicious/phishing rather than as spam that users can release from quarantine. For example, we continued to receive very similar campaigns after this incident, targeting hundreds of users; with the updated email definitions our response was much faster and the impact of these campaigns was negligible.

We continue to evaluate options for detecting fake login pages. Content-based detection has to scan page content before it reaches the browser and carries a false-positive risk, so both have to be weighed against the security benefit. We are, however, actively implementing in-browser detection capabilities, which can identify fake login pages more reliably.

We already require FIDO2-based authentication for certain sensitive access paths and are planning wider deployment. Because a FIDO2 credential is bound to the legitimate site's origin, a lookalike login page cannot obtain a usable assertion, which closes the gap that push-based MFA left open here. There is some user impact, and the industry has some way to go to smooth the edges, but we have run several trials and have scheduled more for the near future.

We have published both internal guidance and external content on passkeys, and are encouraging our staff to embrace passkeys in their personal ecosystem. We are also actively engaged in industry forums and initiatives to further increase adoption and lower the friction of passkeys.

We have reviewed our CAP and device management policy, tightening them further, and have carefully reviewed all resources not protected by the CAP.

Our internal security team and CISO presented an internal webinar on this incident to raise awareness and highlight the lessons learned.