2 posts tagged with "M365"

Device Code Phishing: The OAuth Attack That Bypasses MFA

· 22 min read
tacticalBeard
Automation Enthusiast

MFA was enforced. The tenant had a third-party MFA provider through Conditional Access. Every sign-in log entry showed a successful authentication. No password spray. No credential theft. And yet the attacker had a valid refresh token and access to the mailbox.

The entry point was a device code phishing link. Once I understood the mechanism, everything made sense.
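The check this teaser implies, as an added example that is not part of the post: pull recent Entra ID sign-ins with Microsoft Graph PowerShell and isolate the ones issued through the device authorization grant. It assumes the Microsoft.Graph module, AuditLog.Read.All consent, and that the sign-in records expose the AuthenticationProtocol property with the value deviceCode (an assumption about the log schema, so confirm it against your own tenant's output before relying on it).

```powershell
# Added example (not from the post): list device code sign-ins from the last 7 days.
# Assumes the Microsoft.Graph module and AuditLog.Read.All consent.
Connect-MgGraph -Scopes "AuditLog.Read.All"

$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Fetch recent sign-ins, then filter client-side. Assumption: the record's
# AuthenticationProtocol is 'deviceCode' for the device authorization grant.
$deviceCodeSignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.AuthenticationProtocol -eq 'deviceCode' }

# These rows are the ones that look like ordinary successful authentications:
# the user really did complete MFA, so ErrorCode is 0 and Conditional Access
# reports success. Review app, IP and location for each one by hand.
$deviceCodeSignIns |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress,
                  @{ n = 'Country';   e = { $_.Location.CountryOrRegion } },
                  @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } },
                  ConditionalAccessStatus |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize
```

Run it against the whole tenant rather than a single user: a device code sign-in for an application that has no business using that grant (a mail client on a desktop, for instance) is the thing to look for, and it will not show up in a per-user review that only checks for failed MFA.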

The Inbox Rule You're Not Checking

· 17 min read
tacticalBeard
Automation Enthusiast

Almost every M365 BEC investigation I have worked follows a similar pattern: someone clicks a link, credentials get harvested, and the attacker spends the next several days quietly reading email. The entry point is obvious by the time it surfaces. What takes longer to find is the persistence mechanism the attacker left behind. Most of the time, that mechanism is a single inbox rule sitting in the compromised mailbox with a name that looks like a typo.
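The rule hunt this teaser describes, as an added example that is not part of the post: enumerate inbox rules across every user mailbox with Exchange Online PowerShell and flag the shapes BEC actors leave behind (forwarding or redirecting, deleting, moving mail to a folder nobody opens, and names of one or two characters that look like a typo). It assumes the ExchangeOnlineManagement module and an Exchange administrator role; the folder-name pattern and the short-name threshold are my own heuristics, not thresholds from the post.

```powershell
# Added example (not from the post): find suspicious inbox rules tenant-wide.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()

        # Exfiltration: mail leaves the mailbox.
        if (($rule.ForwardTo).Count -gt 0 -or
            ($rule.ForwardAsAttachmentTo).Count -gt 0 -or
            ($rule.RedirectTo).Count -gt 0) { $reasons += 'forwards/redirects' }

        # Suppression: the victim never sees the reply or the bank's query.
        if ($rule.DeleteMessage) { $reasons += 'deletes' }

        # Hiding in plain sight (heuristic folder list, my assumption).
        if ($rule.MoveToFolder -match 'RSS|Conversation History|Archive|Junk') {
            $reasons += "moves to $($rule.MoveToFolder)"
        }

        # Names that look like a typo: punctuation only, or one or two characters.
        if ($rule.Name -match '^\W{1,3}$' -or $rule.Name.Length -le 2) {
            $reasons += "name '$($rule.Name)'"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Why     = $reasons -join '; '
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Disabled rules are reported too, on purpose: an attacker who has been interrupted sometimes disables rather than deletes, and a disabled rule with a one-character name is still evidence of the compromise.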