2 posts tagged with "Phishing"

Device Code Phishing: The OAuth Attack That Bypasses MFA

22 min read
tacticalBeard
Automation Enthusiast

MFA was enforced. The tenant had a third-party MFA provider through Conditional Access. Every sign-in log entry showed a successful authentication. No password spray. No credential theft. And yet the attacker had a valid refresh token and access to the mailbox.

The entry point was a device code phishing link. Once I understood the mechanism, everything made sense.

Automating Phishing Header Analysis in Your PSA

24 min read
tacticalBeard
Automation Enthusiast

When a user reports a phishing email, the ticket lands and someone has to deal with it. Without automation that means: download the .eml, open it in a text editor, read through several hundred lines of raw headers, manually pull SPF/DKIM/DMARC verdicts, and write up a note. Every analyst does it slightly differently. Some do it thoroughly. Some do it fast. Most do it inconsistently at 4pm on a Friday.

I built an automation that fires the moment the ticket is created, parses the attached .eml, evaluates authentication headers, and posts a structured triage summary back to the ticket (usually within a few seconds of the ticket opening). Here is what it does and the part that would have burned me if I had not caught it.