The MSP Security Gap

Turn security gaps into sales opportunities with weekly attack scenarios

The credentials were valid. The employee wasn’t.

The scenario:

A client’s office manager logged in at 3am from another country. Except she didn’t. 

Her password from a 2021 breach still worked. She’d reused it across three platforms. The attacker didn’t need to hack anything. They bought a credential list, ran it through an automated tool, and walked in through the front door. 

No malware. No exploit. No alert. The credentials were valid. 

The attack:

STAGE 1: PREPARATION

Attacker purchases leaked credential database from a 2021 data breach.

Cross-references email domains against known business targets.

Identifies 340 email/password pairs matching the client’s domain.

-

STAGE 2: AUTOMATED TESTING

Runs credential pairs against Microsoft 365 login using distributed proxies.

Throttles attempts to 2 per account per hour to avoid lockout policies.

Successfully authenticates with 12 accounts (3.5% success rate).

MFA prompts are bypassed on 3 accounts using legacy authentication protocols.

-

STAGE 3: ACCESS AND ENUMERATION

Logs into the office manager’s account (no MFA on legacy protocol).

Accesses SharePoint, OneDrive, and shared mailboxes.

Downloads client contracts, financial documents, and HR files.

Creates an inbox rule forwarding all incoming mail to an external address.

-

STAGE 4: PERSISTENCE

Registers a new MFA device on the compromised account.

Creates a mail flow rule to delete security alert emails.

Begins monitoring email for invoice and payment conversations.

Attack remains undetected for 11 days.

-

What stopped it:

A SOC analyst reviewing impossible travel alerts flagged the 3am login from a geographic location inconsistent with the employee’s pattern. Investigation revealed the inbox rule and the registered device. 


How to defend against it:

  1. Disable legacy authentication protocols across all tenants

  2. Enforce MFA on every account with no exceptions

  3. Monitor for impossible travel and anomalous login patterns

  4. Run client email addresses against breach databases quarterly

  5. Implement conditional access policies (block logins from untrusted locations)

  6. Review inbox rules and mail flow rules weekly for suspicious forwards

  7. Alert on new MFA device registration for privileged accounts
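The two detections that caught this scenario, a successful sign-in over a legacy protocol and impossible travel between consecutive sign-ins, can be run over exported sign-in records. The code below is an added example, not part of the original post: the sign-in records are constructed, the 900 km/h threshold and the protocol names are assumptions, and the field layout is a stand-in for whatever your tenant's sign-in export actually produces.

```python
import math
from datetime import datetime

# Constructed sample sign-in records (not real log data).
# Fields: user, UTC timestamp (ISO 8601), latitude, longitude, client protocol, result.
SIGN_INS = [
    ("office.manager@example.com", "2024-03-04T22:40:00", 41.88, -87.63, "Browser", "Success"),
    ("office.manager@example.com", "2024-03-05T03:04:00", 55.75, 37.62, "IMAP4", "Success"),
    ("finance@example.com", "2024-03-04T14:30:00", 41.88, -87.63, "Browser", "Success"),
    ("finance@example.com", "2024-03-04T16:05:00", 42.33, -83.05, "Browser", "Success"),
]

# Assumed labels for clients that cannot complete an MFA challenge; a success here means
# the account was reachable without MFA and the protocol should have been disabled.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync"}
MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling (roughly airliner speed); faster is impossible travel
MIN_DISTANCE_KM = 50.0     # ignore geolocation jitter inside one metro area

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def find_alerts(records):
    """Return (user, reason) tuples for legacy-protocol successes and impossible travel."""
    alerts = []
    last_seen = {}  # user -> (timestamp, lat, lon) of the previous successful sign-in
    for user, ts, lat, lon, protocol, result in sorted(records, key=lambda r: (r[0], r[1])):
        if result != "Success":
            continue  # failed attempts are noise for these two checks
        if protocol in LEGACY_PROTOCOLS:
            alerts.append((user, f"legacy protocol success via {protocol}"))
        when = datetime.fromisoformat(ts)
        if user in last_seen:
            prev_when, prev_lat, prev_lon = last_seen[user]
            hours = (when - prev_when).total_seconds() / 3600
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            # A zero time delta with a large distance is still impossible travel.
            if km > MIN_DISTANCE_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                alerts.append((user, f"impossible travel: {km:.0f} km in {hours:.1f} h"))
        last_seen[user] = (when, lat, lon)
    return alerts

if __name__ == "__main__":
    for user, reason in find_alerts(SIGN_INS):
        print(user, "-", reason)
```

The finance user's two sign-ins (Chicago to Detroit in about ninety minutes) stay below the threshold and produce nothing, which is the negative case a rule like this must get right to stay usable.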

-

The breach database is public. The credentials are out there. The only question is whether the password still works. 

Check your clients’ exposure today.