It started like many breaches do … quietly.
One of our clients received what looked like a routine email from a trusted business partner. No red flags. No typos. Just a link and a simple request. But behind that familiar logo and friendly wording was a weaponized trap, and the first domino in a sophisticated Adversary-in-the-Middle (AiTM) attack.
Have you ever wondered what really happens inside a Security Operations Center (SOC) during a cyberattack? Here’s a behind-the-scenes look at how our team at The Collective neutralized a sophisticated Adversary-in-the-Middle (AiTM) breach, demonstrating how a modern SOC as a Service operates under pressure … and wins.
The Attack: A Familiar Face, a New Threat
The user clicked. They logged in, unknowingly handing over their credentials to a fake site. The attackers didn’t need the password alone: they hijacked the session token, sidestepping multi-factor authentication entirely. Within seconds they were inside, reading emails, scanning cloud files, digging for value.
In this particular case, a user received an email from a known business partner, unaware that their account had already been compromised. The message led to a fake login page, where the user unknowingly entered their credentials. This allowed the attacker to hijack the session token, bypass multi-factor authentication (MFA), and gain unauthorised access to sensitive emails and cloud files.
But the attacker’s window of opportunity was short lived. Here’s how our SOC and Microsoft Defender responded:
SOC Response, By the Numbers
- Time to Respond: 9 minutes from alert to analyst action.
- Remediation Time: 4 minutes from detection to account disablement.
- Client Communication: Immediate notification and full transparency throughout.
During the investigation, a clear picture emerged:
- The attacker replayed a stolen session token from an unknown macOS device in the U.S.
- They accessed limited data: only Exchange and OneDrive were touched, and both were immediately disabled.
- No lateral movement, no elevated privileges: the attack was detected and contained.
- Over 30 users were targeted, but all accounts were quickly identified and secured.
- Bonus insight: our logs flagged suspicious link clicks from deactivated accounts. These turned out to be harmless: anti-spam systems were simply scanning bounce-backs. This highlights the value of clean, well-tuned telemetry when performing in-depth investigations, even for issues that later turn out to be non-malicious or architectural in origin.
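The investigation findings above (a stolen session token replayed from an unknown macOS device in another country, followed by account disablement within minutes) can be expressed as a simple detection rule. The following is an added illustration, not The Collective's or Microsoft Defender's detection logic: it runs over constructed sign-in events whose field names are assumptions rather than a real Defender or Entra ID schema, flags a session token that reappears from a different OS, an unregistered device or a different country within a short window, and maps high-scoring hits to the containment step the post describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    """One sign-in event. Field names are assumptions for this example,
    not a real Microsoft Defender or Entra ID log schema."""
    time: datetime
    user: str
    session_id: str      # identifier tied to the session token/cookie
    os: str
    country: str
    device_known: bool   # True if the device is registered/managed


# Constructed sample telemetry (not the incident data from the page).
SAMPLE_SIGNINS = [
    # alice's legitimate sign-in from her managed Windows laptop in Belgium
    SignIn(datetime(2024, 5, 6, 9, 2), "alice", "sess-7f3a", "Windows", "BE", True),
    # the same session token presented minutes later from an unknown macOS device in the US
    SignIn(datetime(2024, 5, 6, 9, 11), "alice", "sess-7f3a", "macOS", "US", False),
    # bob: ordinary session refreshed from the same device, nothing to flag
    SignIn(datetime(2024, 5, 6, 9, 30), "bob", "sess-1c9d", "Windows", "BE", True),
    SignIn(datetime(2024, 5, 6, 13, 45), "bob", "sess-1c9d", "Windows", "BE", True),
    # carol: same token, same device, new country (travel or VPN) -> low-score review item
    SignIn(datetime(2024, 5, 6, 8, 0), "carol", "sess-55e1", "iOS", "BE", True),
    SignIn(datetime(2024, 5, 6, 8, 40), "carol", "sess-55e1", "iOS", "NL", True),
]


def detect_token_replay(events, window=timedelta(hours=24)):
    """Flag session tokens that reappear from a different OS, an unregistered
    device or a different country within `window` of the session's first sight.

    Returns a list of dicts with user, session_id, time, score and reasons.
    Scoring (an assumption for this example): +2 OS change, +2 unregistered
    device, +1 country change.
    """
    first_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.user, ev.session_id)
        origin = first_seen.setdefault(key, ev)   # first sight of this token
        if origin is ev or ev.time - origin.time > window:
            continue
        reasons, score = [], 0
        if ev.os != origin.os:
            reasons.append(f"os changed {origin.os}->{ev.os}")
            score += 2
        if origin.device_known and not ev.device_known:
            reasons.append("token presented from unregistered device")
            score += 2
        if ev.country != origin.country:
            reasons.append(f"country changed {origin.country}->{ev.country}")
            score += 1
        if reasons:
            alerts.append({"user": ev.user, "session_id": ev.session_id,
                           "time": ev.time, "score": score, "reasons": reasons})
    return alerts


def containment_actions(alerts, threshold=3):
    """Map alerts to a response: high scores get the containment the post
    describes (disable the account, revoke its sessions); lower scores go to
    analyst review. Returns {user: action}, keeping the strongest action per user."""
    disable = "disable_account_and_revoke_sessions"
    actions = {}
    for a in alerts:
        action = disable if a["score"] >= threshold else "analyst_review"
        if actions.get(a["user"]) != disable:
            actions[a["user"]] = action
    return actions


if __name__ == "__main__":
    found = detect_token_replay(SAMPLE_SIGNINS)
    for a in found:
        print(a["user"], a["session_id"], a["score"], "; ".join(a["reasons"]))
    print(containment_actions(found))
```

Keying on the session identifier rather than the username is what separates a replayed token from an ordinary second sign-in: a genuine new login would mint a new session, whereas AiTM replay presents the same token from a device the user never owned. The country-only case stays below the disable threshold so that travel and VPN use land in review instead of triggering automatic lockouts.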
Key Lessons for Every Organization
- MFA isn’t enough:
Modern attackers can bypass it. Want real resilience? Use number matching, device restrictions, biometrics, FIDO2 keys and geo-aware prompts.
- Trusted domains aren’t always safe:
Even familiar contacts can become threat vectors. A known contact doesn’t mean a safe message. Always verify unexpected requests – even from familiar domains – and investigate trust relationships after an incident to prevent repeat exploits.
- Seconds matter, and automation is your ally:
Attackers don’t wait. Without automated detection and response, they can move fast, gaining access, exfiltrating data, or escalating privileges before a human even sees the alert. Implement automated playbooks, real-time monitoring, and fast-response protocols to cut them off in time.
- SOC as a Service scales protection:
With SOC as a Service, threat indicators spotted in one environment are instantly applied across all clients. That means phishing campaigns seen elsewhere are blocked in your environment before they ever reach your doorstep.
For the client, it meant no business disruption, no data leak, and no public breach notification. For the attacker, it meant hitting a wall… fast.
Want to see how this defense works in your environment? Let’s connect. We’ll show you how our SOC turns real-world attacks into client wins.
Curious to learn more? Listen to our SOC podcast episode, where our SOC experts share real-world stories and actionable advice. And if you’re ready to strengthen your security posture, reach out to The Collective for a hands-on consultation.
Are you ready to strengthen your own organization’s security posture? Contact The Collective today to discover how our hands-on approach can help you implement effective password management and boost your business resilience.