ShieldWatch Stops MFA Bypass Phishing Attack in Under 30 Minutes

Industry:
Confidential (mid-sized organization)
Location:
United States
Environment:
Microsoft 365, Microsoft Entra, Cisco Umbrella, Active Directory
ShieldWatch Capabilities Enabled:
ChatOps, Threat Enrichment, Manual Containment

The Threat

A targeted phishing campaign used Adversary-in-the-Middle (AiTM) tactics: the phishing link led to a reverse proxy that relayed the real Microsoft login page to the victim. Users who signed in through it completed the genuine MFA challenge, and the proxy captured both their credentials and the session cookie issued once MFA succeeded. Replaying that cookie gives the attacker fully authenticated access without ever triggering a new MFA prompt, which is why the MFA check itself never fails.

What Happened:

  • All three targeted employees clicked the phishing link.

  • Two of them entered their credentials into the fake site.

  • Session tokens were harvested in real time and could be replayed by the attacker to impersonate the users.


Detection & Analysis

ShieldWatch grouped the related detections into two primary cases, each consisting of several alerts. Microsoft had flagged one early detection as "benign", reporting that the risk was "mitigated" by MFA. That verdict misses how AiTM works: the victim genuinely passes the MFA challenge, but does so through the attacker's reverse proxy, which then holds the resulting session. ShieldWatch's threat intel enrichment and behavioral analysis recognized the sign-in as an MFA bypass via reverse proxy rather than a mitigated risk.

Key Details:

  • ShieldWatch identified and enriched the event with known indicators of MFA phishing infrastructure.

  • The sign-ins came from the attacker's proxy address, geolocated to Singapore, while both users were confirmed to be physically in the U.S.

  • ChatOps was activated to notify the users via email and ask them to confirm whether the sign-in was theirs.

  • Both users replied: “NO, that was not me.”
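The triage logic described above, as an added example that is not ShieldWatch's code: it runs over constructed Entra-style sign-in records, enriches each one against a constructed list of AiTM proxy indicators, checks the sign-in country against where the user is expected to be, refuses to downgrade a flagged sign-in just because the identity provider reports "mitigated by MFA", and builds the ChatOps confirmation prompt. The indicator values (TEST-NET addresses, a private-use ASN), the user roster and the field names are assumptions for illustration, not data from the incident.

```python
"""Added example: triage logic for AiTM (reverse-proxy) sign-ins.

Runs over constructed Entra-style sign-in records; indicator values, user
roster and field names are assumptions for illustration, not incident data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed enrichment feed: addresses/ASNs attributed to MFA-phishing
# reverse-proxy infrastructure (TEST-NET and private-use values, hypothetical).
AITM_INFRA_IPS = {"203.0.113.45"}
AITM_INFRA_ASNS = {"AS64512"}

# Where each user is expected to be (e.g. from HR or endpoint telemetry).
USER_HOME_COUNTRY: Dict[str, str] = {
    "alice@example.com": "US",
    "bob@example.com": "US",
    "carol@example.com": "US",
}


@dataclass
class SignIn:
    time: datetime
    user: str
    ip: str
    asn: str
    country: str
    mfa_satisfied: bool
    vendor_verdict: str  # free text from the identity provider's risk engine


@dataclass
class Case:
    user: str
    severity: str
    reasons: List[str]
    confirm_with_user: bool  # drives the ChatOps "was this you?" prompt


def assess(evt: SignIn) -> Optional[Case]:
    """Return a case if the sign-in looks like an AiTM session, else None."""
    reasons: List[str] = []
    if evt.ip in AITM_INFRA_IPS or evt.asn in AITM_INFRA_ASNS:
        reasons.append("source matches known AiTM reverse-proxy infrastructure")
    home = USER_HOME_COUNTRY.get(evt.user)
    if home and evt.country != home:
        reasons.append(f"sign-in geolocated to {evt.country}; user expected in {home}")
    if not reasons:
        return None
    # The decisive point: in an AiTM attack the victim really does pass the MFA
    # challenge, through the proxy. "Mitigated by MFA" therefore must not
    # downgrade a sign-in that already carries infrastructure or geo signals.
    if evt.mfa_satisfied and "mitigated" in evt.vendor_verdict.lower():
        reasons.append("vendor verdict 'mitigated by MFA' overridden: MFA success is expected in AiTM")
    return Case(user=evt.user, severity="high", reasons=reasons, confirm_with_user=True)


def triage(events: List[SignIn]) -> Dict[str, Case]:
    """Group per-sign-in findings into one case per user, oldest event first."""
    cases: Dict[str, Case] = {}
    for evt in sorted(events, key=lambda e: e.time):
        found = assess(evt)
        if found is None:
            continue
        if evt.user in cases:
            for r in found.reasons:
                if r not in cases[evt.user].reasons:
                    cases[evt.user].reasons.append(r)
        else:
            cases[evt.user] = found
    return cases


def chatops_message(case: Case) -> str:
    """Text sent to the user; a 'NO' answer is the trigger for containment."""
    lines = ["Security check: we observed a sign-in to your account that we did not expect."]
    lines += [f"- {r}" for r in case.reasons]
    lines.append("Was this you? Reply YES or NO.")
    return "\n".join(lines)


# Constructed sample: three users clicked, two signed in through the proxy.
T0 = datetime(2024, 1, 1, 14, 0, tzinfo=timezone.utc)
SAMPLE_SIGNINS = [
    SignIn(T0.replace(minute=2), "alice@example.com", "203.0.113.45", "AS64512", "SG", True,
           "benign: risk mitigated by MFA"),
    SignIn(T0.replace(minute=3), "bob@example.com", "203.0.113.45", "AS64512", "SG", True,
           "benign: risk mitigated by MFA"),
    # Carol clicked the link but never authenticated; her only sign-in is normal.
    SignIn(T0.replace(minute=4), "carol@example.com", "198.51.100.7", "AS64513", "US", True,
           "benign"),
]

if __name__ == "__main__":
    for user, case in triage(SAMPLE_SIGNINS).items():
        print(f"[{case.severity}] {user}")
        print(chatops_message(case))
```

Run as written, the script opens cases for alice and bob only: both carry the infrastructure match, the Singapore/US mismatch and the overridden vendor verdict, while Carol's normal sign-in produces no case. The vendor verdict is kept as a reason rather than discarded so the analyst sees why the platform disagreed with it.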


Timeline of Events

Time            Action
T+0             Phishing email received and clicked by 3 employees
T+5m            ShieldWatch triages and correlates detection patterns
T+6m            Threat intelligence confirms MFA reverse-proxy attack
T+7m            ChatOps initiated to notify affected users
T+17m & T+27m   Manual containment triggered for both compromised accounts


Response & Containment

Although automatic containment was not enabled, ShieldWatch escalated the event in real time to the designated security administrator. After review, the admin confirmed the threat and used the "Contain" feature to:

  • Isolate endpoints via EDR

  • Disable user accounts in Microsoft Entra & Active Directory

  • Terminate all active sessions, including those captured by the attacker (revoking a user's sign-in sessions in Entra invalidates refresh tokens and session cookies; access tokens already issued remain usable until they expire, typically within an hour, unless Continuous Access Evaluation is enforced for the app)

  • Log the entire response flow in ShieldWatch’s case timeline for auditability

Total attacker access:

  • 27 minutes for the first victim

  • 17 minutes for the second


Data Analysis via ShieldWatch’s Data Lake

Using ShieldWatch’s integrated data lake (powered by ClickHouse), analysts were able to:

  • Instantly locate the first DNS query to the attacker’s domain

  • Trace all relevant user, host, IP, and domain activity within the threat window

  • Correlate cross-platform data (Cisco Umbrella, Microsoft Entra, EDR tools) via vendor-neutral OCSF fields

This holistic view enabled security teams to validate that no data was exfiltrated and confirmed that all malicious interactions were contained within a short time frame.
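The cross-source queries described in this section, as an added example rather than ShieldWatch's data lake code: constructed Cisco Umbrella DNS events and Entra authentication events are normalized into OCSF-style dictionaries (the field names follow OCSF's DNS Activity and Authentication classes; the domain, addresses, hosts, users and times are invented). The code finds the first DNS query to the attacker's domain, pulls every event in the threat window that touches the attacker's address or a given user, separates users who merely clicked from those whose session was replayed, and computes attacker access time as first attacker-sourced sign-in to containment.

```python
"""Added example: OCSF-style cross-source correlation for the threat window.

Constructed Umbrella DNS and Entra authentication events normalized to
OCSF-like dicts; all values are invented for illustration, not incident data.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

DNS_ACTIVITY = 4003       # OCSF class_uid for DNS Activity
AUTHENTICATION = 3002     # OCSF class_uid for Authentication
ATTACKER_DOMAIN = "login-m365-verify.example"   # constructed phishing host
ATTACKER_IP = "203.0.113.45"                    # constructed proxy address (TEST-NET)

# Constructed host-to-owner mapping, as an endpoint inventory would provide.
HOST_OWNER = {"ws-alice": "alice@example.com", "ws-bob": "bob@example.com",
              "ws-carol": "carol@example.com"}


def ts(hour: int, minute: int, second: int = 0) -> int:
    """OCSF 'time' is epoch milliseconds; build one on a constructed day."""
    return int(datetime(2024, 1, 1, hour, minute, second, tzinfo=timezone.utc).timestamp() * 1000)


def dns_event(when: int, host: str, host_ip: str, qname: str) -> Dict:
    return {"class_uid": DNS_ACTIVITY, "time": when,
            "metadata": {"product": {"name": "Cisco Umbrella"}},
            "src_endpoint": {"hostname": host, "ip": host_ip},
            "query": {"hostname": qname}}


def auth_event(when: int, user: str, src_ip: str, country: str) -> Dict:
    return {"class_uid": AUTHENTICATION, "time": when,
            "metadata": {"product": {"name": "Microsoft Entra"}},
            "user": {"name": user},
            "src_endpoint": {"ip": src_ip, "location": {"country": country}}}


EVENTS: List[Dict] = [
    dns_event(ts(14, 0, 40), "ws-alice", "10.0.0.11", ATTACKER_DOMAIN),
    dns_event(ts(14, 0, 55), "ws-carol", "10.0.0.13", ATTACKER_DOMAIN),
    dns_event(ts(14, 1, 10), "ws-bob", "10.0.0.12", ATTACKER_DOMAIN),
    dns_event(ts(14, 1, 30), "ws-alice", "10.0.0.11", "teams.microsoft.com"),
    # Attacker replays the captured session cookies from the proxy address.
    auth_event(ts(14, 2, 0), "alice@example.com", ATTACKER_IP, "SG"),
    auth_event(ts(14, 3, 0), "bob@example.com", ATTACKER_IP, "SG"),
    # Carol resolved the domain but never entered credentials.
    auth_event(ts(14, 5, 0), "carol@example.com", "198.51.100.7", "US"),
]
# Constructed containment timestamps (admin pressed "Contain").
CONTAINED_AT = {"alice@example.com": ts(14, 29), "bob@example.com": ts(14, 20)}


def first_dns_query(events: List[Dict], domain: str) -> Optional[Dict]:
    """Earliest DNS Activity event resolving the attacker's domain."""
    hits = [e for e in events if e["class_uid"] == DNS_ACTIVITY and e["query"]["hostname"] == domain]
    return min(hits, key=lambda e: e["time"]) if hits else None


def threat_window(events: List[Dict], start: int, end: int,
                  ip: Optional[str] = None, user: Optional[str] = None) -> List[Dict]:
    """Events in [start, end] whose source IP or user matches, across products."""
    out = []
    for e in sorted(events, key=lambda e: e["time"]):
        if not (start <= e["time"] <= end):
            continue
        ip_hit = ip is not None and e["src_endpoint"].get("ip") == ip
        user_hit = user is not None and e.get("user", {}).get("name") == user
        if ip_hit or user_hit:
            out.append(e)
    return out


def victim_summary(events: List[Dict], domain: str, attacker_ip: str) -> Dict[str, Dict[str, bool]]:
    """Per user: did their host resolve the phishing domain, and was a session replayed?"""
    summary: Dict[str, Dict[str, bool]] = {}
    for e in events:
        if e["class_uid"] == DNS_ACTIVITY and e["query"]["hostname"] == domain:
            user = HOST_OWNER.get(e["src_endpoint"]["hostname"])
            if user:
                summary.setdefault(user, {"clicked": False, "compromised": False})["clicked"] = True
        elif e["class_uid"] == AUTHENTICATION and e["src_endpoint"]["ip"] == attacker_ip:
            user = e["user"]["name"]
            summary.setdefault(user, {"clicked": False, "compromised": False})["compromised"] = True
    return summary


def attacker_dwell_minutes(events: List[Dict], user: str, attacker_ip: str,
                           contained_at: int) -> Optional[float]:
    """Minutes from the first attacker-sourced sign-in for `user` to containment."""
    auths = [e["time"] for e in events if e["class_uid"] == AUTHENTICATION
             and e["user"]["name"] == user and e["src_endpoint"]["ip"] == attacker_ip]
    return (contained_at - min(auths)) / 60000 if auths else None


if __name__ == "__main__":
    first = first_dns_query(EVENTS, ATTACKER_DOMAIN)
    print("first resolver of phishing domain:", first["src_endpoint"]["hostname"])
    print("victims:", victim_summary(EVENTS, ATTACKER_DOMAIN, ATTACKER_IP))
    for u, t in CONTAINED_AT.items():
        print(u, "attacker access (min):", attacker_dwell_minutes(EVENTS, u, ATTACKER_IP, t))
```

With the constructed data the first resolver is ws-alice, three users show as clicked and two as compromised, and the access windows come out at 27 and 17 minutes, matching the pattern reported on this page. Because the same `src_endpoint.ip` field carries the address in both the DNS and authentication records, the window query needs no per-vendor field mapping; that is the practical benefit of normalizing to OCSF before correlating.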


Results

Metric                    Outcome
Users Affected            3 (2 compromised)
Time to First Detection   Minutes
Time to Containment       17–27 minutes
Material Impact           None
Automation Mode           ChatOps + Manual Containment
Attack Type               MFA Reverse Proxy (AiTM)
Tools Used                ShieldWatch, Cisco Umbrella, Microsoft Entra, AD


Lessons Learned

Session tokens and refresh tokens must be treated as credentials: whoever holds them is the user, MFA or not

ChatOps reduces dwell time and involves users immediately

MFA alone is not enough: AiTM phishing attacks are on the rise, and push- or code-based MFA is relayed straight through the proxy; phishing-resistant methods (FIDO2/WebAuthn, passkeys) bind the credential to the legitimate origin and are not replayable this way

Threat enrichment matters: vendor verdicts are not always reliable

Customer-controlled automation builds trust without sacrificing speed

Data lake visibility enables root cause and impact analysis instantly


Bottom Line

ShieldWatch once again proved that speed, visibility, and automation—when paired with smart escalation workflows—can stop a breach before it becomes a headline. With 100% transparency, cross-tool correlation, and client-controlled containment, the platform delivered a win for the good guys.


Want to Know if Your MFA Is Truly Protecting You?

Schedule a breach simulation or security audit with ShieldWatch to uncover hidden risks in your authentication systems.

👉 Talk to a Specialist