
The timeline of a real-world MFA bypass case, and how we stopped it

When trust backfires     


Published: 7 May 2025
Prepared by: Mihir Bhanushali, Level 3 Security Analyst, Security Operations Centre  

 

Just another morning?


A routine click, a familiar logo, a message about a blocked email. Nothing dangerous, or so it seemed. Thousands of miles away, an intruder was already clearing their path into someone's account. No lock-picks, no alarms. Just a stolen session token and the keys to someone else's corporate kingdom.
This wasn't a breach. It was an infiltration: fast, invisible, and nearly perfect.

Until it wasn’t, because we caught it.  


☕ 9:29 AM AEST | The attack: a blocked email that got through  


The attacker sent a phishing email. Although the email gateway blocked it, the system notified the user via a message digest: a summary of blocked emails that offers the option to release them.

 
💌 10:15 AM AEST | The user clicked ‘Release Email’  


The victim decided to release the email; one minute later, the phishing email hit their inbox. Disguised as a healthcare-related message, the email mimicked trusted branding and included a fake attachment. The link led the user to a site impersonating a document viewer. When clicked, it redirected to a credential harvester: a fake login page designed to steal Microsoft 365 credentials and MFA tokens.
  


🔓 10:20 AM AEST | Initial access: hijacked in six minutes  


The victim entered their credentials and approved an MFA prompt. Just one minute after interacting with the link, the attacker had access. The login originated from a web hosting IP in the U.S., confirming session token theft. The attacker didn't need MFA again — the stolen session token alone gave them full access.


 
🚨 10:22 AM AEST | Detection: we spotted something suspicious


Triskele Labs' Security Operations Centre (SOC) detected suspicious behaviour: a user clicked a malicious link, followed within minutes by a login from the United States, while the user was based in Australia. Our SOC analyst flagged the activity and escalated it to the client.
 


⛔ 10:29 AM AEST | Containment: stopping the breach in seven minutes  


The investigation revealed a case of session token theft — a method that allows attackers to hijack active sessions and bypass passwords and multi-factor authentication (MFA). The SOC acted fast. At 10:29 AM, we disabled the compromised account. One minute later, we revoked the session token. The password was then reset.
  


🌃 7:27 PM AEST | The threat actor tries again


Later that evening, the attacker tried to log in again and failed. Triskele Labs investigated six Indicators of Compromise (IOCs) and confirmed the threat was contained.  
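The two detection steps in this timeline, the 10:22 AM correlation of a link click with a foreign sign-in and the evening check that the attacker's retry came from a known IOC, can be expressed as simple log correlation. The following is an added example written for this page; it is not Triskele Labs' tooling, and the event format, field names, function names, timestamps, IP addresses (documentation ranges) and URL are all constructed for illustration.

```python
"""Correlate email-link clicks with sign-ins from an unexpected country,
then watch for post-containment retries from known IOC IPs.

Added illustration, not the SOC's own code. Event shapes and all sample
values below are constructed to mirror the post's timeline (AEST = UTC+10).
"""
from datetime import datetime, timedelta

# Constructed telemetry: one link click recorded by the email gateway.
URL_CLICKS = [
    {"user": "alice@example.com", "time": "2025-05-07T10:16:00+10:00",
     "url": "https://docs-viewer.example/open"},  # placeholder phishing URL
]

# Constructed sign-in log for the same morning and evening.
SIGN_INS = [
    # Normal login from the user's home country, before the click: no alert.
    {"user": "alice@example.com", "time": "2025-05-07T10:10:00+10:00",
     "ip": "198.51.100.7", "country": "AU", "result": "success"},
    # Replayed stolen session: success from a foreign hosting IP 4 min after the click.
    {"user": "alice@example.com", "time": "2025-05-07T10:20:00+10:00",
     "ip": "203.0.113.10", "country": "US", "result": "success"},
    # Unrelated user, home country, no preceding click: no alert.
    {"user": "bob@example.com", "time": "2025-05-07T10:21:00+10:00",
     "ip": "198.51.100.9", "country": "AU", "result": "success"},
    # Evening retry from the same IP after containment; the sign-in fails.
    {"user": "alice@example.com", "time": "2025-05-07T19:27:00+10:00",
     "ip": "203.0.113.10", "country": "US", "result": "failure"},
]

# Where each user normally works; in practice this comes from HR or directory data.
HOME_COUNTRY = {"alice@example.com": "AU", "bob@example.com": "AU"}


def _ts(value):
    """Parse an ISO-8601 timestamp with offset into an aware datetime."""
    return datetime.fromisoformat(value)


def correlate_click_then_foreign_login(clicks, sign_ins, home_country,
                                       window=timedelta(minutes=15)):
    """Return one alert per successful sign-in that occurs within `window`
    after a link click by the same user and comes from a country other than
    that user's home country. Failed sign-ins are ignored here: they do not
    show that the session was actually hijacked."""
    clicks_by_user = {}
    for click in clicks:
        clicks_by_user.setdefault(click["user"], []).append(_ts(click["time"]))

    alerts = []
    for event in sign_ins:
        if event["result"] != "success":
            continue
        home = home_country.get(event["user"])
        if home is None or event["country"] == home:
            continue
        when = _ts(event["time"])
        for click_time in clicks_by_user.get(event["user"], []):
            if click_time <= when <= click_time + window:
                alerts.append({
                    "user": event["user"],
                    "click_time": click_time.isoformat(),
                    "signin_time": when.isoformat(),
                    "ip": event["ip"],
                    "country": event["country"],
                    "minutes_after_click": (when - click_time).total_seconds() / 60,
                })
                break  # one alert per sign-in is enough
    return alerts


def signins_from_iocs(sign_ins, ioc_ips, after):
    """After containment at `after`, return any further sign-in attempts
    (successful or not) from the IOC IP addresses gathered during triage."""
    cutoff = _ts(after)
    return [e for e in sign_ins if e["ip"] in ioc_ips and _ts(e["time"]) > cutoff]


if __name__ == "__main__":
    found = correlate_click_then_foreign_login(URL_CLICKS, SIGN_INS, HOME_COUNTRY)
    for alert in found:
        print("ALERT click-then-foreign-login:", alert)
    # Containment happened at 10:29-10:30; anything from the IOC IPs after that is a retry.
    for retry in signins_from_iocs(SIGN_INS, {a["ip"] for a in found},
                                   "2025-05-07T10:30:00+10:00"):
        print("IOC retry:", retry["time"], retry["result"])
```

Run as a script, the first function raises exactly one alert (the 10:20 AM U.S. sign-in four minutes after the click) and the second surfaces the 7:27 PM failed retry from the same IP. The home-country comparison is deliberately coarse; a production rule would also weigh the IP's hosting-provider reputation, which is what made the U.S. login in the post stand out.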
 


Related read: https://www.triskelelabs.com/understanding-token-theft