CASE STUDY

UnderDefense Helps Industry Leader Fortify Security After Azure AD Phishing Breach

Background

Our client is at the forefront of the industry, boasting a team of seasoned professionals with extensive experience in marketing insurance and financial services. Their role and obligation are to equip agents across organizations of all sizes with the tools and support needed to elevate their professionalism while making customer management and market outreach more accessible and cost-effective. They’re reshaping the landscape of the insurance and financial services sector, offering transformative solutions that redefine success in the industry.

The Challenge

As organizations increasingly rely on cloud-based identity management solutions like Azure Active Directory (now known as Entra ID), they face many challenges, including security breaches, unauthorized access, and data leaks.
Our recent client engagement vividly illustrates these risks.
In this specific case, the hacker’s plan was meticulously crafted. They used phishing to deceive both the CEO and the invoice recipient. By infiltrating the CEO’s Azure AD account, the hacker gained access to privileged information and leveraged it to perpetrate a fraudulent scheme.
The attacker’s strategy involved continuing a legitimate invoice email thread, establishing trust and authenticity. Subsequently, they manipulated the invoice files to embed incorrect payment details, directing funds to accounts under their control. The hacker employed inbox rules to conceal the email conversation from the “real” CEO and other employees to evade detection.
This incident prompted the client to seek our assistance, highlighting the critical need for robust security measures and proactive threat detection.
Here are the main challenges we faced:
  • Incident out of SOC monitoring scope: The client’s existing security setup, including the partnership with the UnderDefense SOC team, did not include logging of Microsoft 365 activity. This limitation hindered our SOC team’s detection and response capabilities, making it more difficult to identify suspicious behavior or unauthorized access attempts in real time.
  • Lack of awareness of Azure AD risks: The client lacked awareness of how attackers could breach their Azure AD environment and the associated risks.
  • Risks to contracts, emails, and communication: The client was unaware of the potential risks to their contracts stored in SharePoint, sensitive emails, and communication with partners and customers within Azure AD.

Challenges and Results

Challenge: Lack of knowledge on how to react to phishing incidents, identify their origin, and fully remediate them.

Result: Provided DFIR that identified who was breached and exactly how, explained the attack timeline to the client, and eradicated the hackers’ way into Azure AD. Otherwise, the hackers would have had unrestricted access to the CEO’s account, including all files and emails.

Challenge: Azure AD environment was not secured with Conditional Access, device management, and strong MFA policies.

Result: Provided a list of improvements and tailored recommendations on why and how to implement the policies. Now the client is fully secured from attacks based on password guessing and much less vulnerable to all kinds of Azure AD phishing attacks.

Challenge: Azure AD environment was not monitored for anomalies in real time.

Result: Increased SOC monitoring scope to include Azure AD environment protection, with the ability to detect anomalous logins and unconfirmed privileged actions.

About the client

Headquarters:

New Jersey, USA

Industry:

Marketing insurance and financial services products

Company Size:

20-50

Annual Turnover:

$2,000,000

Technologies and Tools:

AWS (CloudTrail, EC2, RDS, VPCFlow, WAF)
Fortigate
Web Servers

Automated Rules Enabled:

166

Infrastructure:

100% Cloud

Internal IT Security Team:

1 person

Covered Endpoints:

0 (not in the monitoring scope)
Multiple Production Servers

Key Results

100%

Of production servers protected 24/7

Less than 30 min

Response to the client’s request

The Solution

Let’s break down the incident timeline and our response:
  1. Phishing attack and unauthorized access: Threat actors successfully phished the CEO’s Azure AD account, taking advantage of the absence of multi-factor authentication (MFA). They then initiated a stealthy review of corporate emails, setting the stage for their malicious activities.
  2. Stealthy manipulation and fraudulent invoices: The threat actors patiently waited for the invoicing period, when they covertly altered multiple legitimate invoices, redirecting payments to their bank account. They impersonated the accountant’s Azure AD account to cover their tracks, sending additional invoice approval confirmations.
  3. Internal investigation and DFIR engagement: Suspicion among invoice recipients sparked an internal investigation, which quickly escalated to involve the UnderDefense DFIR team. We investigated the activity, removed the malicious inbox rule, and evicted the attackers from the CEO’s account.
  4. Forensic examination and remediation: Our DFIR team conducted a thorough forensic examination, onboarding users’ devices and Azure AD audit logs into our forensics solution. This allowed us to confirm the origin of the threat and assess potential breaches of other identities or assets. Additionally, we enforced stronger security measures for affected and privileged accounts and recommended multiple Azure AD improvements to bolster defenses.
  5. Improved preparedness and reduced risks: Thanks to our rapid response and comprehensive remediation efforts, the client emerged better prepared to handle similar incidents. By addressing Azure AD security configuration flaws and increasing the scope of SOC monitoring to include Azure AD environment protection, we significantly reduced the risks of Azure AD account compromise moving forward.
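The malicious inbox rule removed in step 3 is the kind of artifact a SOC can hunt for in Microsoft 365 audit data. The Python below is an added example, not code from this case study, from UnderDefense, or from the client: it triages unified audit log records for inbox rules that hide mail (moving it to a folder the user rarely opens, deleting it, or marking it read) and raises the severity when the rule also matches finance-related words such as “invoice”. It assumes the Exchange admin audit record shape (Operation, UserId, ClientIP, CreationTime and a Parameters list of Name/Value pairs, with parameter names such as MoveToFolder and DeleteMessage as written by the New-InboxRule and Set-InboxRule cmdlets); the records, mailboxes and IP addresses are constructed, and the folder and keyword lists are heuristics chosen for this example rather than a published detection rule.

```python
"""Triage Microsoft 365 unified audit log records for mail-hiding inbox rules.

Added example, not UnderDefense's or the client's code. Assumes the Exchange
admin audit record shape (Operation, UserId, ClientIP, CreationTime,
Parameters=[{Name, Value}]); the sample records at the bottom are constructed.
"""
import json
import re

# Heuristics chosen for this example: folders hidden mail is typically routed
# to, and keywords that mark a rule as targeting money-related mail.
HIDING_FOLDERS = ("rss subscriptions", "rss feeds", "deleted items",
                  "junk email", "archive", "conversation history")
FINANCE_WORDS = {"invoice", "invoices", "payment", "wire", "bank", "remittance"}
RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule")
CONDITION_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "FromAddressContainsWords")


def rule_parameters(record):
    """Flatten the Parameters array into a {name: value} dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def analyse_rule(record):
    """Return (severity, reasons): None when the record is not a rule change or
    the rule hides nothing, "medium" for a hiding action alone, "high" when
    the hiding action is paired with finance-related match conditions."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None, []
    params = rule_parameters(record)
    reasons = []

    # Conditions: what mail the rule matches (whole-word keyword check).
    condition_text = " ".join(v for k, v in params.items() if k in CONDITION_PARAMS)
    tokens = set(re.findall(r"[a-z]+", condition_text.lower()))
    finance_match = bool(tokens & FINANCE_WORDS)
    if finance_match:
        reasons.append("matches finance-related keywords")

    # Actions: what the rule does with matching mail.
    hiding = False
    folder = params.get("MoveToFolder", "")
    if any(f in folder.lower() for f in HIDING_FOLDERS):
        hiding = True
        reasons.append("moves mail to " + folder)
    if params.get("DeleteMessage", "").lower() == "true":
        hiding = True
        reasons.append("deletes matching mail")
    if params.get("MarkAsRead", "").lower() == "true":
        hiding = True
        reasons.append("marks matching mail as read")
    if params.get("StopProcessingRules", "").lower() == "true":
        reasons.append("stops later rules from running")

    if not hiding:
        return None, []
    return ("high" if finance_match else "medium"), reasons


def triage(records):
    """Run analyse_rule over records; return findings with who/when/where context."""
    findings = []
    for record in records:
        severity, reasons = analyse_rule(record)
        if severity is None:
            continue
        params = rule_parameters(record)
        findings.append({
            "time": record.get("CreationTime"),
            "user": record.get("UserId"),
            "client_ip": record.get("ClientIP"),
            "operation": record["Operation"],
            "rule": params.get("Name") or params.get("Identity") or "<unnamed>",
            "severity": severity,
            "reasons": reasons,
        })
    return findings


# Constructed sample records (not real client data). The second mirrors the
# case study: a rule that diverts invoice mail out of the CEO's Inbox.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-03-04T08:12:51", "Operation": "New-InboxRule",
     "UserId": "ceo@example.com", "ClientIP": "203.0.113.10",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": "ceo@example.com:\\Inbox\\Newsletters"}]},
    {"CreationTime": "2024-03-04T23:47:09", "Operation": "New-InboxRule",
     "UserId": "ceo@example.com", "ClientIP": "198.51.100.77",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;wire"},
         {"Name": "MoveToFolder", "Value": "ceo@example.com:\\RSS Subscriptions"},
         {"Name": "MarkAsRead", "Value": "True"},
         {"Name": "StopProcessingRules", "Value": "True"}]},
    {"CreationTime": "2024-03-05T00:02:33", "Operation": "Set-InboxRule",
     "UserId": "accountant@example.com", "ClientIP": "198.51.100.77",
     "Parameters": [
         {"Name": "Identity", "Value": "Sync"},
         {"Name": "DeleteMessage", "Value": "True"}]},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

Run against a real export (for example the JSON returned by Search-UnifiedAuditLog), the benign newsletter rule is ignored, the invoice-diverting rule on the CEO’s mailbox is reported as high, and the later Set-InboxRule on the accountant’s mailbox is reported as medium. The client_ip field is kept in every finding because, as in this incident, a single source address touching rules on two mailboxes is what ties the accountant impersonation back to the original compromise.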

Outcomes

Following the proactive measures implemented by our team at UnderDefense, the client now operates with enhanced security measures and a more robust incident response framework in place.

Fortified Azure AD security

By implementing robust Azure AD conditional access policies and universal multi-factor authentication (MFA), the client now boasts a formidable defense against unauthorized access attempts. This ensures that sensitive data remains protected, bolstering stakeholder trust and safeguarding the organization’s reputation.

Rapid Incident Response

With an expanded scope of SOC monitoring, the client can quickly detect and respond to potential threats, minimizing downtime and operational disruptions. This proactive approach mitigates financial losses associated with breaches and preserves customer trust and loyalty, underscoring the organization’s commitment to security excellence.

Empowered workforce

Through comprehensive security awareness training, employees are equipped with the knowledge and skills to effectively recognize and report security threats. This fosters a culture of security consciousness across the organization, empowering employees to contribute to the organization’s cybersecurity efforts actively and reducing the risk of successful cyber attacks.

Take control of your business security, before hackers do.