Incident Response · Accounting · Token Theft

How Stealth Cyber Stopped a 109-Day Silent Attack on an Australian Accounting Firm

Industry: Accounting and professional services · Location: Australia · ~30 Microsoft 365 users

The short version

A mid-sized accounting firm in Queensland had been compromised for 109 days before Stealth Cyber was engaged. The attacker bypassed multi-factor authentication using a stolen session token, then quietly accessed mailboxes, SharePoint, and OneDrive across nine separate business entities managed under the same Microsoft 365 tenancy.

No ransomware was deployed. No obvious disruption occurred. The attacker was there to read, not to destroy. They accessed client tax returns, financial statements, bank details, and internal business correspondence. The breach was only discovered after unusual sign-in behaviour was flagged.

What happened

The firm used Microsoft 365 with MFA enabled. On the surface, everything looked correct. But the attacker had obtained a valid session token, likely through an adversary-in-the-middle phishing attack. This gave them authenticated access without ever needing to enter a password or complete an MFA challenge.

Once inside, the attacker created inbox rules to redirect specific emails, accessed shared mailboxes, and browsed files across SharePoint and OneDrive. The compromised account had broad permissions, which gave the attacker lateral visibility across multiple client entities.

Timeline:

  • Day 0: Session token stolen via suspected adversary-in-the-middle phishing attack.
  • Days 1 to 30: Attacker accessed primary mailbox and created forwarding rules. No alerts triggered.
  • Days 30 to 80: Access expanded to shared mailboxes and SharePoint sites across nine business entities.
  • Days 80 to 109: Continued access to OneDrive and email. Financial records, tax returns, and bank details were viewed.
  • Day 109: Unusual sign-in activity was identified. Stealth Cyber was engaged.

What Stealth Cyber did

  • Revoked all active sessions and forced re-authentication across the tenancy.
  • Conducted a full audit of Microsoft 365 sign-in logs, unified audit logs, and mailbox rule configurations.
  • Identified the scope of the breach, confirming which mailboxes, SharePoint sites, and OneDrive accounts were accessed.
  • Mapped the data exposure across all nine business entities, identifying the types of records accessed including tax file numbers, financial statements, and banking information.
  • Removed malicious inbox rules created by the attacker to intercept and redirect email.
  • Produced a formal incident report for the client, suitable for regulatory notification under the Notifiable Data Breaches scheme.
  • Delivered a remediation roadmap covering conditional access policies, token protection, privilege review, and ongoing monitoring.
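The containment and audit steps above, expressed as a single triage script (an added example, not Stealth Cyber's own tooling). It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and that the operator holds Exchange Administrator and User Administrator rights or equivalent; the `-LookbackDays` default is a hypothetical value chosen to cover the 109-day dwell time in this case. It runs in report-only mode unless `-Remediate` is passed, pulls inbox-rule changes from the unified audit log (which survive even if the attacker later deleted the rule), lists every current rule that forwards, redirects or deletes mail together with its sender filter, checks mailbox-level forwarding, and on remediation disables the flagged rules and revokes every user's sessions.

```powershell
# Added example, not Stealth Cyber's tooling. Assumes the ExchangeOnlineManagement and
# Microsoft.Graph modules are installed and the operator holds Exchange Administrator and
# User Administrator (or equivalent) roles. $LookbackDays is a hypothetical default that
# covers the 109-day dwell time in this case.
param(
    [switch]$Remediate,
    [int]$LookbackDays = 120
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }
$start = (Get-Date).AddDays(-$LookbackDays)
$end   = Get-Date

# 1. Who created or changed inbox rules, when, and from which IP. The unified audit log
#    keeps these even if the attacker later deleted the rule. 5000 is the per-call cap;
#    page with -SessionCommand ReturnLargeSet if a tenancy exceeds it.
$ruleEvents = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations New-InboxRule,Set-InboxRule,UpdateInboxRules -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json }

$ruleEvents |
    Select-Object CreationTime, UserId, Operation, ClientIP |
    Sort-Object CreationTime |
    Format-Table -AutoSize

# 2. Rules that currently forward, redirect or delete mail, in every mailbox. The case
#    involved narrow rules keyed to particular senders, so the From filter is reported too.
function Get-SmtpAddresses {
    # Assumed recipient string formats:  "Name" [SMTP:user@example.com]  or  "Name" [EX:/o=...]
    # EX: entries are internal legacy DNs; only SMTP: entries can point outside the tenancy.
    param([object[]]$Recipients)
    foreach ($r in $Recipients) {
        if ("$r" -match 'SMTP:([^\]\s]+)') { $Matches[1].ToLower() }
    }
}

$suspect = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
    } | ForEach-Object {
        $addresses = Get-SmtpAddresses (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo))
        $external  = $addresses | Where-Object { ($_ -split '@')[-1] -notin $internalDomains }
        [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Rule     = $_.Name
            Identity = $_.Identity
            From     = ($_.From -join '; ')
            External = ($external -join '; ')
            Deletes  = [bool]$_.DeleteMessage
        }
    }
}

$suspect | Format-Table -AutoSize

# 3. Mailbox-level forwarding set with admin cmdlets rather than an inbox rule.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

if ($Remediate) {
    # Disable rather than remove, so the rule survives as evidence for the incident report.
    foreach ($r in $suspect | Where-Object { $_.External -or $_.Deletes }) {
        Disable-InboxRule -Identity $r.Identity -Mailbox $r.Mailbox -Confirm:$false
    }
    # Invalidate every refresh token and session cookie; all users must sign in again.
    foreach ($u in Get-MgUser -All -Property Id,UserPrincipalName) {
        Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
    }
}
```

Run it once without `-Remediate`, export the three tables into the case file, and only then re-run with `-Remediate`. Disabling the rules instead of deleting them keeps the attacker's configuration intact for the incident report, and revoking sessions tenancy-wide rather than for the one known account matters because a stolen token gives no indication of which other accounts the same phishing page captured.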

Why MFA didn't stop it

MFA is an important control, but it is not a complete defence. In this case, the attacker never needed to bypass MFA directly. They stole a session token after the user had already authenticated. The token acted as a valid pass, giving the attacker the same level of access as the legitimate user.

This technique, known as token theft or session hijacking, is increasingly common. It is effective against organisations that rely on MFA alone without additional controls such as conditional access policies, token binding (token protection), or continuous access evaluation.
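One of the post-authentication controls named above, as an added example rather than a policy Stealth Cyber deployed for this client: a Conditional Access policy created through Microsoft Graph PowerShell that requires a compliant or hybrid-joined device for every cloud app, forces re-authentication every eight hours, and stops browser sessions persisting. It assumes the Microsoft.Graph module, the Conditional Access Administrator role, and an Intune-managed device fleet; the emergency-access account id is a placeholder. A replayed session cookie presented from a machine the tenancy does not manage fails the device check regardless of how valid the token is. Token protection and strict continuous access evaluation are separate session controls in the beta Graph schema and are not included here.

```powershell
# Added example, not Stealth Cyber's policy. Assumes the Microsoft.Graph module and the
# Conditional Access Administrator role. The break-glass account id is a placeholder.
# The policy is created in report-only mode so sign-in logs show its impact before enforcement.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All" -NoWelcome

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access account object id

$policy = @{
    displayName = "Require managed device and 8-hour re-auth for all cloud apps"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    # A stolen cookie replayed from the attacker's machine fails the device requirement
    # even though the token itself is valid.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
    # Shorten the window in which a stolen session stays usable, and do not let the
    # browser keep the session across restarts. persistentBrowser requires the policy
    # to target all cloud apps, which it does above.
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; type = "hours"; value = 8; frequencyInterval = "timeBased" }
        persistentBrowser = @{ isEnabled = $true; mode = "never" }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Leave the policy in report-only mode for a week and review the sign-in logs for users it would have blocked; for a firm of this size the usual finding is a handful of unmanaged personal devices that need enrolling before the state is switched to `enabled`. The eight-hour figure is a trade-off: shorter windows cut the useful life of a stolen token, but every re-authentication is also another opportunity for the same phishing page to capture a fresh session, so the device requirement, not the sign-in frequency, is the control that actually defeats replay.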

What made this case harder to catch

  • No malware was deployed. There was nothing for endpoint protection to detect.
  • No ransomware, no encryption, no disruption. The business continued operating normally.
  • The attacker used legitimate Microsoft 365 services. All access occurred through standard interfaces.
  • Inbox rules were subtle. Forwarding rules targeted specific senders rather than bulk forwarding, which made them harder to spot.
  • The compromised account had broad access. A single account gave the attacker visibility across nine business entities.

The outcome

The attacker's access was terminated within hours of Stealth Cyber's engagement. The full forensic investigation was completed within one week. The firm received a detailed incident report and a prioritised remediation plan. Regulatory notification requirements were assessed and documented.

Stealth Cyber subsequently deployed managed detection and response (MDR) monitoring across the tenancy to provide continuous visibility and rapid response capability.

What this means for your business

If your organisation uses Microsoft 365, this type of attack is relevant to you. Token theft does not require sophisticated tooling. It requires one successful phishing email and an environment that lacks post-authentication monitoring.

MFA is necessary, but it is not sufficient on its own. Without conditional access policies, session controls, and ongoing monitoring, a single compromised session can give an attacker months of silent access.

The question is not whether MFA is enabled. The question is what happens after authentication.

Protect Your Business

Stealth Cyber provides managed detection and response for Microsoft 365 environments. We monitor for token theft, compromised sessions, and lateral movement so you do not have to wait 109 days to find out.

Talk to Stealth Cyber about MDR for your business