
When “Just a Password” Wasn’t Enough: How a Legacy Authenticator Opened the Door to O365 Compromise

Robert Sterio, SOC Analyst, Redsquid

Customer Environment: High Level

The customer, a large UK-based enterprise, runs a Microsoft 365-centric environment with hundreds of user accounts, standard endpoint protections, and a blend of in-house and managed IT support. Multi-factor authentication (MFA) is enforced as a frontline defence, but, like many organisations, legacy authentication protocols remain enabled for operational compatibility. The environment is monitored by Redsquid’s SOC, leveraging Microsoft Defender, Darktrace, and custom detection rules.

What Stood Out: The First Signal

The investigation began with a familiar but easily overlooked signal: repeated failed login and MFA attempts on a single O365 user account, originating from a shifting array of geolocations and IP addresses. Brute-force attempts are common, but this pattern was different: persistent, automated and relentless, with multiple VPNs and ASNs in play. The target? A generic contact centre user, not a high-profile account. Precisely the kind of “low-value” identity that often slips under the radar.

Minute-by-Minute: From Alert to Containment

The first alert, surfaced by Defender and flagged in ASPECT, showed a successful password authentication from a suspicious IP, immediately followed by failed MFA attempts. This was a key signal. It confirmed that the attacker already had a valid username and password but was being blocked at the MFA stage.

The analyst recognised this as more than just background noise. Rather than random guessing, this indicated a credential-based attack in progress, where the attacker was actively testing ways to bypass MFA.

Over several days, the attacker rotated IPs and VPN endpoints, signalling automation and a determined adversary. The activity was raised to the customer with clear guidance to secure the account, including resetting credentials and restricting access. The SOC continued to monitor closely, escalating the case from a medium to a high-priority threat as the attacker’s persistence and sophistication became clear.

Incident Progression

How the Incident Unfolded

The attacker’s initial foothold was a compromised password, likely sourced from a public credential dump or reused from another breach. Automation was used to test the credentials from multiple locations, but MFA consistently blocked access. The attacker’s behaviour was methodical, likely using VPS infrastructure to rotate IPs and evade simple geo-blocking.

How the Threat Established Itself

The turning point came when the attacker exploited a legacy Windows authentication protocol still enabled in the environment. This protocol, designed for backward compatibility, allowed the attacker to bypass MFA entirely using a specific user agent string. At 3 a.m. on a Saturday, the attacker successfully authenticated, triggering a custom Darktrace alert for multiple module hits on a single account.

While this activity may appear as isolated alerts, it followed a clear and recognisable pattern—from initial credential use through to MFA bypass and post-login behaviour.

Screenshot: Typical MFA bypass attack flow, from credential use through to behavioural detection and containment.

What the Team Observed Next

Within minutes of gaining access, the attacker exfiltrated the SMTP username and password, sending them to a personal Gmail account. This rapid, targeted action suggested a clear understanding of both the environment and the value of email credentials for further exploitation or phishing. The attacker’s connection was short-lived: the compromised account was locked by the SOC and the customer’s IT team as part of containment.

What We Did: Human-Led Response

Cyberseer’s SOC analysts immediately escalated the incident, contacting the customer’s out-of-hours team and advising urgent action to disable the account and reset the password. Despite initial delays, the analyst persisted, coordinating with the customer’s IT team to ensure the account was finally locked, and access was fully revoked. A full investigation was carried out to assess for lateral movement and wider compromise, with no further malicious activity identified.

Why This Was a High-Priority Threat

This incident is a textbook example of how a “low-value” account can become a high-impact entry point. The attacker’s use of automation, VPNs, and a legacy authentication bypass demonstrated both technical skill and determination. The exfiltration of SMTP credentials could have enabled further phishing, data loss, or lateral movement, risks that were only mitigated through timely human intervention. The case also highlighted the danger of relying solely on MFA without addressing legacy protocol exposure.

Defender-relevant Behaviours Observed

The following behaviours were observed during the incident and are representative of activity that Microsoft Defender and similar tools can detect when properly configured:

  • Persistent, automated login attempts from rotating IPs and VPNs
  • Successful password authentication followed by repeated MFA failures
  • Exploitation of legacy Windows authentication to bypass MFA
  • Rapid exfiltration of email credentials upon successful access
  • Manual, targeted actions post-authentication, indicating a skilled adversary
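The two signals the SOC keyed on, password accepted but MFA failed from a spread of IP addresses, followed by a successful sign-in through a client that never presents an MFA challenge, can be expressed as a small triage rule over Entra ID sign-in records. The example below is added here and is not Redsquid’s or Microsoft’s code. Field names follow the Microsoft Graph signIn resource (userPrincipalName, ipAddress, clientAppUsed, status.errorCode); the error-code meanings are assumptions stated in the code; the sign-in records are constructed for the example. Because the post does not name the user agent string the attacker used, the rule keys on the clientAppUsed value instead, treating anything other than the two modern client types as legacy.

```python
"""Triage the MFA-pressure then legacy-auth-success pattern in Entra ID sign-in logs.

Added illustration, not Redsquid's or Microsoft's code. Record layout follows the
Graph signIn resource; error-code semantics below are assumptions; all records
are constructed sample data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed Entra ID sign-in error-code meanings
SUCCESS = 0            # sign-in completed
BAD_PASSWORD = 50126   # invalid username or password
MFA_FAILED = 500121    # password accepted, MFA challenge not satisfied

# clientAppUsed values that can be challenged for MFA; everything else is legacy
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

SAMPLE_SIGNINS = [
    # constructed: contact-centre account under password-then-MFA pressure from rotating IPs
    {"createdDateTime": "2025-06-05T22:14:00Z", "userPrincipalName": "cc.agent07@example.com",
     "ipAddress": "203.0.113.10", "clientAppUsed": "Browser", "status": {"errorCode": MFA_FAILED}},
    {"createdDateTime": "2025-06-06T02:41:00Z", "userPrincipalName": "cc.agent07@example.com",
     "ipAddress": "198.51.100.77", "clientAppUsed": "Browser", "status": {"errorCode": MFA_FAILED}},
    {"createdDateTime": "2025-06-06T11:05:00Z", "userPrincipalName": "cc.agent07@example.com",
     "ipAddress": "192.0.2.200", "clientAppUsed": "Browser", "status": {"errorCode": BAD_PASSWORD}},
    {"createdDateTime": "2025-06-06T19:30:00Z", "userPrincipalName": "cc.agent07@example.com",
     "ipAddress": "192.0.2.200", "clientAppUsed": "Browser", "status": {"errorCode": MFA_FAILED}},
    # constructed: 3 a.m. Saturday success through a legacy client that never prompts for MFA
    {"createdDateTime": "2025-06-07T03:02:00Z", "userPrincipalName": "cc.agent07@example.com",
     "ipAddress": "203.0.113.55", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": SUCCESS}},
    # constructed: ordinary user, nothing suspicious
    {"createdDateTime": "2025-06-06T08:00:00Z", "userPrincipalName": "j.bloggs@example.com",
     "ipAddress": "192.0.2.15", "clientAppUsed": "Browser", "status": {"errorCode": SUCCESS}},
    # constructed: multifunction printer relaying mail over SMTP AUTH, no MFA pressure
    {"createdDateTime": "2025-06-06T09:12:00Z", "userPrincipalName": "scanner@example.com",
     "ipAddress": "192.0.2.16", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": SUCCESS}},
]


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def mfa_pressure(signins, window=timedelta(hours=48), min_ips=3):
    """Users whose password was accepted but MFA failed from >= min_ips distinct IPs inside `window`."""
    by_user = defaultdict(list)
    for r in signins:
        if r["status"]["errorCode"] == MFA_FAILED:
            by_user[r["userPrincipalName"]].append((_ts(r), r["ipAddress"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):           # sliding window anchored at each event
            ips = {ip for t, ip in events[i:] if t - t0 <= window}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged


def legacy_successes(signins):
    """Successful sign-ins through clients that cannot be challenged for MFA."""
    return [r for r in signins
            if r["status"]["errorCode"] == SUCCESS and r["clientAppUsed"] not in MODERN_CLIENTS]


def triage(signins):
    """Rank findings: legacy success on an account already under MFA pressure is the one to contain now."""
    pressured = mfa_pressure(signins)
    findings = [{"user": u, "severity": "medium", "reason": f"MFA failures from {len(ips)} IPs", "ips": ips}
                for u, ips in pressured.items()]
    for r in legacy_successes(signins):
        user = r["userPrincipalName"]
        findings.append({"user": user, "severity": "high" if user in pressured else "low",
                         "reason": f"legacy sign-in via {r['clientAppUsed']} from {r['ipAddress']}",
                         "time": r["createdDateTime"]})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["user"]))


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SIGNINS), indent=2))
```

The “low” finding for the printer account is deliberate: a legacy sign-in on its own is an audit item (something still depends on the protocol), whereas the same sign-in on an account that has just absorbed MFA failures from several networks is the bypass the post describes and is escalated straight to high.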

Lessons Learned & Hardening Guidance

For security leaders, this incident highlights several critical takeaways that should directly inform identity security and response strategies:

  • Legacy authentication is a liability: Even with MFA, legacy protocols can provide a backdoor for attackers. Disable them wherever possible.
  • Low-privilege accounts are not low risk: Attackers frequently compromise low-privilege or overlooked accounts to gain an initial foothold.
  • Credential hygiene matters: Password reuse and exposure in public dumps remain a top risk. Enforce strong, unique passwords and monitor for leaked credentials.
  • Human judgement is irreplaceable: Automated alerts flagged the activity, but it was analyst intuition and persistence that drove escalation and containment.
  • Remediation must be timely: Delays in disabling compromised accounts can turn a containable incident into a breach.
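“Disable legacy protocols wherever possible” is usually done in Microsoft 365 with a Conditional Access policy that blocks the legacy client app types, rolled out in report-only mode first so the accounts that still depend on them (the mail-relaying printer, the old phone) surface before anyone is locked out. The example below is added here and is not Redsquid’s or Microsoft’s code. The policy dictionary follows the Microsoft Graph conditionalAccessPolicy schema (displayName, state, conditions.clientAppTypes, grantControls.builtInControls); the mapping from sign-in-log clientAppUsed names to policy clientAppTypes values is an assumption noted in the code, the sample sign-ins are constructed, and user principal names stand in for the object IDs that excludeUsers takes in practice.

```python
"""Stage a Conditional Access policy that blocks legacy authentication and preview its impact.

Added illustration, not Redsquid's or Microsoft's code. The policy body follows the
Graph conditionalAccessPolicy schema; the sign-in records are constructed; UPNs are
used where the real API takes user object IDs.
"""
import json

# Client app types that carry legacy (basic) authentication and therefore cannot do MFA
LEGACY_CLIENT_APP_TYPES = ["exchangeActiveSync", "other"]
VALID_STATES = {"enabled", "disabled", "enabledForReportingButNotEnforced"}


def block_legacy_auth_policy(state="enabledForReportingButNotEnforced", exclude_users=()):
    """Build the policy body. Start in report-only, review sign-in logs, then switch state to 'enabled'."""
    if state not in VALID_STATES:
        raise ValueError(f"unknown policy state {state!r}")
    return {
        "displayName": "Block legacy authentication",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": LEGACY_CLIENT_APP_TYPES,
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def client_app_type(client_app_used):
    """Assumed mapping from sign-in-log clientAppUsed names to policy clientAppTypes values."""
    if client_app_used == "Browser":
        return "browser"
    if client_app_used == "Mobile Apps and Desktop clients":
        return "mobileAppsAndDesktopClients"
    if client_app_used == "Exchange ActiveSync":
        return "exchangeActiveSync"
    return "other"  # IMAP4, POP3, Authenticated SMTP, MAPI, EWS and similar basic-auth clients


def would_block(policy, signin):
    """True if the policy, once enforced, would deny this sign-in."""
    users = policy["conditions"]["users"]
    upn = signin["userPrincipalName"]
    in_scope = "All" in users["includeUsers"] or upn in users["includeUsers"]
    if not in_scope or upn in users["excludeUsers"]:
        return False
    if client_app_type(signin["clientAppUsed"]) not in policy["conditions"]["clientAppTypes"]:
        return False
    return "block" in policy["grantControls"]["builtInControls"]


def preview_impact(policy, signins):
    """Map each affected account to the legacy clients it would lose; run this while the policy is report-only."""
    impact = {}
    for s in signins:
        if would_block(policy, s):
            impact.setdefault(s["userPrincipalName"], set()).add(s["clientAppUsed"])
    return {u: sorted(c) for u, c in sorted(impact.items())}


SAMPLE_SIGNINS = [  # constructed: a week of sign-ins from the report-only period
    {"userPrincipalName": "cc.agent07@example.com", "clientAppUsed": "Authenticated SMTP"},
    {"userPrincipalName": "cc.agent07@example.com", "clientAppUsed": "Browser"},
    {"userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP"},
    {"userPrincipalName": "m.khan@example.com", "clientAppUsed": "Exchange ActiveSync"},
    {"userPrincipalName": "j.bloggs@example.com", "clientAppUsed": "Mobile Apps and Desktop clients"},
]


if __name__ == "__main__":
    report_only = block_legacy_auth_policy()
    print(json.dumps(preview_impact(report_only, SAMPLE_SIGNINS), indent=2))
    # Once the printer has been moved to a supported relay, enforce for everyone
    print(json.dumps(block_legacy_auth_policy(state="enabled"), indent=2))
```

The preview is the step that turns “disable legacy auth” from a risky change into a routine one: every account it lists is either a dependency to migrate or, as in this incident, an attacker path that the enforced policy will close.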

In Summary

Incidents like this show that even the best technical controls can be undermined by overlooked legacy settings and slow response. Redsquid’s SOC combines advanced detection with relentless human analysis to catch what others miss and to act before attackers can escalate. If you want to ensure your environment is resilient against both the obvious and the subtle, contact us to learn how our team can help you stay ahead of the next breach.