
2 posts tagged with "threat-intelligence"


How APT Groups Pivot from Initial Access to Domain Dominance in Under 4 Hours

Inference Defense · Threat Intelligence & Detection Engineering · 20 min read

You're staring at an EDR alert from 11:47 PM. A Word document spawned PowerShell. By the time your analyst acknowledges the ticket at 12:09 AM, the attacker already has a beacon calling home, has run BloodHound across your entire AD, has dumped credentials from LSASS, and is authenticating to your domain controller with a Domain Admin hash. The "200-day dwell time" you quoted at last quarter's board meeting is about to become a footnote. This intrusion will be over in four hours.

Category: Threat Intelligence · Reading time: 25 min · Audience: SOC Analysts, Detection Engineers, Incident Responders

MFA Bypass in 2025 to 2026: Device Code Phishing, Token Replay, and Why Your Conditional Access Policy Isn't Enough

Inference Defense · Threat Intelligence & Detection Engineering · 27 min read

Your user just completed MFA. They entered their authenticator code correctly. Microsoft accepted it. Your Conditional Access policy evaluated and passed. And the attacker sitting at a server in a different country just received a valid OAuth access token with 60-90 minutes of life, a refresh token valid for 90 days, and a path into your entire Microsoft 365 environment. No phishing page. No fake login form. No credential harvested. MFA itself was the mechanism the attacker used to authenticate on the victim's behalf. This is not a future threat. It has been actively exploited since at least mid-2024, and campaigns surged dramatically in late 2025.