SC-009: Cloud Account Takeover → Data Exfiltration¶
Scenario Header
Type: Cloud | Difficulty: ★★★★☆ | Duration: 2–3 hours | Participants: 4–8
Threat Actor: eCrime group — financially motivated, UNC4135-style Business Email Compromise + cloud pivot
Primary ATT&CK Techniques: T1566.002 · T1528 · T1114.003 · T1530 · T1537 · T1567.002 · T1070.003
Threat Actor Profile¶
COBALT INVOICE is a financially motivated eCrime group operating since 2021, specializing in Business Email Compromise (BEC) fraud escalated through cloud tenant compromise. Unlike traditional BEC actors, COBALT INVOICE weaponizes stolen O365 session cookies to bypass MFA, then pivots to cloud infrastructure found in corporate SharePoint — dramatically amplifying the financial and data-loss impact of each intrusion.
The group targets mid-market enterprises ($100M–$2B revenue) in finance, professional services, and manufacturing, where wire transfer authority exists but security controls lag larger enterprises. Their average intrusion-to-fraud timeline is under 72 hours. Known use of residential proxy networks and commercial AiTM phishing kits (EvilProxy variants).
Motivation: Financial — wire fraud ($500K–$5M per incident), data theft for secondary extortion, cryptocurrency laundering.
Scenario Narrative¶
Phase 1 — Initial Access via AiTM Phishing (~20 min)¶
COBALT INVOICE sends a targeted spearphishing email to Sarah Chen, Finance Manager, impersonating a DocuSign notification for a pending vendor contract. The link routes through an Adversary-in-the-Middle (AiTM) reverse proxy (docusign-review[.]sharepoint-auth[.]com, registered 4 days prior). Sarah enters her O365 credentials; the proxy forwards them in real time to Microsoft, captures the resulting session cookie, and relays the authenticated response back to Sarah — who sees a normal SharePoint document. No MFA prompt fires because the cookie represents an already-authenticated session.
Within 6 minutes, the attacker logs in from a residential proxy exit node in Amsterdam using Sarah's stolen session cookie.
Evidence Artifacts:
| Artifact | Detail |
|---|---|
| Entra ID Sign-in Log | 2026-03-15T02:47:33Z — schen@contoso.com — Source IP: 185.234.218.47 (NL, ProxyRack residential) — UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121 — MFA: Not required (token replay) — Risk: High |
| Email Gateway | Inbound SMTP from docusign@docusign-review[.]sharepoint-auth[.]com — SPF: FAIL, DMARC: FAIL — Subject: "Action Required: Vendor Contract Signature" |
| Microsoft Defender for O365 | Alert: "Suspicious inbox activity from anomalous location" — Severity: Medium — Suppressed by L1 analyst (false positive assumption) |
| Entra ID Audit Log | Session token issued to schen@contoso.com — Token age: inherited from stolen cookie (issued 8h earlier) |
Phase 1 — Discussion Inject
Technical: The Entra ID sign-in log shows MFA: Not required. What specific AiTM mechanism explains this? What Microsoft Entra ID feature, if enabled, would have detected or blocked this cookie replay attack?
Decision: A Microsoft Defender for O365 alert fired at 02:49 UTC but was closed by an L1 analyst as a false positive. Your L1 team closes ~200 similar alerts per week. What process change would prevent this outcome without creating alert fatigue?
Expected Analyst Actions: - [ ] Identify the source IP as a residential proxy (use VirusTotal, Shodan, or IPQS) - [ ] Pull the full Entra ID sign-in history for schen@contoso.com — look for impossible travel or device anomalies - [ ] Check Conditional Access policies — was the login from an unmanaged device permitted? - [ ] Correlate with email gateway to find the phishing email and extract the AiTM domain
Phase 2 — OAuth Persistence & Mail Collection (~30 min)¶
With active session access, the attacker registers a new OAuth 2.0 application named "Analytics Helper Pro" in Contoso's Entra ID tenant using Sarah's credentials. The app is granted Mail.Read, Files.Read.All, and offline_access permissions (no admin consent required for these scopes under the existing tenant policy). This grants persistent token-based access that survives a password reset.
The attacker creates an Outlook inbox rule: forward all email containing keywords invoice, wire, payment, transfer, bank to analytics-helper@protonmail.com. Over the next 6 hours, 847 emails are forwarded — including pending wire transfer approvals, vendor banking details, and an upcoming $2.3M accounts payable batch.
The attacker also accesses SharePoint, searching for finance documents, and downloads 14 files totalling 380MB — including the corporate org chart, CFO's email signature, and Q1 payment schedule.
Evidence Artifacts:
| Artifact | Detail |
|---|---|
| M365 Unified Audit Log | AppInstalled — App: Analytics Helper Pro — AppId: a7f3c2e1-... — User: schen@contoso.com — 2026-03-15T02:53:11Z |
| M365 Unified Audit Log | New-InboxRule — Rule: "FWD-Analytics" — Conditions: SubjectContains invoice,wire,payment — ForwardTo: analytics-helper@protonmail.com — 02:54:08Z |
| M365 Unified Audit Log | MailItemsAccessed — Folder: Inbox — Count: 847 items — Operation via OAuth token (AppId matches Analytics Helper Pro) |
| SharePoint Audit Log | FileDownloaded — User: schen@contoso.com — Files: Q1_AP_Schedule.xlsx, Vendor_Banking_Details.xlsx, Org_Chart_2026.pdf — Source IP: 185.234.218.47 |
Phase 2 — Discussion Inject
Technical: The OAuth app Analytics Helper Pro uses offline_access scope. Why does this make a password reset insufficient for containment? What are the two steps required to fully revoke OAuth-based access?
Decision: You've confirmed malicious OAuth app registration and mail forwarding. You can (A) immediately revoke all of Sarah's tokens and disable the OAuth app — but this will alert the attacker and may trigger immediate escalation, or (B) monitor for 2 hours to gather full IOC list — but 847 emails have already been forwarded. Which do you choose, and what is your legal/privacy obligation regarding the forwarded emails?
Expected Analyst Actions: - [ ] Enumerate all OAuth apps registered via Sarah's session using Graph API (GET /applications?$filter=...) - [ ] Revoke all active refresh tokens for schen@contoso.com via Entra ID (Revoke-AzureADUserAllRefreshToken) - [ ] Delete the malicious OAuth application registration - [ ] Delete the inbox forwarding rule via Exchange Online PowerShell - [ ] Preserve the email forwarding rule config as evidence before deletion - [ ] Begin eDiscovery hold on Sarah's mailbox
Phase 3 — AWS Pivot via Exposed Credentials (~40 min)¶
Among the SharePoint downloads, the attacker finds dev-setup-notes.docx uploaded by a developer, containing AWS IAM credentials for a service account: AKIA... (Access Key ID) and the secret — stored in plain text. These credentials belong to the app-deploy IAM user with PowerUserAccess policy.
The attacker calls the AWS EC2 Instance Metadata Service (IMDS v1) endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/) from a compromised EC2 instance, retrieves a temporary role credential with broader permissions, and uses it to list all S3 buckets. One bucket, contoso-customer-data-prod, contains 847GB of customer PII. The attacker uses aws s3 sync to exfiltrate 100GB to an attacker-controlled S3 bucket in a different region (us-east-1 → eu-west-3).
Total exfiltration time: 22 minutes. CloudTrail logged all API calls but no alert fired — the app-deploy user legitimately calls S3 regularly.
Evidence Artifacts:
| Artifact | Detail |
|---|---|
| CloudTrail | AssumeRole — Principal: app-deploy — Role: arn:aws:iam::123456789012:role/prod-ec2-role — Source IP: 185.234.218.47 — 2026-03-15T05:12:44Z |
| CloudTrail | ListBuckets × 1, GetObject × 13,847 — Bucket: contoso-customer-data-prod — Duration: 22 min |
| CloudTrail | CreateBucket in eu-west-3 — BucketName: analytics-cache-eu-4821 — Account: 847291038847 (not Contoso) |
| S3 Server Access Log | 100GB transferred — Destination bucket in eu-west-3 — No VPC Flow Logs for cross-region S3 transfer (S3 gateway endpoint bypasses VPC) |
| GuardDuty | No alert — app-deploy user is trusted (high-volume legitimate baseline) |
Phase 3 — Discussion Inject
Technical: IMDSv1 is enabled on this EC2 instance, allowing any process (including the attacker) to query 169.254.169.254. What is IMDSv2, and how does it prevent this SSRF-based credential theft? How would you audit your AWS estate for IMDSv1 exposure at scale?
Decision: 100GB of customer PII has been exfiltrated. You must now assess notification obligations under GDPR (EU customers present), CCPA, and your cyber insurance policy. The legal team says notification will be public within 72 hours of discovery. Do you notify now, or first complete your full forensic investigation to understand the exact scope? What's your 72-hour GDPR clock start time?
Expected Analyst Actions: - [ ] Immediately disable the app-deploy IAM access keys via aws iam update-access-key --status Inactive - [ ] Enable IMDSv2 enforcement across all EC2 instances (aws ec2 modify-instance-metadata-options) - [ ] Use CloudTrail Lake to scope exact objects accessed (SELECT * FROM ... WHERE eventName='GetObject') - [ ] Identify and delete the attacker's exfil bucket analytics-cache-eu-4821 - [ ] Invoke incident response retainer — this is now a reportable breach - [ ] Preserve all CloudTrail logs to S3 with Object Lock (prevent tampering)
Phase 4 — BEC Wire Fraud & Cleanup (~30 min)¶
Using the forwarded emails from Phase 2, the attacker now has full context on a pending $2.3M accounts payable wire transfer to Apex Engineering Ltd. The attacker composes an email from Sarah's compromised mailbox (via the OAuth app) to the CFO, Jake Morrison, impersonating the CFO's own approval workflow — "I'm out of office, please use the updated banking details for Apex." The email includes the real vendor name, correct invoice number, and a fraudulent bank account for an IBAN in Lithuania.
CFO Jake Morrison approves the transfer. Finance executes it at 09:14 UTC.
At 10:02 UTC, the real Apex Engineering calls to enquire about a missed payment. The fraud is discovered. The attacker has already deleted the inbox forwarding rule and revoked the OAuth app consent via Sarah's session — but forgot to clear the Entra ID audit log entry for the app registration.
Evidence Artifacts:
| Artifact | Detail |
|---|---|
| Exchange Sent Items | Email from schen@contoso.com to jmorrison@contoso.com — Subject: "RE: Apex Engineering — Updated Banking" — Sent via OAuth app (not native client) — 2026-03-15T08:47Z |
| Wire Transfer Record | $2,312,450 USD — Beneficiary: "Apex Engineering Ltd" (fraudulent IBAN LT24...) — Authorized by: J. Morrison — 09:14 UTC |
| M365 Unified Audit Log | Remove-InboxRule — Rule: "FWD-Analytics" — User: schen@contoso.com — 2026-03-15T09:58Z |
| M365 Unified Audit Log | AppRemoved — App: Analytics Helper Pro — 2026-03-15T09:59Z |
| Entra ID Audit Log | Add application entry still present — OAuth app registration not deletable via user session (requires Admin) |
Phase 4 — Discussion Inject
Technical: The attacker sent the BEC email via the OAuth app rather than the native Outlook client. How does this appear in MessageTrace vs. MailItemsAccessed audit logs, and how would you forensically distinguish a legitimate email from one sent via OAuth app?
Decision: The $2.3M wire has been sent. Your bank's fraud team says recalls are possible within 24 hours with a 40% success rate. You must simultaneously: (1) attempt wire recall, (2) notify FBI IC3, (3) notify affected customers (GDPR/CCPA), (4) contain remaining attacker access, (5) manage executive communications. Assign priority order and assign responsible parties from your team.
Expected Analyst Actions: - [ ] Immediately contact bank to initiate wire recall — every minute matters - [ ] Notify FBI IC3 (ic3.gov) — financial fraud with international IBAN component - [ ] Complete full OAuth app audit across tenant — look for other malicious apps - [ ] Reset credentials for all finance users who received the BEC email - [ ] Engage cyber insurance carrier within policy notification window - [ ] Prepare executive briefing and board notification
Detection Opportunities¶
| Phase | Technique | ATT&CK | Detection Method | Difficulty |
|---|---|---|---|---|
| 1 | AiTM cookie theft | T1566.002 | Entra ID — impossible travel + high-risk sign-in alert | Medium |
| 1 | Residential proxy IP | T1090 | IP reputation enrichment on sign-in logs | Easy |
| 2 | OAuth app registration | T1528 | Entra ID audit: AppInstalled by non-admin | Easy |
| 2 | Mail forwarding rule | T1114.003 | Exchange audit: New-InboxRule with external forward | Easy |
| 3 | IMDSv1 SSRF | T1552.005 | VPC Flow Logs: internal 169.254.169.254 access | Hard |
| 3 | Mass S3 GetObject | T1530 | GuardDuty: UnauthorizedAccess:S3/MaliciousIPCaller | Medium |
| 3 | Cross-region S3 transfer | T1537 | CloudTrail: CreateBucket in unexpected region | Medium |
| 4 | OAuth-sent email | T1114 | MessageTrace: ClientType=REST vs Outlook | Hard |
Key Discussion Questions¶
- Your Conditional Access policy allows unmanaged personal devices to access O365 with MFA. How does AiTM bypass this, and what policy change closes the gap?
- The developer stored AWS credentials in SharePoint. What secrets management solution would prevent this, and how would you audit for existing exposed secrets in your M365 tenant?
- 847 emails were forwarded before the rule was discovered. Under GDPR Article 33, when did your 72-hour notification clock start?
- The wire transfer was approved by the CFO based on a single email. What dual-control or out-of-band verification process would have prevented this?
- GuardDuty did not alert on the mass S3 download because
app-deployhad a trusted baseline. What detective control would you add to catch anomalous-volume access from trusted identities?
Debrief Guide¶
What Went Well¶
- Entra ID captured the anomalous sign-in — the data was there; the gap was triage prioritization
- CloudTrail preserved complete API activity — forensic reconstruction was possible
Key Learning Points¶
- AiTM bypasses MFA — Entra ID's token-binding and Conditional Access device compliance requirements are the countermeasure, not MFA alone
- OAuth apps survive password resets — incident response checklists must explicitly include OAuth app audit and token revocation
- IMDSv1 is a known-dangerous default — every AWS account should audit for this proactively
- BEC is the most expensive cyber crime category — wire fraud is enabled by email access, not technical sophistication
Recommended Follow-Up¶
- [ ] Enable Microsoft Entra ID Identity Protection — block High-risk sign-ins automatically
- [ ] Deploy Conditional Access: require compliant/managed devices for all O365 access
- [ ] Implement tenant-wide OAuth app consent policy: require admin approval for all third-party apps
- [ ] Enforce IMDSv2 across all EC2 instances via SCP or AWS Config rule
- [ ] Implement wire transfer dual-control: all transfers >$50K require phone verification to registered number
- [ ] Deploy DLP policy to flag AWS credential patterns in SharePoint/OneDrive uploads
- [ ] Run purple team exercise simulating AiTM phishing against your tenant