Microsoft 365 Attack Response

Client: Anonymous
Sector: National Healthcare Provider
Services: Managed IT Services, Cyber Security & Incident Response, Microsoft 365 Security & Support, IT Service Desk
Location HQ: Multi-site Healthcare Services Organisation

Learn how Blue Saffron rapidly contained a sophisticated Microsoft 365 phishing attack for a UK healthcare organisation, protecting critical services, preventing data loss, and strengthening defences against modern MFA-bypass threats.

Rapid Containment of a Sophisticated Phishing Attack Targeting Microsoft 365 Accounts

The Client
A UK-wide organisation operating in the healthcare sector. The organisation uses Microsoft 365 for communication, document sharing, and collaboration across multiple locations.

Our Challenge
In October 2025, the organisation was targeted by a coordinated phishing campaign that sent out highly convincing Microsoft SharePoint-style links. When one of these links was opened, the attacker’s reverse-proxy phishing platform captured the user’s login credentials and their active multi-factor authentication (MFA) session token. This adversary-in-the-middle (AiTM) method, still relatively uncommon in real-world attacks, effectively bypassed MFA, giving the attacker short-term access to a small number of Microsoft 365 mailboxes and shared files before the threat was detected and contained.

Why this wasn’t stopped earlier: Although robust MFA and monitoring controls were already in place, the attacker used an advanced proxy-based technique that intercepted live authentication tokens in real time. Because this AiTM method exploits trusted browser sessions rather than stealing passwords directly, it can evade standard defences. For that reason, the incident required targeted forensic analysis and rapid containment rather than being automatically blocked by existing safeguards.

OUR RESPONSE
Blue Saffron’s Incident Response Team mobilised immediately on detection.
Working alongside the client’s IT and account-management teams, the response focused on fast, visible containment and clear communication.

Key containment and remediation actions:
- Reviewed Azure AD sign-in logs and Microsoft Defender telemetry to trace attacker activity.
- Performed a PowerShell-based mailbox purge to remove malicious emails tenant-wide.
- Revoked active sessions, enforced password and MFA resets for impacted users, and blocked the suspicious proxy IPs.
- Conducted forensic checks of accessed files and mailboxes and confirmed there was no evidence of data deletion or exfiltration.

Following the investigation, both teams updated playbooks and controls to detect and contain token-theft attacks faster in future incidents.

TEAMWORK & COORDINATION
The response was coordinated across the Service Desk, Account Management, and the client’s internal IT team using clear escalation paths and continuous updates. Triage efforts and second-line support were critical to isolating affected accounts quickly while keeping business services running smoothly.

RESULTS
- All affected accounts remediated within 24 hours of detection.
- All compromised sessions revoked and reauthenticated.
- No evidence of data loss or deletion.
- Business operations restored the following business day.
- Client feedback highlighted appreciation for the speed, transparency, and calm professionalism of the response.

POST-INCIDENT IMPROVEMENTS
Area | Action / Recommendation
Incident Response | Playbook updated with explicit token-theft and MFA-bypass steps; faster escalation for suspected AiTM events.
User Awareness | Targeted refresher training on modern phishing tactics and credential hygiene.
Conditional Access | Tighter device-compliance, geographic restrictions, and reduced session lifetimes.
Defender for Office 365 | Hardened anti-phishing and Safe Links policies to catch known proxy domains.
Session Security | Implemented Continuous Access Evaluation (CAE) to shorten token validity and revoke stolen tokens sooner.
Monitoring & Detection | Extended telemetry via Microsoft 365 Defender and Cloud App Security to flag abnormal token reuse and anomalous sign-ins.

OUTCOME
The swift, coordinated response prevented operational downtime and protected the organisation’s services. The investigation confirmed no patient or clinical data was compromised, and the organisation now benefits from stronger security controls, clearer playbooks, and improved user awareness to defend against future token-based phishing threats.

CLIENT FEEDBACK
“Blue Saffron’s response was fast, calm and reassuring. The team removed the malicious emails, guided us through re-securing accounts, and helped us put stronger protections in place.”
Client representative | Healthcare Sector
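The containment actions listed under Our Response (sign-in log review, tenant-wide mailbox purge, session revocation and password reset, proxy IP blocking), worked through as an added PowerShell example that is not Blue Saffron's or the client's own runbook. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the operator holds the Search And Purge role and the Graph scopes requested, and every address, subject, user and IP range in it is a constructed placeholder (203.0.113.0/24 is a documentation range).

```powershell
# Added example (not Blue Saffron's runbook): Microsoft 365 containment steps for an AiTM
# token-theft incident, following the actions listed on this page. Assumes the
# ExchangeOnlineManagement and Microsoft.Graph modules, the Search And Purge role and the
# Graph scopes requested below. Every address, subject, user and IP range is a placeholder.

Connect-IPPSSession                     # Security & Compliance PowerShell (purge cmdlets)
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "User.ReadWrite.All",
                        "Directory.AccessAsUser.All", "Policy.ReadWrite.ConditionalAccess"

$proxyPrefix = "203.0.113."                                      # placeholder attacker proxy range
$impacted    = @("alice@contoso.example", "bob@contoso.example") # constructed list from triage

# 1. Sign-in log review: show which impacted accounts the proxy actually authenticated as.
foreach ($upn in $impacted) {
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 200 |
        Where-Object { $_.IpAddress -like "$proxyPrefix*" } |
        Select-Object CreatedDateTime, UserPrincipalName, IpAddress, AppDisplayName
}

# 2. Tenant-wide purge of the lure emails (the page's PowerShell-based mailbox purge).
$searchName = "IR-AiTM-$(Get-Date -Format yyyyMMdd-HHmm)"
$query      = '(from:"share@sharepoint-docs.example") AND (subject:"shared a document with you")'
New-ComplianceSearch -Name $searchName -ExchangeLocation All -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $searchName
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne "Completed")
if ($search.Items -gt 0) {
    # SoftDelete keeps the messages recoverable for the forensic review; HardDelete does not.
    New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType SoftDelete -Confirm:$false | Out-Null
}

# 3. Invalidate the stolen session. Revoking refresh tokens is what makes the captured,
#    MFA-satisfied token worthless; then force a password change at next sign-in.
foreach ($upn in $impacted) {
    Revoke-MgUserSignInSession -UserId $upn | Out-Null
    $tempPwd = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
    Update-MgUser -UserId $upn -PasswordProfile @{ Password = $tempPwd; ForceChangePasswordNextSignIn = $true }
}

# 4. Register the proxy range as an untrusted named location; a Conditional Access policy
#    that blocks this location must then reference it.
New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "IR blocked AiTM proxy range"
    isTrusted     = $false
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "${proxyPrefix}0/24" })
} | Out-Null
```

MFA re-registration for the impacted users (the page's MFA reset) is done separately in the Entra admin centre; the temporary password is never communicated by email since the attacker may still be reading the mailbox until step 3 completes.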