Neutralizing a Global Admin Takeover for a High-Profile US Organization

Benchmarked was called in after a sophisticated threat actor compromised the highest-privilege account in a Microsoft 365 environment – and had been operating undetected for over three weeks.

Global Admin Compromise: Full Tenant Takeover Prevented

Benchmarked conducted a full-scope incident response, forensic investigation, and security remediation after a credential-based attack compromised a Global Administrator account – giving the attacker unrestricted control over the entire Microsoft 365 tenant.

A 22-Day Silent Breach

THE SITUATION

A prominent US-based organization contacted Benchmarked after discovering that their Microsoft 365 environment had been compromised. What initially appeared to be a simple phishing incident turned out to be a sophisticated, multi-phase attack that had been active for over three weeks - entirely undetected.

The reality was far worse than anyone assumed:

A Global Administrator account had been compromised via a coordinated password spray campaign using 20+ globally distributed VPN exit nodes across 12 countries
The attacker had established persistent backdoor access through a malicious OAuth application with full Exchange Web Services permissions - meaning password resets alone would not remove them
Nearly 2,000 phishing emails had been sent from the compromised account in under 60 seconds, exploiting the trusted sender reputation of a legitimate administrator
The attacker conducted 130+ authentication events across administrative portals in a single 2.5-hour window, systematically mapping the environment
Both accounts in the environment held Global Administrator privileges - no separation of duties, no least-privilege controls, no conditional access policies
No MFA was enforced. No audit logging was enabled. No email security controls were in place.

The breach had been active for 22 days before it was identified.

Incident Response and Forensic Investigation

END-TO-END RESPONSE

Benchmarked deployed its incident response team within hours. The engagement spanned full forensic analysis, threat containment, eradication, and a post-incident security assessment — conducted in parallel, under pressure.

1: THREAT DETECTION & TIMELINE RECONSTRUCTION

Reconstructed the complete attack timeline from initial compromise (December 29, 2025) through mass exploitation (January 15, 2026)
Mapped all attacker activity across four distinct phases: credential compromise, reconnaissance, persistence establishment, and mass phishing
Identified the exact attack vector: a globally distributed password spray campaign with successful authentication from Toronto, Canada
Correlated login activity across 20+ unique IP addresses spanning 16 cities and 12 countries
Mapped attacker TTPs to the MITRE ATT&CK framework across 7 techniques

4: POST-INCIDENT SECURITY ASSESSMENT

Conducted a full environment scan using ConnectSecure vulnerability assessment tooling
Identified 16 critical vulnerabilities and 11 high-priority security gaps that directly contributed to the success of the attack
Key findings included: no MFA enforcement, no conditional access policies, disabled audit logging, missing DKIM/DMARC records, no email filtering rules, overly permissive Teams and Azure AD configurations
Delivered a prioritized remediation roadmap covering identity & access management, email security, application governance, and monitoring

5: REMEDIATION & HARDENING ROADMAP

Designed a phased remediation plan: immediate (threat removal + MFA), short-term (audit logging + email controls + admin role separation), and medium-term (XDR deployment + vulnerability management + security awareness training)
Recommended deployment of a layered security stack: SentinelOne for endpoint protection, Perception Point for email security, 24/7 SOC monitoring, and ConnectSecure for continuous vulnerability management
Established continuous monitoring requirements covering Azure AD sign-in logs, OAuth application registrations, email forwarding rules, and outbound email volumes

2: PERSISTENCE MECHANISM IDENTIFICATION

Discovered a malicious OAuth application ("PERFECTDATA SOFTWARE") created by the attacker to maintain access independent of password changes
Identified that the application had been granted Cloud Application Administrator privileges — enabling the attacker to create additional backdoors, modify credentials, and grant new permissions
Confirmed the OAuth app had full Exchange Web Services access, including the ability to read, write, and delete emails, modify forwarding rules, and impersonate users
Recognized the attack pattern as a documented threat vector first identified by Darktrace researchers — validating the forensic findings against known threat intelligence

3: CONTAINMENT & ERADICATION

Immediate credential resets and session terminations for all accounts
Full token revocation across both user accounts
Identification and documentation of the malicious OAuth application for removal
Verification that the secondary account showed no signs of compromise
Comprehensive IOC documentation: all malicious IPs, timestamps, and application identifiers catalogued for blocking and future monitoring

Incident Reponse Plan was created and implemented in less than 6 hours.

THE RESULTS

22-day undetected breach identified, contained, and documented within 24 hours of engagement
Complete forensic timeline reconstructed across 4 attack phases with full MITRE ATT&CK mapping
Malicious OAuth persistence mechanism identified — a backdoor that survived password resets — documented for immediate removal
2,009 phishing emails traced, source of compromise confirmed, and attack infrastructure mapped across 12 countries
16 critical vulnerabilities and 11 high-priority gaps identified and prioritized for remediation
Full remediation roadmap delivered — from immediate threat eradication to long-term security posture transformation
Organization transitioned from zero security controls to a defined path toward 24/7 monitored, layered defense