
STORIES FROM THE SOC: Eye see you, Axios

Jul 15, 2025
By: Eye Security

At Eye Security, we actively seek out new threat actors and study their tactics, techniques and procedures (TTPs). One significant threat to organisations is business email compromise (BEC), in which a threat actor takes over or impersonates a mailbox to commit financial fraud, among other things.

Here is an example of one such alert as it comes into our Security Operations Centre. Our custom Sentinel ruleset picks up details from the sign-in and triggers an alert, while our in-house dashboard displays the most relevant details so that our analysts can quickly assess the situation.

In short:

  • The threat actor uses Adversary-in-the-Middle (AITM) phishing to gain access to a cloud identity, bypassing MFA
  • Sentinel receives the sign-ins and our custom rulesets are applied
  • The rule yields an alert
  • Our expert SOC analysts triage the alert with priority and come to the following conclusion: 🚧 Very likely malicious, revoke sessions immediately!
  • After the session revocation, the threat actor loses access and is cut off from the cloud identity. Because our analysts respond within minutes, the damage is limited to a stolen password and one successful login. An AITM proxy captures the session token along with the password, so the revocation is what actually cuts the actor off; the subsequent password reset then makes the captured credential useless.
[Image: 'Normalized Alert Details' panel from the in-house dashboard flagging a possible business email compromise. Highlighted indicators: 'Known bad User Agent', 'IP address from Phoenix, USA', 'Known cloud application used in AITM phishing attacks'. The instruction for immediate response is shown at the bottom.]
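To make the detection flow above concrete, here is an added example of the same kind of logic run offline over a few constructed sign-in records. It is not Eye Security's Sentinel rule (which runs as KQL over the Entra ID SigninLogs table); it reproduces the rule's shape in Python so it can be executed anywhere. Field names follow the SigninLogs schema; the user agent patterns, the list of AITM-targeted apps, the user, IP addresses and the alert threshold are assumptions for illustration.

```python
"""Offline model of a sign-in detection rule for AITM phishing activity.

Added example, not Eye Security's Sentinel rule. Field names follow the
Entra ID SigninLogs schema; user agents, app names and the threshold are
assumptions chosen for illustration.
"""
import json
import re

# Assumption: the Axios HTTP library identifies itself as "axios/<version>",
# which no interactive browser ever sends; python-requests is a second example.
KNOWN_BAD_USER_AGENTS = [re.compile(r"^axios/\d"), re.compile(r"^python-requests/")]

# Assumption: first-party apps an AITM proxy commonly signs in to with the
# relayed credentials and MFA response.
AITM_TARGET_APPS = {"OfficeHome", "Microsoft Office"}

# Constructed sample rows (documentation IP ranges, invented user).
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36")
SIGNIN_LOGS = [
    {"TimeGenerated": "2025-07-14T08:02:11Z", "UserPrincipalName": "j.doe@example.com",
     "IPAddress": "203.0.113.10", "UserAgent": CHROME_UA, "AppDisplayName": "Microsoft Teams",
     "ResultType": "0", "AuthenticationRequirement": "multiFactorAuthentication",
     "Location": {"city": "Amsterdam", "countryOrRegion": "NL"}},
    {"TimeGenerated": "2025-07-14T13:27:40Z", "UserPrincipalName": "j.doe@example.com",
     "IPAddress": "203.0.113.10", "UserAgent": CHROME_UA, "AppDisplayName": "Office 365 Exchange Online",
     "ResultType": "0", "AuthenticationRequirement": "multiFactorAuthentication",
     "Location": {"city": "Amsterdam", "countryOrRegion": "NL"}},
    # Failed attempt by the proxy (50126 = invalid username or password); not a login.
    {"TimeGenerated": "2025-07-15T03:40:12Z", "UserPrincipalName": "j.doe@example.com",
     "IPAddress": "198.51.100.23", "UserAgent": "axios/1.7.9", "AppDisplayName": "OfficeHome",
     "ResultType": "50126", "AuthenticationRequirement": "multiFactorAuthentication",
     "Location": {"city": "Phoenix", "countryOrRegion": "US"}},
    # The AITM login: script user agent, MFA satisfied, new country, targeted app.
    {"TimeGenerated": "2025-07-15T03:41:57Z", "UserPrincipalName": "j.doe@example.com",
     "IPAddress": "198.51.100.23", "UserAgent": "axios/1.7.9", "AppDisplayName": "OfficeHome",
     "ResultType": "0", "AuthenticationRequirement": "multiFactorAuthentication",
     "Location": {"city": "Phoenix", "countryOrRegion": "US"}},
    {"TimeGenerated": "2025-07-15T09:15:00Z", "UserPrincipalName": "j.doe@example.com",
     "IPAddress": "203.0.113.10", "UserAgent": CHROME_UA, "AppDisplayName": "Microsoft Teams",
     "ResultType": "0", "AuthenticationRequirement": "multiFactorAuthentication",
     "Location": {"city": "Amsterdam", "countryOrRegion": "NL"}},
]


def ua_is_bad(user_agent):
    return any(p.search(user_agent) for p in KNOWN_BAD_USER_AGENTS)


def learn_baseline(events, before):
    """Countries each user signed in from successfully, with a browser, before
    `before`: the lookback join a KQL rule would perform."""
    baseline = {}
    for e in events:
        if e["TimeGenerated"] >= before or e["ResultType"] != "0" or ua_is_bad(e["UserAgent"]):
            continue
        baseline.setdefault(e["UserPrincipalName"], set()).add(e["Location"]["countryOrRegion"])
    return baseline


def indicators_for(event, known_countries):
    """Human-readable indicators of the kind the dashboard highlights."""
    found = []
    ua = event["UserAgent"]
    if ua_is_bad(ua):
        found.append(f"Known bad User Agent: {ua}")
        if event["AuthenticationRequirement"] == "multiFactorAuthentication":
            # MFA was satisfied, yet the client is a script: the proxy relayed the user's MFA.
            found.append("MFA satisfied from a non-browser client, consistent with AITM relay")
    app = event["AppDisplayName"]
    if app in AITM_TARGET_APPS:
        found.append(f"Known cloud application used in AITM phishing attacks: {app}")
    loc = event["Location"]
    # A user with no history cannot be judged on geography alone, so skip when empty.
    if known_countries and loc["countryOrRegion"] not in known_countries:
        found.append(f"IP address from {loc['city']}, {loc['countryOrRegion']} "
                     f"(user baseline: {sorted(known_countries)})")
    return found


def run_rule(events, window_start, alert_threshold=3):
    """Evaluate successful sign-ins in the window and return normalized alerts."""
    baseline = learn_baseline(events, window_start)
    alerts = []
    for e in sorted(events, key=lambda x: x["TimeGenerated"]):
        if e["TimeGenerated"] < window_start or e["ResultType"] != "0":
            continue  # failed attempts belong to other rules (e.g. password spray)
        found = indicators_for(e, baseline.get(e["UserPrincipalName"], set()))
        if not found:
            continue
        high = len(found) >= alert_threshold
        alerts.append({
            "Title": "Possible business email compromise",
            "User": e["UserPrincipalName"], "IPAddress": e["IPAddress"],
            "TimeGenerated": e["TimeGenerated"], "Indicators": found,
            "Severity": "High" if high else "Medium",
            "Verdict": ("Very likely malicious, revoke sessions immediately" if high
                        else "Suspicious, investigate"),
        })
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SIGNIN_LOGS, "2025-07-15T00:00:00Z"):
        print(json.dumps(alert, indent=2))
```

Run as a script it prints one High alert for the 03:41:57 login from Phoenix and nothing for the failed attempt or the normal Amsterdam sign-ins. The failed axios attempt is deliberately left to other rules: this rule's point is the successful MFA-satisfied login from a non-browser client, which is exactly the event a session revocation has to catch.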