XpioHealth

Incident Response Case Study

Thwarting a Global OAuth Phishing Campaign Against a Behavioral Health Organization

A sophisticated phishing-as-a-service attack ran undetected for 86 days. Xpio's Delphi Cyber team contained it in 10 — with zero PHI exposure, zero ransom, and zero service downtime.

Days dwell time: 86
Days to contain: 10
PHI exposed: 0
Ransom paid: $0

The Attack

A global phishing campaign hit a behavioral health nonprofit.

The organization was targeted as part of a global phishing-as-a-service campaign that affected 900+ organizations worldwide. The attackers used sophisticated OAuth application abuse to bypass multi-factor authentication and maintain persistent access through malicious service principals, a technique that survives password resets and MFA enrollment.

The attack ran for 86 days before suspicious activity was reported internally. By that point, the attackers had compromised a significant percentage of the organization's user accounts, deployed 13+ malicious OAuth applications, and scanned over 127,000 items across the Microsoft 365 tenant.

When MFA was enabled tenant-wide on day 83, the attackers adapted within 24 hours, pivoting to token replay attacks that bypassed the new MFA controls. This is not a commodity attack. This is an organized, persistent, adaptive threat operation.

Timeline

86 days of attack. 10 days of response.

Day 0 (attack): Initial phishing campaign begins
Day 23 (attack): Employee credentials compromised via phishing
Day 32 (attack): Phishing-as-a-Service kit deployed, MFA bypass active
Day 45 (attack): Mass reconnaissance, 127K+ items scanned
Day 61 (attack): Peak malicious activity, maximum infiltration
Day 78 (detect): Suspicious activity reported internally
Day 80 (respond): Xpio Cyber engaged, investigation begins
Day 81 (respond): Security incident confirmed
Day 82 (respond): Emergency tenant shutdown, all sessions terminated
Day 83 (respond): MFA enforced tenant-wide for all users
Day 84 (respond): Token replay attacks detected and blocked post-MFA
Day 86 (contain): Full containment achieved

The Response

What Xpio did in 10 days.

Emergency Tenant Shutdown

Within 48 hours of engagement, Xpio executed a full emergency shutdown, terminating all active sessions, revoking compromised tokens, and blocking malicious IP ranges across the tenant.

Forensic Investigation

Analyzed millions of audit log records using advanced threat hunting tools. Traced the full attack chain from initial phishing through OAuth abuse, identifying every compromised account and malicious service principal.

Malicious Infrastructure Removal

Identified and removed 13+ malicious OAuth applications and 12+ rogue service principals planted by the attackers. Blocked all associated IP addresses and attack signatures.

Hardening & Remediation

Enforced MFA tenant-wide, locked OAuth app registration to admin-only, blocked foreign IP access, enabled continuous service principal monitoring. Transformed the security posture from reactive to proactive.

Legal & Compliance Coordination

Worked alongside legal counsel to deliver a court-admissible forensic report. Completed all required breach notifications on time. No regulatory penalties. No PHI exposure confirmed through forensic analysis.

67-Page DFIR Report

Delivered a comprehensive digital forensics and incident response report covering attack timeline, indicators of compromise, risk assessment, business impact, remediation actions, and a post-incident security roadmap.

Outcomes

What mattered.

100% client service uptime maintained throughout incident
Zero PHI exposure confirmed through forensic analysis
Zero ransom demanded or paid, no ransomware deployed
All regulatory notifications completed on time
0.1% actual data exfiltration rate (vs. 127K+ items scanned)
Full containment in 10 days from engagement
No regulatory penalties incurred
IOCs shared with federal authorities for sector-wide defense

Lessons

What this means for your organization.

MFA is necessary but not sufficient

The attackers adapted within 24 hours of MFA being enabled — pivoting from credential theft to token replay attacks. MFA alone does not stop a determined adversary. You need OAuth app governance, service principal monitoring, conditional access policies, and continuous threat detection.
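To illustrate the OAuth app governance and service principal monitoring that the Hardening section and this lesson call for, here is an added example (not Xpio's tooling and not code from this case study) that reviews consent and service-principal events from constructed audit records. The flat record shape, the sensitive-scope list, the admin-role list and the approved-app list are all assumptions made for the illustration.

```python
from collections import defaultdict
# Delegated permissions whose grant to a new app deserves review
# (assumed list, chosen for illustration; not taken from the case study).
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                    "offline_access", "User.Read.All"}
ADMIN_ROLES = {"Global Administrator", "Application Administrator"}

def review_consents(records, approved_apps, mass_threshold=3):
    """Return review findings for OAuth consent / service principal events.
    Record shape (flat dicts) is an assumption, not a real audit-log export."""
    findings = []
    users_per_app = defaultdict(set)   # app -> distinct consenting users
    for r in records:
        if r["activity"] not in ("Consent to application", "Add service principal"):
            continue
        reasons = []
        if r["app"] not in approved_apps:
            reasons.append("app not on the approved list")
        if not ADMIN_ROLES & set(r.get("actor_roles", [])):
            reasons.append("granted by a non-admin user")
        sensitive = sorted(set(r.get("scopes", [])) & SENSITIVE_SCOPES)
        if sensitive:
            reasons.append("sensitive scopes: " + ", ".join(sensitive))
        users_per_app[r["app"]].add(r["actor"])
        n = len(users_per_app[r["app"]])
        if n >= mass_threshold and r["app"] not in approved_apps:
            reasons.append(f"{n} distinct users consented (possible campaign)")
        if reasons:
            findings.append({"time": r["time"], "actor": r["actor"],
                             "app": r["app"], "reasons": reasons})
    return findings
# Constructed sample records (not real data): one sanctioned admin consent,
# three users consenting to the same unknown mail app, one rogue principal.
SAMPLE_AUDIT = [
    {"time": "T00", "activity": "Consent to application", "actor": "admin@example.org",
     "actor_roles": ["Global Administrator"], "app": "HR Portal", "scopes": ["User.Read"]},
    {"time": "T01", "activity": "Consent to application", "actor": "jdoe@example.org",
     "actor_roles": [], "app": "Mail Sync Helper", "scopes": ["Mail.Read", "offline_access"]},
    {"time": "T02", "activity": "Consent to application", "actor": "asmith@example.org",
     "actor_roles": [], "app": "Mail Sync Helper", "scopes": ["Mail.Read", "offline_access"]},
    {"time": "T03", "activity": "Consent to application", "actor": "bwong@example.org",
     "actor_roles": [], "app": "Mail Sync Helper", "scopes": ["Mail.Read", "offline_access"]},
    {"time": "T04", "activity": "Add service principal", "actor": "asmith@example.org",
     "actor_roles": [], "app": "Backup Agent", "scopes": []},
]
APPROVED_APPS = {"HR Portal"}
if __name__ == "__main__":
    for f in review_consents(SAMPLE_AUDIT, APPROVED_APPS):
        print(f["time"], f["app"], f["actor"], "; ".join(f["reasons"]))
```

Locking app registration and consent to admins removes the "non-admin user" path entirely; the remaining checks still catch principals created through an already-compromised admin.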

The policy that saved everything

The organization had a policy of keeping protected health information out of their Microsoft 365 tenant. That single decision prevented what could have been a catastrophic HIPAA breach. The attackers scanned 127,000+ items and found no PHI. Policy saved what technology could not.

Speed matters more than perfection

Emergency tenant shutdown on day 82 was a bold call: it disrupted administrative operations for 24-48 hours. But it stopped the bleeding. Client services ran at 100% throughout. The decision to act fast, accept short-term pain, and contain the threat is what separated this from a catastrophe.

Hope you never need us for this. But if you do, we're ready.

Incident response, digital forensics, and security hardening for healthcare organizations. When it matters most, you want a team that's done it before.
