How Bespoke Recently Stopped A Live Cyber Threat In Its Tracks
By Ben Glass, CEO of Bespoke
In May 2025, a client of Bespoke experienced a suspicious login from Lagos, Nigeria. The login bypassed both password and MFA requirements using a stolen Microsoft 365 session token—a textbook case of token theft. But thanks to Bespoke’s rapid response and deep expertise, the threat was contained before it could escalate. In this article we showcase a cyber threat as it unfolded in real time and how the experienced Bespoke cyber threat team caught, isolated, mitigated and resolved it quickly and efficiently.
The Incident: A Silent Breach
A sign-in was observed on May 14, 2025, from an unmanaged, non-compliant device located in Lagos. The attacker used a previously issued session token to access a single user’s Microsoft 365 email account. No password was entered. No MFA challenge was triggered. The token had not been bound to a trusted device, allowing the attacker to bypass all interactive authentication.
After a full forensic sweep across Microsoft Entra, 365, Nasuni, domain controllers, and RDS, Bespoke confirmed the breach was isolated to one account. There was no lateral movement, no access to sensitive systems, and no data loss.
The Root Cause: Token Theft Explained
Token theft is a growing threat in modern cloud environments. When users authenticate, Microsoft issues a session token that allows apps like Outlook or Teams to stay logged in. If an attacker steals that token—via phishing, malware, or session hijacking—they can impersonate the user without ever needing their password or triggering MFA.
These tokens can remain valid for days or weeks, and most security tools won’t flag their use as suspicious because the session appears “already approved.” This makes token theft both stealthy and dangerous.
The Response: Fast, Focused, and Forensic
Bespoke’s team didn’t just confirm the scope—they explained the “how” and “why” behind the attack. Token theft, they noted, is a growing threat that bypasses traditional defenses by hijacking session tokens. Even with MFA enabled, attackers can impersonate users if they gain access to these tokens.
The team also provided clear, actionable recommendations to the client’s leadership, including:
- Upgrading to Microsoft Entra P2 licenses to enable token binding
- Revisiting policies around personal device access
- Implementing a lifecycle management plan for hardware and software upgrades
What’s Next: Proactive Defense with SaaS Alerts
To further strengthen defenses, Bespoke is rolling out a new SIEM solution with SaaS Alerts. This system will:
- Block logins from unrecognized devices or locations—even if MFA succeeds
- Trigger automatic MFA resets after suspicious activity
- Send real-time alerts to both Bespoke and the client’s team
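The detection logic a SIEM rule of this kind applies to sign-in records, and the indicators the token-theft explanation above describes (no fresh MFA prompt, an unmanaged and non-compliant device, an unfamiliar country), as an added example that is not Bespoke's or SaaS Alerts' code. The field names (`authenticationRequirement`, `deviceDetail`, `location`) follow the shape of Microsoft Graph sign-in log records; the per-user country baseline and the three sign-in records are constructed for illustration and modelled on the incident described in the article.

```python
"""Flag sign-ins that look like session-token replay.

Added example, not the tooling described in the article. Field names mirror the
shape of Microsoft Graph sign-in log records (an assumption for illustration);
the sample records and the country baseline are constructed.
"""
from dataclasses import dataclass, field

# Assumed per-user baseline of countries seen in normal use (constructed).
KNOWN_COUNTRIES = {
    "alice@example.com": {"US"},
    "bob@example.com": {"US", "CA"},
}

# Constructed sign-in records: one normal, one token replay, one travelling user.
SAMPLE_SIGNINS = [
    {  # normal: managed, compliant device, interactive MFA, home country
        "id": "s1", "userPrincipalName": "alice@example.com",
        "createdDateTime": "2025-05-14T08:02:11Z",
        "authenticationRequirement": "multiFactorAuthentication",
        "deviceDetail": {"isManaged": True, "isCompliant": True},
        "location": {"city": "Denver", "countryOrRegion": "US"},
    },
    {  # token replay: no MFA challenge, unmanaged/non-compliant device, new country
        "id": "s2", "userPrincipalName": "alice@example.com",
        "createdDateTime": "2025-05-14T13:47:05Z",
        "authenticationRequirement": "singleFactorAuthentication",
        "deviceDetail": {"isManaged": False, "isCompliant": False},
        "location": {"city": "Lagos", "countryOrRegion": "NG"},
    },
    {  # travelling user on a managed device with fresh MFA: one indicator only
        "id": "s3", "userPrincipalName": "bob@example.com",
        "createdDateTime": "2025-05-14T15:10:40Z",
        "authenticationRequirement": "multiFactorAuthentication",
        "deviceDetail": {"isManaged": True, "isCompliant": True},
        "location": {"city": "London", "countryOrRegion": "GB"},
    },
]


@dataclass
class Finding:
    signin_id: str
    user: str
    reasons: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def evaluate_signin(record: dict, known_countries: dict[str, set[str]]) -> Finding:
    """Return the indicators that make one sign-in look like token replay."""
    user = record["userPrincipalName"]
    finding = Finding(record["id"], user)
    device = record.get("deviceDetail", {})
    country = record.get("location", {}).get("countryOrRegion")

    # A replayed token satisfies the session without a fresh MFA prompt.
    if record.get("authenticationRequirement") != "multiFactorAuthentication":
        finding.reasons.append("no_interactive_mfa")
    # The token was never bound to a trusted, managed device.
    if not device.get("isManaged"):
        finding.reasons.append("unmanaged_device")
    if not device.get("isCompliant"):
        finding.reasons.append("non_compliant_device")
    # A country the user has never signed in from before.
    if country not in known_countries.get(user, set()):
        finding.reasons.append(f"unexpected_country:{country}")
    return finding


def find_suspicious(records, known_countries, threshold: int = 3) -> list[Finding]:
    """Sign-ins with at least `threshold` indicators are escalated for containment."""
    suspicious = []
    for record in records:
        finding = evaluate_signin(record, known_countries)
        if finding.score >= threshold:
            suspicious.append(finding)
    return suspicious


def containment_steps(finding: Finding) -> list[str]:
    """Responder checklist for a confirmed finding (revocation is the key step:
    the stolen token stays valid until every session for the user is revoked)."""
    return [
        f"revoke all sessions for {finding.user} (Graph: POST /users/{{id}}/revokeSignInSessions)",
        f"reset MFA registration for {finding.user}",
        f"review mailbox rules and OAuth consents for {finding.user}",
        f"alert the client team: sign-in {finding.signin_id} flagged for {', '.join(finding.reasons)}",
    ]


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_SIGNINS, KNOWN_COUNTRIES):
        print(f"{f.signin_id} {f.user} score={f.score} reasons={f.reasons}")
        for step in containment_steps(f):
            print("  -", step)
```

The threshold keeps a travelling employee on a managed device with a fresh MFA prompt out of the escalation queue; the Lagos sign-in trips all four indicators because a replayed token never produces an MFA challenge and the device is neither managed nor compliant. In production the baseline would be derived from the user's own sign-in history rather than a hand-written table.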
This solution goes live in June and represents a major leap forward in proactive threat detection.
Why It Matters: A Blueprint for Resilience
This incident wasn’t just a win for one client; it was a showcase of Bespoke’s commitment to protecting every organization they serve. Their ability to detect, diagnose, and defend against modern threats is what sets them apart.
Don’t Wait—Start Planning Now with a Free Assessment
When it comes to cybersecurity, Bespoke doesn’t just respond—they lead. If you are unsure whether your current cybersecurity posture can stop a cyber threat, email us at [email protected] to boost your cyber resilience.