Phishing Emails Sent from Magna Solutions – How We Solved It

Recently, Magna Solutions was confronted with a security incident in which phishing emails were sent that appeared to originate from our own email accounts. These emails, sent without our permission, contained potentially malicious links and calls for unusual actions. The issue has now been resolved and we have taken measures to prevent recurrence. Here we share the full overview of the incident and the lessons learned.

What happened?

On March 6 around 2:27 PM an employee was the victim of a phishing attack. The email appeared to come from a trusted contact, who himself had already been compromised. The attack used an OAuth flow with the scope OfficeHome.All, which stole a token and bypassed Multi-Factor Authentication (MFA). This gave the attacker access to our employee's mailbox and allowed him to abuse it to send more phishing emails.

Chronological overview:

  • March 6, 2:27 PM: An employee receives a phishing email from a trusted but already hacked contact. By misusing an OAuth token, MFA is bypassed and the attacker gains access to the mailbox.
  • March 7, 09:50 AM: The attacker uses the stolen token to send phishing emails to all of the employee's contacts. The emails contain a link to a fake Microsoft login page via Google Sites.
  • March 7, 10:05 AM: Internal signals point to suspicious emails. We warn contacts via WhatsApp and other channels not to respond to the email.
  • March 7, 10:43 AM: The fraudulent Google Sites page is reported and taken offline by Google a few hours later.
  • March 7, 10:55 AM: Analysis of suspicious login attempts shows activity from Chicago IP addresses (64.64.116.x). Investigation of the phishing page confirms the method of compromise.
  • March 7, 1:30 PM: All active sessions of the compromised user are revoked. It is determined that automatic mail rules were set to archive received and sent emails, but fortunately no persistence mechanisms (such as rogue MFA devices) were found.
  • March 7, 2:43 PM: We draw up an internal report and inform all parties involved.
  • March 8: Attempt to inform the Dutch Data Protection Authority, which is delayed by one day due to maintenance on their website.

How do you recognize a suspicious email?

Although phishing emails may appear to come from a trusted Magna Solutions address, there are often telltale signs:
✔️ Unexpected or unusual requests
✔️ Attachments or links without clear explanation
✔️ Language use that deviates from our normal communication
✔️ Links leading to unknown or suspicious domains

What can you do?
– Do not open suspicious attachments or links
– Please check the contents of the message carefully
– Do you have any doubts about the authenticity? Please contact us using the known contact details

Our experience: “Who falls for phishing? Oh, right…”

Last week we were in the middle of contract negotiations with a client. Documents were being sent back and forth, until suddenly an email arrived. Everything seemed to be right: the logo, the client’s signature—even the language.

And yet… we almost clicked.

Fortunately, a colleague sensed that something was wrong:
First check: hover over the link – Microsoft Secure Portal? No, Google Sites.
Second check: the text – “Urgent action required.” Classic social engineering.

A quick check with the customer via Signal confirmed it: his account had been hacked. Everyone in his address book had received the same email.

The Surprising Hero: ChatGPT

For fun, we threw the raw email into ChatGPT. The AI recognized the phishing attempt immediately, even before Microsoft or SpamAssassin did.

Suspicious link: The email asks to “verify” a document through the Microsoft Secure Portal, but leads to a Google Sites URL.
Urgency & social engineering: Words like “securely shared” and “quick review” are meant to create urgency.
Sender mismatch: The email appears to come from someone you know, but it may be spoofed.
Vague content: No explanation of the document—a classic warning sign.
Unusual attachments and embedded images: Often a way to hide tracking pixels or hidden links.
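
The link and urgency checks described above, as an added example that is not part of the original post: it flags anchors whose visible text names Microsoft while the target host is not a Microsoft domain, and it reports the urgency phrases quoted in this article. The host allow-list, the function names and the sample email are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption (not from the article): hosts the brand really uses for sign-in and documents.
BRAND_HOSTS = {"microsoft": ("microsoft.com", "microsoftonline.com", "office.com", "sharepoint.com")}
# Urgency wording quoted in the article.
URGENCY = ("urgent action required", "quick review", "securely shared")
# Constructed sample modelled on the email described in the article (placeholder URL).
SAMPLE = ('<p>Urgent action required: a document was securely shared with you.</p>'
          '<a href="https://sites.google.com/view/placeholder">Microsoft Secure Portal</a>')

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def host_matches(host, allowed):
    # Exact host or a true subdomain; "microsoft.com.evil.example" must not match.
    return any(host == d or host.endswith("." + d) for d in allowed)

def review_email(html_body):
    """Return findings: brand/link mismatches first, then urgency phrases."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        for brand, allowed in BRAND_HOSTS.items():
            if brand in text.lower() and not host_matches(host, allowed):
                findings.append(f"link text mentions {brand} but points to {host or 'no host'}")
    lowered = html_body.lower()
    findings += [f"urgency phrase: {p}" for p in URGENCY if p in lowered]
    return findings
```

Calling `review_email(SAMPLE)` returns the Google Sites mismatch followed by the two urgency phrases present in the sample.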

Conclusion: It can happen to anyone

“Who falls for phishing?” Well, if you’re not paying attention: everyone.

This incident has not only made us more vigilant, but has also confirmed that transparency and prompt communication are essential. By learning from our mistakes and continuing to invest in security measures, we ensure that risks are kept to a minimum.

Stay alert, stay safe and let's make the internet a safer place together!
