Using Telemetry to Extend Detection in a Phishing Case
- danielmiddlemass0
- Jan 27
- 1 min read
Updated: 5 days ago
The SamurAI MDR Team reported a phishing incident in late November 2025 in which a user was tricked into authenticating to an adversary-in-the-middle (AiTM) phishing page, which proxied the login and captured the user's Office 365 session cookie.
The incident was well covered by Microsoft Defender, which triggered alerts such as:
- Password spray
- Risky sign-in after clicking a possible AiTM phishing URL
- Unfamiliar sign-in properties
However, the SamurAI MDR analyst observed that the threat actor authenticated from an IP address belonging to an Azure Virtual Machine. That address could be used as a pivot point to map the threat actor's wider activity with the help of additional telemetry sources.
The flow of events can be seen in the following image:

As the diagram shows, the likely origin of the attacker was traced to IP addresses belonging to a Nigerian ISP. Those addresses were in turn used to manage additional Azure Virtual Machines.
SamurAI MDR analysts have added the identified malicious Azure Virtual Machine IPs to our Threat Intelligence feed, so any activity from these addresses observed in ingested client logs will generate an alert.
Malicious Indicators:
20.78.32[.]88
20.98.136[.]136
20.118.36[.]188
20.118.211[.]175
20.118.243[.]31
20.186.232[.]112
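As an added illustration (not code from the SamurAI post), the Python script below shows the two steps described above in working form: re-fanging the published indicators into a matchable set, running that set over a batch of sign-in events as a threat-intelligence match, and pivoting on one observed IP to list the accounts it touched and the other source addresses those accounts used. The log lines are constructed for the example, and the field names (`IPAddress`, `UserPrincipalName`, `ResultType`, ...) follow the Entra ID sign-in log convention but are an assumption; in Defender itself the same matching would be expressed as a KQL query rather than in Python.

```python
import ipaddress
import json
from collections import defaultdict

# Indicators exactly as published above, defanged with "[.]".
DEFANGED_INDICATORS = [
    "20.78.32[.]88",
    "20.98.136[.]136",
    "20.118.36[.]188",
    "20.118.211[.]175",
    "20.118.243[.]31",
    "20.186.232[.]112",
]


def refang(indicator: str) -> str:
    """Turn a defanged IOC ("20.78.32[.]88") into a validated IP string.

    ipaddress.ip_address() rejects anything that is not a real address, so a
    typo in the feed fails loudly here instead of silently never matching.
    """
    return str(ipaddress.ip_address(indicator.replace("[.]", ".")))


IOC_IPS = frozenset(refang(i) for i in DEFANGED_INDICATORS)

# Constructed sample sign-in events (JSON lines). These are NOT real client
# logs; the field names are an assumption modelled on Entra ID SigninLogs.
SAMPLE_SIGNIN_LOGS = """\
{"TimeGenerated":"2025-11-24T08:01:12Z","UserPrincipalName":"alice@example.com","IPAddress":"20.78.32.88","AppDisplayName":"Office 365 Exchange Online","ResultType":"0"}
{"TimeGenerated":"2025-11-24T08:03:40Z","UserPrincipalName":"alice@example.com","IPAddress":"203.0.113.10","AppDisplayName":"Microsoft Teams","ResultType":"0"}
{"TimeGenerated":"2025-11-24T09:15:02Z","UserPrincipalName":"bob@example.com","IPAddress":"20.118.211.175","AppDisplayName":"OfficeHome","ResultType":"0"}
{"TimeGenerated":"2025-11-24T09:16:55Z","UserPrincipalName":"bob@example.com","IPAddress":"20.118.211.175","AppDisplayName":"Office 365 Exchange Online","ResultType":"50126"}
{"TimeGenerated":"2025-11-24T10:42:19Z","UserPrincipalName":"carol@example.com","IPAddress":"198.51.100.7","AppDisplayName":"OfficeHome","ResultType":"0"}
"""


def parse_events(jsonl: str) -> list:
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def match_iocs(events: list, iocs=IOC_IPS) -> list:
    """Return every event whose source IP is on the indicator list.

    This is the threat-intelligence feed match: one alert per event, so a
    failed sign-in (ResultType != "0") from a bad IP is still surfaced.
    """
    hits = []
    for ev in events:
        raw = ev.get("IPAddress")
        if not raw:
            continue
        try:
            ip = str(ipaddress.ip_address(raw))  # normalise before comparing
        except ValueError:
            continue  # malformed address in the log; not a match
        if ip in iocs:
            hits.append(ev)
    return hits


def pivot_on_ip(events: list, seed_ip: str) -> dict:
    """Pivot on one observed IP: which accounts did it touch, and which other
    source IPs did those accounts use? The other IPs are candidates for the
    next round of enrichment (for instance, checking whether they are also
    Azure VM addresses)."""
    accounts = {ev["UserPrincipalName"] for ev in events if ev.get("IPAddress") == seed_ip}
    related = defaultdict(set)
    for ev in events:
        upn = ev.get("UserPrincipalName")
        if upn in accounts and ev.get("IPAddress") != seed_ip:
            related[ev["IPAddress"]].add(upn)
    return {
        "accounts": sorted(accounts),
        "related_ips": {ip: sorted(users) for ip, users in related.items()},
    }


if __name__ == "__main__":
    events = parse_events(SAMPLE_SIGNIN_LOGS)
    for hit in match_iocs(events):
        print(f"ALERT TI match: {hit['IPAddress']} -> {hit['UserPrincipalName']} "
              f"({hit['AppDisplayName']}, result {hit['ResultType']})")
    print(pivot_on_ip(events, "20.78.32.88"))
```

The pivot step is deliberately separate from the match step: the feed match is what fires automatically on ingested logs, while the pivot is the analyst's follow-up that turns one confirmed address into a list of accounts and further addresses to investigate.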