How These Breaches Actually Happen
It helps to follow a realistic path rather than a list of controls. A member of staff receives an email with a link - a shared document, a voicemail notification, a security alert. The link does not lead to a crude fake; it leads to a reverse proxy under the attacker's control that sits invisibly between the user and the genuine login page. The user sees the real sign-in screen, enters their password, and approves the multi-factor prompt - and it all works, because the proxy is relaying every step to the real provider in real time. What the proxy quietly keeps is the prize: the authenticated session token the provider issues after multi-factor succeeds. The attacker replays that token and is now logged in as the user, multi-factor already satisfied, without ever knowing or needing the password. This is an adversary-in-the-middle attack, and it is the single most important reason that "we have MFA" is no longer the end of the conversation: push prompts, SMS, and authenticator-app codes are all defeated by it, and only phishing-resistant methods such as FIDO2 and passkeys, which refuse to authenticate to the wrong domain, reliably are not. From that first session an attacker rarely stops. They grant a malicious application consent to read mail and files, quietly acquiring a refresh token that survives the eventual password reset; they hunt for the over-privileged role or the exposed cloud credential that turns one mailbox into the whole tenant. Our assessment is built around exactly these chains - and, if you wish, we can demonstrate the opening move directly through a Social Engineering Assessment.