How SafeComs Helped an Energy Company Recover from a Sophisticated Phishing Attack

13 February, 2026

Industry: Energy

Location: Southeast Asia

Engagement: Forensic Investigation & PDPA Compliance Advisory

The Challenge

A leading energy company contacted SafeComs after detecting unusual sign-ins within its Microsoft 365 environment. Two employee accounts, one with administrative privileges, had been compromised, leading to concerns about unauthorized access and possible data leakage.

The company needed immediate forensic assistance to identify the source of the breach, assess the impact, and ensure compliance with Thailand’s Personal Data Protection Act (PDPA).

The Investigation

SafeComs’ forensic team quickly launched a full investigation using advanced analysis tools and verified forensic procedures.

Our experts discovered that the organization had been targeted by an Adversary-in-the-Middle (AiTM) phishing campaign designed to steal credentials and bypass traditional MFA protections.

The phishing email, disguised as a legitimate Zoom document invitation, redirected victims through trusted online platforms before reaching a fake Microsoft login page. Once the victims entered their credentials and MFA codes, the attackers gained full access to their Microsoft 365 sessions in real time.
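
A defender-side check for the pattern described above, as an added example that is not part of the original case study or SafeComs' tooling: it flags a session that reappears from a different IP address and client shortly after its first sign-in, which is how a relayed session tends to show up in sign-in logs. The record fields, the 30-minute window and the sample data are constructed assumptions, not the Microsoft 365 log schema.

```python
from datetime import datetime, timedelta

# Constructed sample records; field names are a simplified assumption,
# not the real Microsoft 365 sign-in log schema.
SIGNINS = [
    {"time": "2026-01-10T08:01:12", "user": "alice@example.com", "session": "s-100",
     "ip": "203.0.113.10", "country": "TH", "agent": "Edge/Windows"},
    {"time": "2026-01-10T08:40:03", "user": "alice@example.com", "session": "s-100",
     "ip": "203.0.113.10", "country": "TH", "agent": "Edge/Windows"},
    {"time": "2026-01-10T09:15:40", "user": "bob@example.com", "session": "s-200",
     "ip": "198.51.100.7", "country": "NL", "agent": "Chrome/Linux"},
    {"time": "2026-01-10T09:19:02", "user": "bob@example.com", "session": "s-200",
     "ip": "192.0.2.55", "country": "US", "agent": "Firefox/Windows"},
    # Same session and client on a new IP hours later: a laptop changing networks.
    {"time": "2026-01-10T17:30:00", "user": "alice@example.com", "session": "s-100",
     "ip": "203.0.113.99", "country": "TH", "agent": "Edge/Windows"},
]

def find_session_reuse(records, window=timedelta(minutes=30)):
    """Return one alert per session that is seen from a new IP *and* a new
    client within `window` of that session's first sign-in."""
    first = {}       # session id -> (timestamp, record) of first sighting
    flagged = set()  # sessions already alerted on
    alerts = []
    for rec in sorted(records, key=lambda r: r["time"]):
        ts = datetime.fromisoformat(rec["time"])
        if rec["session"] not in first:
            first[rec["session"]] = (ts, rec)
            continue
        t0, origin = first[rec["session"]]
        moved = rec["ip"] != origin["ip"] and rec["agent"] != origin["agent"]
        if moved and ts - t0 <= window and rec["session"] not in flagged:
            flagged.add(rec["session"])
            alerts.append({
                "user": rec["user"], "session": rec["session"],
                "first_ip": origin["ip"], "reuse_ip": rec["ip"],
                "countries": (origin["country"], rec["country"]),
                "gap_seconds": int((ts - t0).total_seconds()),
            })
    return alerts

if __name__ == "__main__":
    for alert in find_session_reuse(SIGNINS):
        print(alert)
```

A hit is a lead for review, not a verdict: VPN changes and mobile clients can produce the same pattern.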

Within hours of investigation, SafeComs:

  • Identified, reported and blacklisted the malicious domains and IPs used in the attack
  • Traced the timeline of the intrusion and verified that no sensitive data was exfiltrated
  • Removed unauthorized guest accounts and reset all affected credentials
  • Implemented new conditional-access and MFA protection measures

The Results

The investigation confirmed that no personal or client data had been stolen, and the incident was contained swiftly without operational disruption.

SafeComs also guided the client through a PDPA risk assessment, ensuring the company’s legal team had the necessary documentation to demonstrate compliance and due diligence without triggering unnecessary regulatory reporting.

Our Impact

✔ Rapid forensic response and incident containment

✔ Clear visibility into how the attack occurred and what was affected

✔ Strengthened authentication and email security policies

✔ Full PDPA compliance through a documented internal risk assessment

Key Takeaways

  • Even trusted platforms like Zoom and Amazon S3 can be weaponized in modern phishing attacks.
  • Traditional MFA is no longer enough. Organizations need phishing-resistant MFA such as FIDO2 or hardware keys.
  • A documented PDPA risk assessment protects organizations from legal uncertainty and shows accountability.
  • Maintaining a documented breach-assessment process reduces regulatory exposure and demonstrates accountability.

Contact us for more information at 02 105 4520 or [email protected]
