The Exploit: Anatomy of a Modern Cyber Heist Part 2: The Perfect Phish
5 min read
Justin Kirsch : May 26, 2025 2:30:00 PM
Third-party vendor breaches accounted for 30% of all data breaches in 2024, a 15% jump from the year before. Half of all organizations experienced a third-party cybersecurity incident last year. The SitusAMC breach in November 2025 proved the pattern: one compromised vendor exposed mortgage loan data tied to JPMorgan Chase, Citi, and Morgan Stanley.
In Part 2, Chad clicked a convincing phishing email and entered his credentials into a fake portal. But what NullGhost captured was far more valuable than a password.
This is Part 3 of a three-part series. Read Part 1: The Leak in the Shadows and Part 2: The Perfect Phish.
Chad's credentials were not just stolen. They were live-streamed.
When Chad clicked the link and entered his username and password, the phishing site did not store them for later use. It relayed every keystroke in real time to CYA Finance's actual login page.
The proxy page captured cookies, session tokens, and behavior patterns. When NullGhost accessed CYA Finance's systems later that night, they did not need to brute-force anything. To the firewall and the SSO provider, they were Chad.
NullGhost moved with deliberate restraint. No smash-and-grab. No immediate exfiltration.
They tested permissions. Probed weak points. Mapped internal systems. Indexed databases. Identified the assets that mattered: archived financial reports, vendor payment schedules, internal communications, unencrypted email backups.
Rather than pulling large files and triggering data loss prevention alerts, NullGhost copied small data segments and stored them in encrypted local caches. Extraction happened slowly, timed to blend with routine outbound traffic patterns.
They also created a hidden admin account with a name that mimicked a legitimate service account. This backdoor ensured persistent access even if Chad's credentials were revoked.
Session tokens made this possible. These unique digital keys authenticated Chad's session without requiring repeated password or MFA checks. NullGhost rode existing sessions, accessed systems during Chad's normal working hours, and mimicked his click patterns. Their behavior was indistinguishable from expected activity.
This was not a brute force breach. It was social engineering, session hijacking, and stealth operations combined into a single attack chain.
Chad logged in the next morning. Nothing appeared wrong. No password resets. No session lockouts. He was not even logged out.
Deep in the system logs, anomalies accumulated. Logins from unknown IP ranges. Elevated permission changes. Email forwarding rules created, then deleted. None of these individually triggered an alert.
Together, they painted a picture of quiet infiltration. But without behavioral analytics or anomaly correlation, each event looked routine.
This is the gap that kills. Roughly half of all mortgage firms do not regularly test their IT infrastructure for security weaknesses, according to 2025 industry research. That blind spot means a significant portion of the industry is not aware of its own vulnerabilities.
Deploy phishing-resistant authentication. Proxy-based attacks defeat SMS codes and authenticator app tokens. FIDO2 security keys and passkeys bind authentication to the legitimate domain. If the domain does not match, the key will not respond. This stops adversary-in-the-middle (AiTM) attacks at the source.
Implement behavioral analytics. Identity protection tools detect impossible logins, such as a user authenticated from two geographic locations minutes apart. They flag when credentials are used in ways that deviate from established patterns, even when the login technically succeeds.
Monitor session tokens and email rules. Stolen session tokens are the skeleton key of modern attacks. Monitor for token replay, unusual session durations, and email forwarding rule changes. Microsoft Defender for Identity tracks lateral movement and privilege escalation within the Microsoft 365 environment.
Audit service accounts continuously. NullGhost created a hidden admin account that mimicked a legitimate service account name. Regular audits of all accounts, especially those with elevated privileges, catch these backdoors. Automated alerts on new admin account creation are a minimum requirement.
Segment and encrypt sensitive data. If CYA Finance's email backups had been encrypted and access-controlled, NullGhost's slow exfiltration would have yielded nothing usable. Data segmentation limits blast radius. Encryption renders stolen files worthless without the keys.
CYA Finance had the basics: firewalls, quarterly password rotation, awareness training videos. Those measures belong to a threat landscape from ten years ago.
Modern attacks require modern defenses. The FTC Safeguards Rule now mandates nine core security requirements for mortgage lenders, including MFA for all system access, encryption at rest and in transit, and regular penetration testing. Fannie Mae's 2025 cybersecurity supplement requires lenders to report any cybersecurity incident within 36 hours of identification.
HUD's Mortgagee Letter 2024-10 raised the bar even higher: FHA lenders must report significant cybersecurity incidents within a 12-hour window of detection.
These requirements assume continuous monitoring, not quarterly check-ins. They assume behavioral analytics, not just perimeter defenses. They assume incident response plans that have been tested, not documents collecting dust.
Mortgage Workspace, backed by Access Business Technologies, delivers this level of security across 750+ financial institutions. The Guardian control layer runs on a pure Microsoft stack. No ConnectWise. No Kaseya. No SolarWinds. No third-party MSP platforms that add supply chain risk.
Guardian handles tenant hardening, conditional access enforcement, continuous compliance monitoring, and incident response. When SitusAMC was breached in November 2025, organizations running pure Microsoft stacks with proper session monitoring had zero exposure to the third-party MSP tool vulnerabilities that amplified that attack.
The clone did not just look like Chad's portal. It became him. The only defense is a security architecture that verifies not just who is logging in, but whether their behavior matches what is expected after login.
Session hijacking defeats standard MFA. Behavioral analytics and phishing-resistant authentication stop it. Contact Mortgage Workspace to deploy Guardian across your Microsoft 365 environment.
Session token hijacking occurs when an attacker captures the authenticated session cookie generated after a user logs in with valid credentials and MFA. The attacker uses a proxy-based phishing site that relays the victim's login in real time, intercepting the session token as it is created. With that token, the attacker can access all systems the victim is authorized to use without needing the password or MFA code again. They appear identical to the legitimate user in system logs.
FIDO2 security keys are hardware authentication devices that use public-key cryptography to verify both the user and the website. When a user attempts to log in, the key checks the domain of the login page before releasing credentials. If the domain does not match the registered site, the key refuses to authenticate. This makes adversary-in-the-middle proxy attacks impossible because the phishing site's domain will never match the legitimate domain registered with the key.
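The domain binding described here and in the recommendations above, as an added example that is not code from the article or from Mortgage Workspace: a stripped-down WebAuthn assertion flow in Python with the relying-party checks a server actually runs. All names are constructed (cyafinance.example as the relying party, cyafinance-login.example as the proxy's lookalike). The key's signature is stood in for with an HMAC so the block runs on the standard library alone; the bytes that are signed (authenticatorData, which starts with the hash of the rpId, followed by the hash of clientDataJSON, which carries the origin) are modelled as in the specification, and that structure is the point.

```python
import hashlib
import hmac
import json
import os

# Hypothetical relying party; "cyafinance.example" is a constructed name, not a real site.
RP_ID = "cyafinance.example"
ALLOWED_ORIGINS = {"https://" + RP_ID}

# Stand-in for the credential key pair: HMAC-SHA256 with a secret that only the
# simulated authenticator and the verifier hold. A real FIDO2 key signs with an
# asymmetric key (typically ECDSA P-256) and the server holds only the public half.
AUTHENTICATOR_SECRET = os.urandom(32)
# Registration bound the credential to one rpId; the key holds nothing for any other.
REGISTERED_RP_IDS = {RP_ID}


def authenticator_sign(rp_id, client_data_json):
    """Security-key side: sign authenticatorData || SHA-256(clientDataJSON)."""
    if rp_id not in REGISTERED_RP_IDS:
        return None  # no credential for this rpId: the key does not respond at all
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x05"  # UP | UV: user present and user verified
    auth_data = rp_id_hash + flags + (1).to_bytes(4, "big")  # trailing signature counter
    signed_bytes = auth_data + hashlib.sha256(client_data_json).digest()
    signature = hmac.new(AUTHENTICATOR_SECRET, signed_bytes, hashlib.sha256).digest()
    return auth_data, signature


def browser_ceremony(page_origin, challenge):
    """Browser side: the origin written into clientDataJSON is the page the user is
    really on, and rpId is derived from it. Neither is chosen by the page's script."""
    rp_id = page_origin.removeprefix("https://")
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    result = authenticator_sign(rp_id, client_data_json)
    return None if result is None else (client_data_json, *result)


def verify_assertion(expected_challenge, client_data_json, auth_data, signature):
    """Relying-party checks, in the order a server runs them. Returns (ok, reason)."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    # The origin check is what makes a proxied login fail: the browser, not the
    # relaying site, wrote this field, and the signature covers it.
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    signed_bytes = auth_data + hashlib.sha256(client_data_json).digest()
    expected = hmac.new(AUTHENTICATOR_SECRET, signed_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "signature invalid"
    return True, "ok"


def run_scenarios():
    """A genuine login, then what a relaying proxy is left with when a key is in use."""
    results = {}
    # 1. User on the real site: every check passes.
    chal = "chal-001"
    client_data_json, auth_data, signature = browser_ceremony("https://" + RP_ID, chal)
    results["genuine"] = verify_assertion(chal, client_data_json, auth_data, signature)
    # 2. User on the lookalike page: the key has no credential for that rpId and
    #    produces nothing, so there is nothing to relay.
    results["lookalike_page"] = browser_ceremony("https://cyafinance-login.example", "chal-002")
    # 3. A captured genuine assertion presented against a fresh server challenge.
    results["replay"] = verify_assertion("chal-003", client_data_json, auth_data, signature)
    # 4. clientDataJSON rewritten to the fresh challenge and real origin, captured
    #    signature reused: the hash of clientDataJSON no longer matches what was signed.
    forged = json.dumps({"type": "webauthn.get", "challenge": "chal-003",
                         "origin": "https://" + RP_ID}, separators=(",", ":")).encode()
    results["forged_client_data"] = verify_assertion("chal-003", forged, auth_data, signature)
    # 5. An assertion whose origin field names the proxy's own domain.
    foreign = json.dumps({"type": "webauthn.get", "challenge": "chal-003",
                          "origin": "https://cyafinance-login.example"}, separators=(",", ":")).encode()
    results["foreign_origin"] = verify_assertion("chal-003", foreign, auth_data, signature)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} -> {outcome}")
```

Scenario 2 is the one the article describes: on a domain the key was never registered for, the key stays silent. Scenarios 3 to 5 show why a server must still run every check in `verify_assertion` rather than trusting the origin field alone: the challenge stops replay, and the signature over the clientDataJSON hash stops rewriting the origin or challenge after the fact.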
HUD's Mortgagee Letter 2024-10 requires FHA-approved mortgage lenders to report significant cybersecurity incidents to HUD within 12 hours of detection. This applies to ransomware attacks, denial of service events, business email compromise, and any incident that affects services or loan operations. Fannie Mae's separate cybersecurity supplement requires reporting within 36 hours. Both requirements demand that lenders have real-time monitoring and incident response plans already operational.
Behavioral analytics would have flagged several anomalies during the cloned session: a login from an unfamiliar IP address or geographic location immediately following a legitimate session, access patterns that deviated from the user's established baseline such as accessing admin portals they rarely visit, and bulk data export activity that exceeded normal usage thresholds. Microsoft Entra ID Protection assigns risk scores to sign-ins based on these signals. Combined with continuous access evaluation policies that revoke tokens in real time when risk scores spike, the attacker's cloned session would have been terminated within minutes rather than running for hours undetected.
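The point made in the narrative, that each logged anomaly looked routine on its own and only the cluster told the story, together with the monitoring recommendations (impossible travel, token replay, forwarding-rule changes, new admin accounts, bulk export), as an added example that is not code from the article, Mortgage Workspace or Microsoft: a small correlation pass in Python over constructed sign-in and audit records. Every user name, IP, coordinate, baseline and weight here is made up for the example; the field names only loosely follow Entra ID sign-in and Microsoft 365 audit records.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample records (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = """\
{"ts":"2025-05-20T09:02:00Z","user":"chad","type":"SignIn","ip":"203.0.113.10","session":"S1"}
{"ts":"2025-05-20T09:41:00Z","user":"chad","type":"SignIn","ip":"198.51.100.7","session":"S1"}
{"ts":"2025-05-20T10:05:00Z","user":"chad","type":"ForwardingRuleCreated","rule":"inbox-to-external"}
{"ts":"2025-05-20T10:20:00Z","user":"chad","type":"AdminRoleAssigned","target":"svc-backup-sync"}
{"ts":"2025-05-20T10:35:00Z","user":"chad","type":"ForwardingRuleDeleted","rule":"inbox-to-external"}
{"ts":"2025-05-20T11:00:00Z","user":"chad","type":"Export","bytes":120000000}
{"ts":"2025-05-20T09:10:00Z","user":"dana","type":"SignIn","ip":"203.0.113.22","session":"S9"}
{"ts":"2025-05-20T11:30:00Z","user":"dana","type":"Export","bytes":4000000}
"""

# Constructed IP-to-coordinates table standing in for a GeoIP lookup (lat, lon).
GEO = {
    "203.0.113.10": (39.74, -104.99),  # corporate office range
    "203.0.113.22": (39.74, -104.99),
    "198.51.100.7": (52.37, 4.90),     # range this user has never signed in from
}
# Constructed per-user daily export baseline, in bytes.
EXPORT_BASELINE = {"chad": 5_000_000, "dana": 5_000_000}

MAX_PLAUSIBLE_KMH = 900  # implied speed above this between sign-ins is not travel
ALERT_THRESHOLD = 60     # no single signal reaches it; a cluster does
SIGNAL_WEIGHTS = {
    "impossible_travel": 25,
    "session_token_reuse": 25,
    "forwarding_rule_churn": 20,
    "admin_role_assigned": 20,
    "export_volume_anomaly": 20,
}


def haversine_km(a, b):
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def impossible_travel(signins):
    """Consecutive sign-ins whose implied speed no traveller could reach."""
    found = []
    for prev, cur in zip(signins, signins[1:]):
        if prev["ip"] in GEO and cur["ip"] in GEO:
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(GEO[prev["ip"]], GEO[cur["ip"]])
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                found.append("impossible_travel")
    return found


def token_reuse(signins):
    """One session token presented from more than one source IP: a replayed
    token rather than a fresh authentication."""
    ips = defaultdict(set)
    for s in signins:
        ips[s["session"]].add(s["ip"])
    return ["session_token_reuse" for seen in ips.values() if len(seen) > 1]


def forwarding_churn(events, window=timedelta(hours=1)):
    """A forwarding rule created and removed again within the window."""
    created, found = {}, []
    for e in events:
        if e["type"] == "ForwardingRuleCreated":
            created[e["rule"]] = e["ts"]
        elif e["type"] == "ForwardingRuleDeleted" and e["rule"] in created:
            if e["ts"] - created.pop(e["rule"]) <= window:
                found.append("forwarding_rule_churn")
    return found


def privileged_changes(events):
    """Any new admin role assignment is reviewed, whatever the account is called."""
    return ["admin_role_assigned" for e in events if e["type"] == "AdminRoleAssigned"]


def export_anomaly(events, user, multiplier=5):
    total = sum(e["bytes"] for e in events if e["type"] == "Export")
    baseline = EXPORT_BASELINE.get(user, 0)
    return ["export_volume_anomaly"] if baseline and total > multiplier * baseline else []


def correlate(text):
    """Score each user's signals together; alert when the cluster crosses the threshold."""
    by_user = defaultdict(list)
    for e in parse_events(text):
        by_user[e["user"]].append(e)
    report = {}
    for user, evs in by_user.items():
        signins = [e for e in evs if e["type"] == "SignIn"]
        findings = (impossible_travel(signins) + token_reuse(signins) + forwarding_churn(evs)
                    + privileged_changes(evs) + export_anomaly(evs, user))
        score = sum(SIGNAL_WEIGHTS[f] for f in findings)
        report[user] = {"score": score, "findings": findings, "alert": score >= ALERT_THRESHOLD}
    return report


if __name__ == "__main__":
    for user, result in correlate(SAMPLE_EVENTS).items():
        print(user, result)
```

With these constructed weights, each signal on its own stays under the alert threshold, which is the "individually routine" condition from the narrative; the same five signals on one account in one morning score 110 and alert. A product such as Entra ID Protection does the equivalent with far richer signals, but the shape is the same: score per identity, correlate across log sources, and act on the aggregate rather than on any single event.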