// investigation guide

account takeover (ATO) — methodology

account takeover is not a single failed login. it is a chain — spray or phish, MFA bypass (push fatigue or SIM swap), password reset, session persistence, then exfil via mailbox rules or cloud token abuse. evidence lives in IdP logs, unified audit, carrier records, and the victim endpoint. the containment window is hours, not days.

what evidence exists and how fast it dies

artifact                                   | volatility               | time to loss
active IdP session / refresh tokens        | volatile                 | minutes after revoke · attacker may already have mail sync
Okta / Entra sign-in & system logs         | rolling                  | Okta system log 90 days · Entra sign-in logs 7 days free, 30 days with P1/P2 · longer only if streamed to a SIEM or Log Analytics
M365 unified audit log                     | rolling                  | 180 days default for Audit (Standard) · 1 year with Audit (Premium) / E5 · 10 years with the retention add-on
mailbox rules (live mailbox)               | persistent until deleted | the rule survives · when it was created and from which IP exists only in the audit log
carrier SIM / ICCID change record          | persistent at carrier    | subpoena latency · export at triage if you have portal access
VPN auth logs                              | rolling                  | 30–90 days typical per appliance
browser session / saved creds on endpoint  | volatile                 | lost on reimage · capture before wipe

the first 10 minutes

  1. revoke all active sessions for the victim account in the IdP (Okta / Entra). do not wait for root cause. already-issued access tokens keep working until they expire (roughly an hour in Entra unless continuous access evaluation is on), so keep watching the mailbox during that hour.
  2. force a password reset and invalidate refresh tokens.
  3. disable or reset MFA factors on the account and re-enroll on a factor the attacker cannot receive (authenticator app or FIDO2 key, not SMS to the same line). assume SIM or device compromise.
  4. export unified audit and sign-in logs for the victim: the full retention period, 30 days minimum.
  5. export mailbox rules for the victim mailbox: Get-InboxRule -IncludeHidden from Exchange Online PowerShell for the server-side rules, plus the outlook rules.dat from the endpoint if it is in hand.
  6. check for new OAuth app consents or enterprise app grants in the last 60 days.
  7. pull VPN auth logs for the victim username and correlate against the spray source IPs.
  8. if SMS MFA: open a carrier ticket for SIM swap / port inquiry on the victim line.
  9. preserve the victim endpoint. do not reimage until session artifacts are captured.
  10. begin the path below.

the path

  1. password spray detector

    drop vpn or IdP auth logs (csv/json). surfaces spray bursts, lockouts, and success-after-failure on the victim account.
    why first: the spray or stuffing run often precedes the takeover by days. you need that window before you can read a single 'successful login' correctly.

  2. okta log analyzer

    okta system log export. flags MFA push fatigue, new device trust, impossible travel, and Tor/VPN exits.
    why second: the IdP log is the spine for SaaS-first orgs. session creation precedes mailbox and cloud abuse.

  3. sim swap artifact forensic detector

    carrier CSR export or ICCID change artifact. correlates SIM swap timing with MFA reset or push approval.
    why third: SMS/voice MFA bypass via SIM swap is a common false negative if you only read Okta. check the carrier trail.

  4. o365 audit log parser

    unified audit log csv/json. quick parse of UserLoggedIn, MailItemsAccessed, UpdateInboxRules, and password reset events.
    why fourth: fast triage pass on M365 before the deeper analyzers. find the takeover minute and the rule creation.

  5. office365 audit log analyzer

    deeper UAL correlation: session, mailbox, and SharePoint/OneDrive access in one timeline.
    why fifth: exfil often lives in SharePoint downloads or mailbox sync, not just sign-in.

  6. microsoft365 audit log analyzer

    cross-workload M365 view: Entra, Exchange, and Teams signals where the exports overlap.
    why sixth: attackers pivot across workloads; one analyzer may miss Teams or Entra-only events.

  7. mail rule parser

    outlook rules.dat or msgFilterRules export. flags external forward, delete-on-arrival, and mark-read rules.
    why seventh: hidden inbox rules are the persistence layer, often created minutes after the password reset.

  8. credential artifact scanner

    browser session dump, lsass-adjacent exports, or saved password stores from the victim endpoint.
    why last: confirms whether the victim machine still holds live tokens after the IdP session revoke.
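what step 1 of the path looks like in code, as an added example rather than one of the analyzers above: a spray-burst detector plus a success-after-failure check over a small auth export. the csv columns (timestamp, user, src_ip, result), the thresholds, the sample rows and the username vp.finance are all constructed for the example and not taken from any real export.

```python
"""spray-then-takeover triage over an auth log export (IdP or VPN).

added example, not one of the page's analyzers. the csv columns, the
thresholds and the sample rows below are assumptions for the example.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# constructed sample export: one row per auth attempt, UTC timestamps.
# 03-04: one IP walks seven users in 20 seconds (spray); the victim's 09:15 login is legitimate.
# 03-06: the same IP comes back for the victim only and succeeds on the third try.
SAMPLE_AUTH_CSV = """timestamp,user,src_ip,result
2024-03-04T02:00:01Z,a.chen,203.0.113.7,FAILURE
2024-03-04T02:00:03Z,b.ortiz,203.0.113.7,FAILURE
2024-03-04T02:00:05Z,c.dube,203.0.113.7,FAILURE
2024-03-04T02:00:09Z,d.ivanov,203.0.113.7,FAILURE
2024-03-04T02:00:12Z,e.park,203.0.113.7,FAILURE
2024-03-04T02:00:15Z,vp.finance,203.0.113.7,FAILURE
2024-03-04T02:00:20Z,f.nakamura,203.0.113.7,FAILURE
2024-03-04T09:15:00Z,vp.finance,198.51.100.20,SUCCESS
2024-03-06T02:10:00Z,vp.finance,203.0.113.7,FAILURE
2024-03-06T02:10:04Z,vp.finance,203.0.113.7,FAILURE
2024-03-06T02:10:09Z,vp.finance,203.0.113.7,SUCCESS
2024-03-06T14:00:00Z,a.chen,198.51.100.21,SUCCESS
"""

SPRAY_WINDOW = timedelta(minutes=10)   # failures from one IP this close together form one burst
SPRAY_MIN_USERS = 5                     # distinct users inside a burst before we call it a spray
SUCCESS_LOOKBACK = timedelta(hours=1)   # failures this close before a success make the success suspect


def parse_auth_log(text):
    """csv text -> events sorted by time, with an aware datetime in 'ts'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        row["result"] = row["result"].strip().upper()
        events.append(row)
    return sorted(events, key=lambda e: e["ts"])


def find_spray_bursts(events, window=SPRAY_WINDOW, min_users=SPRAY_MIN_USERS):
    """per source IP, slide a window over its failures and keep windows with many distinct users."""
    failures_by_ip = defaultdict(list)
    for e in events:                      # events are already time-sorted
        if e["result"] == "FAILURE":
            failures_by_ip[e["src_ip"]].append(e)
    bursts = []
    for ip, fails in failures_by_ip.items():
        i = 0
        while i < len(fails):
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            users = {e["user"] for e in fails[i:j + 1]}
            if len(users) >= min_users:
                bursts.append({"src_ip": ip, "start": fails[i]["ts"], "end": fails[j]["ts"],
                               "distinct_users": len(users), "users": sorted(users)})
                i = j + 1                 # do not report the same burst again from its second row
            else:
                i += 1
    return bursts


def success_after_failure(events, user, spray_ips=frozenset(),
                          lookback=SUCCESS_LOOKBACK, min_failures=2):
    """successes for `user` that follow repeated failures inside `lookback`."""
    mine = [e for e in events if e["user"] == user]
    hits = []
    for idx, e in enumerate(mine):
        if e["result"] != "SUCCESS":
            continue
        prior = [p for p in mine[:idx] if p["result"] == "FAILURE" and e["ts"] - p["ts"] <= lookback]
        if len(prior) >= min_failures:
            hits.append({"ts": e["ts"], "src_ip": e["src_ip"], "prior_failures": len(prior),
                         "failure_ips": sorted({p["src_ip"] for p in prior}),
                         "from_spray_ip": e["src_ip"] in spray_ips})
    return hits


def triage(text, victim):
    """one pass: spray bursts, when a spray first touched the victim, and suspect successes."""
    events = parse_auth_log(text)
    bursts = find_spray_bursts(events)
    victim_bursts = [b for b in bursts if victim in b["users"]]
    return {
        "bursts": bursts,
        "first_spray_on_victim": min((b["start"] for b in victim_bursts), default=None),
        "suspect_successes": success_after_failure(events, victim, {b["src_ip"] for b in bursts}),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_AUTH_CSV, "vp.finance")
    for b in report["bursts"]:
        print(f"spray  {b['src_ip']}  {b['start']:%Y-%m-%d %H:%M:%S}Z  {b['distinct_users']} users")
    print("first spray touching victim:", report["first_spray_on_victim"])
    for h in report["suspect_successes"]:
        print(f"suspect success {h['ts']:%Y-%m-%d %H:%M:%S}Z from {h['src_ip']} "
              f"after {h['prior_failures']} failures, spray ip={h['from_spray_ip']}")
```

on the sample, the 09:15 login on 03-04 is not flagged (no failures in the preceding hour) while the 03-06 success is, and the spray that first touched the victim is dated two days earlier, which is the window the "why first" note is about. the 5-users-in-10-minutes threshold is a starting point; tune it against your own failed-login baseline, and treat a success from an IP that appears in a burst as the strongest single signal.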

common false leads

  • one successful login from a new city — travel happens; correlate with spray, SIM swap, and rule creation in the same hour.
  • MFA was enabled so we are safe — push fatigue and SIM swap defeat the second factor after the password is already known from a spray or a prior breach; MFA in front of a sprayed password is exactly the setup these techniques are built for.
  • the user clicked a link — ATO often has no phish; credential stuffing from prior breaches is enough.
  • no malware on the laptop — cloud-only takeover leaves the endpoint clean while mail and files leave.
  • sign-in from a datacenter IP is a VPN — validate against your VPN egress list; Tor exits look similar.
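the correlation behind the first false lead (a new-city login means nothing alone, but login + password reset + hidden forwarding rule in one hour is the takeover minute), together with the rule checks the mail rule parser step describes, as an added example that is not one of the page's analyzers. records are JSON lines in a cut-down UAL shape (CreationTime, Operation, UserId, ClientIP, and the Parameters Name/Value list that Exchange cmdlet audit records carry); the Country field is assumed to have been added by GeoIP enrichment, and the home-country list, the internal domain, the 60-minute window and every sample record are constructed.

```python
"""takeover-window correlation over a simplified unified audit log export.

added example, not one of the page's analyzers. records are JSON lines in a
cut-down UAL shape; the Country field is an assumed GeoIP enrichment, and the
home-country list, internal domains and 60-minute window are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

INTERNAL_DOMAINS = {"meridian.example"}   # assumption: the tenant's own mail domains
HOME_COUNTRIES = {"US"}                    # assumption: where this user normally signs in
CLUSTER_WINDOW = timedelta(minutes=60)     # signals this close together are read as one episode

_USER = "vp.finance@meridian.example"
# constructed sample export, not real tenant data
SAMPLE_UAL = "\n".join(json.dumps(r) for r in [
    # real travel: a foreign login with nothing else that hour
    {"CreationTime": "2024-03-01T13:05:00", "Operation": "UserLoggedIn", "UserId": _USER,
     "ClientIP": "198.51.100.20", "Country": "FR"},
    # benign rule the user made: internal move, descriptive name
    {"CreationTime": "2024-03-05T17:00:00", "Operation": "New-InboxRule", "UserId": _USER,
     "ClientIP": "198.51.100.20", "Country": "US",
     "Parameters": [{"Name": "Name", "Value": "invoices"}, {"Name": "MoveToFolder", "Value": "Invoices"}]},
    # the takeover: login, reset, hidden external forward, then mail read, all inside 30 minutes
    {"CreationTime": "2024-03-06T02:10:09", "Operation": "UserLoggedIn", "UserId": _USER,
     "ClientIP": "203.0.113.7", "Country": "NL"},
    {"CreationTime": "2024-03-06T02:14:30", "Operation": "Reset user password.", "UserId": _USER,
     "ClientIP": "203.0.113.7", "Country": "NL"},
    {"CreationTime": "2024-03-06T02:18:02", "Operation": "New-InboxRule", "UserId": _USER,
     "ClientIP": "203.0.113.7", "Country": "NL",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "archive.mb@mail-relay.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-03-06T02:40:11", "Operation": "MailItemsAccessed", "UserId": _USER,
     "ClientIP": "203.0.113.7", "Country": "NL"},
])


def rule_signals(params):
    """flags for one inbox-rule parameter list: external forward, delete, mark-read, hidden name."""
    p = {x["Name"]: x["Value"] for x in params}
    flags = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        target = p.get(key)
        if target and target.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            flags.append(f"external_forward:{target}")
    if str(p.get("DeleteMessage", "")).lower() == "true":
        flags.append("delete_on_arrival")
    if str(p.get("MarkAsRead", "")).lower() == "true":
        flags.append("mark_read")
    if len(p.get("Name", "").strip(" .")) <= 1:      # ".", " " or "" are classic hidden-rule names
        flags.append("hidden_name")
    return flags


def extract_signals(records):
    """(ts, kind, detail) tuples for the events that matter to an ATO timeline."""
    signals = []
    for r in records:
        ts = datetime.strptime(r["CreationTime"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        op = r["Operation"]
        country = r.get("Country")
        if op == "UserLoggedIn" and country and country not in HOME_COUNTRIES:
            signals.append((ts, "new_location_login", f"{r['ClientIP']} ({country})"))
        elif op in ("Reset user password.", "Change user password."):
            signals.append((ts, "password_reset", r["ClientIP"]))
        elif op in ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules"):
            for flag in rule_signals(r.get("Parameters", [])):
                signals.append((ts, "inbox_rule:" + flag, r["ClientIP"]))
        elif op == "MailItemsAccessed":
            signals.append((ts, "mail_access", r["ClientIP"]))
    return sorted(signals)


def cluster(signals, window=CLUSTER_WINDOW):
    """group time-sorted signals that fall within `window` of the group's first signal."""
    groups = []
    for s in signals:
        if groups and s[0] - groups[-1][0][0] <= window:
            groups[-1].append(s)
        else:
            groups.append([s])
    return groups


def takeover_windows(text, min_kinds=3, window=CLUSTER_WINDOW):
    """clusters with at least `min_kinds` distinct signal kinds. a lone new-city
    login never qualifies; login + reset + rule inside an hour does."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    windows = []
    for group in cluster(extract_signals(records), window):
        kinds = sorted({kind.split(":", 1)[0] for _, kind, _ in group})
        if len(kinds) >= min_kinds:
            windows.append({"start": group[0][0], "end": group[-1][0], "kinds": kinds, "signals": group})
    return windows


if __name__ == "__main__":
    for w in takeover_windows(SAMPLE_UAL):
        print(f"takeover window {w['start']:%Y-%m-%d %H:%M:%S}Z .. {w['end']:%H:%M:%S}Z  kinds={w['kinds']}")
        for ts, kind, detail in w["signals"]:
            print(f"  {ts:%H:%M:%S}Z  {kind:<45} {detail}")
```

the 03-01 French login produces one signal and no window, which is the point of the false lead; the 03-06 cluster produces a four-kind window whose start is the takeover minute. the real UAL nests most of these fields (Exchange mailbox audits put rule parameters under OperationProperties, Entra events carry the actor and target separately), so the extract step is where a production version needs per-workload handling; the clustering and rule checks carry over unchanged.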

what we can tell you, what we can't

we can tell you:

  • spray vs targeted login patterns from auth exports
  • MFA fatigue and session anomaly indicators from IdP logs
  • mailbox rule persistence and external forward targets
  • UAL timeline of password reset, rule creation, and data access
  • carrier-side SIM swap timing when CSR exports are in scope

we can't tell you:

  • whether funds were stolen — that depends on what the actor did after mail access
  • attribution to a named threat group — intel and law enforcement territory
  • whether the victim violated policy — HR and counsel territory
  • live revocation in your tenant — you must act in admin consoles; these tools analyze exports only

handing it off

  • law enforcement (FBI IC3): IdP + UAL exports, mailbox rule dump, spray source IPs, carrier SIM record, timeline UTC.
  • identity / IT: session revoke confirmation, MFA reset log, OAuth consent review, affected downstream SaaS inventory.
  • outside counsel: preservation log — export sha-256, who pulled what, when.
  • carrier: ICCID change timestamp, port request metadata, account PIN change events.

further reading

reference investigation

synthetic fixture meridian-ato — VP finance takeover via spray, SIM swap, Okta MFA fatigue, and hidden external forward, seed meridian-ato:v1. download evidence and compare output to published goldens via npm run check:flagship.

proof page: /forensics/proof/meridian-ato · fixture download: evidence zip · case playbook: case type tools
