PASSED: security / mfa_bypass_sim_swap

MFA Bypass via SIM Swap — Executive Account Takeover

An attacker performs a SIM swap attack on the CEO's mobile carrier to intercept SMS-based MFA codes. Using previously phished credentials and the intercepted MFA codes, the attacker gains access to the CEO's email, financial systems, and wire transfer approval authority. The attacker initiates a fraudulent wire transfer for $2.4M.

Pattern
UNKNOWN
Severity
CRITICAL
Confidence
95%
Remediation
Remote Hands

Test Results

Metric               | Expected     | Actual                                                              | Result
Pattern Recognition  | UNKNOWN      | UNKNOWN                                                             |
Severity Assessment  | CRITICAL     | CRITICAL                                                            |
Incident Correlation | Yes          | 42 linked                                                           |
Cascade Escalation   | Yes          | Yes                                                                 |
Remediation          | Remote Hands | Remote Hands — Corax contacts on-site support via call, email, or API |

Scenario Conditions

CEO account protected by SMS-based MFA only. SIM swap performed on carrier. Credentials previously obtained via spear phishing. Access to email (M365), banking portal, and ERP system. Wire transfer approval: $5M single-signer authority. Attack executed during CEO's international travel.

Injected Error Messages (3)

M365 suspicious sign-in detected — CEO account ceo@acmecorp.com authenticated from new device in Lagos, Nigeria (CEO traveling in London), Entra ID risk level: HIGH, impossible travel detected (London to Lagos in 12 minutes), MFA satisfied via SMS code (SIM swap suspected), 47 emails accessed including wire transfer approval threads, inbox rule created: forward all from finance@acmecorp.com to external address
Fraudulent wire transfer initiated — treasury portal login from unrecognized IP 41.203.67.x (Nigeria), CEO credentials + SMS MFA used, wire transfer request: $2,400,000 to account at First City Monument Bank (FCMB), beneficiary name mismatch from normal payees, transaction flagged by anomaly detection but auto-approved under CEO's $5M single-signer authority, ACH origination in progress
Okta anomaly: CEO account MFA factor changed — SMS MFA responses coming from different device ID than enrolled phone, carrier SIM swap detected (phone number ported to new SIM at 02:14 UTC), push notification MFA not configured (SMS only), 6 successful authentications in 2 hours from Nigerian IP range, concurrent sessions: 4 (normal: 1), password reset attempt blocked by conditional access policy

Neural Engine Root Cause Analysis

This is a security incident, not a technical system failure. The CEO's Microsoft 365 account has been compromised through a suspected SIM swap attack, allowing unauthorized access from Lagos, Nigeria while the CEO is in London. The attacker satisfied MFA via SMS, accessed sensitive emails including wire transfer communications, and created a forwarding rule to exfiltrate ongoing financial correspondence. The 16 correlated incidents likely represent cascading security alerts and system lockdowns triggered by this breach.

Remediation Plan

1. Immediately disable the compromised CEO account (ceo@acmecorp.com)
2. Reset all authentication methods and revoke all active sessions
3. Remove the malicious inbox rule forwarding emails to an external address
4. Notify the CEO via an alternate communication channel about the breach
5. Contact the mobile carrier to investigate the suspected SIM swap
6. Review and secure all accessed emails, especially wire transfer threads
7. Notify relevant stakeholders about potential financial fraud attempts
8. Implement conditional access policies requiring hardware-based MFA
9. Conduct a full security audit of executive accounts
10. File an incident report with appropriate authorities if financial fraud was attempted

Tested: 2026-03-30 | Monitors: 3 | Incidents: 3 | Test ID: cmncjwh8v05bzobqea0hirpqn