A growing trend?

Multi-Actor Intrusion: When Not One but Two Attackers Operate in the Network


A phishing incident, a compromised mailbox, and suddenly two completely independent attackers with different objectives. What sounds like an exceptional case could be a growing trend: multi-actor intrusion attacks.

Two Attackers, One Environment, Different Intentions

Recently, Eye Security investigated what initially seemed like a routine phishing incident. A look into the logs revealed a surprising pattern: the first attacker gained access via an Adversary-in-the-Middle (AiTM) attack. His first action was to set up inbox rules to send phishing emails to hundreds of contacts, spreading the attack rapidly across the organization.


But that wasn't all. A few days later, a second attacker appeared in the same environment, using different infrastructure and different methods. Instead of focusing on distribution, he read emails and accessed internal documents.

Two intruders with different goals: one wants to spread, the other wants to collect.

Why Multi-Actor Intrusion Is Particularly Dangerous

The greatest danger lies in the coexistence of activities. While one attacker acts loudly (mass phishing email distribution), the other remains quiet (data exfiltration). Security teams risk seeing only the loud attack – and overlooking the quiet, often more dangerous one.


Additionally, an initial access can be sold or passed on multiple times. Initial Access Brokers specialize in obtaining access and selling it to various actors with completely different motives.

What Can Companies Do?

1. Maximize logging

Without detailed logs, multi-actor attacks remain invisible. Exchange and Entra ID (formerly Azure AD) logs in particular must be retained long enough and in sufficient depth.

2. Recognize temporal patterns

A single compromised account can be used for weeks from different IPs and with different user agents. Regular reviews of login activity outside normal hours are essential.

3. Monitor inbox rules

Rules that automatically move, delete, or forward emails are a classic indicator of malicious activity. Automated alerts on new, suspicious rules help with early detection.

4. Avoid tunnel vision on the first attacker

Once a compromise is identified, the investigation should not end with the first discovered actor. The question must be: Are there signs of additional independent activities?

5. Implement MFA correctly

AiTM attacks can intercept even MFA sessions. Phishing-resistant methods such as FIDO2 security keys or certificate-based authentication help here.
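The recommendations above (temporal patterns, inbox rules, separating parallel traces) can be turned into a small triage routine. The following is an added example, not code from Eye Security or from the article; it runs over constructed audit events with a simplified schema and hypothetical IPs, user agents and timestamps, and groups activity on one compromised mailbox by (IP, user agent) so that a "loud" spreading actor and a "quiet" collecting actor show up as separate traces.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events for one compromised mailbox (hypothetical
# IPs, user agents and timestamps; a simplified schema, not the real
# Entra ID / Exchange log format).
EVENTS = [
    {"ts": "2025-03-03T08:12:00", "ip": "203.0.113.10", "ua": "Mozilla/5.0 Windows", "op": "UserLoggedIn"},
    {"ts": "2025-03-03T08:15:00", "ip": "203.0.113.10", "ua": "Mozilla/5.0 Windows", "op": "New-InboxRule",
     "rule": {"DeleteMessage": True, "SubjectContainsWords": "invoice"}},
    {"ts": "2025-03-03T08:20:00", "ip": "203.0.113.10", "ua": "Mozilla/5.0 Windows", "op": "Send", "count": 300},
    {"ts": "2025-03-07T02:40:00", "ip": "198.51.100.7", "ua": "python-requests/2.31", "op": "UserLoggedIn"},
    {"ts": "2025-03-07T02:45:00", "ip": "198.51.100.7", "ua": "python-requests/2.31", "op": "MailItemsAccessed", "count": 120},
    {"ts": "2025-03-07T03:10:00", "ip": "198.51.100.7", "ua": "python-requests/2.31", "op": "FileDownloaded", "count": 14},
]

# Rule actions that hide or divert mail: classic BEC indicators.
SUSPICIOUS_RULE_ACTIONS = {"DeleteMessage", "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "MoveToFolder"}
LOUD_OPS = {"Send", "New-InboxRule"}                  # spreading
QUIET_OPS = {"MailItemsAccessed", "FileDownloaded"}   # collecting

def cluster_traces(events):
    """Group events by (ip, user agent): one cluster per independent actor trace."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["ip"], e["ua"])].append(e)
    traces = []
    for (ip, ua), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        ops = {e["op"] for e in evs}
        profile = "loud" if ops & LOUD_OPS else "quiet" if ops & QUIET_OPS else "unknown"
        traces.append({"ip": ip, "ua": ua, "first": evs[0]["ts"], "last": evs[-1]["ts"],
                       "ops": sorted(ops), "profile": profile})
    return sorted(traces, key=lambda t: t["first"])

def suspicious_rules(events):
    """Return inbox-rule events whose actions delete, move or forward mail."""
    return [e for e in events if e["op"] == "New-InboxRule"
            and SUSPICIOUS_RULE_ACTIONS & set(e["rule"])]

def off_hours(events, start=7, end=19):
    """Return events whose local hour falls outside the business window [start, end)."""
    return [e for e in events if not start <= datetime.fromisoformat(e["ts"]).hour < end]

if __name__ == "__main__":
    for t in cluster_traces(EVENTS):
        print(f"{t['profile']:7} {t['ip']:14} {t['ua']:22} {t['first']} .. {t['last']} {t['ops']}")
    print("suspicious rules:", len(suspicious_rules(EVENTS)), "off-hours events:", len(off_hours(EVENTS)))
```

Each trace should be triaged on its own; a closed ticket for the loud trace says nothing about the quiet one.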

Conclusion: From Lone Actor to Organized Parallelism

Multi-actor intrusions challenge traditional incident response processes. The old mindset of “one incident, one attacker” is dangerously naive. Security teams must learn to recognize parallel traces, separate them, and defend against different objectives.

On April 21, Eye Security will walk interested participants through this specific case step by step: how the access was achieved, how it was maintained, and which signals were overlooked.

Webinar: "Multi-Actor Intrusion in Business Email Compromise"

Ulrich Parthier

Publisher of it management and it security

IT Verlag GmbH
