Cyber threats continue to evolve, and staying ahead requires vigilance and the right security measures. At CyberStreams, we have always prioritized real-world value over unnecessary upsells. That’s why we’ve been selective about the security solutions we integrate into our Business Technology Optimization platform. Recently, we partnered with a service provider offering real-time protection for Microsoft 365, Azure Active Directory, and Entra ID. This decision quickly proved its worth when an attempted breach nearly escalated—until it was stopped in its tracks.
Many security services flood the market with generic offerings, often designed more for profit than protection. CyberStreams takes a different approach. We only implement tools that provide genuine security benefits without inflating costs. This philosophy led us to our new security partner, who immediately began identifying active threats and shutting down incidents before damage could occur.
One such incident highlighted the sophistication of a particularly stealthy threat actor: Piercing Hornet. Unlike many cybercriminals who rely on brute-force tactics like password spraying, Piercing Hornet operates with precision, minimizing noise to evade detection. Their tactics are deliberate, calculated, and highly effective.
During an incident investigation, our security partner traced multiple attacks to Piercing Hornet, a threat group that had previously been observed in other environments. Their strategy involves remaining undetected for as long as possible, avoiding common red flags that trigger security alerts.
This particular attack demonstrated their level of sophistication:
A targeted adversary, likely human-driven and based in the U.S., directly pursued a client’s staff.
Their stealthy approach suggested future attempts to escalate privileges and spear-phish financial managers.
If successful, this attack could have rapidly spread, becoming exponentially harder to contain.
Attack vector: AiTM (adversary-in-the-middle) phishing attack.
Method: Stolen credentials via an automated phishing toolkit.
Execution: Immediate login using a datacenter IP, followed by pivoting into the Exchange mailbox via a proxy IP to evade detection.
Action: Urgent credential rotation and session revocation were necessary.
1/14/25 @ 8:18 PM – Failed Login Attempt.
1/14/25 @ 8:19 PM – Successful Login.
1/14/25 @ 8:24 PM – Threat Detected.
1/14/25 @ 8:27 PM – Active Sessions Terminated.
1/14/25 @ 8:27 PM – Account Locked, Threat Mitigated.
This adversary is known to use automated phishing toolkits to steal a user's password and MFA credentials. They then immediately log into the account using a datacenter IP address and pivot into the user's Exchange mailbox with a proxy IP in an attempt to evade detection. They stealthily target users and have a high success rate despite producing very little noise or failed login attempts.
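The sign-in pattern described above (a successful login from a datacenter IP, then mailbox access from a different proxy IP, with almost no failed attempts) can be expressed as a correlation rule over sign-in events. The following Python is an added example, not code from CyberStreams or its security partner; the event fields, the network lists, the ten-minute window and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed network lists (RFC 5737 documentation ranges) standing in for
# a real hosting-provider / proxy reputation feed (assumption).
DATACENTER_NETS = [ip_network("198.51.100.0/24")]
PROXY_NETS = [ip_network("203.0.113.0/24")]
PIVOT_WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed events: (time, user, app, ip, result). Hypothetical schema.
EVENTS = [
    ("2025-01-14 20:18", "alice", "Portal", "198.51.100.7", "failure"),
    ("2025-01-14 20:19", "alice", "Portal", "198.51.100.7", "success"),
    ("2025-01-14 20:22", "alice", "Exchange", "203.0.113.40", "success"),
    ("2025-01-14 09:02", "bob", "Portal", "192.0.2.15", "success"),
    ("2025-01-14 09:05", "bob", "Exchange", "192.0.2.15", "success"),
]

def in_nets(ip, nets):
    addr = ip_address(ip)
    return any(addr in net for net in nets)

def detect_pivot(events):
    """Flag a successful datacenter-IP login followed, within PIVOT_WINDOW,
    by mailbox access for the same user from a different, proxy IP."""
    rows = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), u, app, ip, res)
                  for t, u, app, ip, res in events)
    alerts = []
    for i, (t1, user, _app, ip1, res1) in enumerate(rows):
        if res1 != "success" or not in_nets(ip1, DATACENTER_NETS):
            continue
        for t2, user2, app2, ip2, res2 in rows[i + 1:]:
            if t2 - t1 > PIVOT_WINDOW:
                break
            if (user2 == user and app2 == "Exchange" and res2 == "success"
                    and ip2 != ip1 and in_nets(ip2, PROXY_NETS)):
                # Recorded for triage only: the rule does not need failures to fire.
                failures = sum(1 for t0, u0, _a, _i, r0 in rows
                               if u0 == user and r0 == "failure"
                               and timedelta(0) <= t1 - t0 <= PIVOT_WINDOW)
                alerts.append({"user": user, "login_ip": ip1, "pivot_ip": ip2,
                               "minutes": int((t2 - t1).total_seconds() // 60),
                               "prior_failures": failures})
                break
    return alerts

if __name__ == "__main__":
    for alert in detect_pivot(EVENTS):
        print(alert)
```

Because the rule keys on the IP change between login and mailbox access rather than on a count of failed logins, it still fires when the account shows only one failed attempt, which a password-spray threshold would ignore.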
Cybersecurity isn’t just about responding to threats—it’s about staying ahead of them. The incident involving Piercing Hornet reinforces the importance of proactive security measures and real-time threat detection. Attackers are becoming more sophisticated, but with the right defenses, even the most advanced threats can be neutralized before they cause harm.
At CyberStreams, we remain committed to implementing only the most effective security solutions. If your organization isn’t already leveraging real-time protection against sophisticated actors like Piercing Hornet, now is the time to reconsider your security approach. The cyber threat landscape isn’t slowing down—and neither are we.