If you work in cybersecurity, you’ve probably heard the time-honored adage about cyber attacks: “It’s not a matter of if, but when.” Perhaps a better way to think of it is this: while training, experience, and familiarity with social engineering techniques help, anyone can fall for a well-constructed ruse. Everyone – including security researchers – has a vulnerability that could make them susceptible, given the right situation, timing, and circumstances.
Cybersecurity companies aren’t immune by any means. In March 2025, a senior Sophos employee fell victim to a phishing email and entered their credentials into a fake login page, leading to a multi-factor authentication (MFA) bypass and a threat actor trying – and failing – to worm their way into our network.
We’ve published an external root cause analysis (RCA) about this incident on our Trust Center, which dives into the details – but the incident raised some interesting broader topics that we wanted to share some thoughts on.
First, it’s important to note that MFA bypasses are increasingly common. As MFA has become more widespread, threat actors have adapted, and several phishing frameworks and services now incorporate MFA bypass capabilities (another argument for the wider adoption of passkeys).
Second, we’re sharing the details of this incident not to highlight that we successfully repelled an attack – that’s our day job – but because it’s a good illustration of an end-to-end defense process, and has some interesting learning points.
Third, three things were key to our response: controls, cooperation, and culture.
Controls
Our security controls are layered, with the objective of being resilient to human failure and bypasses of earlier layers. The guiding principle behind a ‘defense-in-depth’ security policy is that when one control is bypassed, or fails, others should kick in – providing protection across as much of the cyber kill chain as possible.
As we discussed in the corresponding RCA, this incident involved multiple layers – email security, MFA, a Conditional Access Policy (CAP), device management, and account restrictions. While the threat actor bypassed some of those layers, subsequent controls were then triggered.
Crucially, however, we didn’t sit on our laurels after the incident. The threat actor was unsuccessful, but we didn’t congratulate ourselves and get on with our day. We investigated every aspect of the attack, conducted an internal root cause analysis, and assessed the performance of every control involved. Where a control was bypassed, we reviewed why this was the case and what we could do to improve it. Where a control worked effectively, we asked ourselves what threat actors might do in the future to bypass it, and then investigated how to mitigate against that.
Cooperation
Our internal teams work closely together all the time, and one of the key outcomes of that is a cooperative culture – particularly when there’s an urgent and active threat, whether internal or affecting our customers.
Sophos Labs, Managed Detection and Response (MDR), Internal Detection and Response (IDR), and our internal IT team worked within their different specialties and areas of expertise to eliminate the threat, sharing information and insights. Going forward, we’re looking at ways to improve our intelligence-gathering capabilities and tightening feedback loops – not just internally, but within the wider security community. Ingesting and operationalizing intelligence, making it actionable, and proactively using it to defend our estate, is a key priority. While we responded effectively to this incident, we can always be better.
Culture
We try to foster a culture in which the predominant focus is solving the problem and making things safe, rather than apportioning blame or criticizing colleagues for mistakes – and we don’t reprimand or discipline users who click on phishing links.
The employee in this incident felt able to directly inform colleagues that they had fallen for a phishing lure. In some organizations, users may not feel comfortable admitting to a mistake, whether that’s due to fear of reprisal or personal embarrassment. Others may hope that if they ignore a suspicious incident, the problem will go away. At Sophos, all users – whatever their role and level of seniority – are encouraged to report any suspicions. As we noted at the beginning of this article, we know that anyone can fall for a social engineering ruse given the right circumstances.
It’s often said – not necessarily helpfully – that humans are the weakest link in security. But they are also often the first line of defense, and can play a vital part in notifying security teams, validating automated alerts (or even alerting security themselves if technical controls fail), and providing additional context and intelligence.
Conclusion
An attacker breached our perimeter, but a combination of controls, cooperation, and culture meant that they were severely restricted in what they could do, before we removed them from our systems. Our post-incident review, and the lessons we took from it, means that our security posture is stronger, in readiness for the next attempt. By publicly and transparently sharing those lessons both here and in the RCA, we hope yours will be too.