The initial intrusion vector was an SMS phishing (smishing) campaign that spoofed internal IT notifications to harvest user credentials and MFA codes. Atlas Lion then joined a VM hosted in their own Azure tenant to the organization's domain by mimicking the legitimate Windows device setup process. With the compromised account and an MFA device they had newly registered to it, the attackers passed validation and onboarded their VM as if it were a corporate endpoint. That onboarding cut both ways: the endpoint security tools pushed to the VM during automated device enrollment flagged the attacker's activity because it originated from a known malicious IP address, triggering a timely SOC response.
After the VM was removed from the domain, Atlas Lion continued to use the credentials that were still valid to perform rapid reconnaissance across multiple internal applications. This included scripted access to SharePoint and Confluence, targeting documentation on device management, VPN configuration, and gift card issuance. They even opened IT tickets to request elevated permissions, while deliberately deleting the resulting notification emails from the compromised mailbox to avoid drawing the user's attention.
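The two paragraphs above describe a sequence a SOC can correlate: a device or MFA method registered from an IP the user has never used (or one on a blocklist), followed within minutes by sign-ins to several internal applications and the deletion of the security notification email that the registration generated. The following detection logic is an added example written for this page, not code from the original report or from any vendor product. The event schema, field names, sample events, IP addresses and notification subject keywords are all constructed for illustration; map them onto your own identity, application and mailbox audit telemetry before use.

```python
"""
Constructed example: correlate suspicious device/MFA enrollment with the
follow-on reconnaissance and notification-mail deletion described above.
The event format below is invented for this page; it is not a real Entra ID,
M365 or Confluence log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data), normalised to one shape.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "action": "sign_in",
     "ip": "203.0.113.7", "app": "Office"},
    {"ts": "2024-05-01T09:02:00", "user": "alice", "action": "mfa_method_added",
     "ip": "198.51.100.9", "app": "Entra"},
    {"ts": "2024-05-01T09:05:00", "user": "alice", "action": "device_registered",
     "ip": "198.51.100.9", "app": "Entra"},
    {"ts": "2024-05-01T09:10:00", "user": "alice", "action": "sign_in",
     "ip": "198.51.100.9", "app": "SharePoint"},
    {"ts": "2024-05-01T09:11:00", "user": "alice", "action": "sign_in",
     "ip": "198.51.100.9", "app": "Confluence"},
    {"ts": "2024-05-01T09:12:00", "user": "alice", "action": "sign_in",
     "ip": "198.51.100.9", "app": "ServiceDesk"},
    {"ts": "2024-05-01T09:13:00", "user": "alice", "action": "mail_deleted",
     "ip": "198.51.100.9", "app": "Exchange",
     "subject": "Security info was added to your account"},
    # A benign registration from a user's usual address must not alert.
    {"ts": "2024-05-01T10:00:00", "user": "bob", "action": "device_registered",
     "ip": "203.0.113.8", "app": "Entra"},
]

# Hypothetical per-user baseline of IPs seen in the preceding weeks.
BASELINE_IPS = {"alice": {"203.0.113.7"}, "bob": {"203.0.113.8"}}
# Hypothetical threat-intel blocklist (the report mentions a known bad IP).
KNOWN_BAD_IPS = {"198.51.100.9"}

ENROLLMENT_ACTIONS = {"device_registered", "mfa_method_added"}
# Substrings that identify the account-security mails an attacker would purge.
NOTIFICATION_KEYWORDS = ("security info", "new device", "sign-in")


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, baseline_ips, known_bad_ips,
              window=timedelta(minutes=30), min_apps=3):
    """Return one finding per enrollment event that came from an unexpected
    IP, enriched with what the same account did inside `window` afterwards."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        for i, event in enumerate(evs):
            if event["action"] not in ENROLLMENT_ACTIONS:
                continue
            reasons = []
            if event["ip"] in known_bad_ips:
                reasons.append("known-bad IP")
            if event["ip"] not in baseline_ips.get(user, set()):
                reasons.append("IP outside user baseline")
            if not reasons:
                continue  # enrollment from a familiar, clean address

            t0 = _ts(event)
            later = [e for e in evs[i + 1:] if _ts(e) - t0 <= window]
            # Rapid reconnaissance: many distinct apps shortly after enrollment.
            apps = {e["app"] for e in later if e["action"] == "sign_in"}
            if len(apps) >= min_apps:
                reasons.append(f"rapid access to {len(apps)} apps")
            # Anti-forensics: the enrollment notification mail was deleted.
            if any(e["action"] == "mail_deleted"
                   and any(k in e.get("subject", "").lower()
                           for k in NOTIFICATION_KEYWORDS)
                   for e in later):
                reasons.append("security notification e-mail deleted")

            findings.append({"user": user, "ts": event["ts"],
                             "action": event["action"], "ip": event["ip"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS, BASELINE_IPS, KNOWN_BAD_IPS):
        print(f["ts"], f["user"], f["action"], f["ip"], "->", "; ".join(f["reasons"]))
```

The baseline check matters more than the blocklist: in the incident above the blocklist happened to catch the VM, but an attacker using a fresh cloud IP would only trip the baseline and the follow-on correlation (multi-app burst plus deletion of the registration notification), so keep all three signals rather than relying on the IP reputation alone.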