Joshua Rawles
Joshua Rawles is a Senior Threat Analyst at Sophos MDR focused on Microsoft 365 and cloud threats. He combines DFIR expertise with attacker-infrastructure tracking to hunt adversaries and understand how they operate. His current focus is on SaaS, investigating how attackers abuse identities and cloud services and using that insight to strengthen defenses. Previously, Joshua worked in incident response with the Royal Australian Navy. Outside work he boulders, writes heavy metal, and gets out into nature.
Session
Phishing-as-a-Service combined with Adversary-in-the-Middle (AiTM) grew by 146% in a year and now drives reported multi-billion losses and tens of thousands of business email compromises. Subscription kits for Microsoft 365 cost as little as £300 a month, allowing adversaries to steal full sessions, not just passwords, and easily bypass MFA. This talk shows how the kits work, how fast operators stand them up, and what the infrastructure looks like, including holes that allow early detection. Using two recent case studies, FlowerStorm (Storm-1167) and RaccoonO365, we triangulate leaked artefacts, takedown data, and open infrastructure signals against the current AiTM threat landscape to estimate global impact. Our analysis points to millions of stolen sessions a year, suggesting the impact is far greater than reported. We finish with a clear detection map of the AiTM chain and the telemetry required to analyse and detect activity at each stage.
