How TMB Identified and Contained a Hidden Cyber Attack Across a 21 Hotel Group

A large hotel group operating 21 properties across the UK and Europe approached TMB following increasing concern about suspicious activity within its finance systems. The group relied on Microsoft Defender and internal IT processes but did not have a 24/7 operational security response in place. What they didn’t realise was that a sophisticated adversary‑in‑the‑middle (AiTM) attack had already been active within the environment.

The Challenge

Prior to onboarding with TMB, the hotel group had been compromised through an EvilGinx adversary‑in‑the‑middle attack. Over a three‑month period, attackers intercepted authentication flows and harvested valid credentials without detection. Using these credentials, the attackers maintained access to a finance team email account for more than two months. During this time, they monitored communications, observed internal workflows and prepared for potential financial fraud.

Although Microsoft Defender generated occasional suspicious sign‑in alerts, there was no continuous monitoring or active validation in place. As a result, the alerts were not correlated or investigated, allowing the threat to persist unnoticed.

The TMB Solution

Upon onboarding, TMB deployed RocketCyber MDR alongside Microsoft Defender and activated support from TMB’s 24/7 Cyber & Network Security Team. Within minutes of the MDR service going live, correlated behavioural analytics highlighted a pattern of abnormal authentication linked to known EvilGinx infrastructure. TMB’s security analysts immediately investigated the activity, confirmed the compromise and carried out rapid containment actions, including:

  • Disabling compromised user accounts
  • Forcing global credential resets
  • Blocking malicious IP ranges and attacker infrastructure
  • Validating indicators of lateral movement across all 21 hotel environments
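The detection described above, a correlation of sign-in events that surfaces the same session appearing from an unexpected source shortly after a legitimate MFA sign-in (the pattern an adversary-in-the-middle proxy leaves when it replays a harvested session), followed by the containment steps the list names. This is an added example written for this page; it is not TMB's, RocketCyber's or Microsoft Defender's logic. The sign-in records, the trusted and blocked network ranges and the account names are all constructed placeholders (the page publishes no real indicators), and the record layout (user, timestamp, IP, session id, MFA flag) is an assumption.

```python
"""Correlate sign-in records to flag AiTM-style session replay and derive
containment actions. Added example; sample data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sign-in records (not real log data). Session S1 completes MFA
# from the hotel group's network and is then reused minutes later from an
# unrelated address, which is what a proxied MFA login and cookie replay look like.
SIGNINS = [
    {"user": "finance@example.com", "ts": "2024-05-01T08:02:10Z",
     "ip": "203.0.113.10", "session": "S1", "mfa": True},
    {"user": "finance@example.com", "ts": "2024-05-01T08:04:55Z",
     "ip": "198.51.100.77", "session": "S1", "mfa": False},
    {"user": "ops@example.com", "ts": "2024-05-01T09:00:00Z",
     "ip": "203.0.113.22", "session": "S2", "mfa": True},
    {"user": "ops@example.com", "ts": "2024-05-01T17:30:00Z",
     "ip": "203.0.113.22", "session": "S2", "mfa": False},
]

# Placeholder for the organisation's known egress ranges (documentation prefix).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]
# Placeholder for a threat-intelligence block list; no real indicators are used.
BLOCKED_NETWORKS = [ip_network("198.51.100.0/24")]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def in_any(ip, networks):
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def find_session_reuse(events, window=timedelta(minutes=30)):
    """Return findings for any session id seen from two different IPs within
    `window`, where at least one IP is outside the trusted ranges. Two trusted
    addresses (e.g. a user moving between offices) are not flagged."""
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    findings = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for first, second in zip(evs, evs[1:]):
            if first["ip"] == second["ip"]:
                continue
            gap = parse_ts(second["ts"]) - parse_ts(first["ts"])
            if gap > window:
                continue
            if in_any(first["ip"], TRUSTED_NETWORKS) and in_any(second["ip"], TRUSTED_NETWORKS):
                continue
            suspect_ips = [ip for ip in (first["ip"], second["ip"])
                           if not in_any(ip, TRUSTED_NETWORKS)]
            findings.append({
                "session": session,
                "user": first["user"],
                "first_ip": first["ip"],
                "second_ip": second["ip"],
                "seconds_apart": int(gap.total_seconds()),
                "suspect_ips": suspect_ips,
                # Known-bad infrastructure raises confidence from "anomalous" to "confirmed".
                "known_bad": any(in_any(ip, BLOCKED_NETWORKS) for ip in suspect_ips),
            })
    return findings


def containment_actions(finding):
    """Map a finding to the containment steps listed on the page: disable the
    account, revoke its sessions and reset credentials, then block the
    attacker-side addresses. Returned as action strings for a ticket or runbook."""
    user = finding["user"]
    actions = [
        f"disable_account:{user}",
        f"revoke_sessions:{user}",
        f"reset_credentials:{user}",
    ]
    actions += [f"block_ip:{ip}" for ip in finding["suspect_ips"]]
    return actions


if __name__ == "__main__":
    for finding in find_session_reuse(SIGNINS):
        print(finding)
        for action in containment_actions(finding):
            print("  ->", action)
```

The check deliberately keys on the session identifier rather than on the sign-in alert alone: an AiTM proxy produces a sign-in that passes MFA and looks legitimate in isolation, which is why isolated Defender alerts were easy to dismiss; it is the second appearance of that session from a different network that gives the pattern away. In production the trusted ranges would come from the tenant's named locations and the block list from a threat-intelligence feed.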

The Result

Activity that had remained undetected for three months was identified and contained within minutes under TMB’s MDR‑powered security model.

The hotel group avoided a potential high‑value fraud incident and gained ongoing protection through:

  • 24/7 expert monitoring
  • Real‑time threat validation
  • Immediate containment actions
  • Cross‑property visibility across all 21 hotels

Today, the group considers TMB’s MDR service a core part of its cybersecurity strategy, moving from reactive alerting to continuous, proactive protection across every property.