Mobile-Origin Breach Response For Corporate-Owned and BYOD Devices

Most enterprise compromises involving a mobile device do not begin and end on the device. The phone is the initial access vector. What follows is a cascade through identity providers, corporate mailboxes, OAuth grants, VPN sessions, and cloud applications. By the time a client calls us, the attacker has usually already left the device behind. The evidence lives in logs the corporate environment kept without anyone asking it to.

That is where we operate. We are the team you call when an executive's phone number was ported to a new SIM and a $380,000 wire left the treasury account two hours later. We are the team you call when a contractor clicked a phishing link on an iPhone at a trade show and six weeks later your quarterly financials ended up in a regulator's inbox. We are the team you call when a field tech's corporate Android was remotely enrolled by an attacker and spent a week quietly exfiltrating customer records through the Microsoft Graph API.

Our specialty, by Craig Petronella's own scope definition, is SIM swap investigation, business email compromise response, network forensics, ransomware containment, and the cloud-identity trail of compromised accounts. For consumer device extraction work, we refer. For corporate infrastructure investigation work, this is what we do every week.

If your incident is a family law matter, a consumer civil case, a custody dispute, or a situation where someone needs deleted text messages recovered from a personal iPhone, this is not the right page and we are not the right firm. Read the transparency section below for exactly where we draw that line.

Pattern one: the SIM swap into an executive's phone. An attacker socially engineers a mobile carrier representative into porting a CEO or CFO phone number to a SIM the attacker controls. SMS-based multifactor authentication codes now arrive at the attacker. Within minutes, the attacker resets passwords on the executive's corporate Microsoft 365 account, their personal email, and whatever federated single sign-on identity they use. From there, the attacker reads mailbox rules, plants a forwarding rule, and begins drafting a wire fraud email to accounting. None of this is recoverable from the executive's phone. The device was never compromised. The corporate identity was. The evidence lives in the Microsoft 365 unified audit log, in Conditional Access sign-in logs, in mailbox rule changes, and in carrier port-out records.

Pattern two: the OAuth consent grant. An employee receives a phishing link on their BYOD iPhone. The page is a replica of a legitimate Microsoft or Google consent screen. The employee, authenticated through their mobile browser, grants an attacker-controlled application permission to read mail, read contacts, and send mail on their behalf. The attacker now has persistent cloud access without ever needing the user's password or bypassing multifactor authentication. The phone did its job. The corporate tenant gave away the keys. The evidence lives in the OAuth consent audit log, in enterprise application sign-in telemetry, and in Microsoft Graph API call patterns.

Pattern three: the compromised session cookie. An attacker delivers an infostealer through a mobile ad network. The malicious payload runs in a mobile browser session on a corporate-owned device and exfiltrates session cookies. Those cookies are replayed from attacker infrastructure, bypassing multifactor authentication because the session already satisfied the MFA gate. By the time anyone notices, the attacker has been inside the corporate mailbox for eleven days. The evidence lives in risky sign-in detections, unfamiliar geolocation patterns, and conditional access token replay signatures.

Pattern four: the BYOD enrollment abuse. A terminated employee's personal device was never unenrolled from the corporate mobile device management platform. Months later the former employee, or someone who acquired their device, uses that stale enrollment to reach corporate resources. The evidence lives in Intune or Jamf enrollment history, in Conditional Access grant logs, and in mailbox access telemetry tied to the stale device ID.

Every one of these patterns has one thing in common. The investigation has almost nothing to do with the phone. The investigation has everything to do with the corporate systems the phone talked to.

Corporate-owned devices enrolled in Intune, Jamf, or Kandji give us the richest investigation surface. Device enrollment history, compliance state, application inventory, managed configuration, Conditional Access posture, and remote wipe history are all retrievable through the management console and its audit logs. When a corporate-owned iPhone is reported as a breach vector, the first artifacts we request are the Intune or Jamf device record, the device compliance policy evaluation history, the full application inventory at the time of incident, the certificate and Wi-Fi profile assignments, and the management action audit trail. None of this requires physical possession of the device. All of it lives in the management platform.

BYOD devices enrolled through application protection policies or mobile application management give us a narrower but still meaningful surface. We can see which managed applications were present, which corporate accounts signed into those applications, which policy controls were in force, and whether the device satisfied the conditional access requirements at the time of any suspicious sign-in. We cannot see the personal side of the device. That boundary is intentional. It is also, in most corporate investigations, sufficient.

Unmanaged devices accessing corporate resources are the hardest scope. We reconstruct the story almost entirely from the cloud side. Who signed in, from what IP, from what user agent, at what time, with what authentication strength, into which application, and what did they do once they were in. When unmanaged access is involved, the investigation shifts almost entirely to Microsoft 365 or Google Workspace audit data and identity provider telemetry.

What shapes all of this is a single question the client's counsel must answer before we touch anything: who owns the data, who consented to the monitoring, and what scope of investigation is authorized. Our engagements begin with a written scope letter that maps the authorized investigation surface. We do not investigate outside that scope. Corporate devices are typically in. BYOD devices are typically scoped to managed applications only. Personal devices not enrolled in any management platform are typically out, which is why, again, the real investigation happens in the cloud logs the corporate environment produced.

Tools we actually use for this layer include the Microsoft Intune audit log and device compliance APIs, the Jamf Pro API for Apple fleet history, the Microsoft 365 unified audit log, the Microsoft Entra ID sign-in and audit logs, the Conditional Access insight and reporting workbook, the Microsoft Graph API for application permission and consent history, Google Workspace admin audit logs, the identity provider logs for any federated SSO platform, corporate firewall and VPN concentrator logs, cloud access security broker telemetry, and the email gateway audit trail. That is the stack.

We say this plainly because the market is full of firms that overclaim. If a vendor tells you they do everything from corporate incident response to deleted iMessage recovery to family law mobile extraction, they are either building margin on the front end and subcontracting the real work, or they are stretching their competence. Neither is what you want on a regulated breach.

When a client calls us and the actual need is consumer device extraction, our answer is the same every time. We refer out to a trusted digital-forensics network of certified mobile forensic examiners who specialize in that kind of physical acquisition. That is not our lane. Corporate infrastructure forensics is our lane, and we stay in it because that is how you produce reports that hold up under regulator scrutiny, insurance investigation, and, when it comes to that, a federal courtroom.

A mobile-origin compromise produces a very specific fingerprint in corporate cloud telemetry. We know what to pull and we know how to read it.

Microsoft 365 unified audit log

We pull the unified audit log for the affected user account across a window that typically runs from thirty days before the suspected compromise through the present. We look for inbox rule creation and modification events, specifically rules that forward messages externally, move messages into RSS Feeds or Archive folders, or mark incoming messages as read and delete them. We look for mailbox permission changes. We look for Add-Ins and consent grants. We look for delegation grants. We look for sign-ins from unfamiliar autonomous system numbers and from user agents that do not match the user's normal device fingerprint. We look for token refresh patterns that suggest session cookie replay.

Microsoft Entra ID sign-in logs and Conditional Access

We pull risky sign-in events, sign-ins with unusual authentication details, and sign-ins flagged by atypical travel or impossible travel detections. We compare the sign-in telemetry against the Conditional Access policy set that was in force at the time, because the question is not only what happened. The question is also what should have been blocked but was not, and why. That finding almost always identifies the control gap that enabled the breach and becomes the central recommendation in the final report.

OAuth consent and enterprise application grants

We pull the OAuth consent audit log. We pull every non-Microsoft enterprise application with Graph API permissions. We examine which applications were consented to within the incident window, which permissions were granted, and whether those applications have made suspicious API calls since consent. OAuth consent phishing is one of the fastest growing initial access vectors for mobile-origin compromises, and it is nearly invisible unless you know where to look.

Google Workspace admin audit

For Google tenants we pull admin activity logs, login audit, drive audit, gmail audit (where log export is enabled), and OAuth token activity. We look for the same classes of artifacts in a different schema. Forwarding rules, filter creation, session hijack indicators, third-party application consent, and device trust events for the compromised user.

The output of this trail, in every engagement, is a timeline. Not a report full of capability language. A timeline. Who did what, from where, when, against which resource, and what data left the tenant as a result. That timeline is what your counsel, your regulator, and your cyber insurance carrier all need in order to make the decisions that come next.

Cloud telemetry tells the identity story. Network telemetry tells the data movement story. Both are required. In a typical mobile-origin engagement we pull corporate firewall logs for traffic associated with the affected user and device over the incident window, VPN concentrator session records including authentication source, client IP, assigned internal IP, and session duration, proxy logs for HTTPS inspection where the environment has a man-in-the-middle gateway in place, and cloud access security broker telemetry where one is deployed.

The patterns we look for include abnormal session duration, traffic to infrastructure on threat intelligence watchlists, DNS queries to command and control domains, large outbound data flows correlating with the compromised user's session, unusual geolocation for the VPN source address, and session re-authentication anomalies. If the corporate environment captures NetFlow, we correlate that against the timeline. If packet capture exists at the perimeter, we examine packet metadata for the affected session.

For clients who bring us in with an active incident and no existing network logging, we will stand up targeted capture at the perimeter for the duration of the engagement. That is within our network forensics capability. It is not a substitute for pre-existing telemetry, which is why we recommend, in every final report, a specific set of network logging defaults to keep this kind of investigation feasible next time.

The first call is twenty to thirty minutes. We want to understand three things. First, what indicator triggered the concern. A carrier port-out notification, a failed wire, an unusual sign-in alert, a regulator inquiry, a ransomware note, a help desk ticket that did not add up. Second, what systems are in scope. Which Microsoft or Google tenant, which mobile device management platform, which identity provider, which network perimeter vendor. Third, what your legal and insurance posture is. Whether counsel is already engaged, whether you have a cyber insurance carrier notified, and whether there is a regulatory clock already running.

From that call we produce a scope letter, a preservation request list, and a containment sequence. Engagement can begin inside twenty-four hours for active incidents. For clients who want to build a retainer relationship before an incident, we offer a mobile-origin readiness review that examines your current Conditional Access posture, OAuth consent controls, mobile device management baseline, and audit log retention settings against the attack patterns described on this page. That review is a one-time fixed-scope engagement and it prevents the bulk of what we see in incident response.

If you are looking at a possible breach right now, the fastest path is the incident response intake form or a direct call to (919) 348-4912. If your question is broader than mobile, the parent hub pages on data breach forensics, digital forensics solutions, network forensics, and cryptocurrency forensics cover our full investigation surface. Clients who want to build internal capability should look at our incident response training program.

Petronella Technology Group is a CMMC-AB Registered Provider Organization (RPO #1449). Our team holds the CMMC-RP credential. Craig Petronella holds CMMC-RP, CCNA, CWNE, and Digital Forensics Examiner (DFE) credential #604180. We have operated out of Raleigh since 2002 and hold a BBB A+ rating. Our office address is 5540 Centerview Dr., Suite 200, Raleigh, NC 27606.