Case Studies
Real Incidents. Real Outcomes.
These are real engagements. Client details anonymized to protect their businesses.
A Connecticut law firm had a threat actor operating inside their Microsoft 365 environment for 23 days. The attacker created hidden inbox rules, registered a lookalike domain, and initiated a $7 million wire transfer attempt. We were engaged and contained the entire incident the same day.
prevented
found & contained
same day
delivered
- Threat actor with 23-day dwell time inside M365 tenant
- Hidden inbox rules silently deleting and forwarding communications
- Lookalike domain registered to impersonate the firm
- $7M wire transfer attempt timed to a real estate closing
- Same-day session revocation across all 6 compromised accounts
- Malicious inbox rules identified and deleted via forensic audit
- Lookalike domain flagged and reported for takedown
- Fraudulent wire communication intercepted before funds released
- Full forensic report with timeline delivered within 11 days
- Phishing attack compromised employee mailbox
- Nearly 2-week dwell time with silent forwarding rules active
- Typo-squat domain registered to continue impersonation post-lockout
- External partners actively being targeted via the lookalike domain
- Same-day containment — account locked, sessions revoked
- All 5 affected accounts reviewed and secured
- Lookalike domain identified, documented, and reported
- External partners notified to disregard fraudulent communications
- MFA enforced tenant-wide post-incident
A Connecticut law firm's email was compromised via phishing. The attacker operated inside the mailbox for nearly two weeks, creating silent forwarding rules and registering a typo-squat domain to continue impersonating the employee even after lockout.
dwell time
& secured
identified
Day
completed
An employee clicked a phishing email. Within hours, the attacker created 7 inbox rules to suppress communications, used global VPN/proxy IPs from multiple countries, and initiated a fraudulent $12,500 wire transfer.
identified
rules removed
IPs identified
Day
credential reset
- Single phishing click led to full account compromise
- 7 inbox rules created to suppress alerts and redirect communications
- Attacker using 6+ global proxy/VPN IPs to mask location
- $12,500 fraudulent wire transfer initiated from compromised account
- Same-day session revocation and forced credential reset
- All 7 malicious inbox rules identified and deleted
- Forensic audit of Entra ID sign-in logs — all attacker IPs documented
- Conditional Access policies implemented to block risky sign-ins
- Legacy authentication disabled across tenant
- Provider migration left dormant admin accounts exposed and unmonitored
- Threat actors gained Global Admin privileges — 30-day dwell time
- Accounting department impersonated to send fraudulent ACH invoice
- $7,700 fraudulent ACH payment intercepted from a real customer
- All 4 compromised accounts disabled and credentials reset
- Full admin account audit — dormant and legacy accounts removed
- Forensic timeline of 30-day attacker activity reconstructed
- Fraudulent invoice documented and customer alerted
- Privileged Identity Management implemented to prevent recurrence
A manufacturing company's M365 tenant was compromised after a provider migration left dormant admin accounts exposed. Threat actors gained Global Admin privileges and impersonated the accounting department to send a fraudulent ACH invoice.
payment
dwell time
disabled
Admin
privilege level
A finance department employee received a spoofed email impersonating a trusted internal colleague. After clicking a phishing link, the attacker redirected approximately $55,000 in funds to a fraudulent vendor.
via phishing
Day
sessions revoked
Wide
lateral movement
On
account restoration
- Spoofed internal email impersonating a trusted colleague in finance
- Phishing link captured credentials, bypassing legacy MFA
- $55,000 redirected to a fraudulent vendor via wire transfer
- No lateral movement — attack confined to single compromised account
- Same-day account lockout and session revocation
- Full tenant-wide user review confirmed no lateral spread
- Fraudulent vendor and transfer documented for financial recovery
- MFA enforced on account restoration — phishing-resistant config
- Anti-spoofing policies reviewed and hardened across tenant
More Anonymized Engagements
Additional Case Studies
Sanitized from real incident response reports. Business names, individual names, domains, and dates have been removed to protect client confidentiality.
Phished Session Token Contained Within Minutes
A professional services user was compromised after a phishing attack captured access to a Microsoft 365 account. The attacker authenticated from multiple unfamiliar network locations and accessed email during a short compromise window.
- Revoked all active sessions and reset credentials.
- Reset MFA methods and removed suspicious authentication artifacts.
- Reviewed sent mail, inbox rules, and message trace evidence for exposure.
EDR and MDR Alerts Exposed Domain Reconnaissance
Endpoint and MDR alerts identified suspicious behavior from a domain account on a remote desktop server, including process handle activity, registry changes, outbound network behavior, and domain enumeration commands.
- Isolated the endpoint to prevent lateral movement.
- Correlated MDR and EDR telemetry to validate suspicious behavior.
- Rotated credentials and restricted external remote access.
Compromised Mailbox Sent Hundreds of Phishing Emails
A user clicked a shared-document phishing lure, allowing an attacker to access the mailbox and send a large outbound phishing wave. Malicious inbox rules were found and removed during containment.
- Revoked sessions, reset credentials, and re-registered MFA.
- Removed hidden rules designed to suppress or redirect messages.
- Advised leadership on recipient notification and follow-up monitoring.
Malicious Cloud Apps and Inbox Rules Removed
A coordinated phishing and application abuse campaign was identified inside a Microsoft 365 tenant. Multiple suspicious enterprise applications, app registrations, and malicious inbox rules were removed before further spread.
- Removed malicious enterprise apps and associated app registrations.
- Deleted malicious OneDrive content used to relay phishing messages.
- Reduced excessive Global Admin access and tightened app consent controls.
Global Admin Account Takeover Contained
A Global Administrator account was compromised through authentication abuse. The investigation identified unauthorized MFA methods, suspicious inbox rules, and excessive privilege risk across the tenant.
- Revoked sessions, removed unauthorized MFA methods, and rotated credentials.
- Enumerated inbox rules across the tenant and removed suspicious artifacts.
- Separated daily-use identity from administrator access and created monitored admin accounts.
Suspicious Sign-Ins Validated and Spoofed Emails Blocked
Unusual Microsoft sign-in locations were investigated and validated as legitimate privacy relay behavior. At the same time, spoofed internal-looking emails were confirmed as external impersonation attempts and quarantined before user exposure.
- Verified sign-in activity directly and ruled out account compromise.
- Preserved email header evidence and confirmed spoofed messages were quarantined.
- Demoted daily admin use and created a dedicated monitored administrator account.
Across All Engagements
The Numbers
or Identified
Documented
Containment
Engagements
Think You Have an Active Incident?
Don't wait. Every hour matters in an active breach. Call us, book directly, or use the contact form — we respond fast.