Phishing Attack Contained
Before Any Data Left the Building
A staff member's Microsoft 365 credentials were compromised via a spoofed login page. The attacker had active access to the mailbox — but not for long.
The Situation
A staff member at a small law firm received a spear-phishing email that appeared to come from a court document filing service. The email was convincing — the domain was close enough to the real service that it bypassed a quick visual check. The staff member entered their Microsoft 365 credentials on the spoofed login page.
Within hours, the attacker was inside the mailbox. They created an inbox forwarding rule that silently copied every incoming message to an external address. The firm had no MFA enforcement, no audit log monitoring of its own, and no incident response plan. Without active monitoring, this could have run undetected for weeks.
What We Did
Detected the Anomaly Through 365 Audit Log Monitoring
Our managed services monitoring flagged the anomalous forwarding rule within hours of its creation. Microsoft 365 audit log monitoring is part of every managed services engagement, and a new inbox rule that sends mail to an external address is exactly the kind of event it exists to catch.
Revoked Session Tokens and Locked Attacker Access
We reset the account's credentials, revoked all active session tokens, and removed the forwarding rule, cutting off the attacker's access within 30 minutes of detection. The order matters: revoking tokens without a reset would have left the attacker free to sign back in with the stolen password, and a reset without revocation would have left the existing sessions alive until their tokens expired.
Audited the Mailbox for Exfiltration
We reviewed the full audit trail for the period the account was compromised. The attacker had accessed the inbox but had not opened, forwarded, or downloaded client documents. No data was exfiltrated.
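The three steps above (detect the rule, contain the account, review what the attacker touched) map onto a short PowerShell workflow against Exchange Online and Microsoft Graph. The script below is an added example, not the firm's or our tooling. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the operator holds Exchange Administrator rights and a role able to reset passwords, and that mailbox auditing is on; the mailbox address, the seven-day window and the domain names are placeholders.

```powershell
#Requires -Modules ExchangeOnlineManagement, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
# Added example, not the firm's tooling. Every address, window and domain below is a placeholder.

function Find-ForwardingRuleEvents {
    param([datetime]$Start, [datetime]$End)
    # Rules created or edited via OWA/Graph are logged as New-InboxRule / Set-InboxRule;
    # mailbox-level forwarding as Set-Mailbox. (Outlook desktop logs UpdateInboxRules,
    # whose detail sits in OperationProperties rather than Parameters; extend if needed.)
    $events = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -ResultSize 5000 `
        -Operations 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox'
    foreach ($e in $events) {
        $d = $e.AuditData | ConvertFrom-Json
        # Any of these parameters sends mail somewhere other than the owner's inbox.
        $fwd = @($d.Parameters | Where-Object {
            $_.Name -in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo',
                        'ForwardingSmtpAddress', 'ForwardingAddress'
        })
        if ($fwd.Count -gt 0) {
            [pscustomobject]@{
                When      = $d.CreationTime
                Actor     = $d.UserId     # the account that made the change
                Operation = $d.Operation
                ClientIP  = $d.ClientIP   # attacker infrastructure; reused in triage below
                Target    = ($fwd.Value -join '; ')
            }
        }
    }
}

function Contain-CompromisedMailbox {
    param([string]$Mailbox, [string[]]$InternalDomains)
    # 1. Reset the password FIRST: revoking tokens is pointless while the attacker
    #    can still sign in again with the phished password.
    $newPw = [guid]::NewGuid().ToString()   # placeholder; hand the user a real reset out of band
    Update-MgUser -UserId $Mailbox -PasswordProfile @{
        Password = $newPw; ForceChangePasswordNextSignIn = $true
    }
    # 2. Invalidate refresh tokens so cached OWA/Outlook/mobile sessions die at their
    #    next renewal (already-issued access tokens remain valid until they expire).
    Revoke-MgUserSignInSession -UserId $Mailbox | Out-Null
    # 3. Remove every inbox rule that forwards or redirects outside the tenant.
    $domainRe = '@(' + (($InternalDomains | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\b'
    foreach ($rule in Get-InboxRule -Mailbox $Mailbox) {
        $targets  = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) |
                    Where-Object { $_ }
        $external = @($targets | Where-Object { "$_" -notmatch $domainRe })
        if ($external.Count -gt 0) {
            Write-Warning "Removing rule '$($rule.Name)' -> $($external -join ', ')"
            Remove-InboxRule -Mailbox $Mailbox -Identity $rule.Identity -Confirm:$false
        }
    }
    # 4. Clear mailbox-level forwarding, which never appears in the user's own rule list.
    Set-Mailbox -Identity $Mailbox -ForwardingSmtpAddress $null -ForwardingAddress $null `
        -DeliverToMailboxAndForward $false
}

function Get-CompromiseWindowActivity {
    param([string]$Mailbox, [datetime]$Start, [datetime]$End)
    # MailItemsAccessed (which messages were read or synced) needs Purview Audit (Premium);
    # sends and deletions are in the standard audit tier.
    Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $Mailbox -ResultSize 5000 `
        -Operations 'MailItemsAccessed', 'Send', 'SendAs', 'SendOnBehalf',
                    'MoveToDeletedItems', 'SoftDelete', 'HardDelete' |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{ When = $d.CreationTime; Operation = $d.Operation
                           ClientIP = $d.ClientIP; Client = $d.ClientInfoString }
    } | Sort-Object When
}

# --- usage -------------------------------------------------------------------
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All' -NoWelcome

$victim   = 'staff.member@example-lawfirm.test'   # placeholder
$internal = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }
$since    = (Get-Date).AddDays(-7)

$hits = Find-ForwardingRuleEvents -Start $since -End (Get-Date)
$hits | Format-Table -AutoSize
if ($hits | Where-Object Actor -eq $victim) {
    Contain-CompromisedMailbox -Mailbox $victim -InternalDomains $internal
    # Compare ClientIP here with the rule-creation event's ClientIP to separate the
    # attacker's reads and sends from the staff member's own activity.
    Get-CompromiseWindowActivity -Mailbox $victim -Start $since -End (Get-Date) | Format-Table -AutoSize
}
```

Two caveats a practitioner should keep in mind: without the premium audit tier there is no MailItemsAccessed record, so "did not open client documents" can only be asserted from the weaker Send/Delete signals plus the absence of downloads; and the forwarding rule was live for the hours between creation and removal, so anything that arrived in that window needs to be reviewed separately from what the attacker did interactively.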
Deployed MFA and Conditional Access Across All Accounts
Multi-factor authentication was enforced on every Microsoft 365 account in the firm. Conditional access policies now block authentication attempts from outside trusted locations and devices.
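The two controls described above can be expressed as Conditional Access policies through Microsoft Graph. The script below is an added example, not the firm's actual policies. It assumes the Microsoft.Graph.Identity.SignIns module, Entra ID P1 licensing (required for Conditional Access), at least one named location already marked trusted, and a known emergency-access account whose object ID is a placeholder here. Both policies are created in report-only mode; flip `state` to `enabled` only after the sign-in logs confirm they would not lock out legitimate users. A device-compliance condition is deliberately omitted, since it presupposes Intune enrollment.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns
# Added example, not the firm's policies. Object IDs and names are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# Object ID(s) of emergency-access ("break-glass") accounts. Always exclude them:
# a mistaken block policy otherwise locks every administrator out of the tenant.
$BreakGlass = @('00000000-0000-0000-0000-000000000000')   # placeholder

function New-ReportOnlyPolicy {
    param([string]$Name, [hashtable]$Conditions, [string[]]$Controls)
    $body = @{
        displayName   = $Name
        # Report-only: the sign-in log records what the policy WOULD have done.
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $Conditions
        grantControls = @{ operator = 'OR'; builtInControls = $Controls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

$users = @{ includeUsers = @('All'); excludeUsers = $BreakGlass }
$apps  = @{ includeApplications = @('All') }

# Policy 1: every sign-in to every app must satisfy MFA, so a phished password
# alone no longer opens a mailbox. clientAppTypes 'all' also covers legacy protocols.
New-ReportOnlyPolicy -Name 'CA001 - Require MFA for all users' -Controls @('mfa') -Conditions @{
    users = $users; applications = $apps; clientAppTypes = @('all')
}

# Policy 2: block sign-ins from any location not flagged as trusted. 'AllTrusted'
# is empty until a named location (e.g. the office egress IPs) is marked trusted,
# at which point this policy would block everyone except the break-glass account.
New-ReportOnlyPolicy -Name 'CA002 - Block sign-in outside trusted locations' -Controls @('block') -Conditions @{
    users = $users; applications = $apps; clientAppTypes = @('all')
    locations = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
}
```

Review the report-only results for a few days before enforcing: Policy 2 in particular will flag every remote or mobile sign-in unless those egress points are also named and trusted.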
Conducted Firm-Wide Phishing Awareness Training
Within one week of the incident, all staff completed a phishing recognition session. Simulated phishing tests are now run quarterly as part of the managed services agreement.
The Outcome
- Incident contained before any client data was accessed or exfiltrated
- Attacker access revoked within 30 minutes of detection
- MFA now enforced firm-wide — a compromised password alone can no longer open any account
- Staff trained on phishing recognition; simulated tests run quarterly
- Microsoft 365 audit log monitoring active across all accounts going forward
Work With Us
Find Out Where Your Security Gaps Are Before an Attacker Does
We audit your Microsoft 365 configuration, email security, endpoint posture, and network — and tell you exactly what needs to be fixed before an incident forces the issue.