
A few months ago, we shared the story of how our 24x7 Identity Theft Detection and Response (ITDR) service saved a customer from a sophisticated phishing attack.
Seven employees fell victim to credential harvesting, but our monitoring systems detected the breach within minutes, immediately revoking sessions and preventing any damage to their Microsoft 365 environment.
Today, we're sharing a different story—one that illustrates what happens when essential security measures aren't in place. This isn't about blame or "we told you so," but about the real-world consequences that drive our security recommendations.
The Incident: How Six Hours Can Change Everything
Last week, we discovered—by lucky accident—that one of our customers had been compromised for over six hours. We only found out because we received the very phishing email that the attackers were sending from their compromised account.
Here's what happened:
Our customer had elected not to be protected by Multi-Factor Authentication (MFA). Without this most basic layer of protection, a single compromised password gave cybercriminals complete access to this customer's Microsoft 365 environment. But the attackers didn't just steal data—they were methodical and sophisticated.
First, the attackers created email rules to hide their activities, ensuring their malicious emails wouldn't be detected by the account owner. Then, they began their real objective: using the compromised account to target the customer's contacts with convincing phishing emails.

The Cascading Effect
By the time the breach was discovered, nearly 200 of our customer's contacts had received phishing emails from what appeared to be a trusted source. Worse still, the attackers had created a fake Microsoft 365 login page hosted on the customer's own SharePoint site—making it appear completely legitimate.
Some of those 200 contacts entered their credentials on this fake site, meaning the attack had already begun spreading beyond our customer to their network of contacts and potentially their customers too.
Recipients of the scam email tried to log into a SharePoint server to download a file; when they entered their email address and password as asked, nothing happened. Many of them emailed this "news" to our customer.
Due to the email rules created by the attackers, the emails sent to our customer reporting failed login attempts were immediately deleted. Our customer was oblivious to the attack happening right under their nose.
We recovered these emails to the customer's inbox to help with the remediation.
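The concealment step described above, inbox rules that delete or bury the replies contacts send back, leaves an artefact that can be audited. The Python check below is an added example, not part of the original post or the provider's tooling; it flags such rules while leaving ordinary tidy-up rules alone. It assumes rule records in the Microsoft Graph messageRule shape with moveToFolder already resolved to a folder display name. The folder list, keyword list and rule-name heuristic are assumptions, and the sample rules are constructed.

```python
# Rule dicts follow the Microsoft Graph messageRule shape. Assumption:
# actions.moveToFolder has already been resolved from folder ID to display name.
HIDING_FOLDERS = {"deleteditems", "junkemail", "rssfeeds", "conversationhistory", "archive"}  # assumed list
TIPOFF_WORDS = {"phish", "hack", "scam", "spam", "suspicious", "password", "login"}  # assumed list
TEXT_KEYS = ("subjectContains", "bodyContains", "bodyOrSubjectContains")
def concealment_reasons(rule):
    """Return why an enabled rule looks like attacker concealment ([] if it does not)."""
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    folder = (actions.get("moveToFolder") or "").replace(" ", "").lower()
    hides = bool(actions.get("delete") or actions.get("permanentDelete")
                 or folder in HIDING_FOLDERS)
    if not rule.get("isEnabled", True) or not hides:
        return []
    reasons = []
    if not any(conditions.values()):  # no filter at all: everything is hidden
        reasons.append("hides every incoming message")
    phrases = [p.lower() for k in TEXT_KEYS for p in conditions.get(k, [])]
    hits = sorted(w for w in TIPOFF_WORDS if any(w in p for p in phrases))
    if hits:  # rule is tuned to swallow the warnings contacts send back
        reasons.append("hides mail mentioning: " + ", ".join(hits))
    if len(rule.get("displayName", "").strip()) <= 2:  # assumed heuristic
        reasons.append("near-empty rule name")
    if reasons and actions.get("markAsRead"):
        reasons.append("marks hidden mail as read")
    return reasons

def audit(rules):
    flagged = {}  # rule name -> reasons, flagged rules only
    for rule in rules:
        why = concealment_reasons(rule)
        if why:
            flagged[rule.get("displayName", "")] = why
    return flagged

# Constructed sample rules (not taken from the incident).
SAMPLE_RULES = [
    {"displayName": ".", "isEnabled": True, "conditions": {}, "actions": {"delete": True}},
    {"displayName": "Sync", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["Phishing", "can't log in", "hacked"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news@example.com"]},
     "actions": {"moveToFolder": "Archive"}},
    {"displayName": "Old cleanup", "isEnabled": False, "conditions": {}, "actions": {"delete": True}},
]
if __name__ == "__main__":
    for name, why in audit(SAMPLE_RULES).items():
        print(f"{name!r}: {'; '.join(why)}")
```

A rule is reported only when it both hides mail and shows an aggravating factor, so the constructed "Newsletters" rule and the disabled rule pass without a finding.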

Once the attackers are in, their net widens, as demonstrated by the log-in locations below:

Two Stories, Two Outcomes
The contrast with our previous blog story is stark:
Customer with ITDR protection:
- 7 employees compromised
- Breach detected & nullified in minutes
- Automatic response prevented any damage
- No customer data lost
- No reputation damage
Customer without MFA or ITDR:
- Single employee compromise
- 6+ hours of undetected access
- Nearly 200 contacts targeted
- Unknown number of secondary compromises
- Significant reputational risk
Why We Make the Recommendations We Do
As a Managed Service Provider, we don't recommend security solutions to hit sales targets. We recommend them because we see, firsthand, what happens when they're not in place.
Every security measure we suggest, from MFA to ITDR services, comes from witnessing real attacks on real businesses. When we say "you need Multi-Factor Authentication or you need ITDR", it's not a sales pitch. It's because we've seen too many businesses learn this lesson the hard way.
The Real Cost of Cyber Security Incidents
The direct costs of this incident include:
- Emergency response and cleanup time
- Potential legal obligations to notify affected contacts
- Reputation damage with customers and partners
- Lost productivity during remediation
- Potential regulatory fines or compliance issues
But the indirect costs are often higher:
- Lost customer trust
- Damaged business relationships
- Internal investigation time
- Increased insurance premiums
- Long-term reputation impact
Moving Forward: Lessons for Every Business
This incident reinforces several critical points:
Human error is inevitable. With over 50% of cyberattacks resulting from human error, it's not a matter of if, but when someone in your organisation will fall victim to a phishing attempt.
Basic protections make a massive difference. Multi-Factor Authentication alone could have helped prevent this entire incident, but MFA alone isn’t enough. In addition to phishing-as-a-service, we are seeing more instances of MFA being exploited, including session hijacking and session cookie theft.
Attacks spread quickly. Modern cybercriminals don't just target your business—they use your business to target your customers, suppliers, and partners.
Detection time matters. The difference between minutes and hours can mean the difference between a contained incident and a major breach affecting hundreds of people.
Your Trusted Cyber Security Partner
Our role as your Managed Service Provider goes beyond maintaining your IT infrastructure. We're here to protect your business, your reputation, and your customers from the very real threats we encounter daily.
When we recommend security measures, it's not because we want to sell you something—it's because we've seen what happens when those measures aren't in place. Every recommendation comes from real-world experience with real consequences.
Cyber security isn't just about protecting your data—it's about protecting your ability to do business, maintain customer trust, and avoid the devastating cascade effects that modern cyber attacks can create.
Take Action Today
Don't wait for an incident to take cyber security seriously. The basic protections that could have prevented this entire situation are:
- Multi-Factor Authentication on all business accounts
- Security awareness training for all staff
- 24x7 monitoring and response capabilities
- Regular security assessments and updates
If you're not sure where your business stands, we're here to help. We developed Business Armour, a suite of cyber security solutions, to give you 360-degree security, because when it comes to cyber security, prevention is always better than recovery.
To learn more about our Business Armour cyber security services and how we can protect your business from these threats, contact our team today. Because cyber security is a 24x7 problem, we provide 24x7 solutions.