By Lewis Pack, Head of Cyber Defence
Welcome to Stories from the SOC, a new series providing monthly insights from our Cyber Defence Team at CyberOne. Each month, we’ll take you behind the scenes of our 24×7 Security Operations Centre (SOC), where we share real incidents, real decisions and real outcomes. These stories highlight how we respond, what we learn, and how we transform threat data into proactive defence — all while making cyber security clear and actionable for business leaders.
What you do in the first hour defines your security posture. The right response, at speed, is the difference between an incident and an incident headline. In this first Stories from the SOC, I want to give you a real glimpse into how we work, through the lens of a real cyber incident that unfolded at the end of last month.
What began as a few “odd” emails escalated into a full-scale coordinated response. This isn’t a dramatisation but a factual retelling of the events, showing how our SOC team responded with speed, collaboration and depth. It’s how we deliver our real-time defence — and why our clients trust us to support them 24x7x365.
Threat Timeline
It all started when Nick reached out to me. He’d noticed some unusual emails landing in his inbox. They weren’t overtly malicious, but something about them didn’t sit right.
This is a classic example of where human intuition meets expert escalation. When something feels off, our clients know they can reach us directly and get any issues promptly addressed.
By early afternoon, Darren from our Customer Success team flagged that more users were receiving these emails. Then Hannah, our Head of Delivery, discovered that multiple clients had raised concerns. A pattern was forming.
What is Suspicious Email Behaviour?
Think of it like junk mail with a hidden purpose. Warning signs include strange formatting, unexpected attachments, links that redirect through unfamiliar websites, a manufactured sense of urgency (e.g. “click now to avoid lockout”) or messages that appear to come from a trusted source but don’t.
Darren submitted a formal ticket into our system, kicking off our structured incident response process. That single action opened the doors to the full might of our SOC.
Hannah quickly escalated it to me. The behaviour wasn’t isolated and it wasn’t random. I knew we needed eyes on this fast.
I directed Darren to run the initial assessment. Within minutes, we confirmed this wasn’t spam — it had the signs of a coordinated credential phishing attempt.
What is Credential Phishing?
Credential phishing occurs when an attacker sends a seemingly innocent email trying to trick the recipient into revealing login details, usually by pretending to be Microsoft, IT or HR. These emails are often disguised as “action required” messages from trusted sources or internal systems. The goal is simple: gain access and move quietly.
An analyst and I assessed what we could see and determined that the incident was complex enough to warrant the full IR team. While some incidents can be mitigated easily when the scope is limited, this was not one of them.
At this point, a full Incident Response (IR) call was spun up. These aren’t just video chats — these are war rooms. The CyberOne CIRT (Cyber Incident Response Team) dialled in and we began assigning roles in real time:
- Who’s handling the investigation?
- Who’s on customer communications?
- Who’s managing containment?
The atmosphere was focused, but calm. This is what we train for.
What Is the IR Team?
IR stands for Incident Response. It’s our elite team of cyber specialists trained to:
- Investigate security incidents
- Contain threats
- Recover systems
- Protect evidence
- Handle stakeholder engagement
They work like a digital emergency response unit — always on, always ready.
At this stage, a full rundown of the incident is provided to all present IR team members. This ensures everyone is working from the same page, that objectives are clear and aligned with the overarching response procedure, and that workloads don’t conflict, giving the timeliest response.
Bryan, one of our Senior SOC Analysts, began removing emails from affected inboxes — both soft (recoverable) and hard deletes to neutralise the threat quickly.
The CIRT investigated the email metadata, links, sender profiles and attachment behaviour. This wasn’t spray-and-pray phishing. It was targeted and potentially linked to an attacker using reconnaissance tactics or pre-staging a larger attack.
Soft Delete vs Hard Delete – What’s the Difference?
Soft Delete:
- Removes the email from the user’s inbox
- Still stored in “Deleted Items” or “Recoverable Items”
- Can be restored if needed
Hard Delete:
- Permanently removes the email from all folders
- Cannot be accessed or restored by the user
- Used when content is confirmed to be malicious
Why Use Both?
We act decisively in potential breach scenarios. A soft delete lets us move quickly without disrupting the investigation. A hard delete ensures full removal when malicious content is confirmed, eliminating the risk of accidental clicks or data leaks from the user’s side.
What Is Email Metadata?
Behind every email is a digital trail — who sent it, where it came from, what it’s trying to do. Email metadata includes:
- Sender address and domain
- IP address used to send
- Time sent
- Device used
- Any links or attachments inside
We use this to determine intent and track attacker behaviour.
What is Reconnaissance in Cyber?
In cyber security, reconnaissance is the digital version of scouting. Before launching a full attack, threat actors often probe users or systems to:
- Test for weaknesses
- Map out email addresses or systems
- See who responds to what – this helps them fine-tune more dangerous campaigns later
Another of our SOC Analysts, Lee, initiated a broader customer impact review. Were other tenants affected? Could this be part of a wider campaign? At the same time, our analysts pulled data from Microsoft Sentinel, looking for shared indicators of compromise across client environments.
Having had time to review fully what the client was receiving, we regrouped to discuss. We identified that all the phishing emails originated from a single mail server hosted in Google Cloud Platform, using varying domains and users, each with a fully qualified domain and with DKIM, SPF and DMARC records in place. Normal phishing controls would be more lenient with such emails because of their apparent authenticity, so we needed an alternative to protect ourselves going forward.
After a short discussion, we came to a solution:
Bryan implemented tactical mail-flow blocks, stopping any further communication from the domains used by the attacker. We reviewed the domains in use and accepted the impact that blocking genuine domains would have on the client’s businesses. However, security must come first and we were not prepared to take a risk and wait for the inevitable.
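The pattern described above, one sending server rotating through many correctly configured domains across several tenants, is something an analyst can hunt for rather than wait to be told about. The following is an added example, not CyberOne’s code or part of Hyperion: it parses the Authentication-Results value of each message, keeps only mail that passed SPF, DKIM and DMARC, clusters it by originating IP, and flags any IP that delivers from several distinct From-domains to more than one tenant. The output is the candidate domain list for a tactical mail-flow block. The field names, the thresholds (three domains, two tenants) and every IP and domain in the sample are assumptions I constructed; real data would come from mail logs or Sentinel.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed sample records (not real incident data): per message, the receiving
# tenant, the connecting server's IP and the Authentication-Results header value.
# IPs are from documentation ranges; domains are invented.
def _msg(mid, tenant, ip, domain, spf="pass", dkim="pass", dmarc="pass"):
    auth = (f"mx.{tenant}.example; spf={spf} smtp.mailfrom={domain}; "
            f"dkim={dkim} header.d={domain}; dmarc={dmarc} header.from={domain}")
    return {"id": mid, "tenant": tenant, "origin_ip": ip, "auth": auth}

SAMPLE_MESSAGES = [
    _msg("m1", "client-a", "203.0.113.10", "alpha-notify.example"),
    _msg("m2", "client-a", "203.0.113.10", "beta-docs.example"),
    _msg("m3", "client-b", "203.0.113.10", "gamma-hr.example"),
    _msg("m4", "client-b", "203.0.113.10", "alpha-notify.example"),
    # Same server, but this one fails DKIM/DMARC: ordinary filters already catch it.
    _msg("m5", "client-a", "203.0.113.10", "delta-it.example", dkim="fail", dmarc="fail"),
    # A legitimate relay: one stable domain to both tenants, must not be flagged.
    _msg("m6", "client-a", "198.51.100.5", "newsletter.example"),
    _msg("m7", "client-b", "198.51.100.5", "newsletter.example"),
    _msg("m8", "client-b", "192.0.2.7", "partner-corp.example"),
]

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
FROM_RE = re.compile(r"header\.from=([A-Za-z0-9.-]+)")


def parse_auth_results(header: str) -> dict:
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results value."""
    return {m.group(1): m.group(2).lower() for m in AUTH_RE.finditer(header)}


def sender_domain(header: str) -> Optional[str]:
    """Domain claimed in the From: header, i.e. the one DMARC alignment is judged on."""
    m = FROM_RE.search(header)
    return m.group(1).lower() if m else None


def fully_authenticated(header: str) -> bool:
    """True only when all three checks passed; these are the messages normal
    phishing controls treat leniently."""
    verdicts = parse_auth_results(header)
    return all(verdicts.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))


def find_single_source_campaigns(messages, min_domains=3, min_tenants=2):
    """Group fully authenticated mail by originating IP and flag any IP that sends
    from many distinct From-domains to more than one tenant. A legitimate relay
    usually sends for one or a few stable domains; a server rotating freshly
    registered, correctly configured domains does not."""
    by_ip = defaultdict(list)
    for msg in messages:
        if fully_authenticated(msg["auth"]):
            by_ip[msg["origin_ip"]].append(msg)
    findings = {}
    for ip, msgs in by_ip.items():
        domains = {sender_domain(m["auth"]) for m in msgs}
        tenants = {m["tenant"] for m in msgs}
        if len(domains) >= min_domains and len(tenants) >= min_tenants:
            findings[ip] = {"domains": sorted(domains),
                            "tenants": sorted(tenants),
                            "messages": len(msgs)}
    return findings


def build_block_list(findings) -> list:
    """Candidate domains for a tactical mail-flow block. Review them for genuine
    senders first; blocking is a deliberate trade-off, not an automatic action."""
    return sorted({d for f in findings.values() for d in f["domains"]})


if __name__ == "__main__":
    hits = find_single_source_campaigns(SAMPLE_MESSAGES)
    for ip, info in hits.items():
        print(f"{ip}: {info['messages']} authenticated messages, "
              f"domains={info['domains']}, tenants={info['tenants']}")
    print("candidate block list:", build_block_list(hits))
```

The thresholds are where judgement lives: too low and shared relays such as newsletter providers get flagged, too high and a small campaign slips through. Clustering on the connecting IP rather than on the sender domain is the point of the example, because the domains were disposable and the server was the constant.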
In addition, Joshua reviewed Microsoft Teams configurations to ensure lateral movement couldn’t happen through chat-based channels — a newer tactic we’ve seen in recent campaigns. This was the tactic we suspected would come next.
What Are Mail Flow Controls?
Think of it like the Royal Mail sorting through your post and sending it through checks or scanners to find anything harmful. Mail flow controls allow you to define who you don’t want to receive mail from.
I alerted our client’s Senior Leadership Team with a clear, jargon-free update. Transparency is critical in these moments. We don’t just fix — we explain, advise and reassure.
At 14:35, I issued an internal comms update to all users, helping everyone understand what had happened, what had been done and what to look out for.
Why Communicate During An Incident?
Visibility reduces panic. Keeping stakeholders informed builds trust, aids prevention and ensures coordinated behaviour across the organisation.
- Staff need to know what’s happening and what not to do
- Leaders need timely updates to inform decisions
- Silence causes confusion and confusion causes risk
That’s why CyberOne always keeps stakeholders in the loop.
We confirmed that, thanks to early detection and rapid containment, only a limited number of users and organisations were affected.
Payloads were reverse-engineered. Our Incident Response Practice Lead, Dan, confirmed that the links weren’t directly malicious on-click but were designed to lure users into login portals that mimic real Microsoft ones. In other words, this was a social engineering attack.
What is Social Engineering?
This is when attackers target people, not just systems. They use manipulation, like fear, urgency or curiosity, to get users to click a link or share info. It’s not a technical hack — it’s a psychological one.
I briefed the senior leadership team again, with a recommendation to roll out preventative measures to all clients. This wasn’t just a single-tenant issue but a lesson in proactive defence.
Joshua, our Senior Cyber Security Engineer, and Dan deployed a tailored detection rule across all customer environments via Hyperion. This wasn’t just about fixing the issue for one client — this is how we protect everyone in the CyberOne ecosystem.
What is Hyperion?
Hyperion is CyberOne’s proprietary detection engine — a constantly evolving library of custom Sentinel rules, SOC playbooks and automated responses built from real-world incident intelligence.
When we detect a new tactic or technique, we don’t just fix it for one client.
We use Hyperion to roll out pre-emptive defences to every environment we manage. It is shared protection at scale — instantly. Because of this approach, what we learned in one tenant now safeguards all other clients automatically.
At the same time, an all-staff summary of the event was distributed, reinforcing our commitment to full transparency throughout the incident lifecycle. Keeping users informed doesn’t just build trust — it reinforces a shared sense of responsibility and empowers staff to participate actively in the organisation’s cyber resilience.
But communication alone isn’t enough. At CyberOne, we focus on closing the loop — ensuring every incident ends with a complete review, reflection and response plan. This means:
- Everyone knows what happened
- Everyone understands what was done
- And (where appropriate), everyone learns how we’ll prevent it next time
Because of this approach, a single localised threat became a proactive protection point for every client we support — and a powerful learning opportunity for everyone involved. That’s the CyberOne difference: every alert makes us stronger.
End-to-End: from first advisory to full environment-wide protection in under 3 hours.
With the immediate threat neutralised and all preventative measures in place, we held a final incident wash-up session — a critical part of our SOC maturity model.
This included:
- Reviewing the full timeline of detection, escalation and remediation
- Logging any gaps in controls or tooling
- Identifying opportunities to improve communication, automation and detection coverage
- Assigning follow-up actions for tuning and Hyperion rule refinement
Every incident is also an opportunity to strengthen. We treat learning as part of the containment process because resilience isn’t a fixed state; it’s a continual evolution.
What Went Well
- Speed: Rapid escalation and containment within minutes of threat detection
- Depth: Multi-analyst, multi-layered investigation with full reverse engineering
- Protection: Rule deployment across the full customer estate to prevent recurrence
- Communication: Clear, proactive updates to staff, SLT and clients throughout
- Strategic Reach: Risk is elevated and handled across all clients, not just the origin site

This wasn’t just a successful incident response but a real-world demonstration of our cyber defence. Our clients rely on us for more than alerts; they expect:
- Swift Containment
- Informed Decisions
- Real Risk Reduction
And with our SLA-backed Assure 365 service, that’s exactly what we deliver — every single day.
Ready to protect your business like this? Let’s talk!