Welcome back to Stories from the SOC, our ongoing peek behind the curtain at CyberOne’s 24×7 Security Operations Centre.
This story is a sharp reminder that not all breaches begin with a stranger in a dark alley on the web. Sometimes, the threat rides in on the back of someone you trust.
It all began with a familiar name and a trusted source — a genuine SharePoint link from a known contact. No typos, no misspelt domains, no sleight of hand. The catch? The contact’s account had been compromised and the link served as a gateway to malicious software designed to steal credentials.
And it worked.
Once the attacker had access to the user’s credentials, their global campaign began. Suspicious logins from across the US and UK triggered alarms. These weren’t clumsy brute-force attacks. The adversary employed a botnet — a decentralised network of infected machines — to obfuscate their location and behaviour.
What is a Botnet?
A botnet is a group of infected computers controlled by a hacker. These devices, often everyday laptops or servers, are used without their owners knowing. Attackers use botnets to:
- Hide where they really are
- Spread out attacks to avoid detection
- Try to log in from many places at once
In this case, the attacker used a botnet to simulate logging in from different countries, making it harder to spot the breach.
Microsoft Sentinel lit up with multiple alerts: impossible travel, unusual Office activity, financial fraud indicators and more. Eight separate alerts fused into a single incident, thanks to machine learning and Microsoft’s Fusion technology, which correlates seemingly disparate signals into actionable threats.
Among the red flags:
This wasn’t opportunistic. It was a multi-stage attack with a clear goal: persistence and escalation.
What Is Fusion?
Fusion is an AI-powered feature in Microsoft Sentinel that connects the dots between separate security alerts — even across different systems. Instead of treating alerts in isolation, Fusion looks for patterns that suggest something bigger is happening, like:
- Unusual login behaviour
- Suspicious file downloads
- Identity or cloud-based threats
In this case, Fusion helped turn a noisy set of alerts into a clear picture of a coordinated attack — faster than a human could. It’s like a digital detective working 24x7 to surface real threats from the noise.
Once inside, the attacker behaved like a seasoned infiltrator:
What caught our attention most was the sequencing: reconnaissance first, then evasion. It's a classic move by more capable actors.
One of the incident’s biggest challenges wasn’t the technology — it was communication. Despite our rapid detection and escalation, obtaining contact information for the client proved difficult. Telephone calls rang out. Emails went unanswered.
The threat didn’t wait and neither could we.
CyberOne’s automated safeguards — including Microsoft Entra’s auto-block capabilities — locked down the compromised account. Later, with still no response, we took the difficult decision: implement mitigations proactively, even if it meant disrupting business operations.
As Head of Cyber Defence, I have to make the call: disrupt the client, or leave them vulnerable. We chose protection.
This experience reinforced a key lesson: traditional communication channels can fail when you need them most. That’s why we’ve introduced a new feature — Microsoft Teams Integration.
Here’s how it helps:
This isn’t just a tech upgrade. It’s a commitment to improving coordination, shortening response times and giving our clients more ways to stay connected when it matters most.
This case raised a crucial question: how prepared is your organisation to respond to a real incident?
Sadly, the answer for many is not very. Without a proper incident response (IR) plan, one with clear roles, escalation paths and decision-making frameworks, even minor threats can escalate fast. We’ve had cases where our only available contact was “six beers deep at the pub,” potentially delaying critical actions.
Planning matters. Tabletop exercises matter. Knowing who to call and when is the difference between “contained” and “catastrophic.”
This incident reminds us that trust is the most exploitable vulnerability in the cyber world. The attacker didn’t spoof or manipulate. They used an actual SharePoint site and relied on real-world relationships.
Key Takeaways:
When the email comes from a real person in your network, your defences must focus on what happens next, not how it started.
Tools like Microsoft Entra’s automatic account lockdown and Fusion alerts are crucial when human response is delayed.
Every business needs a reliable, responsive IR plan. CyberOne can detect and alert — but clients must be contactable.
Prepare before it happens. Identify gaps in personnel, escalation chains and authority.
Don’t rely on one tool or control. Combine conditional access, endpoint protection, immutable backups and cloud app governance.
It’s easy to underestimate how quickly things could have spiralled — had we not acted immediately. Had CyberOne not automatically locked down the compromised account, the attacker would have had time to build footholds inside the environment quietly. That means:
This is why speed matters. Automation, when done right, isn’t about replacing people. It’s about buying them time. And in cyber defence, time is everything.
Whether it’s a link from your best client or an invoice from a familiar name, attackers know the easiest way in is through someone you already trust.
Our job, and yours, is to make that journey harder at every step.
Cyber resilience doesn’t start with technology. It starts with assumptions. Assume compromise. Assume deception. And build your defence accordingly.
Until next time. Stay sharp. Stay suspicious and stay resilient.