At Solis, we provide 24/7 monitoring to detect and respond to threats before they cause damage.
The incident
It was 6pm on a Thursday evening. An email had just arrived in an employee’s inbox with the subject line ‘Owen shared a file with you’. The email included a link to a shared file whose name referenced a recent project.
For a moment, the employee hesitated. They hadn’t been expecting any files, but, then again, it wasn’t unusual for files to be shared in similar ways, and the email address was definitely correct.
Should they call the sender to confirm the email was authentic, or send it to IT for a quick once-over? But it was getting late, and the employee was hurrying to clear their desk ahead of annual leave the next day. They took a final glance at the email, moved their cursor over it, and clicked the link to the shared file.
What the employee didn’t realise was that the sender’s account had been compromised by a threat actor a few days earlier, which is why the email had come from the correct address. Having clicked that link, they were just a couple of steps away from having their own account compromised too, something that would ultimately cost their employer thousands of pounds.
The response
A few days after the breach, Solis was contacted by the affected company, our client, to carry out an investigation into the compromise. Our analysis identified that the shared document was hosted on a genuine Microsoft SharePoint site, and that the document contained a second link which, when clicked, opened what appeared to be a Microsoft login page. Unbeknownst to the targeted employee, this page was served by an ‘adversary-in-the-middle’ (AiTM) proxy, designed to mimic the Microsoft login process while relaying the credentials and MFA response the employee entered to the genuine Microsoft service, and to capture the session token Microsoft issued once that login succeeded.
Our client was shocked by what we had found. All of its users had multi-factor authentication (MFA) enabled for Microsoft 365, and the client had assumed this would provide sufficient protection. It did not. In an AiTM attack the victim completes the MFA challenge themselves, on the attacker’s behalf, and the attacker then replays the captured session token; the second factor is never asked for again. Attacks like this one have become increasingly common and have made conventional MFA (one-time codes, SMS and push approvals) a lot less effective at safeguarding accounts. Only phishing-resistant methods such as FIDO2 security keys, which bind the login to the genuine site’s origin, stop the proxy from completing the sign-in.
The solution
Our client wanted to know how this could have been stopped. This is where proactive monitoring of the environment becomes crucial for detecting such compromises early and limiting the damage.
While the threat actor appeared to have accessed the account stealthily, there were in fact a number of indicators in the log files that revealed the account had been compromised.
Firstly, the sign-in logs for the employee’s account showed successful sign-ins from IP addresses outside the UK. The logs also revealed unusual mailbox rules, created by the threat actor to hide incoming emails from the legitimate user. And then there were suspicious consent grants to third-party applications, which the threat actor had used to access the account; such grants survive a password reset unless they are explicitly revoked.
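To show what hunting for those three indicators looks like in practice, here is an added example of the detection logic run over exported logs. It is not code from the original post or from Solis: the records are constructed sample data whose shape is modelled on the Microsoft Graph signIn resource and on Unified Audit Log AuditData JSON, and the home country, users, IP addresses, folder list and the “throwaway rule name” heuristic are all assumptions made for illustration.

```python
"""Triage exported Microsoft 365 logs for the three indicators described above.

Added example (not from the original post). All records below are constructed;
field names follow the Graph signIn and Unified Audit Log shapes, but users,
IPs, timestamps and thresholds are assumptions for illustration only.
"""
from collections import defaultdict

HOME_COUNTRIES = {"GB"}  # assumption: the tenant's users normally sign in from the UK

# Folders attackers commonly route mail into so the mailbox owner never sees it
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "deleted items",
                  "junk email", "conversation history"}

# Constructed Entra ID sign-in records (trimmed Graph signIn shape)
SIGNIN_LOGS = [
    {"createdDateTime": "2024-03-14T18:05:11Z", "userPrincipalName": "alice@example.co.uk",
     "ipAddress": "203.0.113.50", "location": {"countryOrRegion": "GB"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-03-14T18:07:42Z", "userPrincipalName": "alice@example.co.uk",
     "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "NG"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-03-14T18:08:03Z", "userPrincipalName": "bob@example.co.uk",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 50126}},  # failed sign-in (bad password): noise, not a hit
]

# Constructed Unified Audit Log records (AuditData already parsed from JSON)
AUDIT_LOGS = [
    {"CreationTime": "2024-03-14T18:09:30", "UserId": "alice@example.co.uk",
     "Workload": "Exchange", "Operation": "New-InboxRule", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;password"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2024-03-14T18:12:05", "UserId": "alice@example.co.uk",
     "Workload": "AzureActiveDirectory", "Operation": "Consent to application.",
     "ClientIP": "198.51.100.23", "ObjectId": "Mail Sync Helper"},  # hypothetical app name
    {"CreationTime": "2024-03-14T09:30:00", "UserId": "carol@example.co.uk",
     "Workload": "Exchange", "Operation": "New-InboxRule", "ClientIP": "203.0.113.51",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},  # benign rule
]


def foreign_successful_signins(signins, home=HOME_COUNTRIES):
    """Successful sign-ins from outside the home countries. Failed attempts are
    excluded: they indicate password guessing, not a working session."""
    return [s for s in signins
            if s["status"]["errorCode"] == 0
            and s.get("location", {}).get("countryOrRegion") not in home]


def _params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def suspicious_inbox_rules(audit):
    """Inbox rules that hide mail: delete it, move it to a rarely-viewed folder,
    mark it read, or carry a throwaway name. Returns (record, reasons) pairs."""
    hits = []
    for r in audit:
        if r["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = _params(r)
        reasons = []
        if p.get("DeleteMessage") == "True":
            reasons.append("deletes matching mail")
        if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
            reasons.append("moves mail to " + p["MoveToFolder"])
        if p.get("MarkAsRead") == "True":
            reasons.append("marks mail as read")
        if len(p.get("Name", "").strip()) <= 2:  # assumed heuristic: '.' or '..' names
            reasons.append("near-empty rule name")
        if reasons:
            hits.append((r, reasons))
    return hits


def consent_grants(audit):
    """User consent to a third-party application: an OAuth grant the attacker can
    keep using to read the mailbox even after the password is reset."""
    return [r for r in audit if r["Operation"] == "Consent to application."]


def triage(signins, audit):
    """Group the indicators per user and note when a rule or consent came from the
    same IP as a foreign sign-in, so corroborated users rise to the top."""
    findings = defaultdict(list)
    foreign_ips = set()
    for s in foreign_successful_signins(signins):
        foreign_ips.add(s["ipAddress"])
        findings[s["userPrincipalName"]].append(
            ("foreign_signin", s["ipAddress"], s["location"]["countryOrRegion"]))
    for r, reasons in suspicious_inbox_rules(audit):
        findings[r["UserId"]].append(("inbox_rule", r["ClientIP"], "; ".join(reasons)))
    for r in consent_grants(audit):
        findings[r["UserId"]].append(("consent_grant", r["ClientIP"], r.get("ObjectId", "")))
    for items in findings.values():
        if any(kind != "foreign_signin" and ip in foreign_ips for kind, ip, _ in items):
            items.append(("correlated", "", "audit activity from a foreign sign-in IP"))
    return dict(findings)


if __name__ == "__main__":
    for user, items in triage(SIGNIN_LOGS, AUDIT_LOGS).items():
        print(user)
        for kind, ip, detail in items:
            print(f"  {kind:15} {ip:16} {detail}")
```

Run against the sample data, only alice is reported, with all three indicators plus the correlation note, while bob’s failed sign-in and carol’s ordinary newsletter rule are left alone. For real data, the sign-in records can be exported with Get-MgAuditLogSignIn from the Microsoft Graph PowerShell module and the audit records with Search-UnifiedAuditLog from Exchange Online PowerShell, whose AuditData column is a JSON string to be parsed before it is fed to these functions; the home-country set and the folder list should be tuned to the tenant.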
Of course, reviewing logs for an entire Microsoft 365 tenant is challenging, especially for organisations with large numbers of users. In this case, the client’s IT team simply lacked the capacity to undertake such comprehensive monitoring. This is where specialised tools that continuously collect the logs, apply tested detection logic and raise alerts to a dedicated cyber security team become immensely powerful.
At Solis, we offer our clients 24/7 protection by deploying robust monitoring tools that use powerful algorithms to identify anomalies. These are then flagged to our experienced cyber security professionals for review. This service not only alerts our clients to unusual activity but also triggers immediate preventative action to lock accounts suspected of having been compromised by threat actors.
Want to know more about how proactive monitoring could make your organisation more secure? For more information contact us at enquiries.uk@solissecurity.com