When Michael received an urgent email from his boss at 9pm on Thursday, he knew he needed to respond immediately. There was a mistake in the end-of-quarter report which had to be fixed. He logged in to what he thought was the company SharePoint site, but the link to the report seemed to be broken. Frustrated, he simply replied to his boss and asked him to re-send it.
He did not know, of course, that his credentials (including his multi-factor authentication token) had been intercepted by a threat actor and immediately used to log in to one of the corporate applications. It took the threat actor just 20 minutes to obtain initial execution, move to the company's domain controller, and gain full domain access. Another 4 hours were spent exfiltrating business-critical data and wiping all cloud backups. After midnight, the endpoint protection software was disabled, and a customised ransomware payload was rolled out to all cloud servers.
The security team received notifications only at the very final stage of the attack, and spent the next week negotiating the ransom, blaming security vendors and running pointless searches in their SIEM.
Join our live webinar on 9th of December, where we will demonstrate how sophisticated threat actors evade defenses, and discuss what businesses can do when their prevention tools fail.