How Avanan’s Advanced Monitoring Stopped a Compromised Mailbox from Being Used Maliciously

15 October 2024 by James Pinnegar
We're really excited to share a feature of one of our security solutions (one we had almost forgotten about) that wowed us and saved our customer heartache.

What happened

Last week, one of our customers faced a serious security threat when a mailbox was compromised due to a credential-harvesting phishing attack. This particular attack was sophisticated and difficult to detect for several reasons. The phishing email slipped past our partner Avanan’s Anti-Phishing solution primarily because it originated from an external business contact the recipient had been legitimately communicating with for some time. The high trust score built from their ongoing relationship allowed the email to pass undetected.

Unfortunately, the external contact's account had been compromised, and amidst their normal email exchange, the threat actor sent a phishing email from the compromised account. The email contained an attachment disguised as a legitimate document. In fact, it was a credential-harvesting website designed to steal login details.

These kinds of attacks are all too common. We always advise our customers to adopt a layered security approach that uses multiple lines of defense, including strong multifactor authentication (MFA), but it only takes one human mistake to compromise even the best security systems. In this case, the recipient was tricked into opening the attachment and entering their credentials, and unfortunately also accepted an unexpected MFA prompt shortly after.

Once the threat actor gained access to the mailbox and the broader MS365 account, this could have easily escalated into a major incident, with potentially devastating financial and reputational consequences for our customer. Under normal circumstances, this is where the damage would begin, but in this instance, Avanan had a final line of defense that saved the day.

Avanan’s Secret Weapon: Anomaly Detection

Avanan’s protection doesn’t stop with filtering emails—it goes a step further with its Anomaly Detection engine. This powerful feature monitors user activity and behaviors, automatically identifying any actions that appear unusual based on the organization’s and user’s historical patterns. When something seems off, such as unexpected email rules being set or abnormal login locations, Avanan quickly flags it for review.

In this case, after the threat actor gained access to the mailbox, they created a rule to divert emails into a rarely used "RSS Feeds" folder—a tactic designed to keep their activities under the radar. Avanan’s Anomaly Detection engine spotted this unusual behavior, immediately raising the alarm for our team.
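The kind of check described above can be sketched as a rule-based scan over mailbox audit records. This is an added example, not Avanan's engine or code from this post: the record shape, field names and sample lines are constructed assumptions, and only the "RSS Feeds" folder comes from the incident.

```python
import json

# Constructed sample audit records (not real data). Field names are an assumed,
# simplified shape; map them onto your own mailbox audit export.
SAMPLE_LOG = """\
{"time": "2024-01-08T09:14:02Z", "user": "alice@example.com", "operation": "New-InboxRule", "params": {"Name": "Invoices", "From": "billing@example.net", "MoveToFolder": "Finance"}}
{"time": "2024-01-08T11:41:37Z", "user": "bob@example.com", "operation": "New-InboxRule", "params": {"Name": ".", "MoveToFolder": "RSS Feeds", "MarkAsRead": "True"}}
{"time": "2024-01-08T11:50:10Z", "user": "bob@example.com", "operation": "MailItemsAccessed", "params": {}}
{"time": "2024-01-08T12:03:55Z", "user": "carol@example.com", "operation": "Set-InboxRule", "params": {"Name": "News", "From": "news@example.org", "MoveToFolder": "rss feeds"}}
not-json debris line
"""

RULE_OPERATIONS = {"new-inboxrule", "set-inboxrule"}
LOW_VISIBILITY_FOLDERS = {"rss feeds"}  # the folder from this incident; extend per tenant
CONDITION_PARAMS = {"From", "SubjectContainsWords", "BodyContainsWords"}


def assess_rule(params):
    """Return (severity, reasons) for one rule's parameters, or None if benign."""
    folder = str(params.get("MoveToFolder", "")).replace("\\", "/")
    leaf = folder.rsplit("/", 1)[-1].strip().lower()  # tolerate path-style values
    if leaf not in LOW_VISIBILITY_FOLDERS:
        return None
    reasons = [f"moves mail to rarely used folder '{leaf}'"]
    if str(params.get("MarkAsRead", "")).lower() == "true":
        reasons.append("marks diverted mail as read")
    if not CONDITION_PARAMS & params.keys():
        reasons.append("no sender or content condition, so it applies to all mail")
    return ("high" if len(reasons) > 1 else "medium"), reasons


def find_suspicious_rules(log_text):
    """Scan JSON-lines audit text and return one alert per suspicious rule change."""
    alerts = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        if str(rec.get("operation", "")).lower() not in RULE_OPERATIONS:
            continue
        verdict = assess_rule(rec.get("params") or {})
        if verdict:
            severity, reasons = verdict
            alerts.append({"time": rec.get("time"), "user": rec.get("user"),
                           "severity": severity, "reasons": reasons})
    return alerts
```

A fixed rule like this only covers the one pattern seen here; a behavioral engine of the kind the post describes also weighs each user's and organization's history.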

Immediate Response and Remediation

As soon as the alert was triggered, we swiftly blocked all access to the compromised mailbox and initiated our investigation and remediation process. Thanks to Avanan’s timely alert, we were able to prevent the attacker from using the mailbox for any malicious actions and helped the customer securely regain control of their account.

Why This Matters for Your Business

This incident highlights the importance of not only having strong perimeter defenses like email filtering but also the necessity of continuous mailbox monitoring for suspicious behavior. Even when sophisticated phishing emails make it through, Avanan’s advanced monitoring and automated alerts can act as a critical safety net, stopping threat actors before they can cause serious harm.

If you're already using our email security solutions, this is a reminder of the value they bring beyond basic email filtering. And if you're not, now is the time to consider enhancing your email security with a solution that doesn't just react to threats but actively prevents them from escalating.

We're so impressed by this feature we're going to be reaching out to all our customers to encourage them to implement Avanan ASAP. Why not skip the queue and contact us today to learn more about how Avanan can provide this extra layer of defense for your organization?