Cyber Security Case Studies

Office 365 Business Email Compromise Investigation Leads to Stronger Security

/en/our-team/devon-ackermanDevon Ackerman

Devon Ackerman

Client problem

A supervisor at a financial services company received an email request from a business associate. Despite recognizing the request was somewhat out of character, she clicked on a link in the email. Four days later, she discovered her computer was sending out a vast number of emails. Worse yet, the supervisor routinely works with sensitive personally identifying and financial information, and often communicates this information to other financial institutions.

In the meantime, the employee’s manager received a call from one of the company’s major clients saying they had received a strange email from this employee and it could be malicious. The manager immediately called her company’s data security hotline. After some initial investigation, the company’s external counsel was contacted to assist with a possible business email account compromise.

How Kroll resolved the problem
  • Upon being engaged by the client’s counsel, a Kroll forensics specialist immediately began analyzing the supervisor’s account remotely. 
  • Kroll confirmed the account had suffered unauthorized access for approximately four days, and that the attacker had relocated emails of interest to a benign subfolder of the supervisor’s email account – the “RSS feeds” folder. 
  • Kroll then reviewed the actions of the attacker to identify search terms that included W2, invoice, ACH, wire transfer, and payment, which allowed Kroll to understand a likely motivation of the unauthorized actor(s).

Delivering results
  • Kroll remediated the immediate threat and worked with the client to restore the supervisor’s account to a clean state.
  • When the cyber insurance provider who covered this event subsequently notified the manager of an increase in premiums and deductible, the manager launched an intensive employee awareness and training program and sought Kroll’s help to strengthen their systems.
  • They asked Kroll to test the program’s effectiveness by conducting a controlled phishing campaign.
  • The client was able to negotiate a new policy for more coverage at less cost.  

Don’t wait until a crisis. Kroll can help you better safeguard your data and strengthen your O365 environment today. Learn more here.

 

 

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Service Link

Incident Response and Litigation Support

Kroll’s elite security leaders deliver rapid responses for over 3,000 incidents per year and have the resources and expertise to support the entire incident lifecycle.

Service Link

Office 365 Security, Forensics and Incident Response

Digital forensic experts investigate hundreds of Office 365 incidents per year and help strengthen your security.

Service Link

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Service Link

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.

Service Link

Kroll is headquartered in New York with offices around the world.

55 East 52nd Street 17 Fl
New York NY 10055
+1 212 593 1000
Sign up to receive periodic news, reports, and invitations from Kroll. Our privacy policy describes how your data will be processed.

More About Kroll

More About Kroll
© 2024 Kroll, LLC. All rights reserved. Kroll is not affiliated with Kroll Bond Rating Agency, Kroll OnTrack Inc. or their affiliated businesses. Read more.
Return to top