I was approached by the Head of IT for a 70-something-person company via LinkedIn, wanting an independent review of their environment. I thought sure, let's talk to go over the details. This guy's company had an IT infrastructure of the future; the most well-prepared lead I had ever dealt with! Everyone in the company worked from home, connecting through a remote desktop, MFA was turned on for everyone, and they were all managed by Azure Active Directory (AD). On top of all that, they already had tools* to monitor their environment. This was going to be the quickest and easiest review I had ever done! 😁
Once they gave us an instance of their remote desktop, I logged into their Azure portal, checking sign-in logs via Azure Active Directory. Holy cow, the Head of IT's account was under attack every 17 seconds!!! A brute-force attack was swiftly underway from Indonesia, now attempting a breach on all of the company's users.
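What that sign-in log review looks like when automated, as an added example that is not part of the original post: the script below runs two checks over constructed sample records laid out like an Azure AD sign-in log export (field names `createdDateTime`, `userPrincipalName`, `ipAddress`, `location.countryOrRegion`, `status.errorCode` are assumed), flagging an account whose failures arrive at machine speed and a source that starts failing against several accounts.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def _rec(when, upn, ip, country, code):
    # One record in the field layout assumed for an Azure AD sign-in log export
    # (errorCode 0 = success, 50126 = wrong username or password).
    return {"createdDateTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"), "userPrincipalName": upn,
            "ipAddress": ip, "location": {"countryOrRegion": country}, "status": {"errorCode": code}}

def build_sample():
    """Constructed sample: 12 failures 17 s apart against the IT head, the same source then trying two more users, one benign success, one benign typo."""
    base = datetime(2021, 3, 1, 8, 0, 0)
    recs = [_rec(base + timedelta(seconds=17 * i), "it.head@example.com", "203.0.113.5", "ID", 50126)
            for i in range(12)]
    for i, upn in enumerate(["alice@example.com", "bob@example.com"]):
        recs.append(_rec(base + timedelta(minutes=5, seconds=17 * i), upn, "203.0.113.5", "ID", 50126))
    recs.append(_rec(base + timedelta(minutes=1), "alice@example.com", "198.51.100.7", "US", 0))
    recs.append(_rec(base + timedelta(minutes=2), "carol@example.com", "198.51.100.9", "US", 50126))
    return recs

def find_brute_force(records, min_failures=5, max_median_gap_s=60):
    """Flag users whose failed sign-ins are numerous and tightly spaced: a median gap of seconds is guessing, not a typo."""
    failures = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] != 0:
            failures[r["userPrincipalName"]].append(r)
    hits = {}
    for upn, recs in failures.items():
        if len(recs) < min_failures:
            continue
        times = sorted(datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ") for r in recs)
        gap = median((b - a).total_seconds() for a, b in zip(times, times[1:]))
        if gap <= max_median_gap_s:
            hits[upn] = {"failures": len(recs), "median_gap_s": gap,
                         "sources": sorted({(r["ipAddress"], r["location"]["countryOrRegion"]) for r in recs})}
    return hits

def find_spray_sources(records, min_users=2):
    """Flag (ip, country) pairs that failed against several accounts: the attack widening from one user to the tenant."""
    users = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] != 0:
            users[(r["ipAddress"], r["location"]["countryOrRegion"])].add(r["userPrincipalName"])
    return {src: sorted(u) for src, u in users.items() if len(u) >= min_users}

if __name__ == "__main__":
    print(find_brute_force(build_sample()), find_spray_sources(build_sample()))
```

Either hit is a reason to block the source at Conditional Access and confirm MFA is actually enforced for the targeted accounts, not merely enabled.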
The CEO of a 45-person company approached us after one of their employees' email credentials had been breached. The hijacked account was sending hundreds of spam emails to everyone in the company's contact list: employees, partners, and their customers! Within the hour, the Office Manager was getting calls, to which they responded with their new script, "Are you calling because of some emails this morning?" Not a script you want to be using when talking to your customers...
So we got on the phone with their CEO and their Director of IT. "We had Multi-Factor Authentication (MFA) set up, so how could this have happened?" they said. My initial thought was that this sounded weird. If MFA was on and someone breached the account having both the credentials and access to the cell phone, we'd be dealing with a serious intruder. So I asked,