What happened
In November of 2024, the owner of a large, Brampton-based company in the retail sector received an email with a link to a Microsoft login page. After clicking the link, he was prompted to enter his email address, password, and Multi-Factor Authentication (MFA) code.
MFA is a cybersecurity measure that sends a time-limited code to a verified device and asks users to use that code in combination with their password when logging in. It is designed to make it more difficult for bad actors to access your account–in theory a bad actor can find out your password, but how can they get the MFA code from the phone you’re holding in your hand?
Shortly after the Company Owner successfully logged in, the Tech Team at BSC Solutions Group received a cybersecurity alert.
What really happened
The Company Owner had been phished.
Phishing is a type of email-based cyberattack where bad actors attempt to trick users into revealing sensitive information–like passwords or credit card credentials.
When the Company Owner opened the link in the email, he thought he was going to a legitimate Microsoft page–the page looked nearly identical to ones he had seen before. But it was a fake login page that the bad actors had created to trick users.
When he entered his login credentials and MFA code into the fake login page, the information was sent directly to the bad actors who were (quickly) able to login with the stolen credentials.
What happened next
As soon as the bad actor logged in, an alert went out to the Tech Team at BSC. In addition to MFA, the Company Owner’s account is protected by threat monitoring software that watches accounts for suspicious activity.
When the bad actors logged in, BSC’s threat monitoring agent immediately recognized it as suspicious and flagged the account. Within minutes, the BSC Tech Team reset the account to lock out the bad actors. The Tech Team verified in the audit logs that no sensitive data had been accessed. They called a verified phone number to verbally confirm the situation with the Company Owner and walk him through re-setting his account credentials.
In the end, the bad actor’s phishing attack was able to get around the Company Owner’s password and MFA. But the additional layers of protection did their job and kept the bad actors from accessing anything valuable.
Key takeaways
- Sophisticated attacks: When you see an example of a phishing attack isolated in a case study like this, it seems obvious that the email was a fake. But the bad actors use increasingly sophisticated tools to create messages that are designed to not be noticed when seen in the wild.
- Layers of protection: MFA is a great tool for keeping accounts safe and should be considered a baseline security measure. But it is not foolproof–nothing is. In this case, as with many others, it took multiple layers of defense to trip up the bad actors. When it comes to cybersecurity, the name of the game is reducing risk.
- Educate Employees: Phishing attacks are designed to trick users. Regular training to help employees recognize phishing attempts can significantly reduce the risk of phishing attacks.
- Everyone is a potential target: Company owners often have access to the entire company network. They are also often the first name that comes up when someone researches the company. This makes them an easy and high-value target for phishing attacks. When we talk about “staff cybersecurity training”, it’s easy to imagine that it only applies to employees and not owners. But anyone with access to the company’s network is a target and should know what threats are out there.
