Investigations

What we found, when nobody else looked.

Anonymized writeups from real engagements. Every detail that could identify a customer has been stripped — but the patterns, the failure modes, and the fixes are exactly what landed.

Anonymization policy: no vertical, no geography, no employee names, no exact timestamps, no organization names.

706 attacks. Five months. Two mailboxes.

A Microsoft 365 BEC campaign ran for 5 months and launched 706 attacks against two finance mailboxes. The inbox rule that exposed it, the SIEM blind spot that hid it.

706: Coordinated attacks against two mailboxes over 5+ months

Eighteen seconds between two continents.

How a Microsoft 365 Conditional Access geo block silently fails when the attacker brings their own session cookie, and the policy change that closes the gap.

18 seconds: Between two sign-ins on the same account from two continents

Five inbox-rule patterns we see every week.

Five Microsoft 365 inbox-rule patterns that signal BEC persistence and survive every password reset, with the 30-second mailbox audit that surfaces each one.

5 patterns: Each one is a BEC-compromise tell

The ghost admin: seven roles, zero MFA.

A forgotten .onmicrosoft.com account became the highest-blast-radius credential in a Microsoft 365 tenant nobody watched, holding seven roles and zero MFA.

7 roles: Held by one account with zero MFA factors registered

One year of dwell. 91 alerts. Nobody looked.

How a default SIEM connector hid a Microsoft 365 AiTM compromise for twelve months, and the one configuration change that surfaced every victim in the tenant.

12 months: Median dwell time when nobody is reading the CA-policy logs