Accessincidents

Work

Incident Reports

Dec 2025·T1204.002 · ExecutionHIGH

Malware — Trojan Dropper Masquerading as PDF Utility

Defender quarantined a signed dropper disguised as a PDF utility updater. VirusTotal: 30/72 engines. Cert signer: RED ROOT LTD. Traced execution chain, hunted the hash estate-wide, and confirmed no C2 callback.

MalwareEndpointDefender
Outcome
Quarantined
No C2 observed
Full remediation confirmed
Open report
Filter:
Dec 2025MED
T1566.002 · Initial Access

Phishing — LOTS Platform Abuse with KYC Lure

Threat actor abused a legitimate SaaS document platform to send spearphishing emails to two named employees. LOTS pattern — sender domain passes reputation checks. RF Score 15 on attacker IP.

PhishingLOTSSpearphishingEmail
Both emails deleted · Zero clicks · No compromise
Open report
Oct 2025MED
T1098.001 · Persistence

OAuth Consent — Persistent Mailbox Access Granted

User granted Mail.Read + Offline_access to a third-party AI app. Offline_access creates a persistent, MFA-bypassing refresh token. Consent IP confirmed as legitimate user action, not consent phishing.

OAuthIdentityEntraM365
Access revoked · Policy review initiated
Open report
Feb 2026MED
T1553.002 · Defense Evasion

C2 Incident — Revoked AnyDesk Certificate (17 Endpoints)

Isolated Defender alerts occurring at different times of day prompted a targeted hunt, uncovering 17 total endpoints executing AnyDesk v7.0.0. The binary was signed with a compromised certificate from AnyDesk's Jan 2024 incident. No external connections established.

C2EndpointCertificateDefender
Processes blocked · Network-wide scan complete · Advisory issued · No compromise
Open report
Dec 2025MED
T1078.004 · Initial Access

Identity — 7-Property Anomaly (No Device ID)

Service account sign-in with zero baseline history, no Device ID, and all 7 unfamiliar sign-in properties simultaneously. No self-remediation event. Escalated as caution — account disabled.

IdentityEntraService Account
Account disabled · Precautionary containment
Open report
Dec 2025MED
T1562.001 · Defense Evasion

Mobile — Rooted Android Device on Corporate MDM

Defender MTD detected a rooted corporate-enrolled Android device via Play Integrity API. Device removed from corporate network within 32 minutes. Root cause (intentional vs malware-induced) flagged for follow-up.

MDMAndroidIntuneMobile
Device removed · 32m response · Factory reset recommended
Open report
Dec 2025MED
T1566.002 · Initial Access

Scareware — Azure-Hosted Tech Support Scam

DFO365 quarantined an email containing an Azure Blob Storage-hosted scam page. Sandbox confirmed browser-locking JavaScript, fake Windows security alerts, and a fraudulent UK support number.

MalwareEmailAzureScareware
Quarantined at delivery · Zero user interactions
Open report
Dec 2025MED
T1566.002 · Initial Access

Simulation — Full Phishing Triage Prior to Disclosure

User-reported email with credential-harvesting URL on .tz ccTLD (sandbox confirmed). Full triage completed before client confirmed it was an authorised awareness campaign. Correct approach validated.

PhishingEmailM365Simulation
Email deleted · URL blocked · Campaign whitelisted
Open report
Nov 2025MED
T1110.001 · Credential Access

Identity — Foreign IPv6 Sign-In Blocked (Pakistan)

Sign-in attempt from Pakistan IPv6 blocked by Conditional Access (Invalid Password). Partial prior Pakistani baseline complicated analysis — independent AADUserRiskEventsTable flag drove escalation.

IdentityEntraConditional Access
Account disabled · Two-layer block confirmed
Open report
Dec 2025MED
T1078.004 · Initial Access

Identity — Egypt VPN Sign-In (SLA Gap documented)

Egyptian IP (TE Data / AS8452 — VPN exit) against a 100% London baseline. Probable VPN, but escalated as caution. Six-day client response delay is the primary operational finding.

IdentityEntraVPNConditional Access
Session revoked · Password reset · SLA gap documented
Open report
10 incidents · 1 high severityAll cases anonymised · Real investigations