Charity utilises MFA following a cybersecurity breach: Case study  

Our helpdesk received a call from a user who was working for one of our charity clients, when they unwittingly became the victim of a cybersecurity breach while at work. Malicious emails were being sent out in bulk automatically from the user’s email account to all known contacts in their work mailbox. Following a quick investigation, it was determined the user had clicked on a link in a phishing email and typed in their credentials to a webpage which had allowed the attackers to access the user’s cloud email account. 

On learning of the breach, our cybersecurity response team immediately stopped the emails being sent and reset the user’s password. In less than 10 minutes of logging the call, the account was locked down to prevent further damage. Our Team then connected to the cloud email tenant and ran a few global checks to diagnose how the breach had begun and who had been sent the malicious email. These checks included. 

  • Inbox rule checks (to see if rules had been created to process replies to the outgoing message) 
  • External forwarding checks (to ensure emails weren’t being forwarded to the malicious actor) 
  • Message trace reports 

After a thorough investigation, our team found that the malicious email had also been sent internally. We ran an “eDiscovery” function which went through all users’ inboxes and deleted this email from their accounts. Our team then contacted our primary contact at the Charity and the user in question and sent across a full report to let them know what had happened and why. We were then able to allow the user safely back into their account. From logging the call to completion of the senior consultant’s investigation and the user’s account being cleared and available for use , took just 3 and a half hours.    

This particular breach was via cloud access and single factor authentication, which means all that was required to access the user’s email was a username or password. If Multi-factor authentication (MFA) had been enabled for the users, this breach would have been prevented. MFA introduces a second component, often a PIN code that can only be generated by a mobile phone or an access token, meaning that for a malicious user to gain access to a system, they would need to steal not only your password information but also your mobile device – making it significantly harder for access.  The next step was of course, to roll out MFA for the charity to prevent future breaches of the same nature. 

ramsac Multi factor authentication blog

Protect your business with MFA

Passwords alone are no longer sufficient to protect an organisation from cybercrime. Find out how Multi-factor authentication can protect your organisation.

Quiz yourself

Are you more cyber savvy than an 11 year old?

11-14 year olds get asked these questions in school. Could you get these right?

ramsac team members 20211019 219797 RT.min