Our Teachable Moment: The Day We Got Caught in a Phishing Attack

No organization wants to admit it happened to them—but transparency, growth, and resilience begin with humility. At Alliance Cyber, we recently faced a sophisticated phishing attack that exercised every layer of our defenses. While we’re proud of how our team responded, this incident also reminded us that even seasoned cybersecurity professionals aren’t immune to the evolving tactics of cybercriminals.

We’re sharing this experience not only to strengthen our own community, but to offer a valuable lesson for others—especially our clients, peers, and federal partners navigating similar threats.

How It All Started: The Hook

It began the way many phishing campaigns do: with a seemingly routine email. The subject line was ordinary. The sender was a trusted contact. And the attachment was a cloud-hosted document labeled something like RFI.pdf, harmless on the surface.

But that PDF was anything but safe. It carried a link that redirected to a convincing fake OneDrive login page, styled to suggest that the reader had to sign in to a shared document library before the file would open. One of our team members, not realizing the page was attacker-controlled, entered their credentials. And just like that, the door was open.

To make matters worse, Multi-factor Authentication (MFA) did not stop what followed. The attackers also abused the "Direct Send" feature of Microsoft Exchange Online, which accepts unauthenticated SMTP mail addressed to recipients in the tenant and lets it appear to come from an internal address; mail sent that way needs no login at all, so MFA never enters the picture. It is a stark reminder that traditional MFA isn't always enough on its own.

The Attack Unfolds: Subtle, Smart, and Silent

Once inside, the attackers moved fast. Their scripts opened the compromised user's mailbox and made a subtle change to the email signature, altering a single digit in the phone number so that callers trying to verify a request would be redirected. They also created hidden inbox rules that silently moved incoming replies out of sight, so the victim never saw the conversations taking place in their name.

What made this attack especially dangerous was its authenticity. The malicious emails came from a known account, and because they were sent from a genuinely compromised mailbox rather than a spoofed one, they passed SPF and DKIM checks. They carried real-looking documents, in one case a genuine IRS Form 1040, to build trust. The attacker's tactics lined up almost perfectly with those outlined in CISA's Phishing Guidance: urgency, tampered email signatures, and hijacked trust.

The threat actor worked through Outlook Web Access (OWA), so nothing looked unusual in the desktop client. Automated replies and follow-up phishing messages went out to contacts harvested from the mailbox, amplifying the impact.

The Turning Point: Human Vigilance

Our breakthrough came not from a detection system—but from a sharp-eyed team member who noticed something just didn’t feel right. A tiny discrepancy in an email signature raised a red flag.

That small detail set off a chain reaction.

  • We immediately disabled the compromised account.
  • Passwords across the organization were reset.
  • Mailbox rules and login activity were reviewed.
  • External contacts who may have received spoofed messages were notified.

We also observed the attacker attempting to log back in every 20 minutes, a regular cadence that marked this as a scripted campaign rather than a hands-on intruder.
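That 20-minute beat is easy to pick out of the Entra ID sign-in log once you measure the gaps between attempts per source IP. The script below is an added example, not Alliance Cyber's own tooling: Find-SignInCadence is a hypothetical helper name, the jitter threshold of 0.25 is an assumption, and the IP addresses and timestamps are constructed sample data. The containment commands from the list above are shown as a commented live path because they need connected Microsoft Graph and Exchange Online sessions.

```powershell
# Added example (not Alliance Cyber's code). Groups sign-in attempts by source IP and
# measures the gap between consecutive attempts: a timer-driven retry loop produces
# near-identical gaps (jitter close to 0), a human does not. The 0.25 threshold is an
# assumption; tune it against your own logs.
function Find-SignInCadence {
    param(
        # Objects with UserPrincipalName, IPAddress, CreatedDateTime and Succeeded properties
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $MinAttempts = 4
    )
    foreach ($group in ($SignIns | Group-Object IPAddress)) {
        $times = @($group.Group | ForEach-Object { [datetime]$_.CreatedDateTime } | Sort-Object)
        if ($times.Count -lt $MinAttempts) { continue }
        # Minutes between consecutive attempts from this IP
        $gaps   = @(1..($times.Count - 1) | ForEach-Object { ($times[$_] - $times[$_ - 1]).TotalMinutes })
        $sorted = @($gaps | Sort-Object)
        $median = $sorted[[int][math]::Floor($sorted.Count / 2)]
        # Spread of the gaps relative to the median: ~0 for a scripted loop, large for a person
        $jitter = ($sorted[-1] - $sorted[0]) / [math]::Max($median, 0.01)
        [pscustomobject]@{
            IPAddress        = $group.Name
            Attempts         = $times.Count
            Failed           = @($group.Group | Where-Object { -not $_.Succeeded }).Count
            MedianGapMinutes = [math]::Round($median, 1)
            Jitter           = [math]::Round($jitter, 2)
            LooksScripted    = ($jitter -lt 0.25)
        }
    }
}

# Constructed sample sign-ins (not real log data): a retry loop from 203.0.113.10 every
# 20 minutes, and a colleague's own irregular logins from 198.51.100.7.
$sample = @(
    foreach ($t in '2025-06-03T09:00:00Z','2025-06-03T09:20:00Z','2025-06-03T09:40:00Z','2025-06-03T10:00:00Z','2025-06-03T10:20:00Z') {
        [pscustomobject]@{ UserPrincipalName = 'victim@example.com'; IPAddress = '203.0.113.10'; CreatedDateTime = $t; Succeeded = $false }
    }
    foreach ($t in '2025-06-03T08:05:00Z','2025-06-03T08:07:00Z','2025-06-03T11:30:00Z','2025-06-03T16:45:00Z') {
        [pscustomobject]@{ UserPrincipalName = 'victim@example.com'; IPAddress = '198.51.100.7'; CreatedDateTime = $t; Succeeded = $true }
    }
)
Find-SignInCadence -SignIns $sample | Format-Table -AutoSize

# Live path (assumes Connect-MgGraph with rights to manage users and read sign-in logs, and
# Connect-ExchangeOnline, have already been run; $upn is the compromised account):
# $upn = 'victim@example.com'
# Update-MgUser -UserId $upn -AccountEnabled:$false   # cut the account off first
# Revoke-MgUserSignInSession -UserId $upn             # invalidate refresh tokens so stolen sessions die
# Get-InboxRule -Mailbox $upn -IncludeHidden | Format-List Name, Enabled, MoveToFolder, ForwardTo, RedirectTo, DeleteMessage
# $rows = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -All | ForEach-Object {
#     [pscustomobject]@{ UserPrincipalName = $_.UserPrincipalName; IPAddress = $_.IPAddress
#                        CreatedDateTime = $_.CreatedDateTime; Succeeded = ($_.Status.ErrorCode -eq 0) }
# }
# Find-SignInCadence -SignIns $rows
```

Disabling the account alone does not end an already-issued session, which is why the live path revokes sign-in sessions before the password reset; a stolen refresh token otherwise keeps working until it expires.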

Lessons We’re Taking Forward

Every cyber incident—whether it results in harm or not—carries valuable lessons. Here are ours:

1. Phishing Isn’t Just Misspelled Words Anymore

These attackers were smart. Their emails passed technical checks, used familiar names, and presented legitimate-looking documents. Today’s phishing isn’t amateur—it’s engineered for success.

2. Tiny Signature Changes Can Have Big Impact

A single-digit change in a phone number almost flew under the radar. Training your team to spot the subtle is just as critical as spotting the obvious.

3. Email Rules Can Be a Weapon

Automated inbox rules allowed the attacker to hide replies and buy time. Regular audits of mailbox settings are essential.
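The rules described in "The Attack Unfolds" and in this lesson have a recognizable shape: a blank or punctuation-only name, a keyword filter on the subject, and an action that buries or destroys the match. Here is an added example (not Alliance Cyber's script) that flags those shapes; Test-SuspiciousInboxRule is a hypothetical helper name, the folder and keyword lists are assumptions you should extend, and the sample rules at the bottom are constructed so it runs offline. The live path needs the ExchangeOnlineManagement module.

```powershell
# Added example (not Alliance Cyber's code). Flags the inbox-rule patterns attackers create
# after a mailbox takeover: forwarding, deleting, marking as read, or hiding mail in a folder
# nobody opens, usually under a blank or punctuation-only name. Folder and keyword lists below
# are assumptions; extend them for your environment.
function Test-SuspiciousInboxRule {
    param([Parameter(Mandatory, ValueFromPipeline)] $Rule)   # output of Get-InboxRule, or a look-alike object
    process {
        $reasons = @()
        if ($Rule.ForwardTo -or $Rule.RedirectTo -or $Rule.ForwardAsAttachmentTo) { $reasons += 'forwards or redirects mail' }
        if ($Rule.DeleteMessage)       { $reasons += 'deletes messages' }
        if ($Rule.MarkAsRead)          { $reasons += 'marks messages as read' }
        if ($Rule.StopProcessingRules) { $reasons += 'stops later rules from running' }
        # Folders users rarely open are a favourite hiding place for replies to the attacker's mail
        if ($Rule.MoveToFolder -and $Rule.MoveToFolder -match 'RSS|Archive|Conversation History|Junk|Deleted|Notes') {
            $reasons += "moves mail to '$($Rule.MoveToFolder)'"
        }
        if ([string]::IsNullOrWhiteSpace($Rule.Name) -or $Rule.Name -match '^[\s.,_-]+$') { $reasons += 'blank or punctuation-only name' }
        $words = @($Rule.SubjectOrBodyContainsWords) + @($Rule.SubjectContainsWords)
        if ($words -match 'invoice|payment|wire|password|mfa|phish|hacked|suspicious|fraud') { $reasons += 'filters on payment or security keywords' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $Rule.MailboxOwnerId
                Rule    = $Rule.Name
                Enabled = $Rule.Enabled
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample rules (not from a real tenant): one attacker-style rule, one benign one.
$sample = @(
    [pscustomobject]@{ MailboxOwnerId = 'victim@example.com'; Name = '.'; Enabled = $true
                       SubjectOrBodyContainsWords = @('RFI', 'invoice', 'did you send'); MoveToFolder = 'RSS Feeds'; MarkAsRead = $true }
    [pscustomobject]@{ MailboxOwnerId = 'victim@example.com'; Name = 'Vendor newsletters'; Enabled = $true
                       FromAddressContainsWords = @('news@vendor.example'); MoveToFolder = 'Newsletters' }
)
$sample | Test-SuspiciousInboxRule | Format-Table -AutoSize

# Live audit across the tenant (assumes Connect-ExchangeOnline has been run):
# Get-Mailbox -ResultSize Unlimited |
#     ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName -IncludeHidden } |
#     Test-SuspiciousInboxRule
# Mailbox-level forwarding is configured outside inbox rules, so check it separately:
# Get-Mailbox -ResultSize Unlimited | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
#     Select-Object UserPrincipalName, ForwardingSmtpAddress, DeliverToMailboxAndForward
# Rule creation is also recorded in the unified audit log, which survives even if the attacker deletes the rule:
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -Operations New-InboxRule, Set-InboxRule
```

Run the audit on a schedule and alert on new hits rather than reviewing the full list by hand; the first rule in the sample would have surfaced on the day it was created.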

4. OWA Can Mask Malicious Activity

Because the attacker worked through Outlook Web Access, there were no telltale signs in the Outlook desktop app: the inbox rules and the signature change live in the mailbox on the server and take effect before any client sees the mail. The evidence sits in the Microsoft 365 unified audit log (operations such as New-InboxRule and Set-InboxRule, alongside the sign-in records), not on the endpoint. Relying on endpoint visibility alone isn't enough.

5. People Are Still the Best Defense

Despite all our tools, it was a vigilant employee who broke the attack chain. That kind of awareness is priceless—and it needs to be nurtured across every organization.

6. MFA Is Important—but Not Infallible

Adversary-in-the-middle login pages, session hijacking, and token theft can undermine MFA that relies on one-time codes or push approvals. Consider moving toward phishing-resistant methods such as FIDO2 security keys or certificate-based authentication, which are bound to the legitimate site and cannot be replayed from a look-alike page.

What You Can Do to Stay Safer

If you’re a small business, federal contractor, or nonprofit—we’ve been in your shoes. Here’s what we recommend:

Basic Best Practices

  • Don’t trust—verify: Independently confirm unexpected requests, even if they seem to come from known contacts.
  • Train your team regularly: Teach employees to spot phishing red flags like urgency, signature inconsistencies, and odd timing.
  • Audit inbox rules and forwarding settings frequently.
  • Have a clear incident response plan and test it regularly.

CISA-Endorsed Technical Controls to Implement Now

In alignment with CISA’s March 2025 guidance, we recommend deploying these layered defenses:

  • Enforce DMARC with a “reject” policy, along with SPF and DKIM, so that mail spoofing your domain is rejected before delivery. Note the limit: these checks authenticate the sending domain, so mail sent from a genuinely compromised mailbox, as in our case, still passes them.
  • Upgrade to phishing-resistant MFA, such as FIDO2 security keys or certificate-based login systems.
  • Enable protective DNS filtering to block access to known malicious domains.
  • Implement Remote Browser Isolation (RBI) to sandbox link clicks without exposing internal systems.
  • Use application allowlisting, and block high-risk file types and macros by default.
  • Remove local admin rights from everyday users and use separate accounts for administrative access.
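To check whether the email-authentication item in the list above is actually enforced, and not just published, the following added example (not from the original post or from CISA) parses a domain's SPF and DMARC records and reports anything weaker than a reject policy. Test-MailAuthPosture is a hypothetical helper name; the example.com records are constructed so it runs offline, and the live path pulls real records with Resolve-DnsName.

```powershell
# Added example (not Alliance Cyber's code). Evaluates SPF and DMARC TXT records against the
# "reject" bar: SPF must end in -all with at most 10 lookup terms, DMARC must be p=reject at
# pct=100 with reporting enabled, and DKIM selectors must be published.
function Test-MailAuthPosture {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string[]] $SpfRecords,            # TXT records at the domain apex
        [string[]] $DmarcRecords,          # TXT records at _dmarc.<domain>
        [string[]] $DkimSelectors = @()    # selectors that resolved, e.g. selector1/selector2 for Microsoft 365
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    $spf = @($SpfRecords | Where-Object { $_ -match '^v=spf1\b' })
    if ($spf.Count -eq 0)     { $findings.Add('SPF: no v=spf1 record') }
    elseif ($spf.Count -gt 1) { $findings.Add('SPF: multiple v=spf1 records (permerror, SPF will not evaluate)') }
    else {
        $terms = $spf[0] -split '\s+'
        switch -Regex ($terms[-1]) {
            '^-all$'  { }
            '^~all$'  { $findings.Add('SPF: ~all (softfail) lets spoofed mail through unless DMARC enforces') }
            '^\?all$' { $findings.Add('SPF: ?all (neutral) is equivalent to no policy') }
            '^\+all$' { $findings.Add('SPF: +all authorizes every sender on the internet') }
            default   { $findings.Add('SPF: record does not end with an all mechanism') }
        }
        # Mechanisms that cost a DNS lookup; more than 10 is a permerror and SPF silently fails
        $lookups = @($terms | Where-Object { $_ -match '^(\+|-|~|\?)?(include:|a\b|mx\b|ptr|exists:|redirect=)' }).Count
        if ($lookups -gt 10) { $findings.Add("SPF: $lookups lookup terms exceed the limit of 10 (permerror)") }
    }

    $dmarc = @($DmarcRecords | Where-Object { $_ -match '^v=DMARC1\b' })
    if ($dmarc.Count -ne 1) { $findings.Add("DMARC: expected exactly one v=DMARC1 record at _dmarc.$Domain, found $($dmarc.Count)") }
    else {
        $tags = @{}
        foreach ($pair in ($dmarc[0] -split ';')) {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
        }
        if ($tags['p'] -ne 'reject') { $findings.Add("DMARC: p=$($tags['p']) (need p=reject to block spoofed mail)") }
        if ($tags['sp'] -and $tags['sp'] -ne 'reject') { $findings.Add("DMARC: subdomain policy sp=$($tags['sp']) is weaker than reject") }
        if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $findings.Add("DMARC: pct=$($tags['pct']) applies the policy to only part of the mail stream") }
        if (-not $tags['rua']) { $findings.Add('DMARC: no rua= address, so you receive no aggregate reports') }
    }

    if ($DkimSelectors.Count -eq 0) { $findings.Add('DKIM: no selector published (Microsoft 365 uses selector1 and selector2)') }

    [pscustomobject]@{
        Domain   = $Domain
        Enforced = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Constructed records for example.com (a reserved documentation domain): the weak set is a
# typical "monitoring only" tenant, the strong set is what the list above asks for.
$weak = Test-MailAuthPosture -Domain 'example.com' `
    -SpfRecords   @('v=spf1 include:spf.protection.outlook.com ~all') `
    -DmarcRecords @('v=DMARC1; p=none; rua=mailto:dmarc@example.com')
$strong = Test-MailAuthPosture -Domain 'example.com' `
    -SpfRecords    @('v=spf1 include:spf.protection.outlook.com -all') `
    -DmarcRecords  @('v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com') `
    -DkimSelectors @('selector1', 'selector2')
$weak, $strong | Format-List

# Live path (needs DNS access; Resolve-DnsName ships with the DnsClient module on Windows):
# $d = 'yourdomain.example'
# $spf   = @(Resolve-DnsName -Name $d -Type TXT -ErrorAction SilentlyContinue | ForEach-Object { $_.Strings -join '' })
# $dmarc = @(Resolve-DnsName -Name "_dmarc.$d" -Type TXT -ErrorAction SilentlyContinue | ForEach-Object { $_.Strings -join '' })
# $dkim  = @('selector1', 'selector2' | Where-Object { Resolve-DnsName -Name "$_._domainkey.$d" -Type CNAME -ErrorAction SilentlyContinue })
# Test-MailAuthPosture -Domain $d -SpfRecords $spf -DmarcRecords $dmarc -DkimSelectors $dkim
```

Move from p=none to p=quarantine to p=reject only after the aggregate reports show every legitimate sender is passing; going straight to reject with an incomplete SPF record drops your own mail.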

Closing Thoughts

This event reminded us that cybersecurity is never “finished.” It’s a continuous process of learning, adapting, and staying one step ahead. We’re proud of how our team responded—but even prouder that we can turn this challenge into a shared learning opportunity.

If you’re wondering how ready your organization is—or if you’d like to test your defenses—we’re here to help. Because in the world of cybersecurity, the only mistake bigger than falling for a phish is staying quiet about it.

Need a security checkup or phishing training?
Contact Alliance Cyber for a risk assessment or to schedule a teachable moment of your own.
