You’ve Not Got Mail

Take It From the Top

“Our first clue was a notification from Huntress,” says Bryan Heindel, director of IT at Stamm Tech in Milwaukee. “It was only our first week of rolling out its Managed Identity Threat Detection and Response solution when it flagged a client account for a battery backup seller.”

It wasn’t just anyone’s account, either.

“It belonged to the CEO of that company,” Heindel elaborates. “There had been some suspicious activity: namely, some inbox rules had been created, redirecting senders to the RSS feeds folder and specifically to two bank domains.”

The direction of travel was evident – and frightening. Heindel knew they had to act fast.

‍

‍

“One of our team members quickly reached out to let them know and discuss next steps,” he says. “They were advised to go through their logins, check their access points, and reset their passwords. Thankfully, Huntress was able to clean up the rules automatically. All in all, the downtime only amounted to about an hour at most, as we worked to reestablish multi-factor authentication (MFA) and clean up any additional MFA devices that weren’t recognized.”

The coast was clear, right? Not quite. As the pair continued talking, a curious picture was

starting to emerge.

“The more the CEO thought on it, the less isolated the incident seemed,” says Heindel. “They mentioned that physical mail had also coincidentally been going missing. It was then that they had a scary realization: they hadn’t received any mail from their bank for weeks.”

‍

On the Money

The client immediately got in touch with their bank. Sure enough, a storm was brewing.

“They discovered that there had been attempts to add an authorized user to their bank account,” Heindel says. “From there, wire transfers could have been made. Even obtaining a login to the banking site would have allowed the attacker to zero in on other aspects of the business, or access other tools and services. Had we not contacted the client, they wouldn’t have made the connection. Things likely would have got much, much worse.”

Did Huntress’ initial detection just foil a wider extortion plot? Heindel certainly believes so.

“We had no concept of how deep this went,” he says. “How could we? We were just talking about mailbox rules! But it wasn’t a simple case of an account being infiltrated and spam being sent, it was far more coordinated than that. It could have done serious damage. Who knew what else they could have gained access to?”

Even more alarming was the precision of the attack. Though Huntress had caught the attackers in the act before they were able to redirect via email, they had already managed that via physical mail.

“The criminals were concentrating on banks that the client used,” says Heindel. “It wasn’t just typical, generic bank addresses or email accounts. That information was known.

“Without Huntress, we wouldn’t have picked up on anything until the client was having far more issues,” he continues. “Its Security Operations Center (SOC) works around the clock, meaning even the smallest change or potential threat is detected. When we first spoke, they were experiencing some difficulties trying to sign in, thanks to Huntress’ early remediation efforts, but nothing else. They were surprised to hear from us at all. It was so subtle.”

Huntress’ Managed ITDR solution is specifically designed to identify behavioral signs, like creating suspicious inbox rules, helping detect malicious activity early. And with the full backing of the Huntress SOC, identities can be isolated as soon as suspicious activity is detected, so the attackers can’t do more damage. Plus, you can be notified of threats in a variety of ways – via ticketing system, email, automated call, or even a text message – to ensure you never miss anything critical.

“When someone calls and says they’re not getting any emails, then you know there’s a problem,” states Heindel. “But to be able to narrow it down to not receiving emails from two banking sites in particular? It could have been weeks before anyone was aware. Ours would have been a more reactive approach, as opposed to the proactive approach we were able to take.”

‍

‍

‍

“They were advised to go through their logins, check their access points, and reset their passwords. Thankfully, Huntress was able to clean up the rules automatically. All in all, the downtime only amounted to about an hour at most, as we worked to reestablish multifactor authentication (MFA) and clean up any additional MFA devices that weren’t recognized.”

‍

“Huntress flips the script on how we manage threats. You don’t need to be specialized in how the product works – any technician can take a look at what’s going on and it all makes sense. It really accelerates the resolution process: in this instance, the client was contacted in just five minutes, and back up and running in an hour."

‍

Target Acquired

What does Heindel take away from this close call?

“MFA isn’t bulletproof,” he offers. “It can be very beneficial, but it’s not the be-all and end-all in cybersecurity. It can be susceptible to attack. Just because MFA is enabled, it doesn’t mean that you can ease up on your protection. I’ve received tickets after the fact where Huntress had double checked something that had previously been resolved and reported that an additional iPhone was added on the same day for MFA detection.”

Huntress’ meticulous, 24/7 monitoring by dedicated experts, Managed Identity Threat Detection and Response, and a razor-sharp-focused remediation plan were key to fending off financial ruin for the client. This robust suite of capabilities strengthened Stamm’s overall security stack, integrated well with the company’s existing tools and, most crucially, didn’t call for labor-intensive attention from the team. There wasn’t time to analyze complex data.

“We were on SentinelOne for about four years before it became a challenge to sort through all the data,” explains Heindel, of the firm’s decision to adopt Huntress. “We were getting a lot of false positives, or worse, what seemed like false positives turning out to be very real positives requiring urgent attention."

“We began looking at alternatives. I’d been hearing about Huntress for a long time and when it came to deciding whether to add more features to SentinelOne or to switch products altogether, it just made more sense to switch, especially with the significant price difference.”

“Huntress flips the script on how we manage threats,” he summarizes. “You don’t need to be specialized in how the product works – any technician can take a look at what’s going on and it all makes sense. It really accelerates the resolution process: in this instance, the client was contacted in just five minutes, and back up and running in an hour.

“To have that kind of instant intel from a partner like Huntress, with very little doubt in its accuracy, is invaluable.”

‍