The situation
The head of marketing at a professional services organisation fell victim to a sophisticated, targeted spear phishing attack. The attacker gained unauthorised access to the executive’s Microsoft 365 account, which contained thousands of business contacts accumulated over years. Those contacts were then targeted in a coordinated phishing campaign sent from the compromised account.
Details in this case study have been altered to protect client confidentiality. The core facts, forensic methodology, and outcomes are accurate.
What we found
Forensic examination of the O365 environment revealed the full scope of the compromise. The attacker had accessed the marketing executive’s account and harvested the contact list to launch a secondary phishing campaign at scale. NDF mapped the breach progression from initial compromise through to the outbound phishing messages, identifying exactly which data had been accessed and which contacts had been targeted.
How we responded
NDF worked alongside the organisation’s managed service provider to contain and remediate the incident:
- Deployed advanced forensic tools to examine the O365 audit logs and mailbox activity
- Mapped the complete breach timeline from initial access through to the phishing campaign launch
- Identified stolen data and confirmed the scope of contact information exposed
- Contained the spread by securing the compromised account and blocking further unauthorised access
- Coordinated with Google and Microsoft to blacklist the phishing URLs used in the campaign, preventing further victims across the internet
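The audit-log review and timeline work described in the list above can be illustrated with a small script. The following is an added example, not NDF's tooling or anything from the engagement: it takes records in the shape of a Microsoft 365 Unified Audit Log export (the field and operation names such as UserLoggedIn, MailItemsAccessed, New-InboxRule and Send follow that format, but every value below is constructed), establishes a baseline of the executive's usual sign-in addresses, and then flags the events that typically mark an account takeover followed by an outbound phishing run: a sign-in from an address outside the baseline, an inbox rule change, and a burst of sent messages. The burst threshold and window are assumptions a responder would tune to the mailbox.

```python
"""Reconstruct a mailbox-compromise timeline from audit-log style records.

Added example (not the page's or NDF's own code). The records below are
constructed; field names approximate a Unified Audit Log export.
"""
from collections import Counter
from datetime import datetime, timedelta

USER = "h.marketing@example.com"          # constructed victim account
BASELINE_IP = "203.0.113.10"              # constructed, executive's usual office egress
ATTACKER_IP = "198.51.100.77"             # constructed, never seen before the takeover

# Constructed sample records: normal activity, then a takeover and a send burst.
SAMPLE_RECORDS = [
    {"CreationDate": "2024-03-01T08:02:11", "UserId": USER, "Operation": "UserLoggedIn", "ClientIP": BASELINE_IP},
    {"CreationDate": "2024-03-01T08:30:00", "UserId": USER, "Operation": "Send", "ClientIP": BASELINE_IP},
    {"CreationDate": "2024-03-04T21:14:03", "UserId": USER, "Operation": "UserLoggedIn", "ClientIP": ATTACKER_IP},
    {"CreationDate": "2024-03-04T21:16:40", "UserId": USER, "Operation": "MailItemsAccessed", "ClientIP": ATTACKER_IP},
    {"CreationDate": "2024-03-04T21:20:05", "UserId": USER, "Operation": "New-InboxRule", "ClientIP": ATTACKER_IP},
] + [
    # Twelve outbound messages within a few minutes: the secondary phishing run.
    {"CreationDate": f"2024-03-05T07:{i:02d}:00", "UserId": USER, "Operation": "Send", "ClientIP": ATTACKER_IP}
    for i in range(12)
]


def parse(records):
    """Attach a datetime to each record and return them in chronological order."""
    out = []
    for r in records:
        r = dict(r)
        r["ts"] = datetime.fromisoformat(r["CreationDate"])
        out.append(r)
    return sorted(out, key=lambda r: r["ts"])


def baseline_ips(records, user, cutoff):
    """Sign-in addresses the user had used before `cutoff`: the known-good baseline."""
    return {r["ClientIP"] for r in records
            if r["UserId"] == user and r["Operation"] == "UserLoggedIn" and r["ts"] < cutoff}


def flag_events(records, user, known_ips, burst=10, window=timedelta(minutes=15)):
    """Return (timestamp, operation, reason) for events worth a responder's attention.

    `burst` sends inside `window` is an assumed threshold; tune it per mailbox.
    """
    flags = []
    recent_sends = []          # timestamps of Send operations inside the sliding window
    burst_reported = False
    for r in records:
        if r["UserId"] != user:
            continue
        op, ip, ts = r["Operation"], r["ClientIP"], r["ts"]
        if op == "UserLoggedIn" and ip not in known_ips:
            flags.append((ts, op, f"sign-in from address outside baseline: {ip}"))
        elif op in ("New-InboxRule", "Set-InboxRule"):
            flags.append((ts, op, f"inbox rule changed from {ip}"))
        elif op == "Send":
            recent_sends = [t for t in recent_sends if ts - t <= window] + [ts]
            if len(recent_sends) >= burst and not burst_reported:
                flags.append((ts, op, f"{len(recent_sends)} messages sent within {window}"))
                burst_reported = True
    return flags


def attacker_activity(records, user, attacker_ips):
    """Count what was done from the attacker's addresses: scope of access and sends."""
    return Counter(r["Operation"] for r in records
                   if r["UserId"] == user and r["ClientIP"] in attacker_ips)


def timeline(flags):
    """Render flagged events as one line each, oldest first."""
    return [f"{ts.isoformat()}  {op:<18} {reason}" for ts, op, reason in flags]


if __name__ == "__main__":
    recs = parse(SAMPLE_RECORDS)
    known = baseline_ips(recs, USER, datetime(2024, 3, 2))
    flagged = flag_events(recs, USER, known)
    print("\n".join(timeline(flagged)))
    print(attacker_activity(recs, USER, {ATTACKER_IP}))
```

Run against a real export, the interesting part is the ordering: the first flagged sign-in gives the containment team the earliest time of compromise, the inbox-rule change shows whether the attacker was hiding replies, and the Send burst marks when outbound victims started receiving mail, which is the list of contacts who need notification.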
The outcome
NDF confirmed that the intrusion remained isolated to the single compromised account. No lateral movement to other accounts or systems was identified. The phishing infrastructure was dismantled through coordination with major platform providers, and the organisation was able to notify affected contacts with a clear understanding of what had occurred.
Lessons for similar organisations
- Marketing accounts are high-value targets. Accounts with large contact lists give attackers a trusted sender identity and a ready-made distribution list. These accounts warrant additional protections such as phishing-resistant MFA.
- Speed of response limits blast radius. The faster a compromised account is identified and secured, the fewer secondary victims the attacker can reach.
- Platform coordination is essential. Working with Google and Microsoft to blacklist phishing URLs prevents the attack from spreading beyond the initial target organisation.
