Author: Mihir Bhanushali, Level 3 Security Analyst
It started off like any regular day in the SOC — coffee in hand, dashboards glowing, alerts trickling in. Then, bam! An escalation from a client: possible compromise. Classic Business Email Compromise (BEC), we thought. Easy.
As we dove in, more alerts started popping up - turns out, this wasn’t your everyday, run-of-the-mill BEC. This was something the SOC team hadn’t encountered before.
Our investigation uncovered a unique threat scenario that had us all double-checking our playbooks. The good news? The remediation was swift and satisfying, the Threat Actor was shown the door.
It started innocently enough: five users received an email from a very well-known third-party work management tool. Looks legit. Clean headers. Trusted platform. But - it came from a C-level exec.
At this point, everyone’s clicking before their coffee.
But here’s the kicker: it wasn’t really the C-level.
See, the Threat Actor got crafty. Leveraging the third-party platform’s flexibility, they created an account using the exec’s name, because of course they did. A little OSINT, a sprinkle of social engineering, and boom: a wolf in a productivity-sheep’s clothing.
And it worked. Out of five users, three clicked the link.
The link led to a PDF, because nothing says “trust me” like a document. But the moment they opened it, users were redirected to a slick credential harvesting page. The bait was set. The client initially rang the alarm for one compromised account.
Minutes into our investigation, we found not one, but two compromised users.
What were the suspicious activities?
At first, it felt like another routine day in the SOC - the Threat Actor had slipped in using familiar tricks, nothing the team couldn’t squash before lunch.
One of the compromised users? No big deal. Activity was minimal, and we managed to remediate quickly.
But then there was User 2. Ah yes, the overachiever in the incident timeline. Their logs weren’t just noisy, they were a full-blown concert. As we sifted through the Threat Actor’s activity trail, something stood out on SharePoint: a file with a suspiciously ominous name.
Password.xlsx
We had all the evidence we needed to escalate: the Threat Actor had accessed the file. We didn't open the file, the client did. And their reaction? Let’s just say it confirmed every SOC analyst’s worst suspicion.
Inside that file:
The client sprang into action, cycling passwords and locking things down before more damage could be done.
But just when we thought things were wrapping up, our alerts caught a new twist, the Threat Actor was preparing something different. A fresh technique, previously unseen in the environment.
Within 20 minutes, we had the user contained and the Threat Actor's plans foiled before they could hit "execute."
The Threat Actor got crafty, using Microsoft Designer to spin up a locked-down SharePoint container. Storage allocated? A casual 25 TB. Access? No one but them.
They tweaked lists, rewrote permissions, and even set up an inbox rule to silently trash any email mentioning phishing, spam, or scam.
Their plan?
Maybe host a fake doc. Maybe a polished credential harvester.
We’ll never know, because the SOC kicked them out before they could pull the trigger.
Sometimes, defense wins before the offense even gets to play.
We logged into the admin portal, assigned ourselves full owner permissions, and expected smooth access to the suspicious 25 TB container.
But despite having top-level privileges, we were still locked out. No visibility, no control.
If we couldn’t get in, and needed to guarantee the Threat Actor couldn’t either, there was only one move left.
We deleted the container.
When access control fails, deletion is the ultimate reset button.
Once the investigation wrapped up, we double-checked both affected users.
Remediation steps were fully in place, accounts secured, and no lingering activity detected.
With everything locked down and confirmed safe, we officially closed the case.
Another threat neutralized, another lesson added to the SOC playbook.
Just because an email says it's from the CIO doesn't mean it is. Especially when it's asking you to click a link or open a PDF.
The email came from a legit platform. The attacker wasn’t spoofing a sketchy domain—they weaponised trust. Lesson: even "friendly" platforms can host nasty surprises.
If you’re storing sensitive information in a file literally named password.xlsx, please stop. It’s like labeling your secret hideout “Evil Lair – Do Not Enter.”
Apparently, SharePoint Designer isn’t just for intranet beautification. The Threat Actor used it to create a 25 TB container and hide it better than a teenager hides browser history.
If someone sets a rule to auto-delete anything with “phishing” or “spam,” that’s not productivity—that’s premeditated sneakiness.
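The auto-delete inbox rule described in the incident and in this lesson is a detection in its own right. As an added example (not the SOC's own tooling), the Python below scans a list of mailbox rules in the shape of the Microsoft Graph messageRule resource and flags enabled rules that delete or tuck away mail mentioning security terms; the sample rules are constructed, and the folder names treated as "hiding" are an assumption.

```python
"""Flag inbox rules that silently discard security-related mail. Rule dicts
follow the Microsoft Graph messageRule shape; sample data is constructed."""
import re

# Terms a cleanup rule typically matches on; "phish" also covers "phishing".
SECURITY_TERMS = ("phish", "spam", "scam", "suspicious", "hacked",
                  "compromised", "password", "security")
# Keys of a Graph messageRulePredicates object that carry free text.
TEXT_CONDITIONS = ("subjectContains", "bodyContains",
                   "bodyOrSubjectContains", "headerContains")

def hides_mail(actions):
    """True if the rule's actions make matching mail vanish from the inbox."""
    if actions.get("delete") or actions.get("permanentDelete"):
        return True
    # Graph stores moveToFolder as a folder id; well-known names count as hiding.
    folder = str(actions.get("moveToFolder", "")).lower()
    return folder in {"deleteditems", "junkemail", "archive"}

def matched_terms(conditions):
    """Security terms referenced by the rule's text conditions, sorted."""
    words = []
    for key in TEXT_CONDITIONS:
        words.extend(str(w).lower() for w in conditions.get(key, []))
    return sorted(t for t in SECURITY_TERMS
                  if any(re.search(r"\b" + re.escape(t), w) for w in words))

def find_suspicious_rules(rules):
    """(rule name, matched terms) for enabled rules that hide security mail."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        terms = matched_terms(rule.get("conditions", {}))
        if terms and hides_mail(rule.get("actions", {})):
            findings.append((rule.get("displayName", "<unnamed>"), terms))
    return findings

# Constructed sample: one benign rule, one modelled on the rule in the incident.
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "newsletters-folder-id"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["phishing", "spam", "scam"]},
     "actions": {"delete": True, "markAsRead": True, "stopProcessingRules": True}},
]
if __name__ == "__main__":
    for name, terms in find_suspicious_rules(SAMPLE_RULES):
        print(f"suspicious rule {name!r} hides mail mentioning {', '.join(terms)}")
```

Run it against rules pulled per mailbox after any credential-phishing incident; a short or blank rule name combined with a delete action on these terms is the pattern seen here.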
Admin access didn’t cut it. So we deleted the container. Sometimes digital problems need a digital sledgehammer.
It’s not enough to boot the intruder—you’ve got to make sure they didn’t leave any backdoors, love notes, or invisible landmines behind.
This incident had everything—spoofing, social engineering, SharePoint drama, and an unexpected cameo from password.xlsx. But thanks to swift action, a suspicious mind, and a good dose of paranoia, we kicked the Threat Actor out before real damage could unfold.
SOC: 1 Threat Actor: 0