A tenant compromise, contained
Led incident response for a full tenant compromise inside a Microsoft 365 and Azure environment | Scoped the intrusion, evicted the threat actor, rebuilt identity hardening from the ground up, conducted after-action reviews with the client, and provided full documentation from discovery through resolution.
Challenge
A finance team noticed payment instructions that no one had sent. By the time the alarm was raised, an attacker had been living in the tenant for days — reading mail, setting inbox rules, and staging a wire-fraud attempt. The organization had no incident playbook and no clear picture of the blast radius.
Approach
I scoped the intrusion first and acted second: pulled sign-in and audit logs where available, reconstructed the access timeline, and identified every affected identity and mailbox rule before touching anything. Then containment: revoked sessions, forced credential resets, removed malicious rules and accounts, and stood up conditional access to close the entry vector. Finally, hardening: phishing-resistant MFA, least-privilege review, and alerting tuned to the exact techniques used.
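The "identify every affected mailbox rule before touching anything" step, written out as an added example (not the engagement's own tooling): it triages Exchange Online rule-change audit records for the tradecraft described above, such as forwarding outside the tenant, hiding finance-related mail in rarely viewed folders, and blank rule names. The record layout and the tenant domain example.org are assumptions; the sample records are constructed.

```python
# Constructed sample records modelled on Exchange Online audit entries
# (Operation, UserId, ClientIP, Parameters as Name/Value pairs); the field
# layout is an assumption for this example, not a real export.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-03-02T06:41:12", "Operation": "New-InboxRule",
     "UserId": "cfo@example.org", "ClientIP": "203.0.113.9",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2024-03-02T06:42:30", "Operation": "Set-InboxRule",
     "UserId": "cfo@example.org", "ClientIP": "203.0.113.9",
     "Parameters": [{"Name": "Identity", "Value": "."},
                    {"Name": "ForwardAsAttachmentTo", "Value": "collector@attacker.example"}]},
    {"CreationTime": "2024-03-02T09:10:00", "Operation": "New-InboxRule",
     "UserId": "ap@example.org", "ClientIP": "198.51.100.4",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead"}
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "archive"}
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "remittance"}
INTERNAL_DOMAINS = {"example.org"}  # constructed tenant domain

def score_rule(record):
    """Return the reasons a rule change looks like BEC tradecraft (empty = benign)."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p = {q["Name"]: q["Value"] for q in record.get("Parameters", [])}
    reasons = []
    for name in FORWARD_PARAMS.intersection(p):
        if p[name].rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            reasons.append(f"forwards mail outside the tenant via {name}")
    if any(p.get(h, "").lower() == "true" for h in HIDE_PARAMS):
        reasons.append("hides matched mail (delete / mark as read)")
    if p.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{p['MoveToFolder']}'")
    if set(p.get("SubjectContainsWords", "").lower().split(";")) & FINANCE_WORDS:
        reasons.append("filters on finance keywords")
    if not p.get("Name", p.get("Identity", "x")).strip(" ."):
        reasons.append("rule name is blank or punctuation only")
    return reasons

def triage(records):
    # Map (user, time, client IP) -> reasons, for every suspicious rule change.
    return {(r["UserId"], r["CreationTime"], r["ClientIP"]): reasons
            for r in records if (reasons := score_rule(r))}
```

Each hit carries the source IP and timestamp, which is what the access timeline and the session-revocation list are built from before containment starts.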
Outcome
The threat actor was evicted and the wire-fraud attempt was stopped before any funds were moved. The organization left with a working identity baseline, an incident record they could hand to their insurer, and a response playbook for the next attack.
All engagement details expressed here are anonymized. The methodology and judgment are the point, never the client.
— Engagement anonymized. Trust and confidentiality come first, always.