Regional accounting firm — forensic analysis after intrusion
Anonymised case — a regional accounting firm hit by a Microsoft 365 compromise with attempted fraudulent wire transfer. Hexceos reconstructed the full timeline, identified the vector, notified the CNIL and restored the integrity of the IT estate.
"When we saw the fake email from our banker, we panicked. Hexceos dissected everything in 48 hours — we knew exactly what had happened, and we could prove to our clients that we had handled the crisis seriously."
Context
A regional accounting firm, 70 staff, two offices (regional HQ + secondary office), handling the accounting, payroll and wealth advisory of about 800 small business clients. The infrastructure runs on Microsoft 365 (mail, SharePoint, OneDrive), a SaaS business application, and backups outsourced to a third party.
The alert came in on a Tuesday morning: a partner received an email impersonating his banker (sender address on a lookalike domain using homoglyphs), requesting confirmation of a 47,000 € transfer to settle a commercial dispute. The email looked plausible and the internal references matched. But the partner, out of habit, called the bank back on its known number and got a puzzled response: no dispute, no transfer requested. The firm called the Hexceos crisis cell within the hour.
Scope delivered
Incident response mission over 7 days, followed by an 8-week remediation and hardening phase.
1. Immediate containment (day 1)
- Isolation of suspected compromised Microsoft 365 accounts (3 initially, 2 confirmed after analysis).
- Revocation of all active session and refresh tokens (Entra ID session revocation), backed by Conditional Access sign-in-risk policies to force re-authentication.
- Block of the lookalike domain in Exchange Online Protection, and takedown request sent to its registrar.
- Coordination with the bank to block any transfer instruction not verbally re-confirmed for 72 hours.
- Evidence preservation — forensic copies of mailboxes, Entra ID logs and Unified Audit Logs before any reset.
2. Full forensic analysis (days 1-3)
- Full timeline reconstruction from the Microsoft 365 Unified Audit Log (3 months of default retention at the time, extended to 1 year for the compromised accounts through an audit retention policy).
- Identification of the entry vector: AiTM (Adversary-in-the-Middle) phishing against an administrative assistant through a fake OneDrive sign-in portal, five weeks before the alert. The proxy relays the genuine Microsoft sign-in and captures the resulting session cookie, which is why conventional push or one-time-code MFA does not stop this class of attack.
- Mapping of post-compromise activity: creation of hidden inbox rules to divert banking correspondence, browsing of shared folders, enumeration of client contacts.
- Attacker profiling — TTPs consistent with a generalist cybercriminal actor (commodity BEC), no APT markers, C2 infrastructure using legitimate cloud services.
3. Reporting and notification (days 4-5)
- Full forensic report (52 pages) delivered to firm management and counsel.
- Summary for CNIL (notification made 24 h after detection, well within the 72 h regulatory window).
- Individual communication to the 14 clients whose correspondence had been read by the attacker (no mass exfiltration detected).
- Coordination with cyber insurance for claim filing.
4. Remediation and hardening (weeks 2 to 8)
- Migration of all accounts to phishing-resistant MFA (FIDO2 keys on privileged accounts, cloud authenticator on the rest).
- Strict Conditional Access (geolocation, device posture, user risk).
- Deployment of Hexceos Sentinel on endpoints and identity.
- Activation of the 24/7 SOC in active mode.
Results
- No fraudulent transfer executed — the intercepted instruction was blocked before bank transmission.
- Full timeline reconstructed in 8 hours of active forensic analysis, after the first 24 hours dedicated to containment.
- CNIL notification at 24 hours after initial detection (regulatory window 72 h, met with comfortable margin).
- 100% of client files verified as unaltered (no file modification or deletion events recorded in the SharePoint and OneDrive audit logs during the compromise window).
- 14 clients individually informed within 5 days, with a written attestation that no file exfiltration was detected.
What changed
The firm resumed operations within two days, with transparent communication to clients that paradoxically strengthened trust. Cyber insurance covered the full claim (Hexceos fees, legal counsel, client communication) without dispute, on the strength of a forensic report that could be relied on legally.
Three years after the incident, the firm has not lost a single client because of the episode, and has gained four clients who specifically chose them for their audited, documented post-incident posture.
Anonymised at the customer’s request. Figures presented reflect real measurements on a single customer in 2024.
Let's discuss your case.
A Hexceos engagement always starts with a no-commitment conversation.