The Attacker Was Inside.
We Had Them Out in Five Minutes.
This client had been compromised before and never knew. After Vision Quest built the foundation they were missing, the next attack lasted five minutes and left almost nothing behind.
They Had One IT Person and No Idea What Was Already Inside Their Network.
This Greater Sacramento construction distributor was running a $60 million operation on a single IT generalist. He kept the day-to-day running, but cybersecurity had always been outside his scope. No monitoring. No audit logging. No identity controls. Files scattered across local machines and personal cloud accounts with no oversight.
When a new CFO came on board and pushed for a real security review, they brought in Vision Quest. Our risk assessment confirmed what the CFO suspected. But it also surfaced something the organization had not known: they had already been breached. Email accounts had been compromised in the past. The only evidence anyone had found was forwarding rules discovered after the fact, and emails that had quietly stopped arriving. There was no log of what the attacker accessed. No forensic trail. No way to know how long they had been inside or what they had taken. The breach had happened and closed without anyone understanding what it meant.
“They only knew a threat actor had been in because a forwarding rule showed up and emails stopped arriving. By that point the attacker was already gone. Without logging, you have no idea how long they were in or what they saw.”
Vision Quest, initial assessment
We Built the Visibility They Never Had. Then We Waited for the Next Move.
Every engagement starts with a risk assessment. We mapped the environment, documented the gaps, and got to work on what mattered most. Audit logging was turned on across their Microsoft 365 environment from day one. EDR went on every endpoint. We implemented conditional access policies and identity hardening to control how users authenticated and from where. We also recommended locking M365 access to Intune-managed, company-joined devices only. They were still working through that final step when the next attack came.
The difference between what we built and what existed before was not complexity. It was that for the first time, if something happened, they would know about it immediately and be able to account for every second of it afterward.
A Member of the Ownership Group Clicked a Phishing Link. Our SOC Was Already Watching.
A member of the ownership group received a phishing email, clicked the link, and entered their credentials. The attacker captured the MFA token in real time and stepped into the live Microsoft 365 environment. From their side, the login looked clean. From ours, something was already wrong.
SOC flags the session
The credentials pass. The behavior does not. Our 24/7 SOC pulls the authentication event for immediate review.
MFA capture confirmed
It is a phishing-based MFA token capture. The attacker is live inside Microsoft 365.
Full lockout
Credentials revoked. Session terminated. Every access pathway closed. The attacker is out of the environment.
Complete forensic record delivered
Because logging was live from day one, we produce a precise account of the full five-minute window. Every file accessed. Every search run. Every action taken. One PII record belonging to one individual was viewed. Nothing else left the environment.
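The timeline above turns on three things: a sign-in that passed MFA but did not fit the user's normal pattern, a device-compliance policy that would have blocked it outright, and an audit trail dense enough to list every action in the five-minute window. The script below is an added illustration of those three checks, not Vision Quest's SOC tooling or any Microsoft API. The sign-in and audit events are constructed sample data, and the field names (`device_compliant`, `mfa`, `op`, `target`) are simplified assumptions loosely modelled on Entra sign-in and Microsoft 365 unified audit log records.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real data). Field names are simplified
# assumptions, loosely modelled on Entra sign-in and M365 audit log records.
SIGN_INS = [
    {"time": "2024-05-06T08:02:10Z", "user": "owner@example.com", "ip": "203.0.113.10",
     "country": "US", "device_compliant": True, "mfa": "satisfied"},
    # The phished session: MFA was satisfied (captured token), but from an
    # unfamiliar IP and country on an unmanaged device.
    {"time": "2024-05-06T09:41:03Z", "user": "owner@example.com", "ip": "198.51.100.77",
     "country": "NL", "device_compliant": False, "mfa": "satisfied"},
    {"time": "2024-05-06T09:50:00Z", "user": "cfo@example.com", "ip": "203.0.113.10",
     "country": "US", "device_compliant": True, "mfa": "satisfied"},
]
AUDIT = [
    {"time": "2024-05-06T09:41:30Z", "user": "owner@example.com", "ip": "198.51.100.77",
     "op": "SearchQueryPerformed", "target": "query=ssn"},
    {"time": "2024-05-06T09:43:12Z", "user": "owner@example.com", "ip": "198.51.100.77",
     "op": "FileAccessed", "target": "HR/employee-record-0412.pdf"},
    {"time": "2024-05-06T09:52:00Z", "user": "cfo@example.com", "ip": "203.0.113.10",
     "op": "FileAccessed", "target": "Finance/q1-forecast.xlsx"},
]

# Hypothetical policy equivalent to "lock M365 access to Intune-managed devices".
REQUIRE_COMPLIANT_DEVICE = {"name": "Block M365 from unmanaged devices",
                            "require": ["mfa", "compliant_device"]}


def ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def baseline(signins, user, before):
    """Known-good profile: (ip, country) pairs this user signed in from before `before`."""
    return {(e["ip"], e["country"]) for e in signins
            if e["user"] == user and ts(e["time"]) < before}


def flag_signins(signins):
    """Flag sign-ins that passed MFA but look like a replayed session token:
    an unfamiliar IP/country for this user, or a device that is not managed."""
    flagged = []
    for e in signins:
        known = baseline(signins, e["user"], ts(e["time"]))
        reasons = []
        if known and (e["ip"], e["country"]) not in known:
            reasons.append("new ip/country")
        if not e["device_compliant"]:
            reasons.append("unmanaged device")
        if e["mfa"] == "satisfied" and reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


def evaluate_policy(signin, policy):
    """Toy conditional-access decision: grant only if every required control is met."""
    checks = {"mfa": signin["mfa"] == "satisfied",
              "compliant_device": signin["device_compliant"]}
    return "grant" if all(checks[c] for c in policy["require"]) else "block"


def reconstruct_window(audit, user, ip, start, minutes):
    """Forensic record: every audited action by this user from this IP inside the
    window, i.e. the 'what did they actually see' answer an insurer asks for."""
    end = start + timedelta(minutes=minutes)
    return [(e["time"], e["op"], e["target"]) for e in audit
            if e["user"] == user and e["ip"] == ip and start <= ts(e["time"]) <= end]


if __name__ == "__main__":
    for f in flag_signins(SIGN_INS):
        print("FLAG", f["time"], f["user"], f["ip"], f["reasons"])
        print("  with device compliance required:",
              evaluate_policy(f, REQUIRE_COMPLIANT_DEVICE))
        for row in reconstruct_window(AUDIT, f["user"], f["ip"], ts(f["time"]), 5):
            print("  ", *row)
```

Run as written, the only flagged sign-in is the 09:41 session, the compliant-device policy returns `block` for it while the owner's earlier sign-in is granted, and the five-minute reconstruction lists exactly one search and one file view, which is the shape of record the page describes handing to the insurer. The detection works only because the audit events carry the originating IP and timestamp, which is the practical reason logging had to be switched on before the incident rather than after it.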
Five Minutes of Access. One Record Viewed. An Insurer Who Did Not Need to Bring Anyone Else In.
The attacker had live access to a Microsoft 365 environment at a company doing $60 million a year. Five minutes later the session was dead and the damage was a single viewed PII record. No financial data. No bulk download. No lateral movement.
When the cyber liability insurer stepped in, they brought a breach coach attorney and an incident response vendor onto a call. Vision Quest showed up with a complete forensic record already prepared. We walked through exactly what the attacker accessed, exactly when, and exactly how we stopped it. The insurer did not need the IR vendor to do independent work. The breach coach had everything they needed to move forward. The claim was processed faster and more cleanly than anyone expected.
That result was only possible because we built the logging infrastructure on day one and ran the engagement assuming every incident would eventually end up in front of an insurer. That assumption proved correct. And it made all the difference.
“Because we had logging in place, we were able to tell the insurance company exactly what the threat actor accessed, how long they had been in, and how fast we got them out. The insurer was impressed. They did not need to bring in a separate IR vendor. We had already done the work.”
Vision Quest, post-incident debrief
“Before Vision Quest, this same company had been breached and had no way to know what was taken. This time, we could account for every second. That is what having the right infrastructure actually means in practice.”
Vision Quest Information Solutions
If an Attacker Got Into Your Network Today, Would You Know in Five Minutes?
Most Greater Sacramento businesses would not. Vision Quest gives you the monitoring, response speed, and forensic documentation to change that.