Their Network Was Down. Their Provider Had Gone Dark.
We Were On Site in an Hour.
A Greater Sacramento HVAC distributor brought Vision Quest in after an emergency. What we found during the engagement was worse than the outage. What happened next showed exactly why visibility matters before an incident, not after.
A Friday Evening Change. A Saturday Morning Crisis. A Provider That Could Not Be Reached.
This Greater Sacramento HVAC distributor ran on a co-managed IT setup: a regional MSP and an on-site IT person handling day-to-day operations. On a Friday evening, the MSP made a routine network change: expanding the subnet. They updated DHCP but did not update the firewall to match, so the addresses DHCP began handing out no longer lined up with what the firewall expected. The network went down. By the time employees arrived at six the next morning, nothing worked and the MSP was unreachable.
The client had never worked with Vision Quest. They reached out around nine that morning after hours of failed attempts to contact their existing provider. We were on site by ten. The fix was straightforward: the subnet mismatch in the firewall was identified and corrected quickly, and the business was back up and running. But the hour on site opened a conversation that mattered far more than the outage.
“We came in to fix a network outage for a company we had never worked with. What we found during that conversation was a security environment that had no real visibility into what was happening inside it.”
Vision Quest, initial engagement
A Breach in Progress. No Logging. No Way to Know How Long It Had Been Going On.
After the outage call, Vision Quest began a cybersecurity risk assessment. While that process was underway, before the full security program was in place, the client’s email environment was already compromised. A mailbox had been accessed by an unauthorized party. Neither the client nor their existing MSP had detected it. The only reason it surfaced at all was that the attacker eventually did enough inside the mailbox to make their presence noticeable.
With no audit logging in place, there was no way to determine how long the attacker had been inside, what they had accessed, or what had been taken. The forensic trail did not exist. The implications of that were significant: for insurance, for compliance, and for the organization’s own understanding of its exposure. The client had data that could have been exfiltrated and no way to confirm or deny it.
“No logging means no answers. Not just in the moment but permanently. Once the attacker is gone with no audit trail, you cannot reconstruct what happened. That is the situation they were in.”
Vision Quest, risk assessment findings
Full Visibility, From Day One of the Engagement.
Vision Quest took over the security program. Audit logging was enabled across the Microsoft 365 environment immediately. EDR was deployed across endpoints. Conditional access policies and identity hardening were implemented to control authentication and restrict how users could connect to business systems. We recommended locking M365 access to Intune-managed, company-joined devices to close the token theft vector that had been exploited. They were working through that rollout when the next attack came.
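As an added illustration, not Vision Quest's own configuration, this is the device-based Conditional Access policy described above expressed with the Microsoft Graph PowerShell SDK; the module, the Graph scopes and the break-glass account id are assumptions. A session token replayed from an unmanaged device carries no device identity, so a policy like this is what makes a phished token useless.

```powershell
# Added example: require an Intune-compliant or hybrid-joined device for
# every Microsoft 365 sign-in. Assumes the Microsoft.Graph SDK is installed
# and the caller holds the scopes below. The break-glass id is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"   # placeholder

$policy = @{
    displayName = "Require managed device for Microsoft 365"
    # Start in report-only mode: sign-ins are evaluated and written to the
    # sign-in log but not blocked, so the rollout can be checked before
    # anyone is locked out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)   # never lock out recovery
        }
        applications = @{
            includeApplications = @("All")
        }
        # Browser and modern-auth clients carry device state; legacy
        # protocols do not and belong in a separate block policy.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        # OR: either an Intune-compliant or a hybrid-joined device satisfies it.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Once report-only results look clean, flip the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```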
Same Attack Vector. Completely Different Outcome.
A user received a phishing email, clicked the link, and entered their credentials. The attacker captured the MFA token and gained live access to the Microsoft 365 environment: SharePoint, OneDrive, and email. It was the same type of attack that had hit the organization once before. This time, Vision Quest’s SOC was watching.
SOC flags anomalous authentication
A login passes credential validation but triggers behavioral flags immediately. The SOC pulls it for review.
Token theft confirmed
A phishing-based MFA token capture is confirmed. The attacker is live inside Microsoft 365 with access to SharePoint, OneDrive, and email.
Full lockout executed
Credentials revoked. Active session terminated. All access pathways closed. The attacker is out of the environment.
Complete forensic audit delivered
Audit logging in place from day one of the engagement produces a complete record of everything the attacker accessed during the nine-minute window. No personally identifiable information was found in the accessed areas. No data was exfiltrated. The insurance carrier was advised and confirmed no claim was necessary.
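The lockout and audit steps in the timeline above, as an added PowerShell example that is not Vision Quest's runbook; the user, the time window, the modules and the scopes are assumptions. The audit pull only works because logging was already on: the unified audit log cannot be enabled retroactively, which is exactly the gap the first incident exposed.

```powershell
# Added example: contain a compromised Microsoft 365 account, then pull the
# audit records for the compromise window. Assumes Microsoft.Graph and
# ExchangeOnlineManagement are installed. UPN and times are constructed.
Connect-MgGraph -Scopes "User.ReadWrite.All"
Connect-ExchangeOnline

$upn   = "user@example.com"                   # placeholder account
$start = [datetime]"2024-01-01T08:00:00Z"     # constructed: first anomalous sign-in
$end   = [datetime]"2024-01-01T08:09:00Z"     # constructed: lockout completed

# 1. Block new sign-ins. Reset the password separately, after the user has
#    been verified over a second channel.
Update-MgUser -UserId $upn -AccountEnabled:$false

# 2. Invalidate every refresh token and session cookie the attacker holds.
#    Already-issued access tokens stay valid until they expire (up to about
#    an hour), so the account remains disabled while the review runs.
Revoke-MgUserSignInSession -UserId $upn | Out-Null

# 3. Pull the unified audit log for the window. A single call returns at most
#    5000 records; for busier windows page with -SessionId/-SessionCommand.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
               -UserIds $upn -ResultSize 5000

# 4. Summarise what the session touched by workload, operation and source IP.
#    MailItemsAccessed / FileAccessed answer "what did they read";
#    FileDownloaded and Send* operations answer "what left".
$records |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Group-Object -Property Workload, Operation, ClientIP |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# 5. Preserve the raw records for the insurer and for retention.
$records | Select-Object CreationDate, Operations, UserIds, AuditData |
    Export-Csv -Path ".\audit-$upn-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```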
Nine Minutes. No Data Lost. Insurance Confirmed No Claim Required.
The same type of attack that had previously compromised this organization without their knowledge was stopped in nine minutes with a complete forensic record. No personally identifiable information was accessed. No data left the environment. The attacker had live access to a $110 million operation and left with nothing.
When the cyber liability insurer was notified, Vision Quest provided a full account of the incident: what the attacker accessed, how long they were inside, and how they were removed. Because no data was exfiltrated and the forensic documentation was complete, the insurer confirmed that no claim needed to be filed. The matter was closed cleanly.
That outcome was the direct result of having logging, monitoring, and a 24/7 SOC in place before the attack came. The previous incident left no answers because the infrastructure did not exist to capture them. This one left a complete record because it did.
“The first time this happened, they had no way to know what was taken. The second time, we had a complete record in nine minutes and the insurer had everything they needed to close it without a claim. That is what the right infrastructure actually does.”
Vision Quest Information Solutions
When Something Goes Wrong, Will You Have Answers?
Visibility is not a feature you add after an incident. Vision Quest builds it from day one so that when it matters, you already have the record.
Talk to Our Team