Quick advisory based on three incidents we've helped on in Q1. Names changed; details kept.
Incident 1 — accounting firm, 32 staff
What happened: Someone in accounts received an invoice "from a known supplier", opened the PDF and clicked the embedded "approve" link. The page behind the link dropped a credential-stealer on the laptop. 48 hours later the attacker signed in to the M365 tenant from an EU IP address, downloaded the SharePoint document library, and sent a fake invoice to every contact in the address book. By the time anyone noticed, ~£40k had been wired.
What would have stopped it:
- Conditional Access policy blocking sign-in from outside the UK (or wherever your staff really are). Five-minute config in Entra, but it needs an Entra ID P1 licence (included in Microsoft 365 Business Premium), must exclude a tested break-glass account, and should run in report-only mode for a week before you enforce it. Treat it as a cheap filter, not a wall: an attacker who bothers with a UK VPN or proxy walks straight through it.
- Impossible-travel alert (sign-in from London, then Berlin 20 minutes later). This is not a Defender for Identity feature (that product watches on-prem Active Directory); it is the "Atypical travel" detection in Entra ID Protection (Entra ID P2) and the "Impossible travel" anomaly policy in Defender for Cloud Apps. Either way, the alert only helps if it is routed somewhere a person actually reads.
- Tag external email in Outlook, either the native external-sender tag or a mail-flow banner rule. Free, takes two minutes, and makes "from a known supplier" look different in the inbox from mail that really came from inside.
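For anyone who would rather script the Incident 1 fixes than click through the portal, here is the country lock and the external-sender tag as an added example (editor-supplied, not a script from the incident and not a product of ours). It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, the account running it holds the Conditional Access Administrator and Exchange Administrator roles, and the tenant has Entra ID P1. The break-glass UPN and the country list are placeholders to change.

```powershell
# Added example, not the advisory's own script. Creates the "outside allowed countries" block
# policy in report-only mode and turns on Outlook's native external-sender tag.
# Placeholders: the break-glass UPN and the $AllowedCountries list.

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "User.Read.All"

$AllowedCountries = @("GB")                        # ISO 3166-1 alpha-2 codes; add the countries staff really work from
$BreakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.example'"   # placeholder UPN
if (-not $BreakGlass) { throw "Create and test the break-glass account before adding a block policy." }

# 1. A named location listing the countries sign-ins are allowed from.
#    includeUnknownCountriesAndRegions = $false: an IP with no country mapping is NOT treated as allowed.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed sign-in countries"
    countriesAndRegions               = $AllowedCountries
    includeUnknownCountriesAndRegions = $false
}

# 2. Block every sign-in that is not from that location, for all users and all apps,
#    with the break-glass account excluded so a mistake here cannot lock the tenant.
#    Created in report-only mode: review the sign-in log for a week, then flip the state to "enabled".
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "BLOCK - sign-in from outside allowed countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($BreakGlass.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
Write-Host "Created '$($policy.DisplayName)' in report-only mode (id $($policy.Id))"

# When the report-only results look right (no legitimate sign-ins would have been blocked), enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = "enabled" }

# 3. External-sender tag in Outlook (desktop, web and mobile). This is the native tag, not a mail-flow
#    disclaimer; for third-party mail clients that do not render it, add a prepend-disclaimer transport rule too.
Connect-ExchangeOnline
Set-ExternalInOutlook -Enabled $true
Get-ExternalInOutlook | Select-Object Enabled, AllowList
```

Two things the script deliberately does not do: it does not enable the policy for you, and it does not exclude anything other than break-glass. Service accounts and any overseas contractor will show up in the report-only log as "would have been blocked"; add them as exclusions, or better, a second named location, before enforcing.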
Incident 2 — design studio, 8 staff, on-prem NAS
What happened: A staff laptop was encrypted by ransomware from a drive-by download. The laptop had a mapped network drive to the NAS, so the ransomware walked that too, needing nothing more than the user's ordinary write access to the share. Two terabytes of client work, gone in 40 minutes.
The NAS had backups — to a USB drive that was plugged into the NAS. Both encrypted.
What would have stopped it:
- Off-site, immutable backups: a copy that nothing holding the laptop's or the NAS's credentials can overwrite or delete, enforced by a retention lock on the storage side rather than by a password. £30/mo for a small business with our backup product.
- Remove the mapped drive for users who don't need it (most don't; they use OneDrive). OneDrive is not immune either, since synced files get encrypted along with the laptop, but Files Restore can roll a library back up to 30 days, which an SMB share cannot do without NAS snapshots.
- No admin rights on day-to-day laptops, and no domain admin on them at all. This is the most skipped item and the most impactful one. Be clear about what it buys you: admin rights are not what encrypted the share (the user's own write permission did that); admin is what lets the malware kill the security agent, delete shadow copies and hop to the next machine.
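A quick per-laptop check for the two Incident 2 conditions, local admin membership and persistent mappings to the NAS, as an added example (editor-supplied, not tooling from the incident). It assumes Windows 10/11 with the built-in Microsoft.PowerShell.LocalAccounts and SmbShare modules, an elevated PowerShell session in the affected user's context, and a placeholder NAS host name. Without -Fix it only reports.

```powershell
# Added example, not the advisory's own tooling. Run elevated in the user's own session:
# the HKCU part reads that user's saved drive mappings, so running as SYSTEM via RMM
# only covers the local-admin and currently-connected checks.
# Placeholders: $NasHost and the $expectedAdmins list.
param(
    [string]$NasHost = "NAS01",      # placeholder: your NAS host name as it appears in \\NAS01\share
    [switch]$Fix                     # without -Fix the script only reports
)

$findings = @()

# 1. Who is a local administrator on this laptop? On a domain-joined machine the built-in
#    Administrator and a LAPS-managed account are the expected members; any domain user or
#    group beyond that (Domain Admins included) means a day-to-day login has admin rights.
$expectedAdmins = @("Administrator")
foreach ($m in Get-LocalGroupMember -Group "Administrators") {
    $name = $m.Name.Split('\')[-1]
    if ($expectedAdmins -notcontains $name) {
        $findings += "Local admin: $($m.Name) ($($m.ObjectClass), source $($m.PrincipalSource))"
        # -Fix removes non-local user accounts only; groups are left for a human to judge
        if ($Fix -and $m.ObjectClass -eq "User" -and $m.PrincipalSource -ne "Local") {
            Remove-LocalGroupMember -Group "Administrators" -Member $m.Name
        }
    }
}

# 2. Currently connected SMB mappings to the NAS: the paths ransomware on this laptop would walk.
#    The regex matches \\NAS01\... and \\NAS01.domain\... but not \\NAS010\...
$nasPattern = "^\\\\${NasHost}(\.|\\)"
foreach ($map in Get-SmbMapping) {
    if ($map.RemotePath -match $nasPattern) {
        $findings += "Mapped drive $($map.LocalPath) -> $($map.RemotePath) (status $($map.Status))"
        if ($Fix) { Remove-SmbMapping -LocalPath $map.LocalPath -Force -UpdateProfile }
    }
}

# 3. Mappings saved in the user's profile, recreated at every logon even if not connected right now.
foreach ($k in Get-ChildItem "HKCU:\Network" -ErrorAction SilentlyContinue) {
    $remote = (Get-ItemProperty $k.PSPath).RemotePath
    if ($remote -match $nasPattern) {
        $findings += "Persistent mapping $($k.PSChildName): -> $remote"
        if ($Fix) { Remove-Item $k.PSPath -Recurse }
    }
}

if ($findings.Count -eq 0) { "OK: no unexpected local admins, no NAS mappings" } else { $findings }
```

Mappings pushed by Group Policy Preferences or a logon script come back at the next logon, so for those the fix is in the policy, not on the laptop; this script tells you which machines still have them.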
Incident 3 — solicitor, 16 staff, full M365
What happened: Consent phishing, which sidesteps MFA rather than breaking it. The attacker sent an email asking the recipient to "review a shared document"; the link went to a genuine Microsoft URL, so nothing looked wrong, and after signing in the user was asked to grant a third-party OAuth app Mail.ReadWrite on their mailbox. They clicked Accept. There was no MFA prompt for the attacker to fail: the consented app gets its own tokens for the mailbox from Entra, and those never pass through the user's MFA or Conditional Access policies.
What would have stopped it:
- User consent switched off for third-party OAuth apps: Entra admin center → Enterprise applications → Consent and permissions → User consent settings → "Do not allow user consent". Turn on the admin consent request workflow alongside it so users can ask rather than being silently blocked, and review requests manually. Then revoke what is already there: the setting stops future consents, it does not undo past ones, so check Enterprise applications → Permissions (or the audit log for "Consent to application") for anything already holding mail or file scopes.
- Phish-resistant MFA (Windows Hello for Business, FIDO2 keys) for partners and finance. Worth doing, but be honest about what it covers: it would not have stopped this one, because consent phishing lets the user authenticate legitimately, strong factor included, and then hand the attacker a grant. It closes the plain credential-phishing route.
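The consent fix as a script, covering both halves (turn user consent off, then find and optionally revoke existing grants that already carry mailbox-level scopes), as an added example that is editor-supplied rather than from the incident. It assumes the Microsoft.Graph PowerShell SDK, a Global Administrator or Privileged Role Administrator, and that the scope list and the -Revoke behaviour below are choices made here, not Microsoft defaults.

```powershell
# Added example, not the advisory's own script.
# Part 1 is the same change as Enterprise applications > Consent and permissions > "Do not allow user consent".
# Part 2 lists existing delegated grants with the scopes consent phishing goes for; -Revoke removes
# user-level grants to third-party apps only, and leaves tenant-wide admin grants for a human to review.
param([switch]$Revoke)

Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Directory.Read.All", "DelegatedPermissionGrant.ReadWrite.All"

# 1. An empty permission-grant-policy list means users can consent to nothing.
#    (The middle ground, verified publishers and low-risk permissions only, is
#    "ManagePermissionGrantsForSelf.microsoft-user-default-low" in the same list.)
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

# 2. Delegated grants already in the tenant. Scope names here are a judgement call; extend as needed.
$riskyScopes = "Mail.ReadWrite", "Mail.Read", "Mail.Send", "MailboxSettings.ReadWrite",
               "Files.ReadWrite.All", "offline_access"

$script:spCache = @{}
function Get-SpInfo([string]$id) {
    if (-not $script:spCache.ContainsKey($id)) {
        $script:spCache[$id] = Get-MgServicePrincipal -ServicePrincipalId $id `
            -Property DisplayName, AppOwnerOrganizationId, PublisherName
    }
    $script:spCache[$id]
}
$tenantId = (Get-MgContext).TenantId

$hits = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $scopes  = $grant.Scope -split ' ' | Where-Object { $_ }
    $matched = $scopes | Where-Object { $riskyScopes -contains $_ }
    if (-not $matched) { continue }
    $client = Get-SpInfo $grant.ClientId
    [pscustomobject]@{
        App         = $client.DisplayName
        Publisher   = $client.PublisherName
        ThirdParty  = $client.AppOwnerOrganizationId -ne $tenantId   # apps registered in another tenant
        ConsentType = $grant.ConsentType       # "AllPrincipals" = admin granted for everyone; "Principal" = one user granted it
        User        = if ($grant.PrincipalId) { (Get-MgUser -UserId $grant.PrincipalId).UserPrincipalName } else { "(all users)" }
        Scopes      = $matched -join ' '
        GrantId     = $grant.Id
    }
}
$hits | Sort-Object ThirdParty -Descending | Format-Table -AutoSize

if ($Revoke) {
    foreach ($h in $hits | Where-Object { $_.ThirdParty -and $_.ConsentType -eq "Principal" }) {
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $h.GrantId
        "Revoked '$($h.Scopes)' for $($h.User) on $($h.App)"
    }
}
```

This only covers delegated (on-behalf-of-a-user) grants, which is what consent phishing produces; application permissions granted by an admin live on the service principal's app role assignments and need a separate pass. Revoking the grant stops new tokens; any refresh token the app already holds keeps working until it expires, so for a confirmed bad app also disable the service principal.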
The boring fundamentals checklist
If you do nothing else this year, do these. None of them is new; together they stop most of what we see:
- MFA on every account, with at least two methods registered (Authenticator with number matching rather than SMS wherever you can)
- Conditional Access locking sign-in to the UK (or your real countries)
- Backups that aren't reachable from a compromised laptop (immutable, off-site)
- No admin rights for day-to-day work — separate admin accounts only
- Consent restrictions on OAuth third-party apps
- Marked-external banner on inbound email
We can audit your tenant against this list in an hour. Email your account manager: "Run the security baseline check on us."