Extended Leadership Team 24 February 2026

Scene 1 (0s)

Colorful wires. A black and grey background.

Scene 2 (1m 5s)

[Audio] The company has been working on upgrading its IT systems for several years now. The goal is to modernize the existing systems and make them more efficient. The company wants to reduce costs and increase productivity. The upgrade involves replacing old hardware with new ones and implementing new software. The company plans to use cloud computing services to host its data and applications. The company believes that this upgrade will help to improve customer service and reduce errors. The company is committed to providing high-quality services to its customers. The company is also planning to implement new security measures to protect its data from cyber threats. The company is confident that the upgrade will bring significant benefits to its business.

Scene 3 (1m 55s)

[Audio] Andy Evans explained that the recent attack was caused by a phishing email sent to employees. The attackers used social engineering tactics to trick employees into revealing sensitive information. Evans stated that the company had taken steps to prevent such attacks in the past but was caught off guard by the sophistication of this particular attack. He emphasized that the key to preventing similar attacks is to educate employees on how to identify and report suspicious emails. Evans concluded his presentation by highlighting the importance of employee awareness and vigilance in protecting against cyber threats.

Scene 4 (2m 31s)

[Audio] The attack begins with a moment of unsettling familiarity. You click a link in an email, and your browser opens to what appears to be a standard Microsoft login page. The logo is correct, the layout is pixel-perfect, and the URL looks plausible enough. You feel the muscle memory kick in, ready to type your credentials and get on with your day. But behind this ordinary interface, a highly sophisticated, multi-stage attack has silently begun. Legitimate-looking fake websites can trick users into divulging sensitive information, such as passwords and credit card details. These attacks often use social engineering tactics, exploiting psychological vulnerabilities to gain trust and confidence. In this case, the attackers have used a technique called "phishing," where they create convincing replicas of real websites, making it difficult for users to distinguish between genuine and fake sites. Once inside, the attackers can steal data, install malware, or even take control of user accounts. The key takeaway here is that these types of attacks are not only present but also actively ongoing, posing a significant threat to individuals and organizations alike. It's essential to remain vigilant and take proactive measures to protect ourselves from such threats.

Scene 5 (3m 52s)

[Audio] The attackers are able to exploit the psychological weaknesses of individuals within an organization. They use various tactics to manipulate people into divulging sensitive information or performing certain actions. These tactics include phishing emails, pretexting, baiting, and social engineering. Pretexting involves creating a fake scenario or situation that makes it seem like something needs to be done urgently. Baiting involves leaving out a tempting offer or incentive that encourages people to reveal sensitive information. Social engineering is a broad term that encompasses all types of manipulation used by attackers to influence people's behavior. Phishing emails are a common type of attack that uses a fake email address to trick people into revealing sensitive information.

Scene 6 (4m 41s)

[Audio] Traditional cybersecurity measures have been put in place to protect organizations from cyber threats. These measures include firewalls, intrusion detection systems, and multi-factor authentication. However, these measures can sometimes be bypassed by sophisticated attackers who use advanced techniques such as phishing and social engineering. As a result, traditional controls may not always be effective in preventing cyber attacks.

Scene 7 (5m 11s)

[Audio] The attackers use this initial interaction to gather crucial information about your account, such as whether it belongs to a real account on a specific Microsoft corporate tenant. This reconnaissance step helps them focus their efforts on a legitimate target, rather than wasting time on fake accounts or bots. By confirming the legitimacy of the account, the attackers can refine their approach and increase the chances of success.

Scene 8 (5m 39s)

[Audio] The attackers use various tactics to make the link appear legitimate. They may use a spoofed email address that closely resembles the one used by Microsoft, or they may create a fake website that mimics the official Microsoft website. They may also use social engineering techniques to trick users into divulging sensitive information such as passwords or credit card numbers. These tactics are designed to make the user believe that the link is coming from a trusted source, thereby increasing the likelihood that the user will click on it. The attackers may also use malware to infect the user's computer, allowing them to remotely control the device and steal sensitive information.

Scene 9 (6m 20s)

[Audio] The attackers use this information to send phishing emails to employees at the targeted company. These emails are designed to appear as though they come from a trusted source, such as an IT department or a CEO. The emails ask for sensitive information like passwords, credit card numbers, or other confidential data. The attackers may also include attachments that contain malware, which can compromise the security of the entire network.

Scene 10 (7m 2s)

[Audio] The attackers use various tactics to evade detection by security systems. They employ advanced algorithms to analyze the user's behavior and adapt their approach accordingly. These tactics include using fake emails, spoofing legitimate websites, and creating custom malware designed specifically for each target. The attackers also utilize social engineering techniques to trick users into divulging sensitive information.

Scene 11 (7m 43s)

[Audio] The Service Worker acts as a double agent, performing two functions simultaneously. On one hand, it authenticates your login requests by forwarding them to Microsoft's Azure AD servers. This makes the login process seamless and undetectable. However, unbeknownst to you, the Service Worker also creates a duplicate copy of your login request, which is then sent to an attacker. This cloning process occurs in real time, allowing the thief to access your sensitive information instantly. The key point here is that the theft is completely transparent, leaving you unaware that your entire session has been compromised.

Scene 12 (8m 24s)

[Audio] The attackers used a proxy server to gain access to the system. They intercepted sensitive information such as passwords and login details. The attackers then attempted to exfiltrate this data through a trusted channel, such as Microsoft's One Collector telemetry service. This allowed them to blend in with legitimate traffic, making it difficult to detect. The attackers exploited our trust in established systems and services. We must remain vigilant and update our security measures to prevent similar incidents in the future.

Scene 13 (9m 13s)

[Audio] The attackers use the stolen credentials to package them into a standard JSON telemetry packet. They add a unique Instrumentation Key to the packet which directs it to their own Azure workspace. The packet is then sent through a trusted Microsoft endpoint. Using the Microsoft postal service, they send the packet to their own Azure workspace. The packet contains sensitive information about the user's account.

Scene 14 (9m 45s)

[Audio] The colorful wires surrounding the man in the image represent the various ways in which cyber attacks can target our systems. The key points highlighted on this slide include "Man-in-the-Browser" proxy, "Validate Target" Location Attack", "Real-Time Tracer Alerts", "Credit Card Information", "Telemetry Service", "Bypasses Anti-Defenses", "Reconnaissance (TIM)", "Defense Evasion (T1205)", and "Exfiltration (T1567)". These types of attacks can intercept and manipulate web traffic, allowing the attacker to gain access to sensitive information. They can also use location-based targeting to identify vulnerable systems and launch an attack. Real-time tracer alerts can alert us to any potential malicious activity on our systems. Protecting sensitive data such as credit card information is crucial because cyber criminals may try to steal it for financial gain. Telemetry services collect and send information about the user's behavior and activities back to the attacker. Cyber attackers can use various techniques to bypass security measures, including Reconnaissance (TIM) and Defense Evasion (T1205). Exfiltration (T1567) refers to the act of stealing data from our systems. It is essential to stay vigilant and implement strong defense measures to protect ourselves from these threats.

Scene 15 (11m 19s)

[Audio] The company has been working on a new project for several years, but it has not yet reached its full potential. The team has been struggling with the lack of resources and funding. The company's financial situation is precarious, and there are concerns about the future.

Scene 16 (11m 50s)

[Audio] The organization's identity governance system should be designed to prevent unauthorized access to sensitive information. This includes implementing a robust identity management system that ensures accurate identification and authentication of users. A privileged access control mechanism should also be put in place to limit the actions that authorized personnel can take. Session risk monitoring should be implemented to detect and respond to potential security threats. Additionally, regular training sessions for employees should be conducted to maintain their vigilance and awareness of security risks.

Scene 17 (12m 28s)

[Audio] The attack begins with a familiar feeling. You click a link in an email and your browser opens to a website that looks like a standard Microsoft login page. The logo is correct, the layout is perfect, and the URL seems legitimate. You feel the urge to enter your credentials and proceed with your day. However, behind this ordinary interface, a highly advanced attack has started. Legitimate websites are often used as entry points for these types of attacks. Attackers use various tactics such as spoofing, phishing, and social engineering to deceive users into revealing sensitive information. Once the user enters their credentials, the attackers gain unauthorized access to the system. The next step is to transfer the stolen data through a secure channel. Most phishing attacks fail because they attempt to send stolen data to a suspicious server controlled by the attackers. However, this attack has found a way to bypass detection by using a trusted network and protocol. The attackers hide in plain sight by utilizing trusted networks and protocols, making it difficult to detect their malicious activities. The attack starts with a convincing login page, gains access through user input, and then uses a trusted network to transfer the stolen data. This highlights the importance of being cautious when interacting with unfamiliar emails and websites, and the need for robust security measures to prevent such attacks.