Accounting · Southbank, Melbourne · 8 staff

Business Email Compromise Recovery — 8-Person Melbourne Accounting Practice

How CX IT Services helped a Southbank accounting firm recover from a $47,000 BEC attack, rebuild their security posture, and meet ATO cyber compliance requirements.

Cybersecurity · Incident Response · Microsoft 365 · Accounting IT

  • 0 security incidents in 12 months post-remediation
  • 22 min average helpdesk response (was 4 hours)
  • ATO cyber compliance passed
  • $47k value of BEC attack that triggered the engagement

The Challenge

The Situation

An 8-person accounting firm in Southbank suffered a business email compromise attack in early 2024. A staff member received a sophisticated phishing email purporting to be from a major supplier, clicked a link, and entered their Microsoft 365 credentials. The attacker used the compromised account to intercept three client invoice emails and redirect payment to fraudulent bank accounts. The total loss was $47,000.

The firm's previous managed service provider responded to the incident by changing the affected account's password. When the principal asked about implementing MFA and improving email security, he was told it would take "a few weeks to schedule." Three days after the password change, the attacker was back in the account through a persistent session token the provider had not invalidated.

The Australian Taxation Office had also recently communicated that registered tax agents must meet specific cyber security requirements by June 2025. The firm was not on track to comply.

The Approach

What We Did

We were engaged the morning after the second access event. Our first action was a full forensic review of the Microsoft 365 tenant — examining sign-in logs, email rules, forwarding configurations, and third-party application authorisations. We identified three additional compromised accounts that had not been flagged, two mail forwarding rules the attacker had configured, and an OAuth application the attacker had authorised to maintain persistent access.

  • Immediate forensic investigation of Microsoft 365 tenant — identified all compromised accounts and attacker persistence mechanisms
  • Revoked all active sessions and OAuth tokens across the entire tenant, not just the initially reported account
  • Removed attacker-created mail forwarding rules and third-party application authorisations
  • Deployed Conditional Access policies requiring MFA with number matching for all sign-ins
  • Implemented Microsoft Defender for Office 365 Plan 2 with Safe Links and Safe Attachments
  • Configured DMARC, DKIM, and SPF for the firm's domain to prevent email spoofing
  • Delivered phishing simulation training for all staff with quarterly ongoing simulations
  • Prepared and submitted ATO cyber compliance documentation meeting all required controls
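
The persistence checks described above (mail forwarding rules and third-party application authorisations) can be run over exported tenant data. The following Python is an added example, not CX IT Services' own tooling; it assumes inbox rules and delegated permission grants have been exported as JSON in Microsoft Graph's messageRule and oauth2PermissionGrant shapes, and every domain, app ID and address in it is constructed.

```python
# Added example: flag external mail forwarding and unapproved mail-scoped OAuth grants.
# Field names follow Microsoft Graph messageRule / oauth2PermissionGrant resources.
TENANT_DOMAINS = {"example-accounting.test"}  # assumption: the firm's own domains
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}
FORWARD_ACTIONS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")


def external_forward_rules(rules_by_mailbox):
    """Return (mailbox, rule name, address) for rules that send mail outside the tenant."""
    findings = []
    for mailbox, rules in rules_by_mailbox.items():
        for rule in rules:
            actions = rule.get("actions") or {}
            for key in FORWARD_ACTIONS:
                for rcpt in actions.get(key) or []:
                    addr = rcpt["emailAddress"]["address"].lower()
                    if addr.rsplit("@", 1)[-1] not in TENANT_DOMAINS:
                        findings.append((mailbox, rule.get("displayName", ""), addr))
    return findings


def unapproved_mail_grants(grants, approved_client_ids):
    """Return (clientId, principalId, mail scopes) for apps not on the approved list."""
    findings = []
    for grant in grants:
        hit = sorted(set((grant.get("scope") or "").split()) & MAIL_SCOPES)
        if hit and grant["clientId"] not in approved_client_ids:
            findings.append((grant["clientId"], grant.get("principalId"), hit))
    return findings


# Constructed sample export (not data from the engagement).
SAMPLE_RULES = {
    "staff1@example-accounting.test": [
        {"displayName": "Rule 1", "actions": {
            "forwardTo": [{"emailAddress": {"address": "collector@mail-relay.test"}}]}},
        {"displayName": "Newsletters", "actions": {"moveToFolder": "folder-id-1"}},
    ],
    "staff2@example-accounting.test": [
        {"displayName": "To partner", "actions": {
            "redirectTo": [{"emailAddress": {"address": "Principal@example-accounting.test"}}]}},
    ],
}
SAMPLE_GRANTS = [
    {"clientId": "app-approved-1", "principalId": None, "scope": "User.Read Mail.Read"},
    {"clientId": "app-unknown-9", "principalId": "user-1",
     "scope": " offline_access Mail.ReadWrite Mail.Send"},
    {"clientId": "app-unknown-7", "principalId": "user-2", "scope": "User.Read openid"},
]
```
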

After the attack, I felt completely exposed — like we'd been doing everything wrong for years. What CX IT gave us wasn't just better security. It was clarity about what had actually happened and confidence that it was genuinely fixed, not just patched over.

Principal, Southbank Accounting Practice

The Outcome

In the 12 months following the remediation engagement, the firm experienced zero security incidents — no successful phishing attempts, no unauthorised access attempts that progressed beyond the MFA challenge, and no repeat of the BEC scenario.

The firm passed its ATO cyber compliance review without any deficiencies and was specifically noted for the quality of its email security configuration and staff training records.

Average helpdesk response time under the previous provider had been four hours. Under CX IT Services, it is 22 minutes. The principal described the contrast as "night and day — they actually answer the phone."

The firm also pursued a business interruption insurance claim for the $47,000 BEC loss with the forensic documentation we provided. The claim was accepted.
