“Two to three high alerts a day, some weeks. And when they get in? Eight minutes. In eight minutes, a threat actor read over 200 emails, uploaded malicious files to SharePoint, set up a malicious survey, downloaded from OneDrive, and added a malicious app to the tenant.” 

Who They Brought In 

Isaac Anderson is SOCSoter’s Technical Account Manager, five years in and probably the person on the team who has touched more customer environments than anyone else. He sits at the intersection of the SOC, engineering, account management, and the clients themselves. If something goes wrong in a customer’s environment, Isaac is in the room. He also designed SOCSoter’s reporting. Left brain, right brain. Don’t sleep on him. 

What Got Loud 

  • Attacks are up roughly 10x since Isaac started, and that’s his conservative estimate 
  • Microsoft’s built-in “risky sign-in detection” is, in Isaac’s words, almost worse than useless 
  • The Nigerian Prince email is dead. AI-crafted spear phishing now targets CEOs with flawless English for under $1,000 in tools 
  • Four specific things most companies aren’t doing in Microsoft 365, and why not having them is basically leaving the door open 
  • Every industry is a target. Isaac’s wife works at a printing company. They got hit too. 
  • 60% of small and mid-sized businesses that take a ransomware hit end up closing. Full stop. 

The Rundown 

Five years ago, SOCSoter’s alert volume was manageable. Today, Isaac is fielding two to three high alerts a day, some weeks.

“The driver isn’t a mystery. It’s math.”

AI has made it cheap, fast, and easy to launch sophisticated attacks at scale. The old tells are gone. Broken English, weird logos, obvious spoofing. Threat actors have moved past all of it. Spear phishing targeting C-suite executives now runs on tools that cost a few hundred dollars, tops. The return on investment for attackers is enormous. The risk of getting caught is minimal. 

The conversation zeroed in on Microsoft 365 because that’s where most of the damage is happening. Isaac made a point worth writing down: Microsoft does a great job reassuring you their product is safe. They do a poor job making sure you actually understand your own responsibilities in managing it. The gap between those two things is where breaches live. Most of what Isaac’s team sees comes down to improperly configured conditional access policies. Four fixes cover the majority of incidents: block unmonitored devices from accessing your 365 environment, enforce MFA globally without exceptions, set up geo-filtering, and require frequent re-authentication. None of this is exotic. All of it gets skipped constantly. 
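The four conditional access controls above are easy to state and easy to miss in a tenant with dozens of policies. The following Python is an added example, not SOCSoter's tooling or anything from the episode: it audits a set of conditional access policies, shaped like the Microsoft Graph `conditionalAccessPolicy` resource, and reports which of the four controls is absent. The policies themselves are constructed for this example, the named-location and break-glass IDs are placeholders, and the 24-hour re-authentication threshold is an assumption; in practice you would feed it the policy list exported from Graph.

```python
"""Audit conditional access policies for the four controls discussed above:
MFA with no exceptions, managed devices only, geo-filtering, frequent re-auth.
Policy dicts mirror the Microsoft Graph conditionalAccessPolicy shape; the
sample policies here are constructed for this example, not from a real tenant."""
import copy

MAX_REAUTH_HOURS = 24  # assumption: a longer sign-in frequency is not "frequent"


def _policy(name, grant=None, locations=None, session=None):
    """Build a constructed policy targeting all users and all cloud apps."""
    p = {"displayName": name, "state": "enabled",
         "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                        "applications": {"includeApplications": ["All"]}}}
    if locations:
        p["conditions"]["locations"] = locations
    if grant:
        p["grantControls"] = {"operator": "OR", "builtInControls": grant}
    if session:
        p["sessionControls"] = session
    return p


# Reference set: one enabled policy per control (constructed sample).
REFERENCE_POLICIES = [
    _policy("Require MFA for all users", grant=["mfa"]),
    _policy("Require compliant or hybrid-joined device",
            grant=["compliantDevice", "domainJoinedDevice"]),
    _policy("Block sign-ins outside approved countries", grant=["block"],
            locations={"includeLocations": ["All"],
                       "excludeLocations": ["<APPROVED_COUNTRIES_NAMED_LOCATION_ID>"]}),
    _policy("Re-authenticate every 12 hours",
            session={"signInFrequency": {"isEnabled": True, "type": "hours", "value": 12}}),
]

# Weakened copy: an MFA exception has crept in, and geo-blocking is report-only.
WEAK_POLICIES = copy.deepcopy(REFERENCE_POLICIES)
WEAK_POLICIES[0]["conditions"]["users"]["excludeUsers"] = ["<BREAK_GLASS_USER_ID>"]
WEAK_POLICIES[2]["state"] = "enabledForReportingButNotEnforced"


def _enabled(p):
    return p.get("state") == "enabled"


def _all_users_no_exceptions(p):
    users = (p.get("conditions") or {}).get("users") or {}
    return (users.get("includeUsers") == ["All"]
            and not users.get("excludeUsers")
            and not users.get("excludeGroups")
            and not users.get("excludeRoles"))


def _all_apps(p):
    apps = (p.get("conditions") or {}).get("applications") or {}
    return apps.get("includeApplications") == ["All"]


def _controls(p):
    return set((p.get("grantControls") or {}).get("builtInControls") or [])


def _baseline(p):
    """Enabled, everyone, every app: a policy with carve-outs is not a control."""
    return _enabled(p) and _all_users_no_exceptions(p) and _all_apps(p)


def _requires_mfa(p):
    return _baseline(p) and "mfa" in _controls(p)


def _requires_managed_device(p):
    return _baseline(p) and bool(_controls(p) & {"compliantDevice", "domainJoinedDevice"})


def _geo_blocks(p):
    # Block everywhere except trusted named locations (the approved countries).
    loc = (p.get("conditions") or {}).get("locations") or {}
    return (_baseline(p) and "block" in _controls(p)
            and loc.get("includeLocations") == ["All"] and bool(loc.get("excludeLocations")))


def _reauth_hours(p):
    sif = (p.get("sessionControls") or {}).get("signInFrequency") or {}
    if not sif.get("isEnabled"):
        return None
    value, unit = sif.get("value"), sif.get("type")
    return value if unit == "hours" else value * 24 if unit == "days" else None


def _forces_reauth(p):
    hours = _reauth_hours(p)
    return _baseline(p) and hours is not None and hours <= MAX_REAUTH_HOURS


CHECKS = {"mfa_everywhere": _requires_mfa, "managed_devices_only": _requires_managed_device,
          "geo_filter": _geo_blocks, "frequent_reauth": _forces_reauth}


def audit(policies):
    """Map each control to True when at least one policy fully provides it."""
    return {name: any(check(p) for p in policies) for name, check in CHECKS.items()}


def missing_controls(policies):
    return [name for name, ok in audit(policies).items() if not ok]


if __name__ == "__main__":
    print("reference:", missing_controls(REFERENCE_POLICIES))
    print("weakened: ", missing_controls(WEAK_POLICIES))
```

The check is deliberately strict: a policy that excludes a single account, or that sits in report-only mode, does not count, because those are exactly the gaps that turn into the eight-minute incident described below.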

Then Isaac described a real incident. Eight minutes of access on a compromised admin credential. In that window, the threat actor read 200+ emails, uploaded malicious files to SharePoint, set up a phishing survey using Microsoft’s own tools, downloaded files from OneDrive, and added a malicious application to the tenant. All scripted. All automated. SOCSoter’s engineering team had a full incident report ready within 30 minutes. Soon that drops to under a minute. That remediation, the walkthrough, the cleanup, the follow-up, is included in the service. No extra charge. 

Melissa closed with something that doesn’t get said enough: 

“SOCSoter is not clairvoyant. If your environment changes, new firewall, new VPN policy, new anything, you have to communicate it. Security is a partnership. The SOC can only protect what it can see.”

Real Talk 

Microsoft 365 is where your business lives. It’s also where attackers are spending most of their time. The four things Isaac laid out, unmonitored device access, MFA enforcement, geo-filtering, and forced re-authentication, aren’t advanced. They’re table stakes. If you don’t have them in place, you’re not saving money. You’re just deferring a very expensive conversation. 

Catch It 

Listen to the full episode on Apple Podcasts, Spotify, or wherever you get your podcasts.

If your Microsoft 365 environment hasn’t been reviewed lately, let’s fix that before someone else does it for you. Visit www.SOCSoter.com