
Security Posture After a Phishing Incident
Zero breaches since deployment
“One staff member clicked a link in an email and we spent three days not knowing if our client data had been compromised.”
The Challenge
A 14-lawyer firm in downtown Toronto experienced a phishing incident when a legal assistant opened a credential-harvesting email disguised as a Microsoft 365 password expiry notice. The assistant's credentials were captured and used to log into their Microsoft 365 tenant from an IP address in Eastern Europe.
The firm's IT lead — a non-technical office manager — noticed unusual inbox rules had been created on the affected account. By the time access was revoked, the attacker had been in the account for approximately 11 hours.
No client data was confirmed exfiltrated, but the firm could not rule it out. They contacted ADDER Technologies the following morning.
What We Did
Immediate response (first 48 hours). We audited the affected tenant, revoked all active sessions, reviewed mail flow rules for exfiltration patterns, and confirmed no forwarding rules had been set to external addresses. We reviewed SharePoint and OneDrive access logs for the period of compromise. A written incident summary was produced for the firm's records and insurer.
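The forwarding-rule and inbox-rule review described above, as an added example (not ADDER Technologies' own tooling): it sweeps every mailbox in an Exchange Online tenant for mailbox-level forwarding to external domains and for inbox rules that forward, redirect, delete or bury mail. It assumes the ExchangeOnlineManagement module and an account with Exchange administrator rights; the list of folders treated as "hiding" folders is a heuristic, not something from the case.

```powershell
# Added example, not the firm's or ADDER's code. Assumes ExchangeOnlineManagement
# is installed and the signed-in account can read all mailboxes and inbox rules.
Connect-ExchangeOnline -ShowBanner:$false

# Any domain the tenant does not accept mail for is treated as external
$internal = @(Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() })
# Heuristic (assumption): folders attackers commonly move mail into so the owner never sees it
$hideFolders = 'RSS Subscriptions|RSS Feeds|Deleted Items|Junk Email|Archive|Conversation History'

function Get-TargetDomain {
    # Targets render as "Display Name [SMTP:user@domain]", "smtp:user@domain"
    # or a bare address; return the domain part in lower case, or $null
    param([string]$Target)
    $addr = if ($Target -match 'SMTP:([^\]\s]+)') { $Matches[1] } else { $Target }
    if ($addr -match '@([^\]\s>]+)$') { return $Matches[1].ToLower() }
    return $null
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Mailbox, $Kind, $Rule, $Detail) {
    $findings.Add([pscustomobject]@{ Mailbox = $Mailbox; Kind = $Kind; Rule = $Rule; Detail = $Detail })
}

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $who = "$($mbx.PrimarySmtpAddress)"
    # Mailbox-level forwarding (set by an admin or through the user's Outlook settings)
    foreach ($fwd in @($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) | Where-Object { $_ }) {
        $d = Get-TargetDomain "$fwd"
        if ($d -and $internal -notcontains $d) { Add-Finding $who 'MailboxForwardExternal' $null "$fwd" }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            $d = Get-TargetDomain "$t"
            if ($d -and $internal -notcontains $d) { Add-Finding $who 'RuleForwardExternal' $rule.Name "$t" }
        }
        # Rules that delete mail or move it to rarely-read folders are used to keep
        # password-reset notices and replies away from the account owner
        if ($rule.DeleteMessage) { Add-Finding $who 'RuleDeletesMail' $rule.Name $rule.Description }
        elseif ("$($rule.MoveToFolder)" -match $hideFolders) { Add-Finding $who 'RuleHidesMail' $rule.Name "$($rule.MoveToFolder)" }
    }
}

# Every finding should be explained by the mailbox owner or removed
$findings | Sort-Object Mailbox, Kind | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Rules that are disabled still show up here deliberately, since an attacker's rule may have been switched off rather than deleted during a rushed cleanup.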
Hardening (weeks 1–3). After containment, we implemented:
- MFA enforced on all 365 accounts — conditional access policies set so no account can authenticate without a second factor, regardless of location
- Privileged account separation — admin accounts are now separate from day-to-day email accounts
- Endpoint protection rollout — Microsoft Defender for Business deployed across all 14 workstations with centralized alerting
- Email filtering tightened — enhanced phishing protection rules and external sender banners enabled in Exchange Online
- Backup verification — existing 365 backup confirmed healthy; retention extended to 90 days
Staff training. All 22 firm employees (lawyers and staff) completed a 90-minute security awareness session. Simulated phishing tests are now run quarterly.
The Outcome
In the 10 months since the incident, the firm has had zero security events. Three simulated phishing tests have been run; click rates dropped from 34% on the first test to 6% on the third.
The firm's managing partner noted that the experience — while stressful — forced a security improvement that had been deferred for years. The firm now has documentation, processes, and tooling that would have prevented the original incident entirely.
Key Results
0 security incidents since deployment
100% of staff completed security training
48 hrs from incident response to full remediation