Blog – Tower Zero Security
Microsoft 365 Security Guides

Practical Guides for M365 Security.

No vendor fluff. No generic advice. Written by incident responders who've seen what actually breaks — and exactly how attackers get in.

Latest Posts
Illustration: attacker proxy (adversary-in-the-middle) and server, replayed OTP. MFA satisfied · session hijacked · attacker authenticated as you.
Identity & MFA

Why MFA Alone Is Not Enough Anymore

Somewhere along the way, MFA calcified into a false sense of completeness — as though it were a finish line rather than a baseline. Attackers adapted. Token theft, MFA fatigue, and legacy authentication protocols bypass it completely. Here's exactly how each technique works and what actually stops them.

Illustration: incident response timeline, case #IR-2024-0441 (active). Day 1: discovery (employee reports files showing strange extensions). Day 2: triage and containment. Day 3: forensics. Day 4–5: decision and rebuild. Day 6–7: partial restoration.
Incident Response

A Cyber Incident Happened at a Firm Like Yours. Here Is What the First Week Looked Like.

A partner noticed a client had called about an email she never sent. Her account had been compromised seventeen days earlier.

Illustration: law firm, CPA firm, insurance. 73% of SMBs attacked; $184K per incident.
Threat Intelligence

Why Small Professional Services Firms Are the Most Targeted Businesses in America Right Now

Lawyers, CPAs, and insurance brokers handle the most sensitive data and carry the thinnest security posture.

Illustration: traditional antivirus marks powershell.exe, a wmic.exe lateral call, and an lsass.exe memory dump as clean (attacker has been inside for 11 days). Huntress flags encoded PS execution (T1059.001), credential access (T1003.001), and persistence (T1053.005) (attacker contained in 9 minutes).
SOC & MDR

What Huntress Catches That Traditional Antivirus Misses

Modern attacks increasingly rely on tools already present on your system — legitimate Windows utilities weaponized to do malicious things. Huntress monitors behavior instead.

Illustration: EDR, MDR. No one is watching. Alerts detected. Analysts respond. Threats contained.
SOC & MDR

The Difference Between EDR and MDR (And Why Small Businesses Need to Know)

EDR is a tool. It generates alerts. MDR is the human layer that sits on top — monitoring around the clock, triaging what's real, and responding when something needs to be contained.

Illustration: real 24/7 (threat detected, 11:47 PM Sat: suspicious inbox rule created) and what you get (#4821, critical, unassigned, opened 11:52 PM Fri, 36h ago; #4901, critical, unassigned).
SOC & MDR

What 24/7 Monitoring Actually Means (And What Vendors Are Selling You Instead)

There is a meaningful difference between a dashboard that's technically running 24 hours a day and a security engineer who is actively responding to threats around the clock.

Illustration: your IT company (helpdesk, break/fix, maintenance; no 24/7 threat monitoring, no active threat hunting, no incident containment; available Mon–Fri 9AM–5PM) and a security operations center (CRIT: impossible travel, B. Walsh; HIGH: mass mailbox rule creation; MED: credential stuffing attempt; available 24/7/365, mean response < 5 min).
Threat Intelligence

Why Your IT Company Is Not Your SOC (And Why That Gap Is Costing Businesses)

Your IT company is responsible for keeping systems running. A SOC monitors for signs of attacker behavior. Most businesses assume their IT company is doing both. They are not — and that gap is exactly where attackers live.
