A Cyber Incident Happened at a Firm Like Yours. Here Is What the First Week Looked Like. – Tower Zero Security

[Illustration: dark 7-day incident response timeline showing escalating alerts, decisions, and containment stages, labelled "INCIDENT RESPONSE TIMELINE // CASE #IR-2024-0441"]

The following is a composite account based on real incidents we have responded to. Identifying details have been changed.

A partner at a mid-size law firm noticed on a Monday morning that a client had called over the weekend asking about an email she never sent. The email had come from her account — correct address, correct signature, correct everything — asking the client to update their wiring instructions for an upcoming settlement disbursement.

She called us at 8am. By 8:45 we had access to her Microsoft 365 tenant.

What We Found

By 10am we had established that her account had been compromised seventeen days earlier. The entry point was a phishing email convincing enough that she had entered her credentials without realizing it. The attacker had authenticated from an overseas IP address within four minutes of credential capture.

For the following seventeen days, the attacker had been a silent observer. They read email. They learned the names of the firm's clients, the structure of ongoing matters, and the names of banks and title companies the firm regularly worked with. They identified three active matters with significant wire transfers approaching. Then they created an inbox rule that intercepted any replies to emails sent from her account and deleted them before she saw them, and they began impersonating her.

The client who called over the weekend was the third one they had contacted. The first two had fortunately called the firm directly to confirm before sending anything.

Monday: Containment

By noon on Monday we had revoked all active sessions, removed the inbox rule, identified two other accounts in the tenant that showed signs of reconnaissance activity from the same IP infrastructure, and begun credential resets for all affected accounts.

Wednesday: Full Forensic Picture

By Wednesday we had completed the full forensic investigation. We knew every email the attacker had read, every file they had accessed in SharePoint, every external communication they had sent. The firm had a complete incident timeline — the kind of documentation a cyber insurance carrier requires and a bar association notification demands.

Friday: Hardening and Reporting

By Friday we had implemented the hardening controls that would have made this attack significantly harder — MFA with Conditional Access, legacy authentication blocked, inbox rule alerting configured, mailbox audit logging extended. We delivered the written incident report the firm needed for their cyber insurance carrier and for the bar association notification that was required under state rules.
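One way to implement the inbox rule alerting mentioned above, and to catch the pattern described earlier in this account (a sign-in from an unexpected country followed by a rule that silently deletes replies), is to run the tenant's Unified Audit Log exports through a small detector. The Python script below is an added example, not Tower Zero Security's own tooling: the audit records, the IP-to-country table, the allowed-country list and the example-firm.test domain are all constructed for illustration, and the field names follow the Unified Audit Log record layout for Exchange cmdlet and Azure AD sign-in events.

```python
"""Flag inbox-rule changes that hide or divert mail, and raise the severity
when the same account signed in from outside the allowed countries shortly
before the rule was created.

Input is a list of Microsoft 365 Unified Audit Log records (the JSON objects
returned by Search-UnifiedAuditLog or exported from the Purview portal).
All records and lookup tables below are constructed for this example.
"""
import json
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"US"}            # where the firm's staff legitimately sign in from
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
CORRELATION_WINDOW = timedelta(hours=24)
INTERNAL_DOMAIN = "example-firm.test"  # constructed tenant domain
# Folders attackers commonly pick because users rarely open them.
SUSPICIOUS_FOLDERS = ("rss", "conversation history", "archive", "junk", "deleted")
# Constructed stand-in for a real GeoIP database.
GEO = {"203.0.113.45": "NL", "198.51.100.7": "US"}

# Constructed sample: one compromised partner, one legitimate paralegal rule.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-03-04T06:51:10", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "partner@example-firm.test",
     "ClientIP": "203.0.113.45"},
    {"CreationTime": "2024-03-04T07:03:22", "Operation": "New-InboxRule",
     "Workload": "Exchange", "UserId": "partner@example-firm.test",
     "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "wire;wiring;settlement"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2024-03-05T14:12:00", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "paralegal@example-firm.test",
     "ClientIP": "198.51.100.7"},
    {"CreationTime": "2024-03-05T14:20:00", "Operation": "New-InboxRule",
     "Workload": "Exchange", "UserId": "paralegal@example-firm.test",
     "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Court notices"},
                    {"Name": "From", "Value": "notices@courts.example"},
                    {"Name": "MoveToFolder", "Value": "Court"}]},
]


def parse_time(value):
    """Unified Audit Log timestamps are ISO 8601, sometimes with a trailing Z."""
    return datetime.fromisoformat(value.rstrip("Z"))


def parameters(record):
    """Flatten the cmdlet Parameters list into a name -> value dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def rule_findings(params):
    """Return human-readable reasons a rule looks like a mailbox-hiding rule."""
    findings = []
    if params.get("DeleteMessage", "").lower() == "true":
        findings.append("deletes matching mail")
    folder = params.get("MoveToFolder", "").lower()
    if any(name in folder for name in SUSPICIOUS_FOLDERS):
        findings.append(f"moves mail to rarely viewed folder '{params['MoveToFolder']}'")
    # Forwarding targets appear in several formats in real logs; this check
    # is simplified to a semicolon-separated list of addresses.
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        targets = params.get(key, "")
        if targets and not all(t.strip().lower().endswith("@" + INTERNAL_DOMAIN)
                               for t in targets.split(";")):
            findings.append(f"{key} points outside the tenant: {targets}")
    if params.get("MarkAsRead", "").lower() == "true" and findings:
        findings.append("also marks the mail as read")
    if len(params.get("Name", "")) <= 2:
        findings.append(f"near-empty rule name {params.get('Name')!r}")
    return findings


def foreign_logins(records):
    """(user, time, ip, country) for every sign-in outside ALLOWED_COUNTRIES."""
    hits = []
    for r in records:
        if r.get("Operation") == "UserLoggedIn":
            country = GEO.get(r.get("ClientIP"), "??")
            if country not in ALLOWED_COUNTRIES:
                hits.append((r["UserId"], parse_time(r["CreationTime"]), r["ClientIP"], country))
    return hits


def analyze(records):
    """Produce one alert per suspicious rule change, with correlated sign-ins."""
    logins = foreign_logins(records)
    alerts = []
    for r in records:
        if r.get("Operation") not in RULE_OPS:
            continue
        params = parameters(r)
        findings = rule_findings(params)
        if not findings:
            continue
        when = parse_time(r["CreationTime"])
        related = [l for l in logins
                   if l[0] == r["UserId"] and timedelta(0) <= when - l[1] <= CORRELATION_WINDOW]
        alerts.append({
            "user": r["UserId"], "time": r["CreationTime"], "rule": params.get("Name"),
            "findings": findings,
            "severity": "HIGH" if related else "MEDIUM",
            "preceding_foreign_logins": [f"{ip} ({cc}) at {t.isoformat()}" for _, t, ip, cc in related],
        })
    return alerts


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_RECORDS), indent=2))
```

Run against a real export, the script would be fed the records returned by Search-UnifiedAuditLog and a proper GeoIP lookup in place of the GEO table. The point of the correlation step is the one this account illustrates: a deletion rule on its own is worth a ticket, but a deletion rule created minutes after a sign-in from a country the firm never works from is the signal that should page someone.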

The Outcome

The outcome was good relative to what it could have been. No wire transfer was completed. No client data was exfiltrated in a way that created notification obligations beyond the bar association. The firm's clients were informed professionally with a clear explanation of what happened and what had been done.

What made the difference was that the firm called immediately, before taking any independent action that might have destroyed forensic evidence. And the controls we put in place afterward mean that if an attacker tries the same approach again, they will be detected within hours instead of weeks.

No Obligation. No Sales Pitch.

Know Where You Stand Before an Attacker Does.

Get a clear picture of your Microsoft 365 security posture — for free. Our engineers review your environment and tell you exactly what an attacker would see.

