A Routine Domain Problem Turned Into a Serious Breach. Here's How We Uncovered It.
The short version
A professional services firm contacted Stealth Cyber after their domain was suspended by the registrar. They assumed it was an administrative issue. It was not. The investigation uncovered a compromised Microsoft 365 account, an unauthorised remote access tool installed with full system privileges, and multiple staff credentials exposed in criminal data leaks.
How it started
The firm noticed their domain had been suspended, which caused email delivery failures and website downtime. Their IT provider was unable to resolve the issue and could not explain why the suspension had occurred. Stealth Cyber was engaged to investigate.
Within the first few hours, it became clear that the domain suspension was a symptom, not the cause. The registrar had flagged the domain due to suspicious activity associated with the account. That suspicious activity pointed to something much larger.
What we found when we looked
The investigation revealed three distinct but related problems.
First, a compromised Microsoft 365 account. One staff member's account had been accessed by an unauthorised party. Mailbox rules had been created to redirect emails, and the account had been used to send phishing emails to contacts in the firm's address book. This is likely what triggered the domain suspension.
Second, an unauthorised remote access tool. A remote administration tool had been installed on a workstation with SYSTEM-level privileges. This was not a tool the firm or their IT provider had deployed. It gave whoever installed it full control of the machine, including the ability to access files, capture keystrokes, and move laterally within the network.
Third, credential exposure in criminal data leaks. A review of threat intelligence sources revealed that multiple staff email addresses and passwords had appeared in criminal data breach compilations. Some of these credentials were still in active use and had not been changed.
What Stealth Cyber did
Containment. We immediately revoked all active sessions, reset credentials for all affected accounts, and disabled the compromised account. The unauthorised remote access tool was removed from the affected workstation and all other systems were scanned to confirm no additional installations existed.
Forensic investigation. We conducted a thorough review of Microsoft 365 audit logs, sign-in records, and mailbox configurations. We identified the scope of the compromise, the timeline of unauthorised access, and the data that may have been exposed.
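As an added illustration of the audit-log review described above (example code, not Stealth Cyber's tooling or anything from the original post), the script below triages Exchange Online Unified Audit Log records for the mailbox-rule pattern seen in this case: New-InboxRule or Set-InboxRule changes that redirect mail outside the tenant or delete it. The tenant domain, addresses and sample records are constructed assumptions, though the field names follow the export format.

```python
# Added example (not Stealth Cyber's tooling): flag inbox-rule changes in
# Exchange Online Unified Audit Log exports that send mail outside the tenant
# or delete it. Records, addresses and tenant domain are constructed, not real.
TENANT_DOMAIN = "example.com.au"  # assumption: the firm's own mail domain
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed sample records, shaped like UAL JSON for mailbox-rule operations.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-03-04T02:11:09", "Operation": "New-InboxRule",
     "UserId": "jane@example.com.au", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "RedirectTo", "Value": "drop@mail-relay.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-03-04T09:30:00", "Operation": "New-InboxRule",
     "UserId": "tom@example.com.au", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"CreationTime": "2024-03-05T01:02:03", "Operation": "Set-InboxRule",
     "UserId": "jane@example.com.au", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Identity", "Value": "."},
                    {"Name": "ForwardTo", "Value": "backup@example.com.au"}]},
]

def params(record):
    """Flatten the Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def is_external(address):
    """True when the address is outside the tenant's own domain."""
    return "@" in address and address.rsplit("@", 1)[1].lower() != TENANT_DOMAIN

def rule_findings(record):
    """Return the reasons a rule-change record looks suspicious (empty if none)."""
    p = params(record)
    reasons = []
    for name in sorted(FORWARD_PARAMS.intersection(p)):
        if any(is_external(a.strip()) for a in p[name].split(";")):
            reasons.append(f"{name} sends mail outside the tenant: {p[name]}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage removes the forwarded mail from the mailbox")
    rule_name = p.get("Name", p.get("Identity"))
    if reasons and rule_name is not None and len(rule_name.strip()) <= 2:
        reasons.append("rule has a near-empty name, a common attempt to avoid notice")
    return reasons

def triage(records):
    """Map (UserId, CreationTime) of each suspicious rule record to its findings."""
    return {(r["UserId"], r["CreationTime"]): f for r in records
            if r.get("Operation") in RULE_OPS and (f := rule_findings(r))}
```

Running `triage(SAMPLE_RECORDS)` flags only the first record, which redirects mail to an external address, deletes the original, and is named "."; the internal forward and the ordinary filing rule pass.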
Threat intelligence. We ran all staff email addresses against known criminal data breach databases to identify exposed credentials. We provided a full report of which accounts were compromised and the source breaches where the credentials appeared.
Documentation. We produced a formal incident report covering the timeline, scope, and impact of the breach. This included an assessment of notification obligations under the Notifiable Data Breaches scheme.
Remediation roadmap. We delivered a prioritised list of actions to address the root causes, including MFA enforcement, conditional access policies, privileged access management, endpoint protection improvements, and an ongoing monitoring plan.
What this case illustrates
Legacy IT environments create blind spots. The firm's IT provider was managing day-to-day operations but had no visibility into security events. There was no monitoring, no alerting, and no audit log review. The compromise could have continued indefinitely if the domain had not been suspended.
One compromised account can cascade quickly. A single account with standard permissions was enough to send phishing emails, access shared resources, and trigger a domain suspension. Broad access and a lack of segmentation amplified the impact.
Exposed credentials are an ongoing liability. Staff credentials that appear in criminal data leaks do not expire. If those passwords are reused or if MFA is not enforced, they remain a viable entry point for attackers.
The outcome
The domain was restored after Stealth Cyber worked with the registrar to demonstrate that the underlying issue had been contained. The compromised account was secured, the remote access tool was removed, and all affected credentials were reset.
The firm received a complete incident report and remediation roadmap. Stealth Cyber was retained to implement the recommended security controls and provide ongoing monitoring.
What this means for your business
If your IT provider manages your systems but does not actively monitor for security events, you may have similar blind spots. Compromised accounts, unauthorised tools, and leaked credentials are not hypothetical risks. They are common findings in environments where security has been assumed rather than verified.
A domain suspension, a strange email, or an unexplained login may be the first visible sign of a much deeper problem. The question is whether anyone is watching closely enough to notice.
Find Out Where You Stand
Stealth Cyber conducts security assessments that uncover the risks your current IT provider may not be looking for. From compromised credentials to unauthorised access tools, we find what others miss.
Talk to Stealth Cyber about a security assessment for your business