
It takes about three seconds to click the link. It takes about 30 minutes for that click to unravel everything your agency has built.
This is not hypothetical. This is the anatomy of a credential-harvesting attack on a real CSR's Microsoft 365 account, minute by minute, and the detections that can stop it before your agency is filing a six-figure breach notification with the North Carolina Department of Insurance (NCDOI).
9:02 AM — The Click
Lane is a CSR at a mid-sized independent insurance agency. They manage renewals, process certificates, and work in Applied Epic and their Microsoft 365 inbox at the same time. This morning, an email arrived that looked like a Microsoft security alert. The sender domain is close but not quite right. The urgency is cranked up. They click.
The link routes to a pixel-perfect Microsoft login page, same fonts, same logo, same layout. They type their credentials. The page redirects to the real Microsoft portal. They assume it was just a hiccup.
It was not a hiccup. The attacker now has the username and password. More importantly, because Lane's account did not have MFA enforced on that device, the attacker has everything they need to walk right in.
9:04 AM — The Attacker Is Already Moving
Two minutes after the click, the attacker authenticates from an IP address in Eastern Europe. Microsoft 365 logs this as a successful sign-in. From the platform's perspective, the right credentials showed up.
Within the first five minutes, the attacker runs three tasks in parallel. They export Lane's full contact list. They search the inbox for terms like wire, invoice, renewal, payment, and bank. They also set up a forwarding rule, so every email Lane receives will be silently copied to an external Gmail address. Lane will never see that rule unless they specifically check the email settings.
The attacker now has a map of the agency's relationships, its clients, its vendors, and its pending financial transactions.
9:11 AM — Inside the Account Management System (AMS)
Here is where it gets expensive.
Lane's credentials also open the door to Applied Epic. The attacker logs in using the same single sign-on pathway tied to the Microsoft account. They pull up active policies. They look for large commercial accounts with upcoming renewals or endorsements.
They find a commercial property account with an outstanding $42,000 renewal invoice. The carrier's payment instructions are on file. The attacker screenshots everything and exits. No changes made; no flags triggered. Just reconnaissance.
9:19 AM — The Invoice Swap
Using Lane's actual email account, not a spoofed address, the real inbox, the attacker emails the insured's accounting department. The message threads directly below a prior legitimate conversation Lane had with them last week. It looks completely native to the relationship.
The message explains that the agency's banking partner has changed and provides updated wire instructions. The new account number routes to a fraudulent account. The request is warm, contextual, and sent from a known address. The accounting team has no reason to doubt it.
Wire fraud at the commercial level typically completes within one business day. That $42,000 lands in an account that will be drained before the agency's EOD.
9:28 AM — What Should Have Caught This
Here is the good news. Every step of this attack leaves a footprint, and modern security stacks can catch it.
Impossible travel detection flags the 9:04 AM login immediately. Lane authenticated from Raleigh at 8:47 AM. An authentication from a foreign IP 17 minutes later is physically impossible. A properly configured Microsoft Entra ID Conditional Access policy triggers an automatic session termination and alerts the agency's IT contact.
Anomalous inbox rule detection catches the forwarding rule the moment it is created. Microsoft Defender for Office 365 monitors new rules that route mail to external addresses, especially rules that are created outside normal business hours or from unfamiliar locations.
AMS login anomaly monitoring flags the Applied Epic access if the agency's IT environment is integrated with a SIEM or if Applied Systems' own audit logging is being actively reviewed. A login from an unrecognized IP immediately following an alert-flagged M365 session is a flashing red light.
If any one of these detections fires and is acted upon before 9:28 AM, the wire transfer request never leaves the inbox.
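The three detections above can be written as plain rules over events Microsoft 365 already records: the Entra ID sign-in log for impossible travel, the unified audit log's New-InboxRule operation for external forwarding, and an AMS audit log for follow-on access from an already-flagged address. The Python below is an added example written for this article; it is not code from the original post, from Microsoft, from Applied Systems or from Net Friends. The event records, coordinates, IP addresses, timestamps, mail domain and the 900 km/h speed threshold are all constructed or assumed to mirror the timeline, and the event shape is a simplified stand-in for the real log formats.

```python
"""Toy detectors for the three signals in the timeline (added example).

Event shapes are simplified stand-ins for the Entra ID sign-in log, the
unified audit log's New-InboxRule operation, and an AMS audit log. Every value
below is constructed for this example, not taken from a real log export.
"""
from __future__ import annotations

import json
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0        # assumed: faster than an airliner is not travel
INTERNAL_DOMAINS = {"agency.example"}  # assumed agency mail domain
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Approximate coordinates, used only to turn a sign-in location into a point.
GEO = {"Raleigh, US": (35.78, -78.64), "Chisinau, MD": (47.01, 28.86)}

# --- constructed sample events (documentation-range IPs) ---------------------
SIGN_INS = [
    {"user": "lane@agency.example", "time": "2025-03-10T08:47:00Z",
     "ip": "203.0.113.10", "location": "Raleigh, US", "result": "Success"},
    {"user": "lane@agency.example", "time": "2025-03-10T09:04:00Z",
     "ip": "198.51.100.77", "location": "Chisinau, MD", "result": "Success"},
]
INBOX_RULES = [
    # Benign: forwards to a colleague inside the agency's own domain.
    {"user": "lane@agency.example", "time": "2025-03-10T08:55:00Z",
     "operation": "New-InboxRule", "ip": "203.0.113.10",
     "params": {"Name": "Renewals to Sam", "ForwardTo": "sam@agency.example"}},
    # Malicious: silently copies every message to an external mailbox.
    {"user": "lane@agency.example", "time": "2025-03-10T09:06:00Z",
     "operation": "New-InboxRule", "ip": "198.51.100.77",
     "params": {"Name": "Backup", "ForwardTo": "lane.backup@gmail.com"}},
]
AMS_LOGINS = [
    {"user": "lane@agency.example", "time": "2025-03-10T08:50:00Z",
     "ip": "203.0.113.10", "app": "Applied Epic"},
    {"user": "lane@agency.example", "time": "2025-03-10T09:11:00Z",
     "ip": "198.51.100.77", "app": "Applied Epic"},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def haversine_km(p, q) -> float:
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect_impossible_travel(sign_ins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Flag a successful sign-in whose implied speed from the previous one is absurd."""
    alerts, last_by_user = [], {}
    for e in sorted(sign_ins, key=lambda e: parse_ts(e["time"])):
        if e["result"] != "Success":
            continue
        prev = last_by_user.get(e["user"])
        if prev and prev["location"] != e["location"]:
            hours = (parse_ts(e["time"]) - parse_ts(prev["time"])).total_seconds() / 3600
            km = haversine_km(GEO[prev["location"]], GEO[e["location"]])
            speed = km / hours if hours > 0 else math.inf  # same instant: impossible
            if speed > max_speed_kmh:
                alerts.append({"user": e["user"], "ip": e["ip"], "time": e["time"],
                               "from": prev["location"], "to": e["location"],
                               "distance_km": round(km), "minutes": round(hours * 60, 1),
                               "speed_kmh": round(speed)})
        last_by_user[e["user"]] = e
    return alerts


def detect_external_forwarding(rule_events, internal_domains=INTERNAL_DOMAINS):
    """Flag new or changed inbox rules that forward/redirect mail outside the agency."""
    alerts = []
    for e in rule_events:
        if e["operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        for key in FORWARD_KEYS:
            target = e["params"].get(key)
            if target and target.rsplit("@", 1)[-1].lower() not in internal_domains:
                alerts.append({"user": e["user"], "ip": e["ip"], "time": e["time"],
                               "rule": e["params"].get("Name"), "target": target,
                               "reason": f"{key} leaves the organisation"})
    return alerts


def correlate_follow_on_activity(travel_alerts, events, window_minutes=60):
    """Escalate later activity from an IP that an impossible-travel alert already flagged."""
    flagged = {a["ip"]: parse_ts(a["time"]) for a in travel_alerts}
    out = []
    for e in events:
        first_seen = flagged.get(e["ip"])
        if first_seen is None:
            continue
        delta = (parse_ts(e["time"]) - first_seen).total_seconds() / 60
        if 0 <= delta <= window_minutes:
            out.append({"ip": e["ip"], "user": e["user"], "time": e["time"],
                        "what": e.get("operation") or e.get("app"),
                        "minutes_after_flag": round(delta, 1)})
    return out


def run():
    travel = detect_impossible_travel(SIGN_INS)
    return {"impossible_travel": travel,
            "external_forwarding": detect_external_forwarding(INBOX_RULES),
            "escalations": correlate_follow_on_activity(travel, INBOX_RULES + AMS_LOGINS)}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Run stand-alone, it reports one impossible-travel alert (Raleigh to Chisinau in 17 minutes, an implied speed in the tens of thousands of km/h), one external-forwarding alert for the Gmail rule while the internal forward to a colleague stays quiet, and two escalations because both the rule creation and the Applied Epic login come from the IP the first alert already flagged. In a real deployment this logic lives in Entra ID Conditional Access, Defender for Office 365 and the SIEM rather than a script, and sign-in logs carry their own coordinates, so the lookup table here is only a stand-in.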
The 30-Minute Window Is the Point
Attackers move fast because they know detection windows exist. The goal is to get in, gather intelligence, initiate fraud, and exit before anyone connects the dots.
Independent agencies are not soft targets because they lack sophistication. They are targeted because they sit at the intersection of high-value client data, premium payment flows, and lean IT teams. That combination is a premium opportunity for threat actors who do this for a living.
The NCDOI breach notification threshold is not the finish line. It is the consequence of missing every earlier flag.
Multi-Factor Authentication (MFA) enforcement, Conditional Access policies, inbox rule monitoring, AMS audit logging, and outbound email scanning are not enterprise luxuries. For an independent agency, they are the minimum viable security posture.
Net Friends helps agencies layer the right defenses, so your detection window is always ahead of the attacker's next move. Let's talk about what is protecting your outbox right now.
Reach out to Net Friends today and let's make sure your cybersecurity stack is protecting you.
At Net Friends, we believe in the power of human expertise. While we leverage AI to enhance our content and processes, all blog posts are written and edited by our knowledgeable staff. You can trust you are getting insights directly from our team.
