American Association of State Colleges and Universities

Client: American Association of State Colleges and Universities

The Process

We began with a thorough investigation into the breach, immediately recommending an organization-wide password reset and token refresh to prevent further exploitation. During our analysis of the activity logs, we identified a series of suspicious logins from locations outside the normal flow of traffic. The IP addresses of the suspicious logins were not associated with the staff member’s known travel history and were directly linked to the creation of a mailbox redirect rule and spam campaign, which had resulted in the account being blocked by Microsoft in the first place.  

Further investigation revealed a malicious OneNote notebook titled with the organization’s name located in the staff member’s OneDrive. This notebook contained a phishing link disguised as a secure document, which redirected users to a credential harvesting site. It had been shared with hundreds of recipients and was the source of the spam that triggered Microsoft’s block. We immediately removed the notebook from OneDrive. 

Based on the evidence, it was concluded that the attackers had likely gained access through a reverse proxy phishing attack, capturing the staff member’s credentials and multi-factor authentication (MFA) token. The malicious activity focused primarily on the mailbox, searching for sensitive financial documents such as unpaid invoices—a common tactic used to impersonate vendors and redirect payments. The attackers likely had access for weeks and, upon determining there was no further gain from the attack, they launched a mass spam campaign, signaling the end of their use of the compromised account.
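As an added illustration of the log correlation described above (not DelCor's tooling or the client's data), the following Python script flags sign-ins from outside a user's known countries and then ties later inbox-rule changes made from the same IP back to them. The event records, field names and operation names are simplified assumptions modelled loosely on Microsoft 365 audit logs.

```python
from datetime import datetime, timedelta

# Operations that can add a forward/redirect rule to a mailbox (assumed op names).
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample audit events (not real data; simplified field names).
EVENTS = [
    {"time": "2024-03-01T09:02:00", "user": "jdoe@example.org", "op": "UserLoggedIn", "country": "US", "ip": "198.51.100.10"},
    {"time": "2024-03-01T09:30:00", "user": "jdoe@example.org", "op": "New-InboxRule", "country": "US", "ip": "198.51.100.10"},
    {"time": "2024-03-02T11:05:00", "user": "jdoe@example.org", "op": "UserLoggedIn", "country": "GB", "ip": "192.0.2.44"},
    {"time": "2024-03-03T02:14:00", "user": "jdoe@example.org", "op": "UserLoggedIn", "country": "NG", "ip": "203.0.113.7"},
    {"time": "2024-03-03T02:31:00", "user": "jdoe@example.org", "op": "New-InboxRule", "country": "NG", "ip": "203.0.113.7"},
    {"time": "2024-03-03T02:40:00", "user": "jdoe@example.org", "op": "Set-InboxRule", "country": "NG", "ip": "203.0.113.7"},
]

# Countries each user normally signs in from (in practice built from sign-in history and travel records).
BASELINE = {"jdoe@example.org": {"US"}}


def correlate(events, baseline, window_hours=24):
    """Flag sign-ins outside a user's baseline countries, then flag inbox-rule
    changes made from the same IP within window_hours after such a sign-in."""
    anomalous_signins = []   # (user, ip, datetime)
    rule_changes = []
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort correctly as strings
        when = datetime.fromisoformat(ev["time"])
        if ev["op"] == "UserLoggedIn":
            if ev["country"] not in baseline.get(ev["user"], set()):
                anomalous_signins.append((ev["user"], ev["ip"], when))
        elif ev["op"] in RULE_OPS:
            for user, ip, login_at in anomalous_signins:
                if (user == ev["user"] and ip == ev["ip"]
                        and timedelta(0) <= when - login_at <= timedelta(hours=window_hours)):
                    rule_changes.append({"user": user, "ip": ip, "op": ev["op"], "time": ev["time"]})
                    break
    return {"anomalous_signins": anomalous_signins, "rule_changes": rule_changes}


if __name__ == "__main__":
    result = correlate(EVENTS, BASELINE)
    for user, ip, when in result["anomalous_signins"]:
        print(f"anomalous sign-in: {user} from {ip} at {when:%Y-%m-%d %H:%M}")
    for finding in result["rule_changes"]:
        print(f"rule change after anomalous sign-in: {finding}")
```

The rule created from the baseline country is not flagged, while both rule changes from the non-baseline IP are tied to the preceding anomalous sign-in.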

Services used for this project: Cybersecurity, Digital Workplace

The Solution

With the malicious notebook removed and organization-wide credential reset completed, the immediate threat was neutralized. We recommended that the client notify their cyber insurance carrier about the breach and remediation efforts to ensure they remained compliant.  

As part of our recommendations to aid the organization in maturing their cybersecurity posture and avoiding breaches in the future, we suggested they enhance their user awareness training with regular and frequent phishing simulations; implement phishing-resistant MFA across the organization; and upgrade their Office 365 licenses to leverage advanced security features like “Impossible Travel” and “Risky User Sign-in.”  

This incident underscores the importance of proactive security measures and a rapid response to suspicious activity. The organization’s swift action and collaboration with DelCor helped contain the breach and strengthen their cybersecurity for the future. 

“DelCor was a dedicated and collaborative partner on the technology segment of our financial audit. Their contributions were instrumental in ensuring that GIH kept abreast of the ever-evolving IT and cybersecurity requirements in these challenging times.”

Elena Anderson, Director of Finance and Operations, Grantmakers in Health
