TL;DR

A 120-person professional services firm in Melbourne lost $340,000 to a business email compromise (BEC) attack that entered through an illegitimate OAuth consent grant. This walkthrough traces every stage of the incident response — from the first EDR alert to the final lessons-learned session — with the actual log artefacts an analyst would pull at each phase. Three preventive controls at the end would have stopped the attack before the attacker ever saw a mailbox.​‌‌​​‌​​‍​‌‌​​‌‌​‍​‌‌​‌​​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​​​​‌‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​‌​​‍​‌‌‌​‌​‌‍​‌‌​​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌​​​‌‌‍​‌‌​‌​​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​​​​‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌​‌‌​​‍​‌‌​​​​‌‍​‌‌‌‌​​‌‍​‌‌​​​‌​‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌‌‍​‌‌​‌​‌‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​​‌​

Meridian Partners is a composite based on real-world patterns. The firm runs Microsoft 365 E3, uses a single Entra ID tenant, and had Conditional Access policies covering only VPN and admin portals — not OAuth application grants.

Timeline of attack:​‌‌​​‌​​‍​‌‌​​‌‌​‍​‌‌​‌​​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​​​​‌‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​‌​​‍​‌‌‌​‌​‌‍​‌‌​​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌​​​‌‌‍​‌‌​‌​​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​​​​‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌​‌‌​​‍​‌‌​​​​‌‍​‌‌‌‌​​‌‍​‌‌​​​‌​‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌‌‍​‌‌​‌​‌‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​​‌​

  • Day 0 (14 March): A finance team member clicks a "DocuSign – Review Document" phishing link. The landing page requests OAuth permissions to a legitimate-looking app called "SharePoint Sync Manager." She clicks Accept.
  • Day 1–12: The attacker uses the delegated access token to read her mailbox silently via Microsoft Graph API. No MFA challenge fires because the consent grant operates under the user's already-authenticated session.
  • Day 13: The attacker finds an active email thread with a conveyancing client regarding a property settlement. A spoofed follow-up email redirects the client to pay $340,000 into a controlled account.
  • Day 15: The client phones Meridian to confirm receipt. Finance checks. The money is gone.

Stage 1: Detection

The first indicator came not from a SIEM alert but from a human — the client's phone call. Once the finance team escalated, the IT lead pulled three artefact sets simultaneously.

EDR alerts (CrowdStrike Falcon):

Detection: Suspicious PowerShell Download
Severity: Low (informational)
Host: FIN-LPT-042
Timestamp: 2026-03-14 09:41:12 AEDT

This alert had been auto-resolved because the user was local admin on her laptop — a finding that would resurface in lessons learned.

Entra ID Sign-in Logs:

Get-MgAuditLogSignIn -Filter "appId eq '3d5b124e-xxxx-xxxx-xxxx-xxxxxxxxxxxx'" -All

The query revealed Graph API sign-ins from an IP geolocated to a Bulgarian hosting provider, spanning Days 1–13, all authenticated via the OAuth refresh token — no interactive sign-in required.

M365 Unified Audit Log:

Search-UnifiedAuditLog -Operations "MailItemsAccessed" -UserIds "[email protected]" -StartDate "2026-03-14" -EndDate "2026-03-26"

Hundreds of MailItemsAccessed operations confirmed the attacker had read every email in Sarah's inbox, including attachments, over 12 days.

Stage 2: Triage

The IT lead classified this as a P1 — Active Compromise with Financial Impact using the ACSC's incident severity framework. Key triage actions:

  1. Scope the OAuth grant. Ran Get-MgServicePrincipal -All to enumerate all consented applications. Found "SharePoint Sync Manager" with Mail.Read, Mail.ReadWrite, and User.Read delegated permissions — granted by three users, not just Sarah.
  2. Check lateral movement. Searched the Unified Audit Log for Add-MailboxPermission and New-InboxRule operations. Found no mailbox forwarding rules, but did find the attacker had accessed two additional mailboxes via shared mailbox permissions Sarah held.
  3. DNS log review. Queried the firewall DNS proxy for graph.microsoft.com lookups from non-standard sources during the attack window. Confirmed consistent API polling from the Bulgarian IP block.

Stage 3: Containment

Immediate actions within the first 4 hours:

  • Revoke the OAuth grant: Remove-MgServicePrincipal -ServicePrincipalId <objectId> for the malicious app, then Revoke-MgUserSignInSession for all three affected users.
  • Force password reset and re-register MFA for all three accounts.
  • Block the attacker IP range at the firewall: 203.0.113.0/24 (anonymised).
  • Enable Conditional Access for OAuth app consent: Set admin consent required for any application requesting Mail.Read or higher.
  • Preserve artefacts: Exported Entra audit logs, M365 audit logs, and EDR telemetry to a secure evidence container with hash verification.

Stage 4: Eradication

Over the next 48 hours:

  • Removed residual delegated permissions and verified no other suspicious service principals existed.
  • Rebuilt Sarah's laptop from a known-clean image (the EDR alert suggested possible local tooling).
  • Rotated all service account credentials and app registration secrets in the tenant.
  • Engaged the firm's bank and the Australian Federal Police via the ACSC's reporting portal to initiate recovery of the misdirected funds.

Stage 5: Recovery

  • Restored mailbox integrity by confirming no inbox rules or delegates were added by the attacker.
  • Communicated transparently with the affected client, providing a full incident timeline.
  • Engaged an external forensic firm to validate the eradication scope — a critical step for liability and insurance purposes.

Stage 6: Lessons Learned

Three root causes emerged:

  1. No admin consent policy for OAuth. Any user could consent to any application requesting mail access.
  2. Conditional Access did not cover token-based access. Policies only enforced MFA for interactive VPN and admin portal logins.
  3. Users had excessive local admin rights. The initial EDR alert was auto-dismissed because the user was a local admin — a false-negative that delayed detection by 15 days.

Three Preventive Controls That Would Have Blocked This Attack

1. Entra ID Admin Consent Policy (blocks at Day 0) Require admin approval for any third-party application requesting Microsoft Graph permissions above a minimal baseline. Navigate to Entra ID > Enterprise applications > Consent and permissions > Admin consent workflow. This single control would have prevented Sarah from granting access.

2. Conditional Access: Token and App-Enforced Controls (blocks at Day 1) Create a policy targeting "Cloud apps > Office 365 Exchange Online" with the condition "Client app types > Mobile apps and desktop clients" and enable "Require device to be marked as compliant." This forces MFA and device trust even for token-based API access — closing the gap that let the attacker poll Graph API for 12 days without challenge.

3. OAuth Application Monitoring and Alerting (detects at Day 1) Deploy a scheduled query — either via Microsoft Sentinel or a scripted Get-MgServicePrincipal baseline — that alerts on any new application consent grant with Mail.Read or higher within 24 hours. Detection on Day 1 would have prevented the $340,000 loss entirely. For SMBs without Sentinel, the free Microsoft Defender for Cloud Apps discovery dashboard provides OAuth app anomaly detection out of the box.

FAQ

How common is the OAuth consent grant attack vector for Australian SMBs? Extremely common. The ACSC's 2024-2025 threat report noted that credential and identity-based attacks account for over 70% of incidents affecting Australian organisations. OAuth abuse is a subset of this, and Microsoft reports consent grant phishing has increased 3x year-on-year in APAC tenants.

Do we need Microsoft Sentinel to detect this, or can we do it with included tooling? You can detect it with included tooling. The M365 Unified Audit Log and Entra sign-in logs are available on E3 and above. A weekly PowerShell script exporting new OAuth grants and comparing against an allowlist is a zero-cost starting point. Defender for Cloud Apps (included in Microsoft 365 Business Premium) adds automated anomaly detection.

What should we do right now, today, to reduce our exposure? Three actions you can complete in under an hour: (1) Enable "Require admin consent for applications" in your Entra ID tenant. (2) Audit existing OAuth grants by running Get-MgServicePrincipal -All and reviewing any application you do not recognise. (3) Ensure Conditional Access policies cover all cloud apps, not just admin portals.

Is this type of attack covered by cyber insurance? Most cyber liability policies cover BEC losses, but coverage depends on whether the organisation can demonstrate reasonable security controls were in place at the time of the incident. Having an admin consent policy and logging enabled significantly strengthens a claim. Contact your broker to confirm your policy's specific requirements.

Conclusion

The Meridian Partners incident is not an edge case — it is the template for how Australian SMBs are being compromised in 2026. The attacker used no zero-days, no custom malware, and no nation-state tooling. They abused a legitimate Microsoft authentication mechanism and a lack of administrative guardrails. The fix is not expensive. It is operational discipline: consent policies, Conditional Access, and monitoring.

If your organisation has not reviewed its OAuth consent configuration in the last 90 days, treat that as a P1 gap. Visit consult.lil.business for a free cybersecurity assessment — we will audit your Entra ID tenant, review your Conditional Access posture, and give you a prioritised remediation plan within 48 hours.

References

  1. Australian Cyber Security Centre — Annual Cyber Threat Report 2024-2025
  2. Microsoft — OAuth 2.0 and App Consent in Entra ID
  3. NIST SP 800-61 Rev. 2 — Computer Security Incident Handling Guide
  4. SonicWall 2026 Cyber Protect Report — SMB Threat Landscape
  5. IBM Cost of a Data Breach 2025 Report

Hackers Can Now Rob Your Business in 72 Minutes (And How to Make That Really Hard)

TL;DR

  • AI now lets hackers get into your business and steal your data in as little as 72 minutes — four times faster than last year.
  • Most of the time, they get in using stolen passwords, not fancy hacking tools.
  • Three things fix most of it: better passwords + two-factor login, a security check-up on your settings, and an alert system so you know fast when something's wrong.

Imagine your business is a house. Last year, a burglar would break in, then spend hours quietly walking around before grabbing anything — plenty of time for a neighbour to notice and call the police.

This year? That same burglar has a robot helper that does everything at once. One robot tests every window. Another picks the lock. A third is already loading the van. The whole job now takes 72 minutes, not five hours.

That's exactly what new research from cybersecurity company Palo Alto Networks found [1]. Their team studied over 750 real cyberattacks and discovered that hackers with AI tools can now get into a business and steal data in just 72 minutes. Last year it took about five hours. The year before, even longer.

How Are They Getting In?

Here's the part that should actually reassure you: most of the time, they're not using some super-sophisticated secret weapon. They're using your password.

Two out of three attacks started because someone clicked a dodgy link or used a weak password that got guessed or stolen [1]. The research found that stolen logins were involved in the majority of breaches — not high-tech hacking [2].

Think of it like this: a burglar doesn't need to pick your lock if you leave the key under the doormat. Most attacks work because of the digital equivalent of a key under the mat.

The other big one? Settings that weren't configured properly. Nine out of ten breaches happened because of a misconfiguration or a gap in security — not because hackers cracked some unbreakable code [1]. That's doors left unlocked, not vaults being drilled open.

So What Do I Actually Do?

Three things close the biggest gaps.

1. Two-factor login everywhere (MFA)

This is your single biggest return. Even if a hacker steals your password, two-factor login (where you also have to approve via your phone) stops them getting in. It's like having a second lock — even if they copy your key, they can't open the door without your fingerprint.

Turn it on for: your email, your accounting software, your cloud storage, your website admin. All of it.

2. Check your settings

Schedule one hour this month to go through your accounts and ask:

  • Do my staff have access to things they don't need?
  • Are any services open to the internet that shouldn't be?
  • Are any passwords still on default?

This is the digital equivalent of checking all your windows are shut before you go to sleep. Not glamorous. Extremely effective.

3. Set up alerts so you find out fast

If someone logs into your email from another country at 3am, you want to know immediately — not three weeks later. Most email and cloud services let you turn on login notifications for free. Do it now.

The faster you know something's wrong, the less damage gets done. A breach caught in 30 minutes causes far less damage than one caught after a week.

The Good News

Here's the thing: fast attacks exist because AI helps hackers automate the boring parts. But AI can also help defenders. And more importantly, most attacks still rely on the same old entry points — weak passwords and misconfigured systems.

Fix those two things, and you've closed the door on the majority of attacks. You don't need an enterprise security team. You need good habits and basic tools — set up properly.

lilMONSTER helps small businesses do exactly this: an honest look at your current setup, fix the most important gaps, and build something that grows with your business. Protecting what you've built doesn't have to be complicated.

FAQ

Q: What is the main security concern covered in this post? A:

Q: Who is affected by this? A:

Q: What should I do right now? A:

Q: Is there a workaround if I can't patch immediately? A:

Q: Where can I learn more? A:

References

[1] Palo Alto Networks Unit 42, "2026 Global Incident Response Report," Palo Alto Networks, Feb. 2026. [Online]. Available: https://unit42.paloaltonetworks.com/

[2] SecurityBrief Australia, "AI-fuelled cyber attacks now steal data in 72 minutes," SecurityBrief AU, Feb. 2026. [Online]. Available: https://securitybrief.com.au/story/ai-fuelled-cyber-attacks-now-steal-data-in-72-minutes

[3] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/

Ready to close the gaps before someone else finds them? Book a free 30-minute security check-up with lilMONSTER.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation