TL;DR

An Australian professional services firm with 120 staff was crippled by ransomware that entered through an illicit OAuth consent grant — not a phishing link, not a vulnerability, but a single "Accept" click on a seemingly legitimate Microsoft 365 app prompt. This case study walks through every stage of the incident response playbook, the logs that caught it, and the three controls that would have prevented it entirely.​‌‌​​‌​​‍​‌‌​​‌‌​‍​‌‌​‌​​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​​​​‌‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​‌​​‍​‌‌‌​‌​‌‍​‌‌​​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​‌‌‌‌‍​‌‌​​​​‌‍​‌‌‌​‌​‌‍​‌‌‌​‌​​‍​‌‌​‌​​​‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌​​​​‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌​‌‍​‌‌‌​‌‌‌‍​‌‌​​​​‌‍​‌‌‌​​‌​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​​‌​

RedSouth Advisory (composite, anonymised) is a mid-tier accounting firm in Melbourne. On a Tuesday morning in March 2026, staff arrived to find file shares encrypted with .locked extensions and a ransom note demanding 4.2 BTC. The initial reaction was disbelief — they had MFA enabled, EDR deployed, and quarterly phishing training. But the entry point wasn't a credential theft or a phishing email. It was an OAuth consent grant.

A threat actor registered a malicious multi-tenant Entra ID application named "SharePoint Sync Manager" with a convincing publisher display name. On the preceding Thursday, a finance team member clicked "Accept" on a consent prompt while reviewing what appeared to be a clie

nt document link. The app requested Mail.Read, Files.ReadWrite.All, and Sites.ReadWrite.All — enough scope to access every SharePoint site and OneDrive in the tenant.​‌‌​​‌​​‍​‌‌​​‌‌​‍​‌‌​‌​​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​​​​‌‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​‌​​‍​‌‌‌​‌​‌‍​‌‌​​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​‌‌‌‌‍​‌‌​​​​‌‍​‌‌‌​‌​‌‍​‌‌‌​‌​​‍​‌‌​‌​​​‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌​​​​‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌​‌‍​‌‌‌​‌‌‌‍​‌‌​​​​‌‍​‌‌‌​​‌​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​​‌​

For four days, the attacker exfiltrated data via Microsoft Graph API calls, then deployed ransomware through a scheduled task pushed via Intune — which the compromised app had been granted access to as a delegated administrator.

Stage 1: Detection — What Triggered the Alarm

Detection came from two sources 30 minutes apart:

EDR alert: CrowdStrike Falcon flagged unusual schtasks.exe execution with encoded command-line arguments across three endpoints at 07:42 AEST.

Entra ID anomaly: Microsoft Entra ID Protection raised a sign-in risk event at 07:14 — a Graph API session originating from a Tor exit node (185.220.101.xx) accessing the /sites/{site-id}/drive/items endpoint at anomalously high volume.

Key artefacts pulled during detection:

  • Entra sign-in logs: Get-MgAuditLogSignIn -Filter "appId eq 'redacted-app-id'" revealed 14,000+ API calls over four days from 11 distinct source IPs, nine belonging to known proxy/Tor ranges.
  • M365 Unified Audit Log: Search-UnifiedAuditLog -RecordType AzureActiveDirectory -Operations "Consent to application" showed the consent event at Thu 15:32:07 AEST, recorded as ConsentType: Principal for the compromised user.
  • EDR telemetry: Lateral movement via PsExec from an workstation named WS-FIN-04 at 07:38, followed by vssadmin delete shadows /all /quiet across three servers.

Stage 2: Triage — Scope and Severity Assessment

The IR team classified this as Severity 1 — Critical based on:

  1. Active ransomware deployment across production file servers
  2. Confirmed data exfiltration (Graph API download logs showed 38 GB transferred)
  3. Potential for ongoing access through the persisted OAuth app

Triage queries executed in the first 60 minutes:

# Identify all users who consented to the malicious app
Get-MgServicePrincipal -Filter "displayName eq 'SharePoint Sync Manager'"
Get-MgOAuth2PermissionGrant -All | Where-Object {$_.ClientId -eq $maliciousAppId}

# DNS logs: check for C2 domain resolution
Get-DnsServerResourceRecord -ZoneName "redsouth.local" -RRType A | 
  Where-Object {$_.HostName -match "sharepoint-sync|graph-proxy|cdn-update"}

DNS logs revealed the malicious app's redirect URI resolving to login.microsoftonline.com (legitimate), but the refresh token was being used from an attacker-controlled session proxy at api[.]sharepoint-sync-manager[.]io.

Stage 3: Containment — Stopping the Bleed

Containment proceeded in parallel across identity, network, and endpoint layers:

Identity containment (0-30 min):

  • Revoked all refresh tokens enterprise-wide: Revoke-MgUserSignInSession -All
  • Removed the OAuth consent grant: Remove-MgOAuth2PermissionGrant -OAuth2PermissionGrantId $grantId
  • Disabled the compromised service principal: Update-MgServicePrincipal -ServicePrincipalId $spId -AccountEnabled:$false
  • Blocked Tor/proxy exit nodes in Entra conditional access

Network containment (0-45 min):

  • Isolated affected VLANs at the firewall layer
  • Blocked outbound traffic to the C2 domain at DNS and perimeter proxy

Endpoint containment (0-60 min):

  • EDR network containment mode activated on all affected endpoints
  • Disabled the malicious scheduled task across the Intune-managed fleet

Stage 4: Eradication — Removing the Attacker's Foothold

Eradication required purging every persistence mechanism:

  1. Removed the malicious Entra application registration entirely from the tenant — not just disabled, deleted via Remove-MgApplication.
  2. Reset credentials for all 12 users whose mailboxes or OneDrive folders showed Graph API access, enforcing new passwords and re-registering MFA.
  3. Purged compromised Intune policies — the attacker had created a device configuration profile deploying the ransomware scheduled task. This required Remove-MgDeviceManagementDeviceConfiguration.
  4. Scanned all endpoints for residual persistence: registry run keys, WMI event consumers, and alternate data streams. Two endpoints had secondary scheduled tasks planted as backstops.

Stage 5: Recovery — Restoring Operations

RedSouth Advisory restored from immutable backups (Veeam with S3 Object Lock) taken the previous Saturday. Total downtime: 38 hours. Recovery sequence:

  1. Rebuilt three file servers from clean images
  2. Restored file shares from backup — validated against known-good checksums
  3. Re-joined endpoints to the domain with fresh credentials
  4. Monitored Entra sign-in logs for 72 hours for anomalous Graph API patterns before declaring clean

Stage 6: Lessons Learned — Preventive Controls That Would Have Stopped This

Three controls, had they been in place, would have blocked the attack at earlier stages:

1. OAuth Consent Policy (would have blocked at Stage 0): Entra ID allows administrators to restrict user consent to only verified publishers and low-risk permissions. Setting ManagePermissionGrantsForSelf-service-signup-applications to restrict consent to Classification: Low would have prevented the finance team member from granting Files.ReadWrite.All to an unverified app. This single policy — a 10-minute Entra configuration change — would have stopped the entire attack chain.

2. Conditional Access: Block Legacy Auth and Anomalous Locations (would have blocked at Stage 1): A conditional access policy blocking sign-ins from anonymous IP addresses (Tor exit nodes) and requiring compliant devices for Graph API access would have terminated the attacker's session within minutes of the first suspicious call.

3. EDR Detection of Graph API Abuse Patterns (would have detected at Stage 1): While CrowdStrike caught the ransomware deployment, an EDR or SIEM correlation rule flagging Files.ReadWrite.All scope usage from non-compliant devices or atypical volumes would have triggered an alert during the four-day exfiltration window — not just at the ransomware stage.

FAQ

How common are OAuth consent attacks against Australian SMBs? The Australian Cyber Security Centre (ACSC) reports that business email compromise and cloud account takeover — increasingly via OAuth abuse — remains the top threat for SMBs. OAuth consent phishing bypasses MFA entirely because the attacker never needs a password.

Can we block all third-party app consent in Microsoft 365? Yes, but it's a balance between security and productivity. The recommended approach is to allow user consent only for low-risk permissions from verified publishers, and require admin consent for anything else. This is configurable in Entra ID under Enterprise Applications → User settings.

What's the first log we should check if we suspect an OAuth compromise? Pull the M365 Unified Audit Log filtered by Consent to application and Add app role assignment to service principal operations. Then cross-reference with Get-MgServicePrincipal to identify any apps with excessive scope (Sites.ReadWrite.All, Mail.ReadWrite, Files.ReadWrite.All).

Conclusion

RedSouth Advisory's breach is a textbook example of how modern cloud attacks bypass traditional perimeter defences. The attacker never needed to phish a password or exploit a vulnerability — they needed one employee to click "Accept" on a consent prompt. The fix isn't more EDR or better phishing training. It's tightening the identity layer: restrict OAuth consent, enforce conditional access, and monitor Graph API usage patterns. These are free or low-cost configurations within existing Microsoft 365 licenses that most Australian SMBs haven't enabled.

Visit consult.lil.business for a free cybersecurity assessment — we'll check your Entra consent policies, conditional access rules, and audit log coverage in under an hour.

References

  1. ACSC — Email and Account Protection Guidance
  2. Microsoft — OAuth App Authorization in Microsoft 365
  3. NIST SP 800-61 Rev. 3 — Computer Security Incident Handling Guide

TL;DR

  • A big paint company called AkzoNobel got hacked by bad guys called Anubis
  • The hackers stole 170GB of private files — like contracts, employee passports, and secret documents
  • This teaches us that even big companies with lots of money can get hacked
  • Your business needs to check if the companies you work with are safe too

What Happened to AkzoNobel?

Imagine you have a really big lemonade stand. You sell lemonade all over the world and make $12 billion every year. You'd think you're super safe, right?

That's AkzoNobel. They're a huge company that makes paint (brands like Dulux and Sikkens). They have 35,000 workers and sell paint in 150 countries.

But in March 2026, hackers broke into one of their offices in the United States and stole 170 gigabytes of data [1]. That's like stealing 500,000 photos!

Who Are These Hackers?

The hackers call themselves "Anubis" (named after an Egyptian god). Think of them like a club:

  • Some people build the hacking tools (the "developers")
  • Other people use those tools to attack companies (the "affiliates")
  • When they steal money, they split it: 80% for the attacker, 20% for the tool builder [2]

It's like renting a car. You don't need to build a car yourself — you just rent one and drive. That's why these attacks are happening more often. Any bad guy can "rent" hacking tools now.

What Did the Hackers Steal?

The hackers didn't just steal secret paint formulas. They stole stuff that hurts real people [1]:

  • Secret contracts with other companies (like deals that were supposed to be private)
  • Employee passports (like ID cards that let people travel between countries)
  • Email addresses and phone numbers (so they can send tricky messages pretending to be the company)
  • Private emails between workers
  • Technical documents about how things are made

Imagine someone stealing your diary, your homework, your photo album, and your wallet all at once. That's what happened to AkzoNobel.

Why Should You Care?

You might think: "I'm not a big paint company. This doesn't affect me."

Here's why it matters:

Your business partners can be hacked too. If you work with other companies (suppliers, shipping companies, software services), your data sits on THEIR computers. If THEY get hacked, YOUR data gets stolen too.

It's like leaving your bike at a friend's house. If their house gets robbed, your bike is gone — even though you locked it.

These attacks are getting easier. Remember the "rent a car" example? Hackers can now rent sophisticated attack tools. They don't need to be super smart anymore. They just need to pay.

This means MORE attacks will happen against MORE companies — including small businesses like yours.

Your stolen data can be used against you. If a hacker steals your business contracts, they might:

  • Pretend to be you and trick your customers
  • Tell everyone your secret business deals
  • Use your employee information to steal identities

What Can You Do? (3 Simple Steps)

You can't stop hackers from attacking big companies. But you CAN protect your business:

Step 1: Check your business partners. Before sharing important information with another company, ask them:

  • "How do you keep data safe?"
  • "What happens if you get hacked?"
  • "Do you back up your files?"
  • "Do you use two-factor authentication (like a code sent to your phone)?"

If they can't answer these questions, find a different company to work with.

Step 2: Don't give everyone the keys to your castle. If a delivery person needs to drop off a package, you don't give them your house keys. You just open the front door.

It's the same with business:

  • Only give vendors access to what they NEED (not everything)
  • Make their access expire automatically after a certain time
  • Check what they're doing with your data

Step 3: Have a backup plan. If a vendor tells you "We got hacked and your data was stolen," what do you do?

Think about it NOW, before it happens:

  • Who do you call?
  • How do you tell your customers?
  • Do you have backup copies of important files?
  • What if hackers pretend to be you?

The Most Important Lesson

AkzoNobel has lots of money and security experts. They still got hacked.

The lesson isn't "be perfect." The lesson is:

  • Be careful who you trust with your data
  • Have a plan for when things go wrong
  • Check on your business partners regularly

Security isn't a one-time thing. It's like brushing your teeth — you have to keep doing it.

What Happens Next?

AkzoNobel said they "contained" the attack [1]. That means they stopped the hackers from stealing MORE stuff. But the 170GB they already stole? That's gone forever.

The hackers will probably:

  • Try to sell the data to other bad guys
  • Use the information to trick people
  • Demand money from AkzoNobel to NOT publish the secrets

This is called "double extortion" — they lock your files AND threaten to leak your secrets.

Your Action Items

This week, do these three things:

  1. Make a list of all the companies you share important data with (customer lists, financial info, contracts)
  2. Send an email to your top 3 partners asking about their security (use the questions from Step 1 above)
  3. Write down what you'd do if one of your vendors called and said "We were hacked"

That's it. Three simple steps that could save your business.

FAQ

We don't know yet. Some companies pay (to get their data back). Some companies refuse (because paying encourages more attacks). The FBI and other police say "don't pay," but it's a tough choice when your business is at stake.

Maybe. If the hackers make mistakes (like using their real email address or logging in from a traceable computer), police can track them down. But many hackers live in countries where they can't be easily arrested. That's why prevention is better than trying to catch them later.

If you do business with AkzoNobel or any of their brands (Dulux, Sikkens, International, Interpon), contact your representative there. By law, they have to tell you if your data was stolen. Be careful though — scammers will pretend to be AkzoNobel to trick you! Only trust official letters or emails from addresses you already know are real.

A typical smartphone photo is about 3-4 megabytes (MB). There are 1,000 MB in 1 gigabyte (GB). So 170 GB ÷ 0.004 GB per photo = about 42,500 photos. But business documents (PDFs, spreadsheets, scans) are often smaller than photos. So 170GB of business documents could easily be 500,000+ files. It's just a way to help you imagine how much data was stolen!

Think of it like Uber for hackers. Someone builds the ransomware (the "app"), and other people use it to attack companies (the "drivers"). When a victim pays, the money gets split — most goes to the attacker, some goes to the tool builder. This lets more hackers attack more companies because they don't need to be tech experts anymore [2].

References

[1] BleepingComputer, "Paint maker giant AkzoNobel confirms cyberattack on U.S. site," March 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/paint-maker-giant-akzonobel-confirms-cyberattack-on-us-site/

[2] Kela Cyber, "Anubis: A New Ransomware Threat," 2025. [Online]. Available: http://www.kelacyber.com/blog/anubis-a-new-ransomware-threat/

Security isn't about being perfect — it's about being prepared. lilMONSTER helps small businesses check their vendors, make a plan, and sleep better at night. Book a free chat at https://consult.lil.business?utm_source=blog&utm_medium=post&utm_campaign=akzonobel-eli10

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation