Background
A Manila-based digital marketing agency managing social media, paid advertising, and influencer campaigns for 60+ brands across Southeast Asia and the US experienced a business email compromise (BEC) attack that cost one of their enterprise clients USD 47,000 in fraudulent Google Ads spend.
The incident: an agency employee’s email account was compromised via a phishing email. The attacker monitored the compromised account for 2 weeks before acting — identifying the agency’s access to a US consumer goods client’s Google Ads account. The attacker then logged into Google Ads using the agency employee’s credentials and redirected $47,000 in ad spend to fraudulent campaigns over a 72-hour period before the client noticed.
Following the incident, the agency faced:
- Loss of the affected client (contract terminated)
- Two other enterprise clients requiring security certification before continuing
- Potential liability for the stolen ad spend
- Reputational damage in their agency network
The agency’s IT setup: Microsoft 365 for email and collaboration, 80 Windows endpoints, Google Workspace for some clients, and access to 200+ social media and advertising platform accounts.
Security Assessment
CyberneticsPlus conducted a 3-day security assessment before proposing the Managed SOC:
Findings:
- No EDR on employee endpoints (Windows Defender only — no centralised management)
- Microsoft 365 email security at E1 tier (no Defender for Office 365 Plan 2, no anti-phishing policies)
- No MFA on 23 of 80 employee accounts
- Shared passwords for client social media accounts stored in a shared Google Sheet (accessible to all 80 employees)
- No Security Information and Event Management (SIEM) or log monitoring
- No incident response plan
The root cause of the original compromise: the phishing email bypassed the default Exchange Online Protection, the employee had no MFA, and there was no monitoring to detect the attacker's two weeks of activity in the account.
Managed SOC Deployment
Phase 1: Immediate Security Uplift (Week 1)
Before the Managed SOC could operate effectively, baseline security needed to be in place:
- MFA enforced for all 80 Microsoft 365 accounts (Conditional Access policy)
- Microsoft Defender for Office 365 Plan 2 enabled: Safe Links, Safe Attachments, anti-phishing policies, attack simulation training
- CrowdStrike Falcon EDR deployed to all 80 endpoints
- Privileged Access Workstation (PAW) concept implemented for the 5 employees with access to enterprise client ad accounts — these accounts required MFA re-authentication before accessing any advertising platform
Phase 2: Managed SOC Integration (Week 2)
Log sources connected to the SIEM:
- Microsoft 365: Sign-in logs, audit logs, email security events
- CrowdStrike Falcon: Endpoint telemetry, process execution, network connections
- Azure AD: Authentication events, conditional access decisions
- Google Workspace: Login events for the 4 employees with Google Workspace access
Detection rules configured for the agency’s specific risk profile:
Rule: Email account accessed from new country
Trigger: Microsoft 365 login from country not seen in previous 30 days
Action: Alert + automatic MFA challenge forced
Rule: Advertising platform access from outside business hours
Trigger: Access to Google Ads, Meta Ads, or LinkedIn Campaign Manager between 8 PM and 7 AM Philippines Time (UTC+8)
Action: Alert + require re-authentication
Rule: Mass email deletion or forwarding rule creation
Trigger: More than 20 emails deleted from inbox OR new email forwarding rule created
Action: Critical alert + account temporarily suspended pending review
Rule: Unusual login pattern (velocity)
Trigger: Same account accessing more than 5 different platforms within 10 minutes
Action: High alert
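To make the four rules above concrete, here is an added example (not the SIEM's own rule language and not CyberneticsPlus code) that implements each rule in Python and runs it over a constructed batch of Microsoft 365 sign-in, mailbox audit and platform-access events. Everything about the event schema is assumed (the `ts`, `type`, `user`, `country`, `app` and `target` fields), as is the one-hour sliding window used to count deletions, which the page does not state. The sample stream is constructed to exercise every rule: one account signs in from a new country, creates a forwarding rule and mass-deletes mail; another works on Google Ads late in the evening; a third touches six platforms in five minutes. It also shows the cold-start caveat of the new-country rule: an account's first sign-in in the data is "new" unless history is seeded from a baseline, so one extra alert appears.

```python
"""Toy re-implementation of the four SOC detection rules listed above, run over
constructed audit events. Added example, not the SIEM's rule language; event
field names and the one-hour deletion window are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PHT = timezone(timedelta(hours=8))  # Philippines Time, UTC+8
AD_PLATFORMS = {"Google Ads", "Meta Ads", "LinkedIn Campaign Manager"}


def ts(event):
    """Parse the constructed ISO-8601 UTC 'ts' field into an aware datetime."""
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))


def alert(rule, user, severity, action, detail=""):
    return {"rule": rule, "user": user, "severity": severity, "action": action, "detail": detail}


def rule_new_country(events, lookback=timedelta(days=30)):
    """Rule 1: sign-in from a country not seen for that account in the previous
    30 days -> alert + forced MFA challenge. Cold start: the first sign-in of an
    account in the data is also 'new' unless history is seeded from a baseline."""
    history = defaultdict(list)  # user -> [(time, country)] of earlier sign-ins
    alerts = []
    for e in sorted(events, key=ts):
        if e["type"] != "signin":
            continue
        t, user, country = ts(e), e["user"], e["country"]
        recent = {c for pt, c in history[user] if t - pt <= lookback}
        if country not in recent:
            alerts.append(alert("new_country", user, "medium", "alert+force_mfa", country))
        history[user].append((t, country))
    return alerts


def rule_after_hours_ad_access(events):
    """Rule 2: ad-platform access between 20:00 and 07:00 Philippines Time
    -> alert + re-authentication. Event times are UTC, so convert first."""
    alerts = []
    for e in events:
        if e["type"] == "app_access" and e["app"] in AD_PLATFORMS:
            hour = ts(e).astimezone(PHT).hour
            if hour >= 20 or hour < 7:
                alerts.append(alert("after_hours_ad_access", e["user"], "medium", "alert+reauth", e["app"]))
    return alerts


def rule_mailbox_tampering(events, window=timedelta(hours=1), threshold=20):
    """Rule 3: more than 20 deletions (assumed one-hour sliding window) OR any new
    forwarding rule -> critical alert, account suspended pending review."""
    alerts, deletions, fired = [], defaultdict(list), set()
    for e in sorted(events, key=ts):
        user = e["user"]
        if e["type"] == "forwarding_rule":
            alerts.append(alert("forwarding_rule_created", user, "critical", "alert+suspend", e.get("target", "")))
        elif e["type"] == "mail_delete":
            t, q = ts(e), deletions[user]
            q.append(t)
            while t - q[0] > window:  # drop deletions that fell out of the window
                q.pop(0)
            if len(q) > threshold and user not in fired:  # fire once per account
                fired.add(user)
                alerts.append(alert("mass_deletion", user, "critical", "alert+suspend", f"{len(q)} deletions"))
    return alerts


def rule_velocity(events, window=timedelta(minutes=10), threshold=5):
    """Rule 4: one account touching more than 5 distinct platforms in 10 minutes -> high alert."""
    alerts, recent, fired = [], defaultdict(list), set()
    for e in sorted(events, key=ts):
        if e["type"] != "app_access":
            continue
        t, user = ts(e), e["user"]
        recent[user] = [(pt, a) for pt, a in recent[user] if t - pt <= window] + [(t, e["app"])]
        platforms = {a for _, a in recent[user]}
        if len(platforms) > threshold and user not in fired:
            fired.add(user)
            alerts.append(alert("login_velocity", user, "high", "alert", ", ".join(sorted(platforms))))
    return alerts


def run_all(events):
    """Run every rule over the same event stream and return the combined alert list."""
    alerts = []
    for rule in (rule_new_country, rule_after_hours_ad_access, rule_mailbox_tampering, rule_velocity):
        alerts.extend(rule(events))
    return alerts


# Constructed sample events: alice is the compromised account (new country, forwarding rule,
# mass deletion), bob works late on Google Ads, carol hops across six platforms in five minutes.
SAMPLE_EVENTS = [
    {"ts": "2024-05-20T01:00:00Z", "type": "signin", "user": "alice", "country": "PH"},
    {"ts": "2024-06-10T01:00:00Z", "type": "signin", "user": "alice", "country": "PH"},
    {"ts": "2024-06-12T03:00:00Z", "type": "signin", "user": "alice", "country": "NG"},
    {"ts": "2024-06-12T03:05:00Z", "type": "forwarding_rule", "user": "alice", "target": "external@example.net"},
    {"ts": "2024-06-12T02:00:00Z", "type": "app_access", "user": "bob", "app": "Google Ads"},  # 10:00 PHT
    {"ts": "2024-06-12T14:30:00Z", "type": "app_access", "user": "bob", "app": "Google Ads"},  # 22:30 PHT
] + [
    {"ts": f"2024-06-12T03:{6 + i // 10:02d}:{(i % 10) * 6:02d}Z", "type": "mail_delete", "user": "alice"}
    for i in range(25)
] + [
    {"ts": f"2024-06-12T02:{i:02d}:00Z", "type": "app_access", "user": "carol", "app": app}
    for i, app in enumerate(["Google Ads", "Meta Ads", "LinkedIn Campaign Manager", "TikTok Ads", "Canva", "Hootsuite"])
]

if __name__ == "__main__":
    for a in run_all(SAMPLE_EVENTS):
        print(f"[{a['severity']:<8}] {a['rule']:<23} user={a['user']:<5} {a['action']} ({a['detail']})")
```

Running the block prints six alerts: two new-country alerts for alice (the cold-start PH one and the real NG one), two critical alerts for alice (forwarding rule, then mass deletion on the 21st delete), one after-hours alert for bob's 22:30 PHT Google Ads session, and one velocity alert for carol. Each rule fires once per account so that a burst of deletions does not page the analyst twenty-five times; in production the history for Rule 1 would be seeded from the tenant's existing 30-day sign-in log before the rule goes live.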
24/7 monitoring coverage: CyberneticsPlus SOC analysts cover all alerts across shifts — including Philippine public holidays.
Phase 3: Client-Facing Security Posture (Month 2)
Two enterprise clients requiring security certification:
- SOC evidence package prepared: CrowdStrike deployment verification, MFA compliance report, Managed SOC SLA documentation
- Security briefing call conducted by CyberneticsPlus with both clients’ IT security contacts
- Both clients renewed contracts after reviewing the security programme
Results (First 6 Months)
Incidents detected and contained:
Month 1: CrowdStrike detected PowerShell execution on a design team employee’s laptop. SOC alerted within 4 minutes. Analyst investigated — confirmed malicious document-based macro. Endpoint isolated, incident contained within 22 minutes. No lateral movement.
Month 3: SOC detected a Microsoft 365 login from a Nigerian IP for a senior account manager’s account. Account suspended within 8 minutes of alert. Password reset, MFA re-enrolled. Investigation confirmed a phishing link had been clicked 6 hours earlier — the attacker had been in the account for 6 hours before attempting to access client assets.
Month 4: After-hours access to a client’s Google Ads account triggered an alert. Investigation confirmed it was a legitimate campaign team member working late — false positive. Analyst called the employee to confirm before clearing.
Programme metrics (6 months):
- Total security events monitored: 2.4 million
- Alerts generated: 847
- True positives: 31 (3.7% true positive rate)
- Mean time to alert: 4 minutes
- Mean time to response (analyst acknowledges + investigates): 18 minutes
- Incidents contained: 2 significant (PowerShell execution, account compromise)
- Successful breaches: 0
Business impact:
- Both enterprise clients retained (combined annual contract value: $180,000)
- 3 new enterprise clients cited the agency’s SOC certification in their vendor selection
- Agency’s cyber insurance premium reduced by 22% at renewal (underwriter cited MDR coverage and MFA enforcement)
- Incident response confidence: agency’s CEO described the previous BEC incident as “flying blind” compared to the current visibility