Signed in asNorthern Edge IT·Toronto, ON·22 customers managed
← All incidents
Mitigatedinc-1024·MLMeridian Legal·started 48m ago

Suspected account compromise — j.chen@meridianlegal.ca

Impossible-travel sign-in correlated with SharePoint mass download and a suspicious inbox rule at Meridian Legal. Session revoked in 6 minutes.
IMPACT
Meridian Legal · 1 user, matters SharePoint site — exposure contained
CORRELATED ACROSS
EEntra IDDDefender XDRSSlackPPagerDuty
AI-suggested fix · based on 3 similar past incidents across your MSP

Likely root cause

Phished credentials followed by adversary-in-the-middle MFA bypass. Classic BEC playbook targeting law firms — mass download suggests data exfiltration before a follow-up wire-fraud email.

Recommended actions

  1. Revoke all active sessions + refresh tokens for j.chen@meridianlegal.ca.
  2. Delete the malicious inbox rule and audit others created in the last 24h across the Meridian tenant.
  3. Force MFA re-registration; require passwordless enrollment.
  4. Review /sites/matters download log for the last 7d; notify Meridian's DPO if PII exposed.
  5. Add 45.9.148.99 and its /24 to Meridian's Conditional Access block list.

ProOne-click actions

Timeline

  1. EEntra ID·22:46·48m ago·riskySignIn:impossibleTravel
    Risky sign-in — impossible travel
    j.chen@meridianlegal.ca signed in from Toronto (Chrome, Windows 11) and 6 minutes later from Bucharest (Chrome, Linux). Risk: high.
  2. EEntra ID·22:48·46m ago·authenticationMethod:phoneApp
    MFA satisfied via unusual IP
    MFA prompt approved from 45.9.148.99 (Bucharest, DigitalOcean). Baseline is Toronto residential ranges.
  3. DDefender XDR·22:49·45m ago·SuspiciousInboxForwarding
    Alert: Suspicious inbox forwarding rule created
    New Outlook rule: forward all messages containing 'invoice' or 'wire' to external address. Classic BEC pattern.
  4. DDefender XDR·22:50·44m ago·MassDownload
    Alert: Mass file download from SharePoint
    218 files (12.4 GB) downloaded from /sites/matters in 90 seconds. Signals suggest scripted access.
  5. PPagerDuty·22:51·43m ago·incident.trigger
    PagerDuty page — Northern Edge SecOps rotation
    Auto-paged secops-primary. Escalation: 5 min → secondary → security-lead.
  6. SSlack·22:52·42m ago·chat.postMessage
    Slack Connect channel opened — #meridian-inc-1024
    Opsfluence posted a rich card with all 4 correlated events. Slack Connect channel shared with Meridian's IT lead.
  7. EEntra ID·22:56·38m ago·revokeSignInSessions
    Session revoked · refresh tokens invalidated
    Pro-tier action: revoked all sessions, forced MFA re-registration, disabled malicious inbox rule.