Mitigatedinc-1024·MLMeridian Legal·started 48m ago
Suspected account compromise — j.chen@meridianlegal.ca
Impossible-travel sign-in correlated with SharePoint mass download and a suspicious inbox rule at Meridian Legal. Session revoked in 6 minutes.
IMPACT
Meridian Legal · 1 user, matters SharePoint site — exposure contained
CORRELATED ACROSS
EEntra IDDDefender XDRSSlackPPagerDuty
AI-suggested fix · based on 3 similar past incidents across your MSP
Likely root cause
Phished credentials followed by adversary-in-the-middle MFA bypass. Classic BEC playbook targeting law firms — mass download suggests data exfiltration before a follow-up wire-fraud email.
Recommended actions
- Revoke all active sessions + refresh tokens for j.chen@meridianlegal.ca.
- Delete the malicious inbox rule and audit others created in the last 24h across the Meridian tenant.
- Force MFA re-registration; require passwordless enrollment.
- Review /sites/matters download log for the last 7d; notify Meridian's DPO if PII exposed.
- Add 45.9.148.99 and its /24 to Meridian's Conditional Access block list.
ProOne-click actions
Timeline
- Risky sign-in — impossible travelj.chen@meridianlegal.ca signed in from Toronto (Chrome, Windows 11) and 6 minutes later from Bucharest (Chrome, Linux). Risk: high.
- MFA satisfied via unusual IPMFA prompt approved from 45.9.148.99 (Bucharest, DigitalOcean). Baseline is Toronto residential ranges.
- Alert: Suspicious inbox forwarding rule createdNew Outlook rule: forward all messages containing 'invoice' or 'wire' to external address. Classic BEC pattern.
- Alert: Mass file download from SharePoint218 files (12.4 GB) downloaded from /sites/matters in 90 seconds. Signals suggest scripted access.
- PagerDuty page — Northern Edge SecOps rotationAuto-paged secops-primary. Escalation: 5 min → secondary → security-lead.
- Slack Connect channel opened — #meridian-inc-1024Opsfluence posted a rich card with all 4 correlated events. Slack Connect channel shared with Meridian's IT lead.
- Session revoked · refresh tokens invalidatedPro-tier action: revoked all sessions, forced MFA re-registration, disabled malicious inbox rule.