A phished mailbox is a 90-day breach in slow motion
Anatomy of the most common pattern we see in our segment — what it looks like at week one, week three and week thirteen, and why most businesses only catch it at the end.
Most cyber attacks no longer announce themselves. They drift in through a phished mailbox, a dormant identity or a misconfigured cloud rule, and surface weeks later as a regulator’s letter or a client’s phone call. By then, the cost is no longer technical — it’s reputational, contractual and financial.
We see one shape of incident more often than any other. It’s worth describing in detail, because most businesses in our segment can recognise the early moves but only catch the late ones.
Week one: a credential changes hands
The starting point is almost always the same. A finance team member, a partner at a professional services firm, an executive assistant — somebody whose mailbox is interesting — receives a plausible email. It’s not a typo-riddled Nigerian-prince special. It’s a forwarded “invoice query” from a real supplier, or a DocuSign-styled request that looks like one your business actually uses.
They click. They land on a credential-harvesting page that’s a near-perfect clone of your sign-in screen. They sign in. The attacker now has a working session token.
If you have MFA configured well, this should be where it ends. Often, it isn’t.
Week two: the rules that nobody reads
The attacker doesn’t ransack the mailbox. They do three small things instead:
- They create a mailbox rule that quietly forwards anything matching certain keywords (“invoice”, “payment”, “wire”, a supplier name) to an external address — and another rule that moves the originals straight to a sub-folder the user never opens.
- They enrol a new MFA device of their own, often a phone or an authenticator app on a personal device.
- They register an OAuth-app consent that grants persistent access to the mailbox without needing the password again.
None of this looks like an attack on the dashboard. It looks like hygiene noise. Most environments don’t review mailbox rules at all. Most don’t alert on new MFA devices unless the volume is large. And OAuth consents tend to live in their own neglected corner.
The attacker now reads every email about money, in real time, for as long as they want.
Week three to twelve: the patience phase
This is the part most defenders don’t model. The attacker waits. They read. They learn the cadence of supplier payments, the language your finance team uses, the names of the people who authorise wires. They map the relationships that matter for the last move.
Sometimes they sell access to another group at this point. Sometimes they keep it. Either way, the mailbox is now a surveillance asset.
We routinely find these footholds during onboarding for new Identity clients — accounts dormant in that exact pattern for two to four months.
Week thirteen: payday
The end of the story is always either an invoice or a wire.
The attacker waits for a known supplier’s real invoice to arrive, intercepts it via their forwarding rule, and re-sends a near-identical copy with their own bank details. Or they impersonate the partner / CFO / managing director, ask the finance team for an urgent payment to a “new supplier”, and supply just enough context to make it plausible.
The payment goes out. The recipient bank sometimes recovers some of it, often nothing. The finance team learns about it the next day, or the next week, or whenever the real supplier eventually asks where their money is.
That’s when the call to us tends to come.
What changes the story
Three controls turn this 90-day breach into a 90-minute incident.
Behavioural baselines on identities, not just rules. A user who suddenly enrols a new MFA device, then creates a forwarding rule, then registers an OAuth consent — that sequence is unusual for a specific person, even if no single step crosses a generic threshold. This is what our Identity service is built to see.
A monitored OAuth consent register. If you have visibility on every third-party app that has access to your mailbox tenant, you catch the persistence move at week two. Most businesses don’t.
Payment process discipline. No urgent payment to a new bank account, full stop, ever. Confirmation through a known phone number, not by replying to the email. The technical controls help, but the last line of defence is a finance team that knows the script.
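To make the first control concrete, here is an added example (not code from the original post, nor from the Identity service it describes) that correlates the three week-two moves per user within a seven-day window, so that a new MFA device, an external forwarding rule and an OAuth consent fire only in combination. The audit events, their simplified schema, the seven-day window and the `example.com` tenant domain are constructed assumptions, not a real tenant's log format.

```python
from datetime import datetime, timedelta

# Constructed audit events in a simplified, generic schema (not a real
# Microsoft 365 / Google Workspace log format): one dict per event.
EVENTS = [
    {"ts": "2024-03-04T08:12:00", "user": "ap.clerk@example.com",
     "action": "MfaDeviceAdded", "detail": "Authenticator app"},
    {"ts": "2024-03-04T08:40:00", "user": "ap.clerk@example.com",
     "action": "InboxRuleCreated", "detail": "forward:rcpt@mail-relay.example.net"},
    {"ts": "2024-03-06T19:05:00", "user": "ap.clerk@example.com",
     "action": "OAuthConsentGranted", "detail": "Mail.ReadWrite offline_access"},
    {"ts": "2024-03-05T10:00:00", "user": "partner@example.com",
     "action": "MfaDeviceAdded", "detail": "Phone"},   # one benign event, no chain
]

TENANT_DOMAIN = "example.com"   # assumed tenant domain
PERSISTENCE_ACTIONS = {"MfaDeviceAdded", "InboxRuleCreated", "OAuthConsentGranted"}
WINDOW = timedelta(days=7)      # assumed "week two" correlation window

def is_external_forward(event):
    """True for an inbox rule that forwards mail outside the tenant's own domain."""
    if event["action"] != "InboxRuleCreated" or not event["detail"].startswith("forward:"):
        return False
    return event["detail"].split("@")[-1] != TENANT_DOMAIN

def detect_persistence_chain(events, window=WINDOW):
    """Return one alert per user who performs all three moves within `window`.
    No single event type triggers; only the sequence for one identity does."""
    per_user = {}
    for e in events:
        if e["action"] in PERSISTENCE_ACTIONS:
            per_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])          # ISO timestamps sort lexically
        for i, first in enumerate(evs):
            start = datetime.fromisoformat(first["ts"])
            seen = {}                             # action -> first event in window
            for e in evs[i:]:
                if datetime.fromisoformat(e["ts"]) - start > window:
                    break
                seen.setdefault(e["action"], e)
            if seen.keys() == PERSISTENCE_ACTIONS:
                alerts.append({"user": user,
                               "external_forward": is_external_forward(seen["InboxRuleCreated"]),
                               "first": first["ts"],
                               "last": max(e["ts"] for e in seen.values())})
                break                             # one alert per user is enough
    return alerts
```

The `external_forward` flag is what separates the week-two pattern from a user legitimately filing mail into a folder; a rule that forwards inside the tenant still completes the chain but ranks lower in triage.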
The boring version of this post
If we wrote this for a regulator, the wording would be more neutral. The shape would be the same.
That’s the point of writing about it here. The thing that catches most businesses out isn’t a sophisticated nation-state attack. It’s a patient, well-rehearsed, very ordinary sequence run by people who do this for a living.
If you want a clear read on what your business looks like to that sequence, book a 30-minute risk review.