
The ransomware email that almost got through

How one convincing invoice email nearly cost a client six figures, and the three checks that stopped it in time.

James Kirk
Senior Security Engineer

Last month, one of our clients in the logistics sector received an email that looked, in every visible way, like a routine supplier invoice. Correct company branding, a real supplier's name, even a plausible reference number tied to an actual recent order.

It wasn't routine. It was the opening move of a ransomware attempt, and it nearly worked.

How the email got close

The attacker had clearly done their homework. They'd pulled real invoice formatting from a previous, genuine exchange, likely from a prior breach of the supplier's own systems, and changed only the bank details and a malicious "view invoice" link.

The link led to a convincing fake Microsoft login page designed to harvest credentials, which would then have been used to access the client's email and, from there, move laterally into their file storage.

Incident timeline

09:14    Email received, flagged "low confidence"
09:22    Opened by accounts team, link not yet clicked
09:23    MFA prompt triggers staff suspicion
09:25    Reported to helpdesk, credentials reset
Outcome  No compromise: contained in 11 min

The three things that stopped it

1. Multi-factor authentication. Even with a harvested password, the attacker would have hit a second wall. The unexpected MFA prompt was actually what tipped off the staff member that something was wrong.

2. A trained team. We run short, plain-English phishing awareness sessions quarterly. "Pause before you click, especially on anything urgent or financial" is the single habit that mattered most here.

3. A fast reporting path. The client knew exactly who to call and didn't hesitate. From report to full credential reset took under three minutes.

What we changed afterward

We tightened the client's email filtering rules around lookalike domains, added a banner warning on external invoices, and ran a short refresher session with the accounts team. None of it was expensive. All of it mattered.

If you're not sure whether your team would catch something like this, that's usually the first thing worth finding out, before an attacker does it for you.
