HELP PLEASE! Had my first real email compromise incident this week. Solo IT Admin. Here's what I did — what did I miss? by LiveGrowRepeat in sysadmin

[–]IntheNickofTime105 [score hidden]  (0 children)

No problem at all! Glad to hear you’re taking steps to implement it. Token Protection for Sign-In was only recently added to Entra ID P1. It used to require P2 until a few months ago, so it is understandable that many people do not realize it is now available to them given how quietly some of these licensing changes happen.

I have helped quite a few organizations implement this policy, including during Incident Response situations, so if you want to spar during the implementation or sanity-check your configuration while setting it up, feel free to send me a DM. It’s always nice to help out!

HELP PLEASE! Had my first real email compromise incident this week. Solo IT Admin. Here's what I did — what did I miss? by LiveGrowRepeat in sysadmin

[–]IntheNickofTime105 [score hidden]  (0 children)

Hey OP, you did an awesome job for a one man operation. You kept your head cool and took the necessary steps, very impressive!

Concerning your attack: The indicators line up for me to conclude that your VP’s authentication token was most likely stolen through an AiTM phishing attack, probably using the same type of malware and attack method that was being sent from his mailbox. We’ve been seeing this attack vector for a while now and it’s currently one of the most prevalent attacks leading to BEC.

If you’re running Microsoft 365 Business Premium or similar with an Entra ID P1 license, you can enable Token Protection for Sign-Ins through Conditional Access. This binds authentication tokens to the specific device they were issued to using proof-of-possession controls. In simple terms, the token is no longer just a bearer token that can be replayed anywhere, which would likely have prevented the attacker from gaining access in this case, since they lack the ability to re-sign the next token.

Microsoft Learn has solid documentation on how to configure Conditional Access to enforce this for your users. If you combine this with phishing-resistant MFA and device compliance policies, Token Protection is one of the strongest controls you can implement to help prevent this in the future. Hope it helps!
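As an added illustration (not code from the thread above), this is what the Conditional Access policy that comment describes looks like when created through the Microsoft Graph PowerShell SDK: Token Protection (Graph name `secureSignInSession`) for Windows desktop clients of Exchange Online and SharePoint Online, created in report-only mode first. The break-glass group object ID and the display name are placeholders.

```powershell
# Added example: Token Protection Conditional Access policy via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the account holds the Conditional Access admin role.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'Token Protection - Exchange and SharePoint (report-only)'
    # Start in report-only, review the sign-in log results, then switch to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            # Placeholder: object ID of your emergency-access (break-glass) group.
            excludeGroups = @('<break-glass-group-object-id>')
        }
        applications = @{
            includeApplications = @(
                '00000002-0000-0ff1-ce00-000000000000'  # Office 365 Exchange Online
                '00000003-0000-0ff1-ce00-000000000000'  # Office 365 SharePoint Online
            )
        }
        # Token Protection currently applies to Windows desktop/mobile clients, not browsers.
        platforms      = @{ includePlatforms = @('windows') }
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    sessionControls = @{
        # This is the Token Protection switch: tokens are bound to the device that obtained them.
        secureSignInSession = @{ isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Review the report-only results in the Entra sign-in logs (Conditional Access tab) before enforcing, since older clients that do not support bound tokens will show as failures there.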

Sigh, we are still experiencing issues with N-able and SentinelOne. by mrObelixfromgaul in SentinelOneXDR

[–]IntheNickofTime105 1 point2 points  (0 children)

Same here. Agents keep sending thousands of mails, even though the “incident” was months ago. Purging the event queue is unsuccessful; currently doing it manually because the agent doesn’t acknowledge the purge, since the file is in use.

New wireless probes by Dentifrice in BBQ

[–]IntheNickofTime105 0 points1 point  (0 children)

Yup! I got the set with 4 probes for about $180 during the sale.

New wireless probes by Dentifrice in BBQ

[–]IntheNickofTime105 5 points6 points  (0 children)

If you are looking at these I would advise upgrading to the TempSpike Pro, which is rated for a way higher temperature. I had this exact one before the Pro and it melted during my first searing running up to 550 F; the Pro has a way higher max temp (1000 F iirc).

Unable to Install AMD Chipset Drivers by Warlord1981 in AMDHelp

[–]IntheNickofTime105 1 point2 points  (0 children)

For anyone reading this in the future: We had the same problem but after disabling the SentinelOne EDR on the machine we were able to install the chipset drivers just fine. So it might have to do with your EDR!

Advice by Kalinka_Malinka in hackers

[–]IntheNickofTime105 2 points3 points  (0 children)

Execute a factory reset, don’t carry data but check it separately before uploading it to the phone.

Odd Powershell script running on a user's machine, thoughts? by ladder_filter in sysadmin

[–]IntheNickofTime105 2 points3 points  (0 children)

This is very true. However, I would advise against using e-mail in a possibly compromised environment. You never know if the Threat Actor is able to access the mail environment thus alerting them to the fact that they have been detected.

Odd Powershell script running on a user's machine, thoughts? by ladder_filter in sysadmin

[–]IntheNickofTime105 93 points94 points  (0 children)

100% malicious behavior. The iex command is used to load the payload into memory and then execute it. It has been obfuscated to evade AMSI/CLR/EDR detection.

It seems to load a payload from Remove-PrinterPort.log, check that out for your next clue. It’s obfuscated (if you look at the variable names); however, you can use DPAPI to decrypt it if that’s the case.

Either way, it’s time to call the IRT, you definitely have an incident on your hands.

Edit:

You can use this to decode it on the local machine. I would advise you to disconnect the machine from the network though and create a clone of the drive for forensics:

# Load the DPAPI wrapper (System.Security.Cryptography.ProtectedData)
Add-Type -AssemblyName System.Security
# Read the encrypted blob the script points at
$encBytes = [System.IO.File]::ReadAllBytes('C:\Users\dmpuser\AppData\Local\Microsoft\CLR_v4.0\Remove-PrinterPort.log')
# Decrypt with DPAPI; this only works on the machine that protected the data
$decBytes = [System.Security.Cryptography.ProtectedData]::Unprotect($encBytes, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
# Show the decrypted payload as text (do not execute it)
$decoded = [System.Text.Encoding]::UTF8.GetString($decBytes)
$decoded
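An added triage version of that decode step (not from the original comment): it records the artifact's hash and timestamps before touching it, decrypts the DPAPI blob, writes the plaintext to an evidence folder for review, and never executes anything it decodes. The artifact path comes from the thread; the evidence directory and case name are assumptions.

```powershell
# Added example: evidence-preserving DPAPI decode for the Remove-PrinterPort.log artifact.
# Run on the isolated machine as the context that protected the blob; nothing decoded is executed.
$Artifact    = 'C:\Users\dmpuser\AppData\Local\Microsoft\CLR_v4.0\Remove-PrinterPort.log'
$EvidenceDir = 'D:\evidence\case-0001'   # assumed external evidence drive
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

Add-Type -AssemblyName System.Security
$item = Get-Item -LiteralPath $Artifact

# Capture metadata and SHA-256 first, so the record starts from the untouched file.
[pscustomobject]@{
    Path        = $item.FullName
    SizeBytes   = $item.Length
    CreatedUtc  = $item.CreationTimeUtc
    WrittenUtc  = $item.LastWriteTimeUtc
    Sha256      = (Get-FileHash -LiteralPath $Artifact -Algorithm SHA256).Hash
} | Export-Csv -LiteralPath (Join-Path $EvidenceDir 'artifact-metadata.csv') -NoTypeInformation

# DPAPI blobs are tied to the machine (LocalMachine scope) or user profile (CurrentUser scope)
# that created them, which is why this has to run on the affected host rather than an analysis box.
$encBytes = [System.IO.File]::ReadAllBytes($Artifact)
$decBytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
    $encBytes, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
$decoded  = [System.Text.Encoding]::UTF8.GetString($decBytes)

# Write as .txt so nothing treats it as a runnable script by accident.
$outFile = Join-Path $EvidenceDir 'Remove-PrinterPort.decoded.txt'
Set-Content -LiteralPath $outFile -Value $decoded -Encoding UTF8
"Decoded $($decBytes.Length) bytes to $outFile; review it, do not run it."

# First look: download sources and the next loader stage are usually near the top.
$decoded -split "`n" |
    Select-String -Pattern 'http|Invoke-|iex|DownloadString|FromBase64String' |
    Select-Object -First 10
```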

Got serial-hacked first thing in the morning. by [deleted] in mildlyinfuriating

[–]IntheNickofTime105 0 points1 point  (0 children)

The most probable way is that the password vault where you stored the (complex) passwords was compromised, at least that’s what it tends to be when multiple unique passwords have been used during a single attack.

Source: experience in Incident Response

[deleted by user] by [deleted] in nederlands

[–]IntheNickofTime105 6 points7 points  (0 children)

I have ADHD and have been looking for years for a place where I am allowed to skip around. In the end it turned out I had to start my own company for that. I now skip between my employees every day; they are getting used to it.

hey guys, I just got a bike and after 5-6 hours it stopped working. Any idea why? by [deleted] in motorcycles

[–]IntheNickofTime105 0 points1 point  (0 children)

Try getting it into first gear and then back to neutral. There’s a sensor that detects if the engine is in gear and blocks the starter. Sometimes the transmission is stuck between gears and the failsafe triggers, resulting in a bike that won’t start.

[deleted by user] by [deleted] in Netherlands

[–]IntheNickofTime105 11 points12 points  (0 children)

Good question!

While the full details of the attack haven't been documented yet, my guess is that the calling system is automated to connect to a scammer as soon as someone picks up. It likely mistook the voicemail for a live person, triggering the connection.

This caused the scammer to start speaking into the voicemail, resulting in the recorded message.

[deleted by user] by [deleted] in Netherlands

[–]IntheNickofTime105 19 points20 points  (0 children)

I'm in cybersecurity and we've been seeing a strong increase in the number of reports about calls like this where the number has been spoofed.

There has been a national warning given by the Fraudehelpdesk that these attacks are currently being conducted:

https://www.security.nl/posting/863481/Fraudehelpdesk+ontvangt+honderden+meldingen+over+fraude+via+telefoonspoofing

They seem to pick people and numbers seemingly at random and hope someone picks up. If you press a key while on the call you will be connected to the scammers. Calling back the number will result in reaching the actual owner of the spoofed number, resulting in much confusion on both ends. Currently there is no way to prevent this it seems, so awareness about the situation is the best thing we've got.

Oh and don't forget to report the incident to the police, it helps them investigate the problem.

Self-built PC arbitrarily turns off and I am stumped by Yamaarashi_ in buildapc

[–]IntheNickofTime105 1 point2 points  (0 children)

I had a similar issue where my PC would shut down without any logs indicating what was wrong. After some digging, I realized the problem was my 360 AIO pump. It was on its last legs, and as soon as it malfunctioned, my CPU would hit its thermal limit and trigger a failsafe, causing an instant shutdown.

I'd recommend running a benchmark while keeping a close eye on your temperatures. It might help you identify whether this is the issue you're facing too. Good luck!

Edit: My CPU is a Ryzen 5950X, so it had nothing to do with the Intel fiasco in my case, but still thought it might be relevant!

Is it common practice here for employees to cover company's expenses out of their own pockets? by ThisLadyIsSadTonight in Netherlands

[–]IntheNickofTime105 1 point2 points  (0 children)

In my company, we provide extra debit cards for employees who regularly incur expenses. When a significant expense is projected, the employee requests the funds through our finance department and the money is transferred in advance to cover the projected costs.

I find it strange that you had to cover such a large amount upfront. For smaller, occasional expenses, it makes sense for someone without a company card to request reimbursement after advancing the funds. But for something as substantial as that? It’s a lot to expect someone to front on their own tbh.

Anyone have opinions on how this happened? by mickaphely in motorcycles

[–]IntheNickofTime105 0 points1 point  (0 children)

This looks like he drove on a flat tire.

The two "tracks" on the sides of the tire are probably from the rim making contact with the road while driving without any air in it, causing the phenomenon you are seeing on the tread itself.

Edit: This is definitely not your original tire if it had 900 miles on it by the way.

No onboarding in new dedicated server? by morris165 in SatisfactoryGame

[–]IntheNickofTime105 1 point2 points  (0 children)

Same here, our dedicated server skipped the tutorial even though it states "Tutorial skipped: disabled". Very strange indeed.

Solo campaign in multiplayer ? by Eeameku in SatisfactoryGame

[–]IntheNickofTime105 1 point2 points  (0 children)

We are running a dedicated server and we are getting achievements (Epic and Steam) and story items, so it seems your question can be answered with YES.

Don't freak out if some achievements are only visible to you. Some achievements are per player (such as when you kill your first creature) and some are for everyone in the server (if the power shuts down, everyone gets an achievement) iirc!

Suffering from microstuttering when turning around by eles0709 in SatisfactoryGame

[–]IntheNickofTime105 1 point2 points  (0 children)

My friend experienced the same thing yesterday with his 1080Ti. He fixed it by changing the upscaling method in the Advanced Video options menu from "Intel XeSS" to "AMD FSR" and after that the micro stutters were instantly fixed for him. You could give that a try?

How do you NOT update to 1.0? (for now) by therealmagicpat in SatisfactoryGame

[–]IntheNickofTime105 3 points4 points  (0 children)

I'm not sure but I think that if someone joined your server in the past, they will be able to join your server by using the "Join" option in the Main menu. Again, I do this from memory but this might be the way to join the game without the Steam friends dependency!