Small businesses are the most common ransomware target by volume of incidents, even though many small business owners assume hackers focus on larger organizations. A 22-person company has enough revenue to be worth attacking, no dedicated security team to defend it, and a publicly traceable footprint that takes about an hour to research.
What follows is a step-by-step walkthrough of how a small business gets attacked, written from the attacker’s side. The company in this account is composite, but the methods are accurate to current threat intelligence reporting. After the walkthrough, you’ll see five specific points where the attack would have been stopped by controls that come bundled with security tools most small businesses already pay for.
Monday: how I picked you
I work regular hours and run a small volume operation. My spreadsheet has about 40 prospects per month, and I prefer businesses between 10 and 50 staff. The reason for that range is economics. Large enterprises have security teams, incident response contracts, and lawyers who make recovery expensive on my end. At the other end of the scale, sole traders rarely have enough at stake to bother with. A 22-person commercial services company sits in the right zone: payroll, customer database, project files, supplier relationships, and an owner who will pay to get the lot back. The return per hour is better at this size than at either extreme.
I did not find you through a breach or a tip. I found you on a public business records portal. State business registries, federal contract awards, and county-level licensing databases publish enough detail for me to identify your company, look up your name, estimate your revenue, and pick the most useful person inside the business. One search told me your company name, your registered agent, the contract value of a recent municipal job, and the named contact on the submission.
The fact that nothing has gone wrong at your company yet is the strongest signal I get. It tells me your credentials are probably still valid, your staff has not been trained to spot anything, and nobody has had a reason to change a password. A clean record is the first indicator I look for.
Tuesday: building your org chart for free
I spend about 40 minutes researching your company today using only a browser.
LinkedIn gives me eight of your current employees with their job titles listed. Your office manager has been there for six years and lists “accounts payable, payroll, and supplier invoicing” in her profile summary. Your second admin joined 14 months ago. You list yourself as director, with a sparse profile and a low connection count, which tells me you are unlikely to notice when someone unusual starts engaging with your profile or your company’s social media.
Public business filings confirm your registered business name and your full legal name. A “meet the team” post from two years ago on your Facebook page lists first names and photos, including someone described as helping out in the office a couple of days a week. One of the commenters shares your surname.
I now know who handles your money, what their name is, how long they have been there, what software they probably use (I will check your job ads on Indeed for the phrase “experience with QuickBooks or Sage”), and who in your business has the authority to approve a payment without a second signature.
That last person is my primary target. You are harder to reach and probably more cautious. Your office manager has system access, handles supplier payments, and is busy enough that one more email in her inbox does not get scrutinized the way it might if she had nothing else to do.
I have not spent a dollar yet.
Wednesday: I bought your credentials for $14
Stealer logs are credential packages harvested by infostealer malware that infected someone’s personal device, often months or years earlier. The malware records every username and password typed into the machine, then bundles the data for sale. Marketplaces on Telegram channels and forums let buyers search these logs by company email domain.
I search for your company’s email domain. Two results come back. One is your office manager’s work email, with a password that looks like it was saved in her browser. The other is a personal Gmail address that appears to belong to a family member of yours, probably from a device that shared a home network.
I pay $14 for the package. It takes four minutes.
Your office manager’s password follows a common pattern: a pet or child’s name combined with a year and an exclamation mark. I check it against HaveIBeenPwned, which is the same free database security professionals use, and find that it appeared in a credential dump from a retail loyalty program breach three years earlier. The password has not been changed since.
Your family member’s credentials are more interesting than they look at first. The same password, with minor variations, shows up across a streaming service, a gaming account, and your company’s Microsoft 365 login. The password works. The only thing standing between me and the inbox is the second factor.
Total spend so far: $14.
Thursday: getting past your MFA
Multi-factor authentication stops a lot of attacks, but the implementation matters more than the checkbox.
Simple push-notification fatigue does not work against your office manager’s account. Microsoft enabled number matching by default for all Microsoft Authenticator push notifications in May 2023, which means she would have to type a code from her login screen rather than just tap approve. Push bombing fails against that configuration.
What still works is adversary-in-the-middle (AiTM) phishing. I send your office manager an email designed to look like a routine Microsoft 365 password reset notification, citing the breach that her password appeared in (the same breach I found her credentials in earlier in the week). The link in the email takes her to a page that mirrors the real Microsoft sign-in screen. That page is a proxy I control.
When she enters her password and approves her MFA prompt, my proxy forwards both to the real Microsoft login server. Microsoft validates the credentials, completes the MFA challenge, and issues a session token back to my proxy. I capture the token. She sees a normal login experience on what she thinks is the real Microsoft site, then a “password updated successfully” message.
I am now signed in as her. The MFA prompt succeeded, and the session token sits in my browser instead of hers. Microsoft sees a valid authenticated session and treats my activity as legitimate.
I had a backup plan in case the email did not get clicked. Earlier in the day, I called your office posing as your IT support company, using a name I found in a Google review you had left 18 months earlier. I told your receptionist that we were seeing unusual login activity on the office manager’s account and that I would need her to approve a verification push in the next few minutes. She said the office manager was not at her desk. I said no problem, I would try again later. The call cost me nothing.
By Thursday night, I am inside your office manager’s Microsoft 365 account. I set up an inbox forwarding rule so her emails copy to an address I control without notifying her, then I wait.
Friday 2:47pm: why I waited 36 hours before encrypting
I spend 36 hours reading email before I encrypt anything. That dwell time is how I size the ransom correctly.
In those 36 hours, I find your cyber insurance policy attached to an email from your broker, with a cyber liability sub-limit of $250,000. A bank reconciliation your office manager sent you two weeks ago shows your business account at around $180,000 at month end. Your customer list sits in a quote template she emailed to herself, and a message thread with a municipal project manager mentions a job starting in three weeks with a hard deadline you cannot afford to miss.
I set my ransom at $65,000 in cryptocurrency. That figure is low enough that you will pay rather than fight it, high enough that it is worth my time, and well within what I know you can access. Ransoms set above 10 percent of visible liquid assets tend to get contested. The figure I picked sits below that line.
I deploy the encryption payload at 2:47pm on Friday. The timing is deliberate. Your bookkeeper finishes at 3pm on Fridays, which I know from an out-of-office reply I saw in the forwarded emails. You are on a job site, with your calendar synced to the shared inbox. The person most likely to notice something wrong and call for help is already gone, and the person with the authority to make decisions is unreachable.
By the time anyone understands what has happened, it is a Friday evening, every file on your shared drive is encrypted, and a ransom note sits on every screen in your office.
Total cost to me: $14 for credentials and about six hours of work spread across the week.
Five places this attack would have died
The attack on your business worked because five ordinary things were not in place. None of them is expensive, and most come bundled with security tools you already pay for.
1. The credential purchase on Wednesday.
HaveIBeenPwned is free. Microsoft Entra password protection can detect and block reused or commonly-compromised passwords across your accounts. Enforcing unique passwords per account, through a password manager and through Entra’s policies, makes a stolen credential purchase useless for me.
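The check described above can be run without ever sending a password anywhere. HaveIBeenPwned's Pwned Passwords range endpoint uses k-anonymity: only the first five hex characters of the password's SHA-1 hash are sent, and the caller matches the rest locally. The following PowerShell is an added example, not code from the original post or from HaveIBeenPwned; the sample range body and its counts are constructed for the offline run at the bottom, and the `-RangeBody` parameter exists only so the parsing logic can be exercised without a network call.

```powershell
# Added example (not from the original post): check a password against the
# HaveIBeenPwned Pwned Passwords API using its k-anonymity range endpoint.
# Only the first five hex characters of the SHA-1 hash leave the machine;
# the full hash and the password itself are never transmitted.

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    try {
        ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join ''
    } finally {
        $sha1.Dispose()
    }
}

function Find-SuffixCount {
    # Parse a range response ("SUFFIX:COUNT" per line) and return how many
    # times the given suffix appeared in known breaches, or 0 if it is absent.
    param(
        [Parameter(Mandatory)][string]$RangeBody,
        [Parameter(Mandatory)][string]$Suffix
    )
    foreach ($line in ($RangeBody -split "`r?`n")) {
        $parts = $line.Trim() -split ':'
        if ($parts.Count -eq 2 -and $parts[0] -eq $Suffix) {
            return [int]$parts[1]
        }
    }
    return 0
}

function Test-PwnedPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        # Hypothetical parameter for this example: a pre-fetched range body,
        # so the matching logic can run offline. Omit it for a live query.
        [string]$RangeBody
    )
    $hash   = Get-Sha1Hex -Text $Password
    $prefix = $hash.Substring(0, 5)
    $suffix = $hash.Substring(5)
    if (-not $RangeBody) {
        # Live query. The Add-Padding header asks the API to pad the response
        # so that its size does not reveal how many suffixes matched.
        $RangeBody = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" `
            -Headers @{ 'Add-Padding' = 'true' }
    }
    $count = Find-SuffixCount -RangeBody $RangeBody -Suffix $suffix
    [pscustomobject]@{ Prefix = $prefix; SeenCount = $count; Compromised = ($count -gt 0) }
}

# Offline demonstration with a constructed range body (not real API output).
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the prefix
# sent to the API would be 5BAA6 and the suffix matched locally is the rest.
$sampleRange = @"
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1E4C9B93F3F0682250B6CF8331B7EE68FD9:3
"@
Test-PwnedPassword -Password 'password' -RangeBody $sampleRange
# The offline run reports Compromised = True with SeenCount 9545824 (the
# constructed figure above); drop -RangeBody to query the live service.
```

The same hash-prefix approach is what Entra password protection and most password managers use under the hood, so this is a reasonable way to spot-check a policy rather than a replacement for enforcing it at the directory level.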
2. The MFA bypass on Thursday night.
Microsoft already blocks the simpler push-bombing attack, because number matching has been enabled by default for all Microsoft Authenticator push notifications since May 2023. The current dominant credential-based bypass is adversary-in-the-middle phishing. Defenses include phishing-resistant MFA (FIDO2 hardware keys, passkeys, or Windows Hello for Business), Conditional Access policies that require a compliant or hybrid-joined device, and anti-phishing protection in Microsoft Defender for Office 365. Any one of these would have either prevented the session token capture or made the captured token unusable from my IP address.
3. The inbox forwarding rule.
Microsoft 365 allows admins to block external email forwarding rules at the tenant level. With that block in place, the inbox forwarding rule I used to read 36 hours of email would not have worked. I might have encrypted anyway, but I would have been guessing on the ransom size.
4. The 36-hour dwell time.
Microsoft Defender for Business, included in Microsoft 365 Business Premium, generates an alert when a new inbox forwarding rule is created. If anyone had been watching those alerts, or if the alerts had been routed somewhere visible, I would have been detected on Thursday night. The most impactful change for a business your size is rarely a new product purchase. The improvement comes from someone reviewing the security alerts that the tools you already pay for are already generating.
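Points 3 and 4 above can be checked and closed from an Exchange Online PowerShell session. The following is an added example, not code from the original post or from Microsoft: it audits inbox rules for forwarding or redirection to addresses outside the tenant's accepted domains, then shows the two tenant-level settings documented in the "Configure external email forwarding" article that stop such rules from delivering mail externally. The sample rules, the `example.com` tenant domain and the `attacker-mail.invalid` address are constructed for the offline run; the live commands at the end assume the `ExchangeOnlineManagement` module and an Exchange administrator role.

```powershell
# Added example (not from the original post): find inbox rules that forward or
# redirect mail outside the tenant, then show the tenant-level settings that
# make such rules fail to deliver. Live commands need ExchangeOnlineManagement.

function Test-ExternalForwardingRule {
    # Returns the external recipients a single inbox rule sends mail to, or
    # nothing if every recipient is inside an accepted domain.
    param(
        [Parameter(Mandatory)]$Rule,                          # has ForwardTo / ForwardAsAttachmentTo / RedirectTo
        [Parameter(Mandatory)][string[]]$AcceptedDomains      # lower-case tenant domains
    )
    $targets = @(@($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) |
        Where-Object { $_ })
    foreach ($target in $targets) {
        # Exchange typically renders recipients as 'Display Name [SMTP:user@domain]';
        # fall back to the raw value when it is already a bare address.
        $address = if ("$target" -match 'SMTP:([^\]\s]+)') { $Matches[1] } else { "$target" }
        $domain  = (($address -split '@')[-1]).ToLower()
        if ($AcceptedDomains -notcontains $domain) { $address }
    }
}

function Find-ExternalForwardingRules {
    # Summarise every rule that leaks mail outside the tenant, one row per rule.
    param(
        [Parameter(Mandatory)]$Rules,
        [Parameter(Mandatory)][string[]]$AcceptedDomains
    )
    foreach ($rule in $Rules) {
        $external = @(Test-ExternalForwardingRule -Rule $rule -AcceptedDomains $AcceptedDomains)
        if ($external.Count -gt 0) {
            [pscustomobject]@{
                Mailbox  = $rule.MailboxOwnerId
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                External = ($external -join ', ')
            }
        }
    }
}

# Constructed sample rules standing in for Get-InboxRule output. example.com is
# the hypothetical tenant domain; attacker-mail.invalid is a placeholder.
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'office.manager@example.com'; Name = 'Invoices to archive'
                       Enabled = $true; ForwardTo = @('Archive [SMTP:archive@example.com]')
                       ForwardAsAttachmentTo = $null; RedirectTo = $null }
    [pscustomobject]@{ MailboxOwnerId = 'office.manager@example.com'; Name = 'Copy'
                       Enabled = $true; ForwardTo = @('[SMTP:collector@attacker-mail.invalid]')
                       ForwardAsAttachmentTo = $null; RedirectTo = $null }
)
# Only the second rule is reported: its recipient domain is not an accepted domain.
Find-ExternalForwardingRules -Rules $sampleRules -AcceptedDomains @('example.com') | Format-Table

# Live audit of the tenant (run after Connect-ExchangeOnline):
# $domains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }
# $rules   = Get-Mailbox -ResultSize Unlimited |
#            ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName }
# Find-ExternalForwardingRules -Rules $rules -AcceptedDomains $domains
#
# Tenant-level block: disable automatic forwarding to every remote domain and
# turn it off in the default outbound spam policy. An inbox rule like the one
# above then fails to deliver instead of silently copying mail out of the tenant.
# Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Running the audit once gives a baseline; the alert Defender for Business raises on new forwarding rules only helps if someone compares it against that baseline and acts on it, which is the point made above about reviewing alerts rather than buying more tools.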
5. The public business records.
You cannot unpublish a state contracting registry or a federal contract award. That data will stay public. What you can control is what your team chooses to post about their specific responsibilities. Your office manager’s LinkedIn profile listed her financial responsibilities in enough detail to make her the obvious target. That detail is worth a conversation with your team, framed as practical security awareness rather than a rule about what people can post.
Three questions to send your IT provider
These three questions cover most of where the example attack failed. Each one corresponds to a control that comes bundled with security tools you most likely already pay for.
- Are we using phishing-resistant MFA (FIDO2 keys, passkeys, or Windows Hello for Business) for finance, admin, and executive logins?
- Is external email forwarding blocked at the tenant level?
- Are our security alerts going somewhere, and is someone reviewing them?
Frequently asked questions
Do hackers target small businesses?
Yes. Most ransomware operations target small and mid-sized businesses because the ratio of payout potential to defensive resources is higher than at either extreme of company size. The volume sweet spot is roughly 10 to 50 staff, where there are assets worth encrypting but no dedicated security team to defend them.
What is adversary-in-the-middle (AiTM) phishing?
AiTM phishing is a technique where the attacker hosts a proxy page that mirrors a real login screen, such as Microsoft 365 or Google Workspace. When the user enters credentials and approves the MFA prompt, the proxy captures the resulting session token. The legitimate service treats the login as successful, but the session token ends up in the attacker’s browser. AiTM has become the dominant credential-based attack vector against Microsoft 365 tenants after the default rollout of number matching ended simpler push-bombing attacks.
What is a stealer log?
A stealer log is a package of credentials harvested by infostealer malware from an infected personal device. The logs include browser-saved passwords, session cookies, and stored authentication tokens, and they are sold on underground markets for $10 to $20 per package. The malware that creates them typically infects personal computers through pirated software or malicious browser extensions.
How much does it cost an attacker to compromise a small business?
In the example walkthrough above, the total spend was $14 for stolen credentials and about six hours of work. Costs vary, but the threshold to attempt the kind of attack described in this post sits well below $100.
Are there free tools that would have stopped this attack?
Several of the controls referenced in the walkthrough come bundled with Microsoft 365 Business Premium licenses that businesses in this size range typically already hold. External forwarding restrictions and Defender for Business alerts are configuration changes rather than new purchases. HaveIBeenPwned is a free check available to anyone. Phishing-resistant MFA hardware keys are a small per-user cost compared with the cost of a successful ransomware incident.
Sources and further reading
- CISA: Stop Ransomware Guide — federal guidance on the controls referenced throughout this walkthrough.
- Microsoft Learn: How number matching works in MFA push notifications — Microsoft’s documentation on the default-enabled Authenticator feature that blocks push-bombing attacks.
- HaveIBeenPwned — the free database used to check whether an email address has appeared in known breaches.
- Microsoft Learn: Configure external email forwarding in Microsoft 365 — how to block tenant-level external forwarding rules.
If any of this walkthrough sounded uncomfortably similar to your environment, the three questions above are a good starting point. Your IT provider should be able to confirm what is in place and what is not within an hour or two. And if you don’t have an IT provider, feel free to reach out to us and we’ll help you sort it.