Attack Vector
Sophisticated phishing campaign targeting a vendor IT admin. The attackers used a
lookalike domain fronted by an adversary-in-the-middle reverse proxy that relayed the
genuine VPN login page and captured the credentials in transit (a proxy of this kind
also sees any one-time code the user types into the relayed page).
Foxhole Detection
Behavioral AI identified anomalous login patterns: the vendor account
authenticating from a new geolocation at hours it had never used before,
with inter-login timing too regular for a human, suggesting automated tooling.
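The three signals above (new geolocation, unusual hour, machine-like spacing) can be scored from plain authentication logs. The following is an added illustration, not Foxhole's model or code; the event format, the thresholds, the account name and the sample login history are all constructed assumptions.

```python
"""Score a burst of VPN logins against an account's own history.

Added example, not Foxhole's code. Event fields, thresholds, the account
name and the sample history are assumptions built for this illustration.
"""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_events():
    """Constructed sample: 40 normal business-hours logins from one country,
    then four logins from a new country around 03:00, ~60 s apart."""
    base = datetime(2024, 9, 2, 8, 30)
    events = []
    for day in range(40):
        t = base + timedelta(days=day, hours=(day * 3) % 9, minutes=(day * 17) % 60)
        events.append({"user": "vendor-admin", "geo": "DE", "ts": t})
    start = datetime(2024, 10, 28, 3, 2)
    for i in range(4):
        t = start + timedelta(seconds=60 * i + (i % 2))  # tiny jitter, as a tool would produce
        events.append({"user": "vendor-admin", "geo": "BR", "ts": t})
    return events


def baseline(events, cutoff):
    """Geolocations and hour-of-day histogram from everything before the cutoff."""
    past = [e for e in events if e["ts"] < cutoff]
    return {
        "geos": {e["geo"] for e in past},
        "hours": Counter(e["ts"].hour for e in past),
        "n": len(past),
    }


def score_window(window, base):
    """Flag a group of logins for one account; score is the number of flags raised."""
    flags = []
    if any(e["geo"] not in base["geos"] for e in window):
        flags.append("new_geolocation")
    # an hour seen in under 2% of the account's past logins counts as unusual
    if base["n"] and any(base["hours"][e["ts"].hour] / base["n"] < 0.02 for e in window):
        flags.append("unusual_hour")
    if len(window) >= 3:
        ts = sorted(e["ts"] for e in window)
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        # people rarely re-authenticate at near-constant intervals; scripts do
        if cv < 0.05:
            flags.append("machine_timing")
    return {"user": window[0]["user"], "flags": flags, "score": len(flags)}


def detect(events, cutoff):
    """Build the baseline from history before cutoff and score what came after."""
    base = baseline(events, cutoff)
    recent = sorted((e for e in events if e["ts"] >= cutoff), key=lambda e: e["ts"])
    if not recent:
        return None
    return score_window(recent, base)


if __name__ == "__main__":
    print(detect(build_events(), datetime(2024, 10, 27)))
```

The point of scoring per account rather than against a global rule is that a 03:00 login is normal for some accounts and alarming for others; the cut-off for "unusual" is whatever that account has actually done.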
Attack Method
Slow, methodical network exploration using valid credentials.
Attackers paced activities to stay under detection thresholds,
scanning only a few subnets per day.
Foxhole Detection
Identified a subtle pattern: each reconnaissance query was preceded by 3-4
"decoy" requests that looked legitimate. Every request is benign on its own, so
a rule that evaluates single events has nothing to match; the signature only
appears when requests from the same account are correlated over time.
Attack Method
Created encrypted archives in temporary folders, naming them to blend in with
legitimate system files, and copied timestamps from existing files onto them
(timestomping) so the archives did not stand out as newly created.
Foxhole Detection
Behavioral anomaly: encryption operations in temp folders followed by extended
periods of inactivity, a pattern matching "hoarding" behavior, where data is
staged and left in place until the exfiltration channel is ready.
Attack Method
DNS tunneling with data rates carefully tuned to blend with legitimate DNS
traffic. Outbound data left the network encoded in the subdomain labels of the
queried names; the attacker's authoritative server answered with base64-encoded
TXT records carrying its return channel. The exfiltration rate varied with the
time of day to track normal traffic volume.
Foxhole Detection
Machine learning model detected statistical anomalies in DNS query patterns:
the entropy distribution of queried subdomain labels, the timing correlation
between queries and the temp-folder archive activity, and base64-encoded
payloads in TXT responses. None of these is conclusive alone (DKIM and
site-verification records also carry base64), so they are scored together.
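The three DNS signals above, run over constructed log lines, as an added example that is not Foxhole's model or code. The log format (`timestamp client qname qtype answer`), the thresholds, the domain names, the client address and the archive-event timestamp are all assumptions; "registered domain" is approximated as the last two labels, which a real sensor would replace with a public-suffix lookup.

```python
"""Score DNS logs for tunneling: subdomain entropy, base64 TXT answers and
timing relative to temp-folder archive events.

Added example, not Foxhole's code. Log format, thresholds, domains, client
address and every record below are constructed for this illustration.
"""
import base64
import hashlib
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean

B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
# constructed: when the encrypted archive appeared in the temp folder
ARCHIVE_EVENTS = [datetime(2024, 11, 4, 2, 0)]


def shannon_entropy(s):
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname):
    """(subdomain part, registered domain); assumes no public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def looks_base64(txt):
    """True when the answer is a syntactically valid base64 blob of 8+ chars."""
    if not B64_RE.match(txt) or len(txt) % 4:
        return False
    try:
        base64.b64decode(txt, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def build_log():
    """Constructed sample: ordinary lookups from 01:30, then a tunnel that starts
    12 minutes after the archive was written and beacons every 90 s."""
    lines = []
    t0 = datetime(2024, 11, 4, 1, 30)
    legit = [
        ("www.example.com", "A", "-"),
        ("mail.example.com", "A", "-"),
        ("example.com", "TXT", "v=spf1 include:_spf.example.com ~all"),
        ("cdn.jsdelivr.net", "A", "-"),
        ("api.github.com", "A", "-"),
    ]
    for i in range(10):
        q, typ, ans = legit[i % len(legit)]
        lines.append(f"{(t0 + timedelta(minutes=7 * i)).isoformat()} 10.20.5.17 {q} {typ} {ans}")
    t1 = datetime(2024, 11, 4, 2, 12)
    for i in range(8):
        chunk = hashlib.sha256(f"chunk{i}".encode()).digest()  # stands in for 32 archive bytes
        label = base64.b32encode(chunk).decode().rstrip("=").lower()  # 52 chars, fits one label
        ans = base64.b64encode(f"ack:{i}:sleep 90".encode()).decode()
        lines.append(f"{(t1 + timedelta(seconds=90 * i)).isoformat()} 10.20.5.17 "
                     f"{label}.t.cdn-metrics.net TXT {ans}")
    return lines


def score_dns(lines, archive_events, window=timedelta(minutes=30)):
    """Group queries per (client, registered domain) and score three signals."""
    groups = defaultdict(list)
    for line in lines:
        ts, client, qname, qtype, ans = line.split(" ", 4)  # answer may contain spaces
        sub, dom = split_qname(qname)
        groups[(client, dom)].append((datetime.fromisoformat(ts), sub, ans))
    findings = []
    for (client, dom), recs in groups.items():
        ents = [shannon_entropy(sub.replace(".", "")) for _, sub, _ in recs]
        b64_share = sum(looks_base64(a) for _, _, a in recs) / len(recs)
        first = min(t for t, _, _ in recs)
        signals = {
            "high_entropy": mean(ents) > 3.0,          # encoded data vs. words like "www"
            "base64_txt": b64_share >= 0.5,            # most answers are opaque blobs
            "follows_archive": any(timedelta(0) <= first - a <= window for a in archive_events),
        }
        findings.append({"client": client, "domain": dom, "queries": len(recs),
                         "mean_entropy": round(mean(ents), 2), "signals": signals,
                         "score": sum(signals.values())})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in score_dns(build_log(), ARCHIVE_EVENTS):
        print(f)
```

The tunnel domain scores on all three signals while the legitimate groups score zero; a single signal (one base64 TXT answer, one long hostname) should raise the score, not an alert on its own.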
🔮 AI Prediction
Based on pattern analysis, attacker will likely target
customer database next. Estimated exfiltration window:
November 15-30, 2024. Recommended action: isolate customer
DB access and implement enhanced monitoring.
Current Status
Attacker maintains persistent access through scheduled tasks
and registry run keys. Continues to explore new repositories,
currently targeting R&D documentation archives.
Immediate Actions
1. Revoke all vendor credentials immediately, including active VPN sessions and
   tokens, which a password reset alone does not terminate
2. Isolate affected systems from the network without powering them off
3. Forensic imaging of the affected hosts, capturing the temp directories and
   their encrypted archives before anything is cleaned up
4. Implement DNS monitoring with Foxhole sensors
5. Review and rotate all privileged credentials
🔮 AI Prediction
Campaign enters final phase: attacker preparing to deploy
backdoor for persistent access before completing exfiltration.
Expected within 72 hours. Urgent intervention required.