A Tale Of Two Attacks - From A £500k+ Loss Into A 1-Hour Disruption With Chorus Cyber

The Challenge

When a critical ProxyLogon vulnerability affected on-premises Microsoft Exchange servers, a large UK-based manufacturing business experienced the full impact of a major breach. Their Exchange server was exploited, allowing a threat actor to gain access, deploy malware, and significantly disrupt operations. The compromise forced a shutdown of key systems for three months, resulting in reduced production and an estimated £500,000 in lost revenue.

The customer’s earlier security setup lacked real-time monitoring and incident response capability. By the time the breach was discovered, the damage was done. With production lines down, customer communications severely affected and the risk of compliance penalties, the business knew it needed to act.

The Response

Following this incident, the customer uplifted their Microsoft licensing to Microsoft 365 Business Premium and onboarded into Chorus Cyber’s Managed Detection and Response (MDR) service, and eventually the full MXDR service covering their whole environment.

Delivered in partnership with their established MSP, the MXDR service includes proactive 24/7 threat detection, automated response, and strategic threat intelligence, all provided by a dedicated Security Operations Centre (CSOC).

Chorus Cyber is a Microsoft Solutions Partner for Security, an MXDR Verified member of the Microsoft Intelligent Security Association (MISA) and holds multiple Microsoft security advanced specialisations, assuring clients of technical excellence and deep Microsoft security expertise.

Shortly after onboarding, a similar threat resurfaced for the manufacturing company – another attempted compromise of the Exchange server, just hours after the vulnerability was announced. With a freshly disclosed vulnerability and a company that had already fallen victim to this type of attack, this had the potential to be a worst-case scenario.

However, this time, the story was vastly different…

  • At 11:56 AM, the Chorus Cyber CSOC detected a webshell on the server.
  • Within minutes, the Exchange server was isolated to prevent lateral movement.
  • Malware artefacts were identified, analysed and removed.
  • The CSOC worked directly with the MSP to coordinate patching and recovery.
  • Mail flow was restored by 4:41 PM – meaning the entire incident, from detection to full recovery, was handled in just a few hours, with only one hour of actual email disruption.

The Outcome

The difference between the two incidents couldn’t be clearer. The first breach caused months of disruption and huge financial losses. The second, with a modern Microsoft-powered MXDR service in place, was resolved in under an hour – with no lateral movement, no data loss and no wider operational impact.

The customer was able to continue operations without interruption, highlighting the immediate return on investment of the Chorus Cyber MXDR service. What once took months to detect and recover from was now neutralised in near real time.

Beyond the initial incident response itself, Chorus Cyber provided strategic guidance and support. This included recommending the decommissioning of the vulnerable Exchange server and a migration to Microsoft 365 to reduce long-term risk and comply with increasingly complex industry legislation.

Why It Worked

  • 24/7 Monitoring and Response: The Chorus Cyber CSOC was able to identify and respond in real time, including during daytime hours when many threats are missed due to human delay.
  • Tight Integration with the MSP: Coordination between Chorus Cyber and the MSP enabled a smooth patching and recovery process.
  • Proactive Threat Hunting: Continuous monitoring meant that even sophisticated attempts were spotted early.
  • Strategic Security Advice: Beyond the fix, Chorus Cyber guided the customer on how to reduce future risk and prevent similar attacks in the future.

What This Means for Partners

For partners and MSPs, this is a strong example of how integrating with a dedicated MXDR provider can immediately strengthen your security offering. By partnering with Chorus Cyber, you gain:

  • A true extension of your existing Microsoft-focussed services, monitoring clients around the clock with modern tools.
  • Faster incident resolution, reducing the impact on end-customer operations.
  • Stronger client relationships, by proactively preventing issues, building trust and delivering measurable improvements to security posture.
  • Recurring revenue opportunities, through ongoing security service provision that builds upon a familiar, accessible and scalable Microsoft licensing model.

Get in touch with our partner team and begin offering Microsoft-based SOC Services today.