12 Minutes to Containment: How an MDR SOC Caught a 2026 Ransomware Staging Attack Before Encryption Started
Cybool Security Team
Threat Intelligence
Ransomware attacks no longer announce themselves with a splash screen. By 2026, the typical attack chain runs for 4–11 days between initial access and encryption. The encryption is the loud part. Everything before it is quiet — and everything before it is where containment is still possible.
This is the timeline of one such attack, contained on a Tuesday morning in March 2026 in a Cybool-monitored environment. Identifying details are anonymized; technical detail is preserved.
The Environment
A 180-person manufacturing services company in Central America. Mixed Windows 11 and Windows Server 2022 environment, Microsoft 365 for productivity, on-premises file and ERP servers, EDR deployed on all endpoints, log forwarding to Cybool’s SOC for continuous monitoring. The customer subscribes to standard 24/7 MDR coverage.
Day -7: The Quiet Beginning
A finance department user receives a phishing email impersonating a known supplier. The email contains an HTML attachment that, when opened, presents a fake Microsoft 365 login page. The user types her real password.
The attacker logs into her Microsoft 365 account from a Czech IP address. Cybool’s SOC sees the geolocation anomaly and triggers a low-severity alert; the analyst on shift has the user reset her password and enables a conditional access policy requiring MFA for sign-ins from new locations. The phishing campaign is documented and the email pattern is blocked at the gateway. From the SOC’s perspective, this is a routine credential theft, neutralized.
What the SOC does not see at this stage: the attacker had already exported the user’s OneDrive contents during the 90-minute access window. Among those documents was a network diagram referencing the company’s VPN appliance.
Day -5 to Day -1: Reconnaissance
Over the next five days, the attacker — now believed to be an affiliate of a LockBit-successor group — quietly enumerates the company’s public attack surface. They identify the VPN appliance, confirm its vendor and approximate version, and identify three employees with elevated access by cross-referencing LinkedIn profiles against the network diagram.
A second phishing wave goes out, this time hyper-targeted at the three employees. One of them, an IT administrator with VPN access, opens a Microsoft Teams link in what appears to be a vendor support ticket. The link leads into an OAuth consent flow that grants an attacker-controlled application persistent access to his account; a consent grant of this kind stays in place until it is explicitly revoked, independent of any later password reset.
A consent grant like this is unusual for the user but not inherently suspicious. Cybool’s SOC sees the event in the Microsoft 365 audit log but rates it medium-severity because the consent was granted to an app that, on first inspection, appeared to be a known Teams integration. A ticket is opened for review the following morning.
Day 0, 02:31: VPN Connection
At 02:31 local time, the attacker connects to the company’s VPN using the IT administrator’s credentials and an MFA bypass technique. The VPN logs the connection. The administrator is asleep.
Cybool’s SOC monitoring sees a VPN login at an unusual hour for that user. The behavioral baseline for this account shows VPN logins between 07:00 and 19:00 on weekdays. The 02:31 timing breaks the pattern.
The on-shift analyst — based in Cybool’s Tel Aviv SOC, where it is 09:31 — opens the session, reviews the source IP (a residential proxy in Eastern Europe), and elevates the alert to high severity. She does not yet have grounds to disconnect the session; this could be a legitimate administrator working late. She requests an out-of-band verification.
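As an added illustration of the behavioral check described above (example code, not Cybool’s detection engine): build a per-user VPN login-hour baseline from historical log lines and score a new login against it, raising the severity further when the source address is also new for that user, which is the same two signals the analyst combined. The log line format, user name, IP addresses and the 10-sample minimum are assumptions; the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed VPN log lines ("<ISO timestamp> <user> <source IP>") for an
# administrator who normally connects on weekdays between 07:00 and 19:00.
VPN_HISTORY = [
    f"2026-03-{day:02d}T{hour:02d}:{minute:02d}:00 itadmin 198.51.100.{day}"
    for day, hour, minute in [
        (2, 7, 55), (2, 18, 40), (3, 8, 10), (3, 17, 5), (4, 7, 30),
        (4, 19, 0), (5, 9, 15), (5, 16, 45), (6, 8, 0), (6, 18, 20),
        (9, 7, 45), (9, 12, 30), (9, 18, 55),
    ]
]
# Constructed Day 0 event: 02:31 on a Tuesday, from an address the user has never used.
DAY0_LOGIN = "2026-03-10T02:31:00 itadmin 203.0.113.77"


def parse(line):
    ts, user, ip = line.split()
    return datetime.fromisoformat(ts), user, ip


def build_baseline(lines):
    """Per-user profile: login-hour histograms split weekday/weekend, plus the
    /24 prefixes the user has connected from."""
    baseline = defaultdict(lambda: {
        "weekday": defaultdict(int), "weekend": defaultdict(int),
        "prefixes": set(), "n": 0,
    })
    for line in lines:
        ts, user, ip = parse(line)
        bucket = "weekend" if ts.weekday() >= 5 else "weekday"
        prof = baseline[user]
        prof[bucket][ts.hour] += 1
        prof["prefixes"].add(ip.rsplit(".", 1)[0])
        prof["n"] += 1
    return baseline


def evaluate(baseline, line, min_samples=10):
    """Score one login. 'info' while the baseline is too thin to judge (assumed
    10-sample minimum), 'medium' for an hour never seen for this user, 'high'
    when the hour and the source prefix are both new."""
    ts, user, ip = parse(line)
    prof = baseline.get(user)
    if prof is None or prof["n"] < min_samples:
        return {"user": user, "severity": "info", "reason": "insufficient baseline"}
    bucket = "weekend" if ts.weekday() >= 5 else "weekday"
    hist = prof[bucket]
    if hist.get(ts.hour, 0) > 0:
        return {"user": user, "severity": "none", "reason": "within baseline"}
    seen = sorted(hist)
    if seen:
        reason = (f"{bucket} login at {ts:%H:%M} outside observed hours "
                  f"{seen[0]:02d}:00-{seen[-1]:02d}:59")
    else:
        reason = f"{bucket} login at {ts:%H:%M}; no {bucket} logins on record"
    new_prefix = ip.rsplit(".", 1)[0] not in prof["prefixes"]
    if new_prefix:
        reason += f"; source {ip} not previously seen for this user"
    return {"user": user, "severity": "high" if new_prefix else "medium", "reason": reason}


if __name__ == "__main__":
    print(evaluate(build_baseline(VPN_HISTORY), DAY0_LOGIN))
```

The minimum-sample guard matters in practice: a freshly onboarded account has no pattern to deviate from, and flagging every login for it only trains analysts to ignore the rule.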
Day 0, 02:35–02:46: Reconnaissance Inside
Between 02:35 and 02:46, the attacker runs reconnaissance commands inside the network. They enumerate Active Directory using net group and Get-ADUser. They check for backup software, antivirus exclusions, and unusual file shares. They map the network topology.
Each of these commands generates events in Cybool’s SIEM. Individually, they are not alarming — sysadmins run these commands. In sequence, they form a textbook pre-encryption reconnaissance pattern.
The SOC’s correlation rules trigger an automatic case escalation. A senior analyst joins the investigation.
Day 0, 02:47: The Anomalous PowerShell Command
At 02:47, the attacker executes a single PowerShell command that disables Windows Defender real-time protection and adds the user’s temp directory to the AV exclusion list. This is the canonical pre-staging move for ransomware deployment.
This event triggers an automated containment workflow:
- The EDR agent isolates the IT administrator’s endpoint from the network
- The VPN session is force-terminated
- The IT administrator’s account is disabled across Microsoft 365 and Active Directory
- Conditional access policies block any new authentication attempts from the user
- An emergency call goes to the customer’s named technical contact
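To show how the reconnaissance chain and the Defender-tampering command above can be correlated into an escalation and then a containment trigger, here is an added example in Python (not Cybool’s correlation rules). It keeps a per-user sliding window of events, escalates once enough distinct reconnaissance categories appear inside the window, and emits a containment decision the moment a pre-authorized high-confidence trigger fires. The event format, command lines, regular expressions, 15-minute window and three-category threshold are assumptions; the events are constructed to mirror the Day 0 timeline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SIEM events for one VPN session, mirroring the Day 0 timeline.
# Sources and command lines are assumptions about what the logs would contain.
EVENTS = [
    {"ts": "2026-03-10T02:31:00", "src": "vpn", "user": "itadmin", "host": "-",
     "detail": "vpn login from 203.0.113.77"},
    {"ts": "2026-03-10T02:35:10", "src": "sysmon", "user": "itadmin", "host": "WS-IT01",
     "detail": 'net group "Domain Admins" /domain'},
    {"ts": "2026-03-10T02:37:42", "src": "ps_scriptblock", "user": "itadmin", "host": "WS-IT01",
     "detail": "Get-ADUser -Filter * -Properties MemberOf"},
    {"ts": "2026-03-10T02:40:05", "src": "ps_scriptblock", "user": "itadmin", "host": "WS-IT01",
     "detail": "Get-MpPreference | Select-Object ExclusionPath"},
    {"ts": "2026-03-10T02:42:30", "src": "sysmon", "user": "itadmin", "host": "WS-IT01",
     "detail": "sc query type= service state= all"},
    {"ts": "2026-03-10T02:44:51", "src": "sysmon", "user": "itadmin", "host": "WS-IT01",
     "detail": "net view \\\\FS01"},
    {"ts": "2026-03-10T02:47:13", "src": "ps_scriptblock", "user": "itadmin", "host": "WS-IT01",
     "detail": "Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath $env:TEMP"},
]

# Reconnaissance categories: each alone is routine admin work.
RECON_RULES = [
    ("ad_group_enum", re.compile(r"\bnet\s+group\b.*/domain", re.I)),
    ("ad_user_enum", re.compile(r"\bGet-ADUser\b", re.I)),
    ("av_config_recon", re.compile(r"\bGet-MpPreference\b", re.I)),
    ("service_enum", re.compile(r"\bsc(\.exe)?\s+query\b", re.I)),
    ("share_enum", re.compile(r"\bnet\s+view\b|\bGet-SmbShare\b", re.I)),
]
# High-confidence triggers: Defender tampering is pre-authorized for automatic containment.
TAMPER_RULES = [
    ("defender_realtime_off", re.compile(r"\bSet-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("defender_exclusion_added", re.compile(r"\bAdd-MpPreference\b.*-ExclusionPath", re.I)),
]
CONTAINMENT_PLAYBOOK = (
    "isolate_endpoint", "terminate_vpn_session", "disable_account",
    "block_new_auth", "page_customer_contact",
)


def correlate(events, window_minutes=15, recon_threshold=3):
    """Walk events in time order with a sliding window per user. Emit one
    'escalate' decision when distinct recon categories in the window reach the
    threshold, and a 'contain' decision for every tamper trigger."""
    decisions = []
    window = defaultdict(list)
    escalated = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        window[user] = [(te, e) for te, e in window[user]
                        if t - te <= timedelta(minutes=window_minutes)]
        window[user].append((t, ev))
        recon = sorted({cat for _, e in window[user]
                        for cat, rx in RECON_RULES if rx.search(e["detail"])})
        tamper = [cat for cat, rx in TAMPER_RULES if rx.search(ev["detail"])]
        base = {"ts": ev["ts"], "user": user, "host": ev["host"], "recon_context": recon}
        if tamper:
            decisions.append({**base, "action": "contain", "trigger": tamper,
                              "playbook": CONTAINMENT_PLAYBOOK})
        elif len(recon) >= recon_threshold and user not in escalated:
            escalated.add(user)
            decisions.append({**base, "action": "escalate", "trigger": recon})
    return decisions


if __name__ == "__main__":
    for d in correlate(EVENTS):
        print(d["ts"], d["action"], d["trigger"])
```

Run against the constructed session, the rule escalates at 02:40 (three recon categories inside the window) and emits the containment decision at 02:47, with the five preceding recon categories attached as context for the analyst who picks up the case. The tamper check is deliberately independent of the recon count: a Defender-disabling command with no reconnaissance before it is still a containment trigger.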
Day 0, 02:59: Customer Engaged, Containment Verified
By 02:59, the customer’s CISO is on the phone with the Cybool senior analyst. The SOC walks her through the timeline. Containment is verified — no further attacker activity is observed. The forensic preservation workflow begins.
Elapsed time from first containment-eligible signal (02:47) to verified containment (02:59): 12 minutes.
No files were encrypted. No data was exfiltrated during the active intrusion (though OneDrive data was exfiltrated seven days earlier, on Day -7). The estimated direct cost of the incident (forensic investigation, password resets, conditional-access tuning, OneDrive review) was approximately USD 18,000.
A successful encryption event in this environment, based on industry averages, would have cost between USD 1.8 million and 4.5 million when factoring in downtime, ransom negotiation, forensic remediation, and regulatory disclosure.
The Three Things That Made the 12 Minutes Possible
In the post-incident review, three factors were identified as decisive:
1. Behavioral baselining, not signature matching. The 02:31 VPN alert fired because of a deviation from the user’s normal pattern, not because of a known-bad signature. The attacker’s technique was not novel; what gave the SOC its first lead was the timing anomaly.
2. Correlation across data sources. No single event was alarming. The VPN login, the AD enumeration, the PowerShell execution, the AV-tampering command — each in isolation has plausible legitimate explanations. The SOC’s ability to correlate them as a chain was what triggered escalation.
3. Pre-authorized containment actions. The customer had previously agreed that Cybool could automatically isolate endpoints and disable accounts in response to specific high-confidence triggers, without waiting for customer approval. That authorization saved an estimated 25–40 minutes of decision delay — a period during which the attacker would have deployed the ransomware payload.
The Day -7 Lesson
The most uncomfortable finding in the post-incident review was Day -7. The original credential-theft event was correctly detected and routinely neutralized, but the SOC did not investigate what the attacker had done with the credentials during the 90-minute access window before the password was changed. That OneDrive export, including the network diagram, gave the attacker the reconnaissance material used to plan the Day 0 intrusion.
In response, Cybool updated its routine credential-theft playbook: any confirmed account compromise now triggers a full review of the affected user’s OneDrive, SharePoint, and email activity during the compromise window, and an enumeration of any OAuth tokens granted to third-party applications during or after the event. This is now the default for every customer.
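An added example of the compromise-window review the updated playbook calls for (example code, not Cybool’s playbook implementation): filter audit records for the affected user to the compromise window, list file downloads, mailbox access and inbox rules from that window, and enumerate application consents from the window start onward, since a consent grant is not undone by the password reset. Record fields and operation names follow the shape of Microsoft 365 Unified Audit Log entries; the records, user names, file paths, IP addresses and the application name are constructed.

```python
from datetime import datetime


def _rec(ts, user, op, workload, obj, ip):
    """Constructed record in the shape of a Unified Audit Log entry."""
    return {"CreationTime": ts, "UserId": user, "Operation": op,
            "Workload": workload, "ObjectId": obj, "ClientIP": ip}


# Constructed audit trail: the Day -7 finance-user compromise (attacker IP
# 203.0.113.5) bracketed by the user's own normal activity, plus the Day -5
# consent grant on the IT administrator's account. Names and paths are assumptions.
AUDIT = [
    _rec("2026-03-03T08:30:00", "finance.user@example.com", "FileAccessed", "OneDrive",
         "/personal/finance_user/Documents/Q1-forecast.xlsx", "198.51.100.20"),
    _rec("2026-03-03T09:12:00", "finance.user@example.com", "UserLoggedIn", "AzureActiveDirectory",
         "", "203.0.113.5"),
    _rec("2026-03-03T09:15:22", "finance.user@example.com", "FileSyncDownloadedFull", "OneDrive",
         "/personal/finance_user/Documents/network-diagram.vsdx", "203.0.113.5"),
    _rec("2026-03-03T09:31:05", "finance.user@example.com", "FileDownloaded", "OneDrive",
         "/personal/finance_user/Documents/Supplier-Contracts.xlsx", "203.0.113.5"),
    _rec("2026-03-03T10:05:40", "finance.user@example.com", "MailItemsAccessed", "Exchange",
         "", "203.0.113.5"),
    _rec("2026-03-03T10:44:00", "finance.user@example.com", "FileAccessed", "OneDrive",
         "/personal/finance_user/Documents/Q1-forecast.xlsx", "198.51.100.20"),
    _rec("2026-03-05T14:02:00", "it.admin@example.com", "Consent to application.", "AzureActiveDirectory",
         "Teams Support Helper", "203.0.113.9"),
    _rec("2026-03-05T14:03:10", "it.admin@example.com", "UserLoggedIn", "AzureActiveDirectory",
         "", "203.0.113.9"),
]

DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}
MAILBOX_OPS = {"MailItemsAccessed", "Send", "SendAs", "SendOnBehalf"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
CONSENT_OPS = {"Consent to application.", "Add app role assignment grant to user."}


def review_compromise_window(records, user, window_start, window_end):
    """Summarise what the account did between first attacker login and the
    password reset, and enumerate application consents from the window start
    onward (a consent grant outlives the reset, so it gets no end bound)."""
    start, end = datetime.fromisoformat(window_start), datetime.fromisoformat(window_end)
    summary = {"user": user, "downloads": [], "mail_access": 0,
               "inbox_rules": [], "consents": [], "source_ips": set()}
    for r in records:
        if r["UserId"] != user:
            continue
        t = datetime.fromisoformat(r["CreationTime"])
        op = r["Operation"]
        if op in CONSENT_OPS and t >= start:
            summary["consents"].append(r["ObjectId"])
            continue
        if not start <= t <= end:
            continue
        summary["source_ips"].add(r["ClientIP"])
        if op in DOWNLOAD_OPS:
            summary["downloads"].append(r["ObjectId"])
        elif op in MAILBOX_OPS:
            summary["mail_access"] += 1
        elif op in RULE_OPS:
            summary["inbox_rules"].append(r["ObjectId"])
    # The compromise is not "neutralized" while any of these lists is non-empty.
    summary["follow_up_required"] = bool(
        summary["downloads"] or summary["inbox_rules"] or summary["consents"])
    return summary


if __name__ == "__main__":
    print(review_compromise_window(AUDIT, "finance.user@example.com",
                                   "2026-03-03T09:12:00", "2026-03-03T10:42:00"))
    print(review_compromise_window(AUDIT, "it.admin@example.com",
                                   "2026-03-05T14:00:00", "2026-03-05T14:30:00"))
```

For the finance user the review surfaces the two OneDrive downloads (the network diagram among them) and the mailbox access, all from the attacker’s address; for the IT administrator it surfaces the consent grant. Either result flips the account from "routine credential theft, neutralized" to "follow-up required".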
The 12 minutes from PowerShell command to containment is the headline. The lesson from Day -7, that a credential compromise cannot be counted as fully neutralized until the access taken with it has been audited, is the one that actually transfers.
Cybool’s 24/7 MDR service combines behavioral detection, multi-source correlation, and pre-authorized containment to compress incident timelines from hours to minutes. Request a demo or book a free cyber risk assessment.