
How Always Beyond Caught a 6-Month Residential Proxy Attack Their Prior ITDR Missed
Petra Security: ITDR 2.0 for MSPs and their clients.
The Initial Challenge
Always Beyond came to Petra looking for more complete M365 protection that didn't require ongoing manual upkeep.
Julian Gelfand, COO and co-founder of Always Beyond, identified Microsoft Teams external-messaging attacks as a category their existing ITDR provider, Huntress, could not address without ongoing manual work.
Microsoft Teams has become a significant attack vector, one that bypasses most security tools. Julian’s team could protect against these attacks through Huntress, but only by maintaining a whitelist of approved external users. At their size, the manual upkeep had become an operational burden.
"The biggest selling point for us was Petra's ability to protect against external users in Teams. Huntress can do it too, but you have to go through the same process we use with our other security tools: maintaining a whitelist. With Petra, we don't have to do any of that. There's built-in protection, and that's what we want to take advantage of more than anything else." - Julian Gelfand, COO and Founder, Always Beyond Corp
The Bigger Win: Superior Detection
Petra immediately surfaced a 6-month residential proxy compromise that had gone undetected by their existing ITDR.
Always Beyond deployed Petra to their client base in a single rollout session. Within hours, Petra surfaced a latent compromise at one of their clients. The attacker had compromised the account through a residential proxy and had been inside the account for six months.
The compromise started with an adversary-in-the-middle phishing attack. Over the four months following the initial compromise, the attacker conducted multiple waves of malicious activity from the account:
- In November, the attacker sent outbound emails from the account.
- In December, the attacker uploaded a phishing file to the user's SharePoint and shared it externally with several recipients.
- Between January and February, the attacker ran invoice-fraud campaigns from the user's mailbox.
Because the user's password had not been reset since before the initial compromise, the attacker still had full access to the account.
Catching Residential Proxy Attacks
Petra's residential proxy detection finds the pattern across the session, not the IP in isolation.
Most ITDR detection models check individual logins for IP reputation and impossible-travel patterns. Using that approach, nothing about this attack looked wrong. Every IP the attacker used was a legitimate Canadian residential broadband connection, and the activity was paced slowly enough across weeks that no velocity-based detection ever fired.
The pattern only surfaces when you look at the user's behavior over time, not at any single login in isolation. With Petra’s detection model, the attacker’s full session history is compared to normal activity for that account, making these modern attacks visible even when every individual login appears legitimate.
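The contrast described above, as an added example that is not from the original page and is not Petra's detection model: a per-login check (IP reputation plus impossible travel) and an account-level comparison against a baseline, run over the same constructed sign-in records. The record fields, ISP labels, coordinates and thresholds are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

def ev(day, ip, asn, lat, lon):
    """Build one constructed sign-in record; ip_flagged models an IP-reputation hit."""
    return {"t": datetime(2024, 1, 1) + timedelta(days=day), "ip": ip,
            "asn": asn, "lat": lat, "lon": lon, "ip_flagged": False}

# Constructed data (documentation IP ranges, made-up ISP labels).
# Baseline: the user signs in from one home connection every other day.
BASELINE = [ev(d, "203.0.113.10", "ISP-A", 49.28, -123.12) for d in range(0, 60, 2)]
# Recent window: the user's own logins plus slow-paced logins from other
# clean residential ISPs in the same region.
RECENT = [ev(61, "203.0.113.10", "ISP-A", 49.28, -123.12),
          ev(64, "198.51.100.7", "ISP-B", 49.10, -122.66),
          ev(65, "203.0.113.10", "ISP-A", 49.28, -123.12),
          ev(71, "198.51.100.93", "ISP-C", 49.17, -123.94),
          ev(78, "192.0.2.41", "ISP-D", 49.89, -119.50)]

def km(a, b):
    """Great-circle distance between two events (haversine)."""
    la1, lo1, la2, lo2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def per_login_alerts(events, max_kmh=900):
    """Per-login model: IP reputation plus impossible travel between neighbours."""
    alerts = [e for e in events if e["ip_flagged"]]
    for prev, cur in zip(events, events[1:]):
        hours = (cur["t"] - prev["t"]).total_seconds() / 3600
        if hours > 0 and km(prev, cur) / hours > max_kmh:
            alerts.append(cur)
    return alerts

def session_history_score(baseline, recent):
    """Account-level model: how much of the recent window comes from networks
    the account never used during its baseline period."""
    known = {e["asn"] for e in baseline}
    new = [e for e in recent if e["asn"] not in known]
    return {"new_asn_share": len(new) / len(recent),
            "distinct_new_asns": len({e["asn"] for e in new})}

def is_suspicious(score, min_share=0.5, min_asns=2):  # assumed thresholds
    """Flag when most recent activity is spread over several unfamiliar networks."""
    return score["new_asn_share"] >= min_share and score["distinct_new_asns"] >= min_asns
```

On this data the per-login check raises nothing, while the account-level comparison flags the recent window because most of its sign-ins come from several networks absent from the baseline.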
Turning on Petra Response
Always Beyond turned on automatic remediation across every client tenant to speed up response and reduce operational burden.
Within days of completing the rollout, Always Beyond enabled automatic remediation across every tenant in their book of business. Now, when Petra detects an account compromise, the affected accounts are locked, active sessions are revoked, and any malicious activity by the attacker is cleaned up immediately, limiting damage from the attack and allowing Always Beyond’s team to focus on other high-value work.
–
Always Beyond delivers all-inclusive managed services to small and mid-sized businesses across Western Canada, covering everything from day-to-day IT support to cybersecurity, cloud, and technology strategy. To get best-in-class M365 identity protection through a world-class MSP, visit alwaysbeyond.com.





















