How M Cubed Stopped 7 Attackers Missed By Huntress ITDR


M Cubed prides itself on being the trusted IT partner for businesses from the Heartland all the way to California. M Cubed focuses on proactively managing client infrastructure 24/7/365 so that they can run as smoothly and efficiently as possible. M Cubed believes most IT problems (including BECs) are avoidable, so why wait for failure?
To get best-in-class cyber services (including Petra) from a world-class MSP with excellent support, visit https://www.mcubedtechnologies.com/ or email info@mcubedtechnologies.com.
Challenge
Pre-Petra
M Cubed is no stranger to dealing with M365 attacks.
“We were seeing our clients get, just, hammered by attacks”, says David, CTO at M Cubed Technologies. “And 365 attacks have gone up like crazy. These days, I would say 20% [of attacks] are EDR, 80% [of attacks] are 365.”
Pre-Petra, M Cubed’s prior ITDR was Huntress ITDR, which they had deployed to all clients.
“We’re huge Huntress fanboys. Still are.”
“But we love great tech. It’s what we do. And so when we got the demo [at a conference in late 2025], I came back and I was pretty ecstatic about it”, says David.
“I brought it back to my guys, and Brian [on the M Cubed team] did a lot of digging himself. Then he came back to me and was like ‘okay, alright, this thing is pretty awesome’.”
Challenge
Evaluating Petra
“I think on the first night, we threw some clients on there. We chose the clients who typically always get hammered with alerts, right?”, says David.
“Immediately that night, Brian shot me an email that said: ‘look at this report!’. I saw it and I said, ‘oh man’, you know what I mean?”
Petra found 7 currently lurking attackers across 7 different clients. All of these clients were being actively monitored by Huntress ITDR at the time. Using Petra, M Cubed was able to shut down all 7 attacks for their clients that evening.
Then, David spun up Petra Autopsy, a 24-hour forensic investigation tool, to examine 19 compromises that had occurred while Huntress ITDR was monitoring, and to pull out new forensic details.
Here’s what Autopsy uncovered across 19 compromises:
- Huntress ITDR caught attack 4 months and 4 days late. Attacker accessed 23,363 emails and sent 49 malicious invoices.
- Huntress ITDR caught attack 3 months and 1 day late. Attacker accessed 694 emails and sent at least 9 malicious RFQs.
- Huntress ITDR caught attack 1 month and 26 days late. Attacker accessed 1,082 emails and 3 documents and sent 798 malicious invoice requests.
- Huntress ITDR caught attack 1 month and 10 days late. Attacker sent at least 105 malicious invoices.
- Huntress ITDR caught attack 1 month and 1 day late. Attacker accessed 59 emails.
- Huntress ITDR caught attack 1 month and 2 days late.
- Huntress ITDR caught attack 13 days and 23 hours late. Attacker accessed 2,324 emails.
- Huntress ITDR caught attack 4 days and 22 hours late. Attacker accessed 124 emails.
- Huntress ITDR caught attack 1 day and 21 hours late. Attacker accessed 373 emails and sent 2 malicious invoices.
- Huntress ITDR caught attack 18 hours late. Attacker sent at least 146 malicious invoices.
- Huntress ITDR caught attack 3 hours and 33 minutes late. Attacker accessed 185 emails and sent at least 18 malicious emails.
- Huntress ITDR caught attack 30 minutes late. Attacker accessed 57 emails.
- Live attacker, not caught by Huntress ITDR, active for 3 months and 1 day, accessed 10,713 emails, sent a malicious email.
- Live attacker, not caught by Huntress ITDR, active for 3 months and 21 days, accessed 172 emails.
- Live attacker, not caught by Huntress ITDR, active for 4 months and 10 days, accessed 1,178 emails.
- Live attacker, not caught by Huntress ITDR, active for 2 months and 3 days.
- Live attacker, not caught by Huntress ITDR, active for 5 months and 6 days, accessed at least 27 emails (during 6-month forensic window).
- Live attacker, not caught by Huntress ITDR, active for 21 days and 22 hours.
- Live attacker, not caught by Huntress ITDR, active for 2 months and 15 days.
By the numbers:
- In the 12 cases that Huntress ITDR had caught, Petra Autopsy found the attack was caught on average 32.9 days late.
- In the 7 cases that Huntress ITDR missed, where the attacker was still active, the attacker had been lurking for 92.6 days on average.
- Across all cases, 3,104 emails on average were accessed by attackers due to late response.
- Across all cases, 42.1% of attackers sent malicious emails (fraudulent invoices, fraudulent invoice requests, malicious RFQs) from compromised accounts due to late response.
“I was like, ‘holy crap’. You know what I mean? That’s what I’m talking about right there.”
Results
With Petra, 51-second response & instant forensics
Since that time, M Cubed has switched to Petra.
Petra has already stopped 3 real-time attacks for M Cubed (in addition to the 7 lurking attackers it discovered and stopped), on average 51 seconds after Microsoft publishes the logs.
“It’s just, crazy fast, especially when you see what was happening before”, says David.
“I think a lot of people are in the same position that we were––they just don’t know what’s really happening until all the forensic analysis is done. We’d thought [attacks] were being caught fast, but we had a rude awakening, and now we know what fast really looks like. Now we get to pass that huge speed [increase] along to our clients.”
What’s surprising? The forensic depth.
We asked M Cubed: what’s been most surprising since turning on Petra?
Brian says: “For me, it’s just the fact that it finds all this stuff, you know? All this attacker activity from past compromises, just after turning it on.
“Because like David’s saying, we were with Huntress and had their ITDR add-on, and it’s like ‘hey, we saw something’. But I’m there thinking: where did it come from? How did it happen? Who clicked what? What did the attacker do? Petra shows all of that. The detail level on [Petra] has been really good––even on past attacks. That was surprising to me.”
With Petra, saving hours of painstaking work for high-compliance clients
David laughs, then adds: “I’m glad to share this one, because your software saved me so many hours of work. We have a large client that’s a financial firm, and they’re very stringent when it comes to compromises. So whenever something happens, they usually say, ‘David, I want to know what happened, who did it, what they clicked on, what was accessed’––and it’s been a pain for us. You feel my pain, right? I have to go through Purview, I have to try to find some sort of way to explain to them what happened. They’re not the type to say ‘just tell me you took care of it’, no, they want all the little details. And I get why.”
“This right here [Petra] just saved me so many hours.”
“Then on another client, automotive dealership, they asked us ‘hey, this phish, can you dig into everyone’s mailbox and remove it? And do a sweep just to be safe’. Before Petra, I had to go find the PowerShell script, connect to 365, start digging through Purview, make sure it runs, re-check it… But with Petra, it was one click. This stuff is easy.”
“Our time is better spent elsewhere, right? There are so many better ways we could be helping [clients]. This saves us so much time, because we can just copy, paste, download, and say ‘here you go’, and that’s it.
“That detail and clarity, literally delivered instantly, is a huge benefit our clients get that no other MSP on these old ITDRs gets.”
Takeaways
We asked M Cubed what it was like to switch from Huntress ITDR, even when they’re big fans of the vendor for their EDR software.
“When we decided to go Petra, I got an email from our Huntress account manager saying, you know, ‘I really want to save this relationship and I don't understand how their product can be so much better’. And I said, ‘look, let's talk, but I will tell you, you had access to this client for over a year, and within 24 hours, Petra found that there was an attacker in this account––I’m talking about that has been compromised for almost a month––and I said, ‘your system couldn't find it’. Then that happened 6 more times. I said, ‘I’m not saying you guys suck. I’m still with you, I like your EDR, right?’ I said, ‘I’m still with you, man. But it's just, I think you guys are a little behind when it comes to the ITDR portion. That's it. That's what I told them.’ I said, ‘I’m just being real honest with you. They blew you guys out of the water. 24 hours, they caught attacks you missed for a month, they blew you out of the water. It is what it is, man.’
“At the end of the day, our clients stick with us because they know we’re on top of it. We’re going to do what needs to be done and stay up to date with attacks. Now with Petra, we get to help folks do that [M365 protection] a whole lot better than they get with most MSPs.”
Asked what he’d say to clients interested in Petra, David says, “I’d say, ‘Come on [to M Cubed], let’s get you set up with an Autopsy. I bet you’ll be as surprised as we were to find what’s really going on [with your M365 attacks]. I think you’ll fall in love with the tool, too. I really do.’”