Petra Security

Stop Attacks Before Damage

Automated toolkits inflict damage within minutes of access. The challenge has shifted from simply catching attacks to stopping them before damage is inflicted.

Ed Torgas·July 13, 2026

Contrary to popular belief, it only takes a few minutes in an account for an attacker to wreak havoc. We frequently see attackers reading sensitive emails, sending fraudulent invoices, and setting up malicious inbox rules within minutes of accessing the account.

Prior to the AI era, attacks were much slower, as the attacker needed to manually log in, poke around, and figure out what they could do. Back then, ITDR performance could reasonably be measured by "did you catch this attack?"

Now, as attackers speed up, you need to both catch attacks and stop them quickly, before damage is inflicted.

Case 1: Catching before the send

In this incident, which targeted a nonprofit, Petra was monitoring the account, but automated response was disabled. So we can see when Petra would have stopped it, and what happened after alerting but before manual remediation actions were taken.

Petra activity log — Case 1: a successful login at 08:22, Microsoft's log published at 08:27, Petra flagging the attacker at 08:28 (64 seconds later), and the fraudulent email sent at 08:32.

At 8:21am, the attacker logged in successfully. The Microsoft log was published 4.5 minutes later, and Petra detected the attack just 64 seconds after the log was published. At that point, an inbox rule had been set up, but, notably, no fraudulent emails had been sent out.

Four minutes after Petra's detection, the fraudulent email was sent, sending false payroll information to a coworker. Only ten minutes elapsed between the initial login and the email. If you remediated this incident 16 minutes after login, or even 5.5 minutes after the logs were published, you would be too late. The damage is already done.

Case 2: Automation speeds up attackers.

Let's take a look at an automated, fast attack on a small HVAC company. We uncovered this attack, which occurred prior to Petra, while scanning a new tenant.

The attack was driven by a classic AitM toolkit, and within the first 60 seconds the IP address automatically rotated through multiple hosted/proxy IPs.

Petra activity log — Case 2: the AitM toolkit's logins rotating across data-center IPs (global internet solutions, clouvider, logicweb) within seconds.

Now that the toolkit had access, it searched for sensitive emails and sent out a fraudulent email within 14 minutes of accessing the account.

Petra activity log — Case 2: the fraudulent email sent, immediately followed by two inbox rules created to conceal it.

Within 15 minutes, it had added inbox rules to conceal the email and then deleted it from the account. If the attack was flagged only when the inbox rule was created, it would have caught it after reputational damage occurred.

All in all, in just the first 15 minutes, the attacker sent a malicious email, deleted three emails to cover his tracks, and read 139 others.

Enabled by automation, attackers are speeding up. As AI adoption grows, it will only become more important to catch attackers and stop them as quickly as possible.

Takeaway: Responding within 3-5 minutes after initial access has become the difference between an incident report and a stopped attack.

The question is quickly shifting from "Did you catch the attack?" to "Did you catch the attack before the damage was done?"

And these days, the damage happens in just a few minutes.

If your identity security tool isn't catching these attacks in seconds, it may be too late. If you're defending Microsoft environments, try Petra today.

See what's in your last six months of logs.

Get insurance-grade forensics on the last 6 months of your M365 logs. Setup takes 5 minutes with results in 48 hours.