Here’s something most small business owners don’t want to believe: small businesses are the most common ransomware target by sheer number of incidents. Not hospitals. Not banks. Not Fortune 500 companies making headlines. Small businesses, because the math works out better for attackers at that scale.
A 22-person company has real revenue worth pursuing, no dedicated security staff standing in the way, and a publicly visible footprint that takes about an hour to piece together. That combination is exactly what makes businesses like yours attractive.
What follows is a step-by-step account of how an attack like this actually unfolds, written from the attacker’s perspective. The company in this story is a composite, but every method described reflects how these attacks work today. After the walkthrough, you’ll see five specific moments where the attack could have been stopped, using controls that come bundled in security tools most small businesses are already paying for.
Monday: How I Picked You
I keep regular hours and run a small, focused operation. My target list runs about 40 companies a month, and I prefer businesses between 10 and 50 staff. The reason is simple economics. Large enterprises have security teams, incident response contracts, and lawyers who make any compromise expensive on my end. Sole traders, on the other hand, rarely have enough on the line to be worth the effort. A 22-person commercial services company sits right in the middle: payroll, a customer database, project files, supplier relationships, and an owner who will pay to get it all back. The return per hour is better at this size than at either end of the spectrum.
I didn’t find you through a data breach or an inside tip. I found you on a public business records portal. State business registries, federal contract awards, and county-level licensing databases publish enough detail to identify your company, look up your name, estimate your revenue, and figure out the most useful person inside your organization. One search turned up your company name, your registered agent, the contract value of a recent municipal job, and the named contact on the submission.
The fact that nothing has gone wrong at your company yet is actually the strongest signal I look for. It tells me your login credentials are probably still valid, your staff hasn’t been trained to spot anything suspicious, and nobody has had a reason to change a password recently. A clean record is the first green light.
Tuesday: Building Your Org Chart for Free
I spend about 40 minutes researching your company today, using nothing but a browser.
LinkedIn shows me eight of your current employees with their job titles. Your office manager has been there six years and lists “accounts payable, payroll, and supplier invoicing” right in her profile summary. Your second admin joined 14 months ago. Your own profile is sparse, with a low connection count, which tells me you probably won’t notice if someone starts quietly engaging with your company’s social media.
Public business filings confirm your registered business name and your full legal name. A “meet the team” post from two years ago on your Facebook page lists first names and photos, including someone described as helping out in the office a couple of days a week. One of the commenters shares your surname.
I now know who handles your money, what her name is, how long she’s been there, and what software she probably uses (a quick check of your Indeed job listings confirms you ask for “experience with QuickBooks or Sage”). More importantly, I know who in your business can approve a payment without a second signature.
That person is my primary target. You’re harder to reach and probably more cautious. Your office manager has system access, handles supplier payments, and is busy enough that one more email in her inbox doesn’t get the scrutiny it might otherwise get. I haven’t spent a dollar yet.
Wednesday: I Bought Your Credentials for $14
Stealer logs are packages of usernames and passwords harvested by malware that infected someone’s personal device, sometimes months or years earlier. The malware records everything typed into that machine, bundles the data, and sells it. Marketplaces on private Telegram channels and underground forums let buyers search these packages by company email domain.
I search for your domain. Two results come back. One is your office manager’s work email, with a password that looks like it was saved in her browser. The other is a personal Gmail address that appears to belong to a family member, probably from a device that shared a home network at some point.
I pay $14 for the package. It takes four minutes.
Your office manager’s password follows a pattern I see constantly: a pet or child’s name, a year, and an exclamation mark. I run it through HaveIBeenPwned, the same free tool security professionals use, and find it appeared in a credential dump from a retail loyalty program breach three years ago. The password hasn’t been changed since.
The family member’s credentials are more interesting. The same password, with minor variations, turns up across a streaming service, a gaming account, and your company’s Microsoft 365 login. It works. The only thing between me and the inbox at this point is the second verification step.
Total spend: $14.
Thursday: Getting Past Your MFA
Multi-factor authentication (MFA, the extra verification step beyond your password) stops a lot of attacks. But how it’s set up matters more than whether it’s turned on at all.
The simple approach of bombarding someone with approval requests until they tap “yes” out of frustration doesn’t work against your office manager’s account. Microsoft enabled number matching by default for all Microsoft Authenticator push notifications back in May 2023, which means she’d have to type a specific code from her screen rather than just tap approve. That approach fails here.
What still works is a technique called adversary-in-the-middle phishing. Think of it like a valet who copies your car key while pretending to park your car. I send your office manager an email that looks like a routine Microsoft 365 security alert, referencing the same breach where I found her credentials earlier in the week. The link takes her to a page that mirrors the real Microsoft sign-in screen exactly. That page is a proxy I control.
When she enters her password and approves her MFA prompt, my proxy forwards both to the real Microsoft login server. Microsoft validates everything and issues a session token, essentially a digital “you’re logged in” wristband, back to my proxy. I capture it. She sees a normal login experience and then a “password updated successfully” message.
I’m now signed in as her. Microsoft sees a valid authenticated session and treats everything I do as legitimate.
I also had a backup plan ready. Earlier that day, I called your office posing as your IT support company, using a name I found in a Google review you’d left 18 months earlier. I told your receptionist we were seeing unusual login activity on the office manager’s account and that she’d need to approve a verification prompt shortly. The receptionist said the office manager wasn’t at her desk. I said no problem, I’d try again later. The call cost nothing.
By Thursday night, I’m inside your office manager’s Microsoft 365 account. I set up a hidden inbox rule so her emails copy to an address I control without alerting her, and then I wait.
Friday 2:47 PM: Why I Waited 36 Hours Before Encrypting
I spend 36 hours reading email before I touch anything. That time is how I set the ransom at the right number.
In those 36 hours, I find your cyber insurance policy in an email from your broker, with a liability sub-limit of $250,000. A bank reconciliation your office manager sent you two weeks ago shows your business account sitting around $180,000 at month end. Your customer list is sitting in a quote template she emailed to herself. A message thread with a municipal project manager mentions a job starting in three weeks with a hard deadline you cannot miss.
I set the ransom at $65,000 in cryptocurrency. Low enough that paying beats fighting. High enough to be worth my time. Well within what I know you can access. Ransoms set above 10 percent of visible liquid assets tend to get contested, so I stay below that line.
I deploy the encryption at 2:47 PM on Friday. The timing is deliberate. Your bookkeeper finishes at 3 PM on Fridays, which I know from an out-of-office reply I saw in the forwarded emails. You’re on a job site, with your calendar synced to the shared inbox. The person most likely to notice something wrong is already gone, and the person with the authority to make decisions is unreachable.
By Friday evening, every file on your shared drive is encrypted. A ransom note sits on every screen in your office. It’s the kind of Friday afternoon that makes New Orleans traffic feel like a minor inconvenience by comparison.
Total cost to me: $14 in credentials and about six hours of work spread across the week.
Five Places This Attack Would Have Died
This attack worked because five ordinary things weren’t in place. None of them are expensive. Most come bundled in tools you’re probably already paying for.
1. The credential purchase on Wednesday.
HaveIBeenPwned is free and available to anyone. Microsoft Entra password protection can detect and block reused or commonly compromised passwords across your accounts. Enforcing unique passwords through a password manager and through Entra’s built-in policies makes a $14 credential purchase worthless to me before I even try to use it.
2. The MFA bypass on Thursday night.
Microsoft already blocks the simpler push-bombing approach because number matching has been on by default since May 2023. The current bypass that actually works is the proxy-style phishing attack described above. Stopping it requires phishing-resistant MFA (physical security keys, passkeys, or Windows Hello for Business), Conditional Access policies that require a trusted device, and anti-phishing protection in Microsoft Defender for Office 365. Any one of those would have either blocked the session capture or made the captured token useless from my location.
3. The hidden inbox forwarding rule.
Microsoft 365 lets administrators block external email forwarding rules at the account level. With that setting enabled, the rule I used to read 36 hours of your email simply wouldn’t have worked. I might have encrypted the files anyway, but I’d have been guessing on the ransom amount.
4. The 36-hour window where nobody noticed.
Microsoft Defender for Business, which is included in Microsoft 365 Business Premium, generates an alert when a new inbox forwarding rule gets created. If anyone had been watching those alerts, or if they’d been routed somewhere visible, I’d have been detected Thursday night. The most impactful change for a business your size is usually not a new product purchase. It’s making sure someone is actually reviewing the alerts your existing tools are already generating.
5. The public-facing staff information.
You can’t unpublish a state contracting registry or a federal contract award. That data stays public. What you can control is what your team posts about their specific day-to-day responsibilities. Your office manager’s LinkedIn profile listed her financial duties in enough detail to make her the obvious target. That’s worth a straightforward conversation with your team, framed as practical security awareness rather than a policy about what people can post.
Three Questions to Send Your IT Provider
These three questions cover most of where this attack succeeded. Each one maps to a control that comes bundled with security tools you most likely already pay for. If your IT provider can’t answer them clearly and quickly, that’s useful information too.
Are we using phishing-resistant MFA (physical security keys, passkeys, or Windows Hello for Business) for finance, admin, and executive logins?
Is external email forwarding blocked at the account level?
Are our security alerts going somewhere, and is someone actually reviewing them?
Article FAQs
Do hackers target small businesses?
Yes, consistently. Most ransomware operations target small and mid-sized businesses because the ratio of payout potential to defensive resources is better than at either end of the size spectrum. The preferred range is roughly 10 to 50 staff, where there are assets worth encrypting but no dedicated security team to push back.
What is adversary-in-the-middle phishing?
It’s an attack where the criminal hosts a fake login page that mirrors a real one, such as Microsoft 365 or Google Workspace. When the user enters their credentials and approves the MFA prompt, the fake page captures the resulting session token (the digital “you’re logged in” credential) and passes it to the attacker’s browser. The real service sees a successful login. The attacker is now inside. This technique became the dominant credential-based attack against Microsoft 365 after number matching ended simpler push-bombing attacks.
What is a stealer log?
A stealer log is a package of credentials harvested by malware from an infected personal device. The malware records browser-saved passwords, active session cookies, and stored authentication tokens, then bundles everything for sale on underground markets, typically for $10 to $20 per package. The malware usually gets onto personal computers through pirated software or malicious browser extensions.
How much does it cost an attacker to compromise a small business?
In the walkthrough above, the total spend was $14 for stolen credentials and roughly six hours of work spread across a week. Costs vary, but the barrier to attempting an attack like this sits well below $100. That’s the uncomfortable reality of how accessible these attacks have become.
Are there free tools that would have stopped this attack?
Several of the controls in the walkthrough come bundled with Microsoft 365 Business Premium licenses that businesses in this size range typically already hold. Blocking external forwarding and enabling Defender for Business alerts are configuration changes, not new purchases. HaveIBeenPwned is free. Phishing-resistant MFA hardware keys carry a small per-user cost that looks very different next to the average ransomware payout.
If you’re a small or mid-sized business in the Greater New Orleans area and you’re not sure whether these controls are actually turned on in your environment, that’s exactly the kind of question Bourn Technology can answer for you. We work with professional services firms across New Orleans to make sure the security tools you’re already paying for are properly configured and actively monitored, before an attacker has a chance to find the gaps. Reach us at (504) 262-1234 or hello@go.bourntech.com to start the conversation.