
The Exploit: Anatomy of a Modern Cyber Heist Part 4 - The Quiet Intruder


BEC attacks cost U.S. businesses $2.8 billion in 2024, according to the FBI's Internet Crime Complaint Center. In Q2 2025, the average wire transfer BEC attack requested $83,099, a 97% increase from the prior quarter. Financial institutions were the most-targeted sector, accounting for 18.3% of all phishing attacks. For mortgage companies processing six-figure wire transfers daily, these aren't abstract numbers.

Three weeks had passed since Chad clicked that link.

The suspicious invoice had been flagged. CYA Finance's IT team followed their standard incident response protocol. They revoked Chad's credentials. They reset passwords across key systems. They ran a security review and filed a report. The language was familiar: "phishing incident," "credential compromise," "recommend further employee training."

Everyone breathed a sigh of relief. Systems were running. Emails were flowing. Business carried on.

But the attacker had never left.

Buried Deep

NullGhost knew the playbook. They were counting on it.

Before the first help desk ticket was opened, NullGhost had planted a custom script on a forgotten file server. It was disguised to look like part of the routine backup process. It ran quietly in the background. It blended in with scheduled jobs.

The script didn't collect data. Not yet. It just kept the door open.

After Chad's account was deactivated and the "immediate threat" was neutralized, NullGhost still had access. That single overlooked script acted as a beacon. It pinged out at regular intervals, waiting for the all-clear.

When everyone moved on, NullGhost resumed operations.

The Real Heist

With access restored, NullGhost launched the second phase.

They didn't smash and grab. They exfiltrated data slowly. Client records. Financial spreadsheets. Email archives. Each batch was encrypted and sent off-site in small packets disguised as system telemetry or cloud sync activity. Every transfer flew under the radar. No alerts triggered. Nothing looked unusual.

Then came the kill shot.

NullGhost identified a routine vendor payment scheduled for the following week. Using their access to internal communications, they altered the payment instructions just enough to redirect funds to a lookalike bank account under their control.

Nobody noticed. Not until the money was gone.

By the time CYA Finance discovered the discrepancy, the six-figure wire transfer had cleared, moved through a cryptocurrency tumbler, and vanished across three jurisdictions.

The Last Clue

Weeks later, a forensic audit uncovered a single strange DNS query originating from a machine with no known user login. The query matched a hostname tied to the original proxy phishing site NullGhost had used.

Whether it was a mistake or a deliberate taunt, nobody could say.

The message was clear: Chad's click was never the breach. It was just the invitation.

What CYA Finance Got Wrong

CYA Finance followed a standard incident response playbook. Reset credentials. Run a scan. File a report. Move on. That playbook works for commodity threats. It doesn't work for persistent attackers who plan their access in layers.

Here's what a proper response would have included:

  • Forensic threat hunting: Credential resets don't remove persistence mechanisms. A threat hunter examines scheduled tasks, startup scripts, registry entries, and DNS logs for signs of ongoing access. Microsoft Defender for Identity surfaces these anomalies automatically, but only if it's deployed and monitored.
  • Network traffic analysis: NullGhost's data exfiltration looked like normal traffic because nobody was watching for it. Microsoft Sentinel correlates network telemetry with identity events and endpoint behavior. A slow trickle of encrypted data to an unknown domain would have triggered a detection rule.
  • Payment verification controls: The wire fraud succeeded because payment instructions were changed through a compromised email channel. Out-of-band verification, confirming payment changes through a separate channel like a phone call to a known number, would have caught the redirection.

Lessons from the Shadows

  • A clean incident report doesn't mean a clean environment. Persistent threats survive credential resets.
  • Attackers rely on time, silence, and your false sense of closure. The gap between "incident resolved" and "attacker evicted" is where the real damage happens.
  • True remediation requires forensic visibility and continuous threat hunting, not just a one-time scan.

CYA Finance paid over $15 million in direct financial costs, legal fees, and regulatory fines. They lost 75% of their customers. Every one of them said the same thing: "We can't trust you with our data."

The breach didn't end with the incident report. It ended only when CYA Finance brought in outside experts with the tools and talent to find the ghost hiding in the machine. By then, the damage was done.

What Mortgage Companies Should Do Now

Financial institutions are prime targets for exactly this type of attack. The APWG recorded over 1.1 million phishing attacks in Q2 2025 alone. Wire transfer BEC attacks increased 27% quarter over quarter. And 70% of BEC attacks launch from free webmail accounts, making sender verification critical.

Mortgage Workspace deploys Guardian MxDR, which pairs Microsoft Defender, Sentinel, and Secure Score with 24/7 human monitoring. Persistent threats get hunted, not just flagged. Wire fraud controls, identity monitoring, and forensic response capabilities come standard.

Serving 750+ financial institutions, Access Business Technologies configures these protections specifically for mortgage operations. No third-party MSP platforms. Pure Microsoft stack. Zero supply chain exposure from tools like ConnectWise or Kaseya that keep getting breached.

Talk to a mortgage IT specialist about continuous threat monitoring for your environment.


FAQ

How do persistent cyber threats survive standard incident response in mortgage companies?

Standard incident response resets credentials and runs antivirus scans. Persistent attackers plant backdoors in scheduled tasks, startup scripts, and forgotten servers before the response begins. These persistence mechanisms survive password resets and basic scans. Detecting them requires forensic threat hunting, DNS log analysis, and behavioral monitoring through tools like Microsoft Defender for Identity and Sentinel.

What is BEC wire fraud and why are mortgage companies targeted?

Business Email Compromise wire fraud involves an attacker impersonating a trusted party to redirect payment instructions. Mortgage companies handle six-figure wire transfers daily, making them high-value targets. BEC attacks cost U.S. businesses $2.8 billion in 2024. The average wire transfer BEC request reached $83,099 in Q2 2025, and financial institutions were the most-targeted sector for phishing attacks.

How does Microsoft Sentinel detect data exfiltration like the NullGhost attack?

Microsoft Sentinel correlates network telemetry, identity events, and endpoint behavior across your entire environment. It detects patterns like encrypted data flowing to unknown domains in small bursts, DNS queries to suspicious hostnames, and service accounts accessing resources outside normal hours. Custom detection rules specific to mortgage operations flag these anomalies for your security team in real time.
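The "Network traffic analysis" point above and this FAQ answer both describe the same correlation: a host that talks to an unknown domain at a steady cadence with small payloads, from a machine with no interactive user logon, looks like a beacon or slow-trickle exfiltration rather than telemetry. The following Python is an added illustration of that logic, not Microsoft Sentinel's rule syntax and not code from Access Business Technologies; the log lines, hostnames, domains and thresholds are all constructed for the example.

```python
"""Added example: flag beacon-like outbound connections and slow-trickle exfiltration.

The connection log, domain allow-list, logon inventory and thresholds below are
constructed for illustration. A production rule would read the same fields from
firewall/proxy/DNS telemetry and join them against identity logs.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: timestamp, source host, destination domain, bytes sent.
SAMPLE_LOG = """\
2025-06-02T01:00:03Z fs-archive-01 sync.example-telemetry.test 2048
2025-06-02T01:10:04Z fs-archive-01 sync.example-telemetry.test 2112
2025-06-02T01:20:02Z fs-archive-01 sync.example-telemetry.test 1990
2025-06-02T01:30:05Z fs-archive-01 sync.example-telemetry.test 2050
2025-06-02T01:40:03Z fs-archive-01 sync.example-telemetry.test 2010
2025-06-02T01:50:04Z fs-archive-01 sync.example-telemetry.test 2080
2025-06-02T09:12:44Z ws-chad-07 mail.example-corp.test 512000
2025-06-02T09:47:10Z ws-chad-07 mail.example-corp.test 73000
2025-06-02T13:05:51Z ws-chad-07 cdn.example-corp.test 220000
"""

# Constructed: domains the organisation recognises, and hosts that had an
# interactive user logon in the same window (from identity logs).
KNOWN_DOMAINS = {"mail.example-corp.test", "cdn.example-corp.test"}
HOSTS_WITH_INTERACTIVE_LOGON = {"ws-chad-07"}


def parse_log(text):
    """Parse each non-empty line into (timestamp, host, domain, bytes)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain, nbytes = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, domain, int(nbytes)))
    return events


def find_beacons(events, min_connections=5, max_jitter_ratio=0.05, max_bytes_per_flow=4096):
    """Return findings for (host, domain) pairs that connect to an unknown domain
    at a near-constant interval with small per-connection payloads.

    jitter = stddev(gap) / mean(gap); scheduled beacons have very low jitter,
    while human-driven traffic is bursty and irregular.
    """
    by_pair = defaultdict(list)
    for ts, host, domain, nbytes in events:
        by_pair[(host, domain)].append((ts, nbytes))

    findings = []
    for (host, domain), flows in by_pair.items():
        if domain in KNOWN_DOMAINS or len(flows) < min_connections:
            continue
        flows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(flows, flows[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter > max_jitter_ratio:
            continue
        if max(n for _, n in flows) > max_bytes_per_flow:
            continue
        findings.append({
            "host": host,
            "domain": domain,
            "connections": len(flows),
            "interval_seconds": round(avg),
            "total_bytes": sum(n for _, n in flows),
            # A steady beacon from a box nobody logs into is the strongest signal.
            "no_interactive_logon": host not in HOSTS_WITH_INTERACTIVE_LOGON,
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f)
```

On the constructed log the only hit is the file server polling an unknown domain every ten minutes with roughly 2 KB per connection and no interactive logon, which is exactly the profile a credential reset leaves untouched. The user workstation's large, irregular transfers to known domains are ignored, which is the point: volume alone is not the signal, regularity plus an unfamiliar destination is.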

What payment verification controls prevent wire fraud in mortgage transactions?

Out-of-band verification is the primary defense. When payment instructions change, confirm the change through a separate channel, such as a phone call to a known number, not the number in the email. Dual authorization for transfers above a threshold, callback verification for new payees, and real-time alerts for payment instruction modifications all reduce wire fraud exposure. These controls work alongside Microsoft Defender and Sentinel monitoring.
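The "Payment verification controls" point above and this FAQ answer describe the same control: a change to a vendor's bank details is only accepted after a callback to the number already on file (never the number supplied in the request), and transfers above a threshold need a second approver. The Python below is an added illustration of that approval logic, not part of any Access Business Technologies product; the vendor master record, phone numbers, account and routing numbers, and the $50,000 threshold are all constructed.

```python
"""Added example: accept-or-block logic for a payment whose instructions changed.

Vendor master data, phone numbers, account/routing numbers and the dual-auth
threshold are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed vendor master file. The callback number was recorded at
# onboarding, before any email about this payment existed.
VENDOR_MASTER = {
    "V-1001": {
        "name": "Example Title Services",
        "account": "000111222",
        "routing": "123456789",
        "callback_phone": "+1-555-010-0001",
    },
}

DUAL_AUTH_THRESHOLD = 50_000  # constructed threshold, in dollars


@dataclass
class PaymentRequest:
    vendor_id: str
    amount: int
    account: str
    routing: str
    phone_in_request: str          # whatever number the email or invoice says to call
    verified_via_phone: str = ""   # number staff actually dialled to confirm, if any
    approvers: set = field(default_factory=set)


def instructions_changed(req):
    """True if the requested bank details differ from the vendor master record."""
    on_file = VENDOR_MASTER[req.vendor_id]
    return req.account != on_file["account"] or req.routing != on_file["routing"]


def review_payment(req):
    """Return (approved, reasons).

    Blocks when bank details changed without a callback, when the callback went
    to the number in the request instead of the number on file, or when a large
    transfer lacks two distinct approvers.
    """
    reasons = []
    on_file = VENDOR_MASTER.get(req.vendor_id)
    if on_file is None:
        reasons.append("unknown payee: onboard and verify vendor before paying")
        return False, reasons

    if instructions_changed(req):
        if not req.verified_via_phone:
            reasons.append("bank details changed: out-of-band callback required")
        elif req.verified_via_phone != on_file["callback_phone"]:
            reasons.append("callback used number from request, not number on file")

    if req.amount >= DUAL_AUTH_THRESHOLD and len(req.approvers) < 2:
        reasons.append("amount at or above dual-authorization threshold: second approver required")

    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed scenario: altered instructions, staff called the number in the email.
    altered = PaymentRequest("V-1001", 120_000, "999888777", "123456789",
                             phone_in_request="+1-555-010-9999",
                             verified_via_phone="+1-555-010-9999",
                             approvers={"alice", "bob"})
    print(review_payment(altered))
```

The altered request above is blocked even though someone "called to confirm", because the call went to the number the attacker supplied. The check that matters is comparing the dialled number against the master record, not whether a call happened at all.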
