Skip Navigation
Get a Demo
Resources Case Studies
Managed Detection and Response

Red Canary detects unauthorized email access, prevents phishing scheme at Fortune 250 company

When a seemingly legitimate user started creating suspicious email forwarding rules in Microsoft 365, Red Canary took notice, quickly alerting the customer to the potential threat and paving way for their rapid response.

DuPont (NYSE: DD) is an innovation leader, developing materials and solutions that transform industries and everyday life. Employees apply diverse science and expertise to help customers advance their best ideas and deliver essential innovations in key markets including electronics, transportation, construction, water, healthcare, and worker safety. The organization has an internal security operations center (SOC) of approximately 10 personnel that protect its endpoints (over 35,000), applications, network, and beyond.

The DuPont Cyber Incident Response Team (CIRT) was clocked out for the day when a Red Canary alert came in at 23:02 UTC. A corporate user at the company had set up a rule to automatically forward their emails to an external mailbox.

The DuPont CIRT was quickly notified of the threat via email and text message, as defined in their Red Canary playbooks. As standard practice, one of their cyber threat analysts then reached out to the user, inquiring about the suspicious activity on their account and prompting them to delete the rule. The user then appeared to create another rule—this one to delete all emails coming from the cyber threat analyst’s account. Red Canary detected this new rule as well.

Recognizing that an unauthorized user had bypassed conditional access policies and gained access to a legitimate DuPont user’s account, the CIRT began the process of turning on privileged identity rules.

Within minutes of gaining access to the authorized user’s account, the adversary sent dozens of phishing emails to DuPont employees. They also created a rule to send any incoming emails containing the same subject line of the phishing emails straight to the authorized user’s Deleted Items folder. Yet again, Red Canary flagged this email rule as suspicious.

“The adversary was trying to be quiet and sneaky so as not to trigger any alarms, but Red Canary caught them.”


The incident was marked remediated just 26 minutes later, at 23:28 UTC. Ultimately, the adversary’s attempt to compromise additional accounts was unsuccessful. The DuPont CIRT rapidly blocked the adversary and scrubbed all phishing messages, stopping the attack in its tracks. As a critical member of the CIRT concluded, “We were able to avoid essentially what could have been a material incident thanks to Red Canary.”

“Red Canary caught something that we would have otherwise missed and that was legitimate, fast-paced, interactive, and bad human activity. It’s not something that Microsoft 365 Defender alone would catch.”


Looking back at the incident, this team member acknowledged Red Canary’s essential role in the company’s rapid response. If it weren’t for Red Canary’s proprietary detections, the unauthorized user’s early-stage activities would have gone unnoticed.

“Red Canary has alert logic built in to identify those suspicious email rules being created—forwarding all emails out of the organization is obviously prohibited. But then we were also alerted when the adversary created a rule to delete all emails from one user, which is generally not valid user behavior.”

“There’s a capability gap in current security solutions, and only one of our tools is capable of filling that gap. There may be other vendors out there that claim to do stuff with Office 365 unified audit log, but Red Canary is the only one I know of that could have detected the suspicious activity we saw.”


With the help of Red Canary’s advanced detection capabilities and automated playbooks, the DuPont CIRT was notified quickly of the threat, enabling them to respond promptly, even during non-working hours. As a result, the adversary’s plans were effectively thwarted, and the company experienced essentially zero business impact.

Back to Top