INTERNAL DOCUMENT - CONFIDENTIAL

Helpdesk Log - November 15, 2024

IT Support Ticket System - Morning Incident Timeline

| Time | Ticket # | User | Issue Description | Status |
|---|---|---|---|---|
| 09:12 AM | HD-4471 | Sarah Mitchell (Accounts) | Received "Cloud Backup Renewal" email - clicked link - now can't log in. Says password not working after entering it on renewal site. | Escalated |
| 09:18 AM | HD-4472 | James Chen (Sales) | Got same backup renewal email. Looks suspicious - domain is "tecknova.com" (missing 'h') | Noted |
| 09:26 AM | HD-4473 | External Customer | Received invoice #INV-4486 with different bank details than usual. BSB changed to 033-547. | Critical |
| 09:28 AM | HD-4474 | External Customer | Invoice has wrong bank account. Already paid $3,400 to new account! | Critical |
| 09:32 AM | HD-4475 | External Customer | Invoice formatting looks different. Bank: ANZ instead of Commonwealth. | Critical |
| 09:40 AM | HD-4476 | IT Support | Password reset completed for Sarah Mitchell. Forced logout all sessions. | Resolved |
| 09:45 AM | HD-4477 | Security Team | ALERT: Multiple customer complaints about altered invoices. Initiating incident response. | In Progress |
| 10:05 AM | HD-4478 | Security Audit | File server audit shows 23 invoice PDFs accessed from IP 203.0.113.45 between 10:01-10:15 AM. See access log. | Investigating |
| 10:15 AM | HD-4479 | Michael Torres (Security) | Confirmed: Phishing email led to credential theft. Attacker accessed invoice directory. Security memo drafted. | Confirmed |

Notes from IT Support

Dave Wilson (IT Support Lead):

"The phishing email was very convincing. It used our company colors and looked like it came from CloudSafe, our actual backup provider. The link went to 'backups-secure.net' which looked legitimate but was actually a credential harvesting site."

"Sarah entered her credentials thinking it was the real CloudSafe portal. The attacker then used her account to access the shared drive where we store customer invoices. They downloaded 23 files and appear to have modified them with different bank details."

Check with the chat support staff for more details about what they observed.