You’re not too small — you’re the right size
Most small business owners assume ransomware crews are chasing hospitals and banks. The reality is closer to home. Businesses with 10 to 50 people get targeted constantly, because they have real money and real data but rarely a dedicated team defending it. You’re not too small to be worth the trouble. You’re the right size to be easy.
I want to walk you through exactly how this plays out, because once you’ve seen the steps, the fixes stop feeling like a mystery — and stop feeling expensive. What follows is an attack on a small professional-services firm, written from the attacker’s side. The company is a composite, not a real client, but every step matches how these attacks actually run today. At the end, I’ll show you five ordinary points where the whole thing falls apart, most of them using tools you already pay for.
A note on the voice. The walkthrough below is written in the attacker’s voice on purpose — not to scare you, but to make the steps concrete. There are no made-up statistics here and no doom. Just the actual playbook, and where it breaks.
The week your business got attacked
Monday: how I picked you
I run a small operation and keep regular hours. My list runs about 40 prospects a month, and I like businesses between 10 and 50 people. It’s an economics call. Big companies have security teams, incident-response retainers, and lawyers who make my work slow and expensive. Sole operators rarely have enough on the line to bother with. A firm with a couple dozen staff sits in the sweet spot: payroll, a client database, project files, vendor relationships, and an owner who will pay to get all of it back.
I didn’t find you through a breach or a tip. I found you in public records — a state business registry, a professional licensing board, county filings. Those sources hand me your company name, your registered agent, your own name, a rough read on your revenue, and a sense of who to aim at inside the business. One search did most of it.
The fact that nothing has gone wrong at your company yet is the best signal I get. It tells me your passwords probably still work, your staff hasn’t been trained to notice anything, and nobody’s had a reason to change a thing. A clean history is exactly what I look for.
Tuesday: building your org chart for free
About 40 minutes in a browser, no cost.
LinkedIn hands me eight of your employees with their titles. Your office manager has been there six years and lists “accounts payable, payroll, and vendor invoicing” right in her profile. Your second admin started 14 months ago. Your own profile is sparse, with few connections, which tells me you probably won’t notice when someone unusual starts poking around your company page.
Public filings confirm your legal business name and your full name. A “meet the team” post from two years ago on your Facebook page gives me first names and faces, including someone who helps out a couple of days a week. One commenter shares your last name.
Now I know who handles your money, what she’s called, how long she’s been there, what software she probably uses (I’ll check your old job ads for “QuickBooks or Sage”), and who can approve a payment without a second set of eyes.
That last person is who I’m really after. You’re harder to reach and probably more careful. Your office manager has system access, pays vendors, and is busy enough that one more email in her inbox doesn’t get a second look.
Still haven’t spent a dollar.
Wednesday: I bought your credentials for $14
Stealer logs are credential bundles pulled off someone’s personal device by infostealer malware, often months or years earlier. The malware records the usernames and passwords typed into the machine, then the data gets packaged and sold. Marketplaces let buyers search those logs by company email domain.
I search your domain. Two hits come back. One is your office manager’s work email, with a password that looks browser-saved. The other is a personal Gmail that appears to belong to a family member of yours — probably a device that once shared a home network.
I pay $14. It takes four minutes.
Your office manager’s password is a familiar shape: a name, a year, and an exclamation point. I check it against Have I Been Pwned — the same free database security pros use — and it turns up in a retail loyalty-program breach from three years ago. Never changed since.
The family member’s login is the interesting one. The same password, with small tweaks, shows up on a streaming service, a game account, and your company’s Microsoft 365. It works. The only thing between me and the inbox is the second factor.
Total so far: $14.
Thursday: getting past your MFA
Multi-factor authentication stops a lot of attacks. How it’s set up matters more than whether the box is checked.
The lazy approach — spamming approval prompts until someone taps “yes” — doesn’t work here. Since May 8, 2023, Microsoft has required number matching by default on Authenticator push notifications, so she’d have to read a number off her login screen and type it, not just tap approve. Push-bombing fails against that.
What still works is adversary-in-the-middle phishing. I send her an email dressed up as a routine Microsoft 365 password-reset notice, and I cite the real breach her password appeared in — the same one I found earlier in the week. The link goes to a page that looks exactly like the Microsoft sign-in screen. It’s a proxy I control.
When she types her password and approves the MFA prompt, my proxy passes both straight to the real Microsoft login. Microsoft checks the credentials, completes the MFA challenge, and hands back a session token — to my proxy. I capture the token. She sees a normal login and a “password updated successfully” message, and goes back to work.
Now I’m signed in as her. The MFA prompt genuinely succeeded; the session just lives in my browser instead of hers. To Microsoft, it looks like a valid, authenticated session.
I had a backup in case she didn’t click. Earlier that day I called your front desk pretending to be your IT company, using a name I pulled from a Google review you left a year and a half ago. I said we’d flagged unusual login activity on the office manager’s account and needed her to approve a quick verification push. She was away from her desk. No problem, I said — I’ll try again later. Cost me nothing.
By Thursday night I’m inside her Microsoft 365 account. I set up a rule to quietly copy her incoming mail to an address I control, and I wait.
Friday, 2:47 pm: why I waited 36 hours before encrypting
I read email for a day and a half before I encrypt anything. That waiting is how I price the ransom.
In those 36 hours I find your cyber-insurance policy, attached to an email from your broker, with a clear sub-limit for cyber claims. A bank reconciliation your office manager sent two weeks ago shows roughly what sits in your operating account at month end. Your client list is in a quote template she emailed to herself. A thread with a client mentions an engagement starting in three weeks, with a hard deadline you can’t afford to miss.
So I set the ransom where I know it lands: low enough that paying is easier than fighting, high enough to be worth my time, and inside what I know you can actually reach. Ask for too much relative to what someone has on hand and they dig in. I stay under that line.
I trigger the encryption at 2:47 pm on Friday. The timing is deliberate. Your bookkeeper leaves at 3 on Fridays — I saw it in an out-of-office reply. You’re on a job site, your calendar synced to the shared inbox. The person most likely to spot something wrong is already gone, and the person who can make decisions is unreachable.
By the time anyone understands what happened, it’s Friday evening, the shared drive is encrypted, and there’s a ransom note on every screen in the office.
Total cost to me: $14 for the credentials and a few hours of work spread across the week.
Five places this attack dies
The attack worked because five ordinary things weren’t in place. None of them were expensive. Most were already bundled into security tools you already pay for.
1. The credential purchase (Wednesday)
The stolen password worked because it was reused and never changed. Two cheap habits break that. Have I Been Pwned is free — anyone can check an email or password against known breaches. And a password manager that generates a unique password for every account makes a single stolen credential worthless everywhere else.
One myth worth clearing up: people assume Microsoft Entra Password Protection covers this. It helps, but not the way they think. It blocks weak and common passwords, plus any terms you ban (your company name, local sports teams) and their obvious variations — it does not check passwords against breach databases like Have I Been Pwned. For known-leaked credentials you want unique passwords per account and, if your licensing includes it, Entra ID Protection’s leaked-credential detection. The takeaway: don’t assume the password box is fully handled. Confirm it.
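To make the Have I Been Pwned check concrete, here is how the Pwned Passwords lookup works under the hood. This is an added example written for this post, not code from the original or from Have I Been Pwned: the API endpoint and its `SUFFIX:COUNT` response format are public, the password used in the test is constructed, and the `User-Agent` string is an arbitrary choice. The point worth understanding is the k-anonymity model: only the first five hex characters of the password's SHA-1 hash ever leave your machine, so the check is safe to run on a real password.

```python
"""Check a password against Have I Been Pwned's Pwned Passwords range API.
Only a 5-character hash prefix is sent; the service returns every known
suffix for that prefix and the match is made locally.
Added example, not code from the original post or from HIBP."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Return (first 5 hex chars, remaining 35 hex chars) of the uppercase SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Download the range response for a 5-char prefix (the only network call)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-check-example"},  # assumed, arbitrary name
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str, suffix: str) -> int:
    """Each response line is 'SUFFIX:COUNT'; return our suffix's count, 0 if absent.
    Padding entries the service may add carry a count of 0, so they fall out naturally."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in known breaches (0 = never seen).
    `fetch` is injectable so the parsing can be exercised without network access."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix), suffix)


if __name__ == "__main__":
    import getpass

    pw = getpass.getpass("Password to check (only a hash prefix is sent): ")
    n = breach_count(pw)
    print(f"Seen {n} time(s) in known breaches" if n else "Not found in Pwned Passwords")
```

A non-zero count is the signal that a password of that shape (a name, a year, an exclamation point) has already been traded in stealer logs and breach dumps, and should be replaced with a unique, generated one rather than tweaked.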
2. The MFA bypass (Thursday)
Microsoft already kills the lazy push-bombing attack — number matching has been on by default since May 2023. The bypass that still works is adversary-in-the-middle phishing. The defenses that beat it: phishing-resistant MFA (FIDO2 security keys, passkeys, or Windows Hello for Business), Conditional Access that requires a known, compliant device, and the anti-phishing protection in Microsoft Defender for Office 365. Any one of those either stops the session token from being captured or makes a stolen token useless from my machine. This is the single highest-value change on the list.
3. The mail-forwarding rule
Microsoft 365 blocks automatic forwarding to outside addresses by default in most tenants, and an admin can lock it down further across the whole organization. With that in place, the rule I used to siphon 36 hours of email simply fails. I might still encrypt, but I’m guessing at the ransom instead of pricing it off your bank balance.
4. The 36 hours of quiet snooping
Microsoft Defender (included in Microsoft 365 Business Premium) raises an alert when someone creates a new mail-forwarding rule — one of the highest-confidence signs of a hijacked account there is. If anyone had been watching those alerts, or if they were routed somewhere a human actually looks, I’d have been caught Thursday night. For most businesses your size, the biggest security upgrade isn’t a new product. It’s having someone actually read the alerts the tools you already pay for are already generating.
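Points 3 and 4 above both turn on the same event: a new inbox rule that pushes mail to an address outside the tenant. The following is an added example for this post, not Microsoft's code or the MSP's tooling, showing the detection logic a reviewer would apply to Exchange Online audit records. The record shape (an `Operation`, a `UserId`, and a `Parameters` list of `Name`/`Value` pairs) mirrors the audit log format; the three records, the tenant domain `example-firm.test`, and the addresses and IPs are constructed. It flags any rule whose `ForwardTo`, `ForwardAsAttachmentTo` or `RedirectTo` target lands on a non-tenant domain, and notes when the rule also deletes the original, which is how a siphon stays unnoticed.

```python
"""Detect inbox rules that forward or redirect mail outside the organization.
Added example, not Microsoft's or the original post's code. The audit records
below are constructed to mirror the shape of Exchange Online audit entries;
the tenant domain, addresses and IPs are assumptions."""
import json

OUR_DOMAIN = "example-firm.test"  # assumption: the tenant's own mail domain
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed audit lines: one benign internal rule, one external siphon rule,
# and one unrelated operation that the detector should ignore.
SAMPLE_AUDIT_LINES = [
    '{"CreationTime": "2024-05-16T14:02:11", "Operation": "New-InboxRule", '
    '"UserId": "owner@example-firm.test", "ClientIP": "198.51.100.7", '
    '"Parameters": [{"Name": "Name", "Value": "Invoices to AP"}, '
    '{"Name": "ForwardTo", "Value": "smtp:officemanager@example-firm.test"}]}',
    '{"CreationTime": "2024-05-16T21:12:03", "Operation": "New-InboxRule", '
    '"UserId": "officemanager@example-firm.test", "ClientIP": "203.0.113.45", '
    '"Parameters": [{"Name": "Name", "Value": "."}, '
    '{"Name": "ForwardTo", "Value": "smtp:collector@attacker-mail.test"}, '
    '{"Name": "DeleteMessage", "Value": "True"}]}',
    '{"CreationTime": "2024-05-16T21:15:40", "Operation": "MailItemsAccessed", '
    '"UserId": "officemanager@example-firm.test", "ClientIP": "203.0.113.45"}',
]


def recipients(value):
    """Split 'smtp:a@x;smtp:b@y' style parameter values into bare lowercase addresses."""
    out = []
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("smtp:"):
            part = part[5:]
        if "@" in part:
            out.append(part.lower())
    return out


def find_external_forwarding(audit_lines, our_domain=OUR_DOMAIN):
    """Return one finding per rule that sends mail to a domain other than ours."""
    findings = []
    for line in audit_lines:
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        external = [
            addr
            for name in FORWARDING_PARAMS
            for addr in recipients(params.get(name, ""))
            if addr.rsplit("@", 1)[1] != our_domain.lower()
        ]
        if external:
            findings.append({
                "time": rec.get("CreationTime"),
                "user": rec.get("UserId"),
                "client_ip": rec.get("ClientIP"),
                "rule_name": params.get("Name"),
                "targets": external,
                # Deleting the original is how an intruder keeps the copy unnoticed.
                "deletes_original": params.get("DeleteMessage", "").lower() == "true",
            })
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_AUDIT_LINES):
        print(f"ALERT {f['time']} {f['user']} from {f['client_ip']}: "
              f"rule {f['rule_name']!r} forwards to {', '.join(f['targets'])}"
              + (" and deletes the original" if f["deletes_original"] else ""))
```

Run against the constructed records, only the second one trips the alert: a rule named "." created at 9:12 pm from an unfamiliar address, forwarding to an outside domain and deleting the original. That is the Thursday-night event the post describes, and it is exactly the kind of record that is useless unless someone is reading the alerts it generates.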
5. The public records
You can’t unpublish a state registry or a licensing record — that data stays public, so accept it. What you can shape is what your team volunteers on top of it. Your office manager’s profile spelled out her exact financial duties, which is what made her the obvious target. That’s worth a five-minute conversation with your team — framed as “here’s how attackers use this,” not as a rule about what people can post.
Three questions to send your IT provider
These cover most of where the example attack failed. Each one maps to a control that usually comes bundled with tools you already pay for.
- Are we using phishing-resistant MFA (FIDO2 keys, passkeys, or Windows Hello for Business) for finance, admin, and owner logins?
- Is automatic external email forwarding blocked across our tenant?
- Are our security alerts going somewhere a human reviews — and who is reviewing them?
If you get vague answers back, that’s information too.
From us, plainly. This is the kind of thing we handle for clients by default at Harmony MSP — security isn’t an upsell bolted onto the IT package, it’s built into it. If you’d rather just have someone confirm these three things are locked down on your setup, we’re in Lake Mary and happy to take a look. No pressure and no fear pitch — you’ve had enough of those.
FAQs
Do attackers really target small businesses?
Yes. Small and mid-sized businesses get hit constantly, because the ratio of payout to defensive resources is better than at either extreme of company size. The range that draws the most attention is roughly 10 to 50 staff — enough worth taking, but rarely a dedicated team defending it.
What is adversary-in-the-middle (AiTM) phishing?
It’s a technique where the attacker runs a proxy page that mirrors a real login screen, like Microsoft 365 or Google Workspace. When the user enters their credentials and approves the MFA prompt, the proxy captures the resulting session token. The real service treats the login as successful, but the session ends up in the attacker’s browser. AiTM has become the dominant credential-based attack against Microsoft 365 since number matching shut down the simpler push-bombing attacks.
What is a stealer log?
A stealer log is a package of credentials harvested by infostealer malware from an infected personal device. The logs include browser-saved passwords, session cookies, and stored tokens, and they sell on underground markets for roughly $10 to $20 a package. The malware usually gets onto personal computers through pirated software or malicious browser extensions.
How much does it cost an attacker to compromise a small business?
In the walkthrough above, the total spend was $14 for stolen credentials and a few hours of work. Costs vary, but the bar to attempt the kind of attack described here sits well below $100.
Are there free tools that would have stopped this?
Several of the controls in the walkthrough come bundled with the Microsoft 365 Business Premium licenses that businesses in this size range usually already hold. Blocking external forwarding and watching Defender alerts are configuration changes, not new purchases. Have I Been Pwned is a free check available to anyone. Phishing-resistant MFA keys are a small per-user cost next to the price of a single ransomware incident.
