Customer story

Outsourcing / workforce management / BPOEMEAAnonymized

Exposing a multi-actor campaign against HR, payroll, and internal portals

Multiple actor clusters targeted an outsourcing firm’s kiosk, HR, and payroll surfaces simultaneously. Unit6 treated it as one campaign, closing credential abuse and hardening exposed services quickly.

MITRE T1190MITRE T1078MITRE T1110.003MITRE T1556.006
Book a demoExplore the platform

The situation

An outsourcing provider ran several internet-facing portals with limited MFA. Unit6 telemetry flagged unrelated actors converging on the same environment.

What Unit6 detected

  • Unauthenticated kiosk application exposed via a misconfigured IIS server.
  • Valid credentials for internal payroll and employee systems with proof of payslip access.
  • Active password spraying against the HR portal with no throttling or MFA.

Why it mattered

  • Access to HR and payroll data, including salaries and personal identifiers.
  • Tampering with payroll records or payment details.
  • Follow-on compromise of VPNs, admin portals, or production systems via HR-linked identities.
  • Regulatory and employee-relations fallout from bulk data exposure.

What Unit6 did

Rapid credential and access hygiene

  • Rotated credentials for confirmed compromised accounts and invalidated active sessions.
  • Introduced canary credentials to detect reuse attempts.

Segmentation and hardening of exposed services

  • Restricted kiosk exposure through firewall controls and IP allowlisting.
  • Drove a configuration and patch review for the IIS server.

Strengthened HR and payroll authentication

  • Implemented MFA across HR and payroll systems.
  • Added login throttling, geo-fencing, and abnormal login alerts.

Campaign-level threat hunting

  • Correlated timestamps across HR, payroll, and kiosk logs to separate noise from targeted abuse.
  • Distinguished opportunistic scanning from credential-driven intrusion.

Outcome

  • Active compromises contained and exposed attack surface reduced within weeks.
  • HR and payroll shifted from soft targets to hardened, monitored assets.
  • Security leaders gained a campaign-level view that unified previously siloed alerts.

Unit6 edge

  • Actor-centric view that identified multiple groups converging on one organization.
  • Correlation of exposed apps, credentials, and live attack traffic into one narrative for executives.
  • Practical guidance to make legacy HR/payroll systems security-aware without breaking operations.

Browse other stories

See more anonymized wins

Back to all stories
Specialty chemicals / industrial manufacturingNorth America & Europe

Stopping a nation-state from reaching industrial OT via a SaaS monitoring platform

An East Asia-aligned actor used stolen credentials to access an OT monitoring SaaS. Unit6 cut the access path and rebuilt controls before the adversary could reach production lines.

Healthcare / hospital systemNorth America

Preventing ransomware by catching an MFA bypass against a healthcare claims portal

A ransomware-linked actor marketed access to a children’s hospital claims portal, including the MFA secret. Unit6 shut down the identity and drove phishing-resistant controls before patient data was touched.

IT services / systems integratorMiddle East

Catching a helpdesk brute-force compromise before it became a company-wide breach

A regional IT services provider exposed its ServiceDesk login without rate limits. Unit6 spotted the shift from brute-force to successful use, shut it down, and rebuilt access controls.

Satellite communicationsGlobal

Catching a nation-state’s brute-force campaign against a global satellite operator

A Chinese-directed cluster brute-forced internal support portals for a satellite operator and took over accounts. Unit6 surfaced the compromise and rebuilt authentication before operations were touched.

Fintech / payments processingGlobal

Detecting AI-powered brute forcing against a fintech customer portal

AI-augmented actors brute-forced and sprayed a payments portal, taking over customer accounts. Unit6 cut off access, drove mandatory MFA, and hardened defenses against adaptive attacks.

Aerospace & aviation communicationsGlobal

Early warning on initial access broker claims against aviation messaging systems

Unit6 spotted a broker selling access to an aviation messaging platform before abuse began. Accounts and endpoints were hardened and a rapid-response plan put in place.

High-precision manufacturing / medtech & opticsEurope & Global

Disrupting state-sponsored recon and credential exposure against a high-precision manufacturer

State-linked actors targeted engineers and admin portals at a medtech/optics manufacturer. Unit6 neutralized exposed credentials and hardened privileged access before exploitation.

Enterprise software / communicationsGlobal

Dual nation-state intrusion into a critical file transfer system — detected before impact

Two unrelated nation-state actors exploited the same secure file transfer stack simultaneously. Unit6 surfaced both compromises and stopped large-scale exfiltration before internal teams saw anomalies.

SaaS / business intelligence platformGlobal

Supply-chain ransomware campaign leveraging a compromised SaaS administrator — multi-tenant threat stopped early

A ransomware group weaponized trusted admin pathways inside a business intelligence SaaS. Unit6 saw the compromise, coordinated fast revocation, and blocked cross-customer propagation.

Pharmaceuticals / healthcareGlobal

Supply-chain intrusion into a global pharmaceutical enterprise — pre-ransomware phase blocked

A Sophisticated Threat Actor attempted to pivot from a compromised SaaS provider into a pharmaceutical company via trusted admin links. Unit6 severed trust and stopped the intrusion in the staging phase.