Customer story

Industry: Fintech / payments processing. Region: Global. Anonymized.

Detecting AI-powered brute forcing against a fintech customer portal

AI-augmented actors brute-forced and sprayed a payments portal, taking over customer accounts. Unit6 cut off access, drove mandatory MFA, and hardened defenses against adaptive attacks.

MITRE ATT&CK: T1110 (Brute Force), T1110.001 (Password Guessing), T1078 (Valid Accounts)

The situation

A payment services provider ran a high-volume customer portal that relied mostly on password-based authentication, with low MFA adoption. Unit6 observed multiple threat actor groups using AI-augmented brute force and password spraying to compromise customer accounts.

What Unit6 detected

  • AI-powered brute force and password spraying targeting the customer portal.
  • Multiple sets of valid customer credentials being obtained and used.
  • Distinct actor infrastructure across countries coordinating attack logic.

Why it mattered

  • Fraudulent transactions, payouts, and account changes.
  • Exposure of sensitive financial and personal data.
  • Downstream compromise of merchant systems that reused credentials.
  • Brand damage from visible customer fraud at scale.

What Unit6 did

Clamped down on active abuse

  • Provided intelligence on compromised accounts for immediate credential resets.
  • Flagged high-risk IP ranges and infrastructures for blocking or stepped-up challenges.

Pushed strong customer authentication

  • Drove a move to mandatory MFA for customer accounts.
  • Prioritized rollout for high-risk segments and high-value accounts.

Hardened portal defenses

  • Implemented rate limiting and lockout tuned to separate human login behaviour from machine-driven attacks (a per-account lockout alone never fires on a spray that tries each account once, and punishes customers who mistype a password; source-level thresholds are needed as well).
  • Enabled anomaly detection for impossible travel, unusual devices, and abnormal access patterns.
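As an added illustration of the two controls listed above (example code written for this page, not Unit6's or the provider's tooling): a detector over constructed authentication events that separates a password spray (many accounts, one guess each, from one source) from single-account brute force, checks successful logins for impossible travel, and turns both into a block / reset / step-up plan. The event fields, the IP addresses (documentation ranges), the coordinates and every threshold are assumptions.

```python
"""Added example (not Unit6's or the provider's code): classify login failures per
source IP as password spraying or single-account brute force, flag impossible travel
on successful logins, and derive block / reset / step-up actions. All events, IPs,
locations and thresholds below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

T0 = datetime(2024, 5, 1, 10, 0, 0)  # assumed reference time for the sample events
NYC, SGP, LON = (40.71, -74.01), (1.35, 103.82), (51.51, -0.13)  # approx. lat/lon

def _ev(offset_s, user, src_ip, ok, geo):
    """Build one constructed auth event at T0 + offset_s seconds."""
    return {"ts": T0 + timedelta(seconds=offset_s), "user": user,
            "src_ip": src_ip, "ok": ok, "geo": geo}

# Constructed sample events (documentation IP ranges, not real logs).
EVENTS = [
    _ev(-1800, "carol", "192.0.2.20", True, NYC),  # carol's normal morning login
    _ev(-120, "bob", "192.0.2.5", False, LON),     # bob mistypes once ...
    _ev(-100, "bob", "192.0.2.5", True, LON),      # ... then succeeds: human pattern
    _ev(300, "carol", "203.0.113.7", True, SGP),   # takeover from the spraying source
]
# Spray: one source, one guess against each of 40 accounts (carol included) in ~2 min.
EVENTS += [_ev(3 * i, u, "203.0.113.7", False, SGP)
           for i, u in enumerate(["carol"] + [f"user{k:03d}" for k in range(39)])]
# Brute force: one source hammering a single account 30 times in a minute.
EVENTS += [_ev(60 + 2 * j, "alice", "198.51.100.9", False, SGP) for j in range(30)]

def classify_sources(events, window=timedelta(minutes=10), min_failures=15,
                     min_users=10, max_per_user=3):
    """Slide a window over each source IP's failures. Many distinct accounts with
    few attempts each is a spray; the same volume on one account is brute force.
    A single mistyped password never reaches min_failures, so humans pass."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["src_ip"]].append(e)
    verdicts = {}
    for ip, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for i, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:i + 1]
            if len(chunk) < min_failures:
                continue
            per_user = defaultdict(int)
            for f in chunk:
                per_user[f["user"]] += 1
            peak = max(per_user.values())
            if len(per_user) >= min_users and peak <= max_per_user:
                verdicts[ip] = "spray"
            elif peak >= min_failures:
                verdicts[ip] = "brute_force"
            if ip in verdicts:
                break
    return verdicts

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events, max_speed_kmh=900.0):
    """Compare each user's consecutive successful logins; flag pairs whose implied
    ground speed exceeds max_speed_kmh (roughly airliner speed, an assumption)."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    hits = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["geo"], cur["geo"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            if km > 0 and (hours <= 0 or km / hours > max_speed_kmh):
                hits.append((user, prev["src_ip"], cur["src_ip"]))
    return hits

def response_plan(events):
    """Block flagged sources; reset accounts that logged in from a flagged source or
    tripped impossible travel; step-up (MFA challenge) accounts that were only guessed
    at, since a one-guess spray gives no signal about whether the guess was right."""
    flagged = set(classify_sources(events))
    reset = {u for u, _, _ in impossible_travel(events)}
    reset |= {e["user"] for e in events if e["ok"] and e["src_ip"] in flagged}
    step_up = {e["user"] for e in events if not e["ok"] and e["src_ip"] in flagged} - reset
    return {"block_ips": sorted(flagged), "reset_users": sorted(reset),
            "step_up_users": sorted(step_up)}

if __name__ == "__main__":
    print(classify_sources(EVENTS))
    print(impossible_travel(EVENTS))
    print(response_plan(EVENTS))
```

On the sample data the spraying source and the brute-forcing source are both blocked, bob's single typo followed by a success is left alone, carol is reset because her successful login came from the spraying source and contradicts her earlier New York login, and the 40 accounts that were merely guessed at are queued for a step-up challenge rather than a lockout. The same per-source window is what a rate limiter would key on; a per-account counter alone would never see the spray.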

Improved user awareness

  • Delivered targeted communication on credential hygiene and phishing risks using real attack stories without revealing sensitive detail.

Outcome

  • Compromised accounts reset quickly, limiting ongoing fraud.
  • Provider shifted from optional to default MFA with risk-based controls.
  • AI-driven spray campaigns became far less effective and more costly for attackers.

Unit6 edge

  • Early visibility into AI-augmented brute force tactics before internal alarms fired.
  • Translation of technical detections into product decisions that balanced risk and user friction.
  • Context-rich intel that justified stronger controls to revenue-sensitive stakeholders.
