Customer story

Healthcare / hospital systemNorth AmericaAnonymized

Preventing ransomware by catching an MFA bypass against a healthcare claims portal

A ransomware-linked actor marketed access to a children’s hospital claims portal, including the MFA secret. Unit6 shut down the identity and drove phishing-resistant controls before patient data was touched.

MITRE T1078MITRE T1556.004MITRE T1606.002MITRE T1555.003
Book a demoExplore the platform

The situation

A healthcare provider relied on an external claims portal protected by MFA. Unit6 observed a financially motivated actor selling access and the associated MFA seed.

What Unit6 detected

  • Valid username/password for an active portal user.
  • The corresponding TOTP seed enabling full MFA bypass.
  • Evidence the credentials and MFA material had already been tested successfully.

Why it mattered

  • Attackers could log in as a legitimate user while passing MFA checks.
  • Access to browse or export claims data and patient-linked financial records.
  • Pre-ransomware staging to identify high-value internal systems.
  • Regulatory and reputational fallout under healthcare privacy laws.

What Unit6 did

Shut down the compromised identity

  • Disabled the affected account and similarly patterned credentials.
  • Invalidated all TOTP secrets, forcing secure re-enrollment.

Redesigned the authentication posture

  • Moved privileged and sensitive users to phishing-resistant MFA (FIDO2/WebAuthn).
  • Enforced IP geo-fencing and anomaly-based blocking for portal access.

Investigated the root cause

  • Triaged likely infostealer or configuration-file origins for the leak.
  • Reviewed logs for suspicious exports, unusual logins, and privilege escalation.

Aligned with regulatory response

  • Documented evidence timelines that could support potential reporting.
  • Ensured compliance and legal teams had technical detail for communication.

Outcome

  • Attack path closed before PHI theft or ransomware deployment.
  • Authentication upgraded from legacy MFA to phishing-resistant controls.
  • Security leadership demonstrated proactive neutralization of a credential and MFA compromise.

Unit6 edge

  • Detection of MFA bypass artifacts from underground ecosystems not visible to traditional tooling.
  • Contextual risk scoring that distinguishes generic leaks from full impersonation risk.
  • A playbook connecting threat intelligence to identity security and compliance stakeholders.

Browse other stories

See more anonymized wins

Back to all stories
Specialty chemicals / industrial manufacturingNorth America & Europe

Stopping a nation-state from reaching industrial OT via a SaaS monitoring platform

An East Asia-aligned actor used stolen credentials to access an OT monitoring SaaS. Unit6 cut the access path and rebuilt controls before the adversary could reach production lines.

Outsourcing / workforce management / BPOEMEA

Exposing a multi-actor campaign against HR, payroll, and internal portals

Multiple actor clusters targeted an outsourcing firm’s kiosk, HR, and payroll surfaces simultaneously. Unit6 treated it as one campaign, closing credential abuse and hardening exposed services quickly.

IT services / systems integratorMiddle East

Catching a helpdesk brute-force compromise before it became a company-wide breach

A regional IT services provider exposed its ServiceDesk login without rate limits. Unit6 spotted the shift from brute-force to successful use, shut it down, and rebuilt access controls.

Satellite communicationsGlobal

Catching a nation-state’s brute-force campaign against a global satellite operator

A Chinese-directed cluster brute-forced internal support portals for a satellite operator and took over accounts. Unit6 surfaced the compromise and rebuilt authentication before operations were touched.

Fintech / payments processingGlobal

Detecting AI-powered brute forcing against a fintech customer portal

AI-augmented actors brute-forced and sprayed a payments portal, taking over customer accounts. Unit6 cut off access, drove mandatory MFA, and hardened defenses against adaptive attacks.

Aerospace & aviation communicationsGlobal

Early warning on initial access broker claims against aviation messaging systems

Unit6 spotted a broker selling access to an aviation messaging platform before abuse began. Accounts and endpoints were hardened and a rapid-response plan put in place.

High-precision manufacturing / medtech & opticsEurope & Global

Disrupting state-sponsored recon and credential exposure against a high-precision manufacturer

State-linked actors targeted engineers and admin portals at a medtech/optics manufacturer. Unit6 neutralized exposed credentials and hardened privileged access before exploitation.

Enterprise software / communicationsGlobal

Dual nation-state intrusion into a critical file transfer system — detected before impact

Two unrelated nation-state actors exploited the same secure file transfer stack simultaneously. Unit6 surfaced both compromises and stopped large-scale exfiltration before internal teams saw anomalies.

SaaS / business intelligence platformGlobal

Supply-chain ransomware campaign leveraging a compromised SaaS administrator — multi-tenant threat stopped early

A ransomware group weaponized trusted admin pathways inside a business intelligence SaaS. Unit6 saw the compromise, coordinated fast revocation, and blocked cross-customer propagation.

Pharmaceuticals / healthcareGlobal

Supply-chain intrusion into a global pharmaceutical enterprise — pre-ransomware phase blocked

A Sophisticated Threat Actor attempted to pivot from a compromised SaaS provider into a pharmaceutical company via trusted admin links. Unit6 severed trust and stopped the intrusion in the staging phase.