Customer story

IT services / systems integratorMiddle EastAnonymized

Catching a helpdesk brute-force compromise before it became a company-wide breach

A regional IT services provider exposed its ServiceDesk login without rate limits. Unit6 spotted the shift from brute-force to successful use, shut it down, and rebuilt access controls.

MITRE T1110.001MITRE T1078MITRE T1556.001
Book a demoExplore the platform

The situation

An internet-facing ServiceDesk login with shared password patterns drew a burst of authentication attempts. Watcher Network telemetry showed the moment attackers moved from guessing to authenticated exploration.

What Unit6 detected

  • Concentrated brute-force activity against the ServiceDesk login page.
  • Follow-on human-driven interactions indicating at least one successful credential guess.
  • Post-login behavior mixing automated enumeration and manual exploration.

Why it mattered

  • Creation, modification, or deletion of tickets to obscure attacker actions.
  • Resetting passwords or granting access to other systems via IT workflows.
  • Access to internal incident history, infrastructure inventories, and employee details.
  • Impersonation of IT to phish employees or pivot into customer environments.

What Unit6 did

Immediate containment

  • Recommended disabling external access to the ServiceDesk login panel.
  • Revoked active sessions and forced password resets, prioritizing admins.

Compromise assessment

  • Reviewed login and application logs around the attack window.
  • Focused on new tickets, privilege changes, and password-reset actions.

Authentication and access control uplift

  • Introduced MFA and IP allowlisting for ServiceDesk users and admins.
  • Implemented rate limiting, CAPTCHA, and detection for repeated failed logins.

Threat hunting and follow-on defenses

  • Searched for new accounts, anomalous tickets, or configuration changes seeded by attackers.
  • Correlated attacker infrastructure with other Unit6 customers for fleet-wide protections.

Outcome

  • Compromise window narrowed with no evidence of large-scale lateral movement or customer impact.
  • ServiceDesk elevated from exposed target to strongly authenticated, monitored system.
  • Client showed customers they detected and contained an attack before broader incident.

Unit6 edge

  • Ability to separate background brute force from true compromise based on behavioral shifts.
  • Stepwise guidance security and IT operations could implement immediately.
  • Use of Watcher Network intelligence to track attacker infrastructure across tenants.

Browse other stories

See more anonymized wins

Back to all stories
Specialty chemicals / industrial manufacturingNorth America & Europe

Stopping a nation-state from reaching industrial OT via a SaaS monitoring platform

An East Asia-aligned actor used stolen credentials to access an OT monitoring SaaS. Unit6 cut the access path and rebuilt controls before the adversary could reach production lines.

Healthcare / hospital systemNorth America

Preventing ransomware by catching an MFA bypass against a healthcare claims portal

A ransomware-linked actor marketed access to a children’s hospital claims portal, including the MFA secret. Unit6 shut down the identity and drove phishing-resistant controls before patient data was touched.

Outsourcing / workforce management / BPOEMEA

Exposing a multi-actor campaign against HR, payroll, and internal portals

Multiple actor clusters targeted an outsourcing firm’s kiosk, HR, and payroll surfaces simultaneously. Unit6 treated it as one campaign, closing credential abuse and hardening exposed services quickly.

Satellite communicationsGlobal

Catching a nation-state’s brute-force campaign against a global satellite operator

A Chinese-directed cluster brute-forced internal support portals for a satellite operator and took over accounts. Unit6 surfaced the compromise and rebuilt authentication before operations were touched.

Fintech / payments processingGlobal

Detecting AI-powered brute forcing against a fintech customer portal

AI-augmented actors brute-forced and sprayed a payments portal, taking over customer accounts. Unit6 cut off access, drove mandatory MFA, and hardened defenses against adaptive attacks.

Aerospace & aviation communicationsGlobal

Early warning on initial access broker claims against aviation messaging systems

Unit6 spotted a broker selling access to an aviation messaging platform before abuse began. Accounts and endpoints were hardened and a rapid-response plan put in place.

High-precision manufacturing / medtech & opticsEurope & Global

Disrupting state-sponsored recon and credential exposure against a high-precision manufacturer

State-linked actors targeted engineers and admin portals at a medtech/optics manufacturer. Unit6 neutralized exposed credentials and hardened privileged access before exploitation.

Enterprise software / communicationsGlobal

Dual nation-state intrusion into a critical file transfer system — detected before impact

Two unrelated nation-state actors exploited the same secure file transfer stack simultaneously. Unit6 surfaced both compromises and stopped large-scale exfiltration before internal teams saw anomalies.

SaaS / business intelligence platformGlobal

Supply-chain ransomware campaign leveraging a compromised SaaS administrator — multi-tenant threat stopped early

A ransomware group weaponized trusted admin pathways inside a business intelligence SaaS. Unit6 saw the compromise, coordinated fast revocation, and blocked cross-customer propagation.

Pharmaceuticals / healthcareGlobal

Supply-chain intrusion into a global pharmaceutical enterprise — pre-ransomware phase blocked

A Sophisticated Threat Actor attempted to pivot from a compromised SaaS provider into a pharmaceutical company via trusted admin links. Unit6 severed trust and stopped the intrusion in the staging phase.