Illustrative composite. Real incident shape, anonymized municipality.
Thursday afternoon. The treasurer receives what looks like a routine vendor email — a paving contractor mid-project asking to update banking details for the next progress payment. The email thread quotes a real prior message. The new bank account is in a different province.
Friday, 2:14pm. Accounts payable cuts the wire — $187,400 — and routes it for the treasurer's second-factor approval. The treasurer hesitates: the town's procurement bylaw requires a paper countersign for any banking-detail change over $25,000, and there isn't one on file.
2:31pm. The treasurer phones the contractor's project manager on the number from the original signed contract — not the number in the email signature. The PM has no idea the change request was sent. The wire is cancelled at the originating branch with eleven minutes before cutoff.
2:55pm. The treasurer notifies the CAO and the cyber insurance carrier in that order. The carrier engages an IR firm; the IR firm pulls Microsoft 365 mailbox audit logs and finds a malicious inbox rule auto-forwarding messages to an external address — set three weeks earlier from a Lagos IP, then deleted.
Saturday. The IR firm scopes the compromise: only the treasurer's mailbox was accessed; OAuth consent grants are clean; no other accounts were touched. The mailbox is reset, all sessions are revoked, and hardware-key-only MFA is enforced for finance roles. A short notification goes to the contractor explaining the impersonation.
Monday morning. Council is briefed in camera. The bank's fraud team is given the receiving account details for their own filing. No funds were lost. The treasurer's insistence on the procurement bylaw's paper countersign is the headline of the report.
What went right. The bylaw's countersign threshold. Calling a number from the contract, not the email. Notifying the carrier before the IR firm engagement (the carrier paid the IR fees). Hardware-key MFA rolled out within 48 hours to finance.
What didn't. Inbox-rule alerting wasn't configured in the M365 tenant, so three weeks of mailbox access went undetected. The treasurer's account had been on SMS MFA, which the attacker bypassed by first SIM-swapping the treasurer's number. Vendor banking-change requests had no out-of-band verification policy until this incident.
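The detection gap above (the forwarding rule the IR firm later found in the mailbox audit logs, created and then deleted) is the kind of thing a tenant can catch from the Unified Audit Log without waiting for an incident. The following is an added example, not code from the report or from any vendor: it parses constructed records shaped like the Exchange entries that Search-UnifiedAuditLog exports (Operation, UserId, ClientIP, Parameters), flags any New-InboxRule or Set-InboxRule whose forwarding target is outside the tenant's own domains, pairs each flagged rule with a later Remove-InboxRule for the same user and rule name, and computes how long the rule sat undetected. The tenant domain, addresses, IPs and timestamps are all constructed placeholders.

```python
"""Flag external auto-forwarding inbox rules in exported Microsoft 365
Unified Audit Log records and pair each with its later deletion.

Added example, not the report's or Microsoft's code. The record shape
approximates the AuditData JSON that Search-UnifiedAuditLog returns for
Exchange operations; all sample values below are constructed.
"""
import json
from datetime import datetime, timezone

# Domains the tenant owns; a forwarding target anywhere else is external.
# Assumption: a real deployment would load the tenant's accepted domains.
TENANT_DOMAINS = {"townofexample.ca"}

# Inbox-rule parameters that send the message, or a copy of it, elsewhere.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress")

# Constructed sample records (documentation IP ranges, placeholder names).
SAMPLE_AUDIT_JSON = """
[
 {"CreationTime": "2024-04-18T09:02:11", "Operation": "New-InboxRule",
  "UserId": "treasurer@townofexample.ca", "ClientIP": "203.0.113.45",
  "Parameters": [{"Name": "Name", "Value": "Invoices"},
                 {"Name": "ForwardTo", "Value": "billing.archive@example.net"},
                 {"Name": "DeleteMessage", "Value": "True"}]},
 {"CreationTime": "2024-04-18T09:03:40", "Operation": "New-InboxRule",
  "UserId": "clerk@townofexample.ca", "ClientIP": "198.51.100.7",
  "Parameters": [{"Name": "Name", "Value": "Council"},
                 {"Name": "MoveToFolder", "Value": "Council"}]},
 {"CreationTime": "2024-05-09T14:20:05", "Operation": "Remove-InboxRule",
  "UserId": "treasurer@townofexample.ca", "ClientIP": "203.0.113.45",
  "Parameters": [{"Name": "Identity", "Value": "Invoices"}]}
]
"""


def _param(record, name):
    """Return the Value of the named entry in the record's Parameters list."""
    for p in record.get("Parameters", []):
        if p.get("Name") == name:
            return p.get("Value")
    return None


def _is_external(address):
    """True when the address's domain is not one the tenant owns."""
    return address.rsplit("@", 1)[-1].lower() not in TENANT_DOMAINS


def _ts(value):
    """Audit timestamps are UTC without a suffix; attach tzinfo explicitly."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def find_forwarding_rules(records):
    """Return one finding per rule creation/update that forwards externally."""
    findings = []
    for r in records:
        if r["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        targets = []
        for name in FORWARDING_PARAMS:
            value = _param(r, name)
            if value:
                # Multiple recipients are semicolon-separated in the export.
                targets.extend(v.strip() for v in value.split(";") if v.strip())
        external = [t for t in targets if _is_external(t)]
        if not external:
            continue
        findings.append({
            "user": r["UserId"],
            "rule": _param(r, "Name"),
            "created": r["CreationTime"],
            "client_ip": r.get("ClientIP"),
            "external_targets": external,
            # Forward-and-delete hides the traffic from the mailbox owner.
            "deletes_original": str(_param(r, "DeleteMessage")).lower() == "true",
            "removed": None,
        })
    return findings


def pair_with_removals(findings, records):
    """Attach the timestamp of a later Remove-InboxRule for the same rule."""
    for f in findings:
        for r in records:
            if (r["Operation"] == "Remove-InboxRule"
                    and r["UserId"] == f["user"]
                    and _param(r, "Identity") == f["rule"]
                    and _ts(r["CreationTime"]) > _ts(f["created"])):
                f["removed"] = r["CreationTime"]
                break
    return findings


def analyze(audit_json, reviewed_at):
    """Parse exported records and return findings with dwell time in days."""
    records = json.loads(audit_json)
    findings = pair_with_removals(find_forwarding_rules(records), records)
    for f in findings:
        f["dwell_days"] = (_ts(reviewed_at) - _ts(f["created"])).days
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_AUDIT_JSON, "2024-05-09T16:00:00"):
        print(json.dumps(finding, indent=2))
```

Run against a real export, the same logic turns the three-week gap into a same-day alert: a rule that forwards to a domain the tenant does not own is the signal, the forward-and-delete flag raises its priority, and the paired removal record is what distinguishes a user tidying up from an intruder covering tracks after the payment attempt.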