Incident Response Case Study

An intern account almost brought down an entire organisation

How an attacker came within 48 hours of encrypting an entire educational infrastructure, and what stopped them.

19 May 2026 · 9 min read · by DEFION Security Incident Response Team

Key findings from this incident:

  • VPN without MFA was the only point of entry needed
  • An intern account with Domain Admin rights gave access to 26 systems
  • 175 GB of sensitive data exfiltrated — payroll, identity documents, banking records
  • Antivirus removed in minutes via PsExec and a script
  • Firewall logging was completely disabled — no VPN logs, no traffic records
  • One changed password was the only thing that triggered detection

A few weeks ago, our Incident Response team received an urgent call from an organisation in the education sector. The reason: a systems administrator tried to log in with their Domain Admin account — and the password no longer worked.

That small detail, a password that had been changed unexpectedly, was the only thing standing between the organisation and a full-scale ransomware attack.

What we uncovered during the forensic investigation deserves to be shared.

Night 1: Silent access

The attacker gained access to the infrastructure through the corporate VPN using valid credentials. No multi-factor authentication. No alerts. No friction.

Once inside, at 22:58, they initiated a remote desktop session to the primary Domain Controller using an administrative account. In less than an hour, they:

  • Installed a legitimate remote management tool (MeshAgent), renamed to avoid detection and maintain persistent access independent of the VPN.
  • Accessed the system's Shadow Copies, most likely to extract credentials, before deleting them to complicate recovery efforts.
  • Performed a full scan of the internal network to map the infrastructure.

Nobody noticed. It was 11pm on a Tuesday.

Night 2: Escalation

The following evening, the attacker returned. This time with a clear objective and a structured plan. And this is where the unexpected protagonist of the story appears: an intern account.

Yes, an account created for an intern. With Domain Admin privileges.

Using that account, between 10pm and 3am, the attacker carried out a sequence of actions that any IR team would immediately recognise:

Reconnaissance and preparation

Another network scan. Creation of RDP configuration files. Lists of target IP addresses.

Disabling defences

Using PsExec, the attacker distributed a script that remotely uninstalled the corporate antivirus from servers via WMI. A second script then disabled Windows Defender. Within minutes, dozens of systems were left completely unprotected.

Mass lateral movement

From the Domain Controller, the attacker established RDP sessions to 26 systems across the domain. All using the intern account. All with administrative privileges.
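The fan-out described above is one of the easiest signals in this story to catch mechanically: a single account opening RDP sessions to many distinct hosts within a short window, and doing so after weeks of silence. The detector below is an added example written for this article, not tooling from DEFION or from the affected organisation. It works on a handful of constructed Windows Security 4624 (successful logon) events reduced to the fields it needs; the account names, host names, timestamps and the thresholds (five hosts in two hours, a 21-day dormancy gap) are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security 4624 (successful logon) events, reduced to the
# fields this detector needs. Logon type 10 is RemoteInteractive (RDP).
# Accounts, hosts and times are made up for the example.
CONSTRUCTED_EVENTS = [
    # Weeks earlier: the intern account's last legitimate use.
    {"time": "2026-01-05T09:12:00", "event_id": 4624, "logon_type": 10, "account": "intern01", "host": "WS-INTERN01"},
    # A normal admin working day: a couple of RDP sessions, hours apart.
    {"time": "2026-02-19T09:00:00", "event_id": 4624, "logon_type": 10, "account": "admin.jsmith", "host": "SRV-FILE01"},
    {"time": "2026-02-19T14:00:00", "event_id": 4624, "logon_type": 10, "account": "admin.jsmith", "host": "SRV-DB01"},
    # Night of the intrusion: one account fanning out over RDP within forty minutes.
    {"time": "2026-02-19T22:01:00", "event_id": 4624, "logon_type": 3,  "account": "intern01", "host": "DC01"},
    {"time": "2026-02-19T22:04:11", "event_id": 4624, "logon_type": 10, "account": "intern01", "host": "SRV-FILE01"},
    {"time": "2026-02-19T22:09:40", "event_id": 4624, "logon_type": 10, "account": "intern01", "host": "SRV-DB01"},
    {"time": "2026-02-19T22:15:05", "event_id": 4624, "logon_type": 10, "account": "intern01", "host": "SRV-APP01"},
    {"time": "2026-02-19T22:22:30", "event_id": 4624, "logon_type": 10, "account": "intern01", "host": "SRV-MAIL01"},
    {"time": "2026-02-19T22:31:12", "event_id": 4624, "logon_type": 10, "account": "intern01", "host": "SRV-PRINT01"},
    {"time": "2026-02-19T22:40:58", "event_id": 4624, "logon_type": 10, "account": "intern01", "host": "SRV-WEB01"},
]

RDP_LOGON_TYPE = 10  # RemoteInteractive


def rdp_fan_out(events, window=timedelta(hours=2), min_hosts=5):
    """Return {account: sorted hosts} for every account that opened RDP sessions
    (4624 / logon type 10) to at least min_hosts distinct hosts inside any
    sliding window of the given length. Thresholds are assumed values."""
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE:
            by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    flagged = {}
    for account, logons in by_account.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break  # one hit per account is enough to raise
    return flagged


def dormant_reactivation(events, dormant_days=21):
    """Return {account: gap_in_days} for accounts with a successful logon that
    follows a gap of at least dormant_days since the account's previous logon.
    Any logon type counts here; the point is the silence before the burst."""
    times = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624:
            times[e["account"]].append(datetime.fromisoformat(e["time"]))
    flagged = {}
    for account, ts in times.items():
        ts.sort()
        for prev, cur in zip(ts, ts[1:]):
            gap = cur - prev
            if gap >= timedelta(days=dormant_days):
                flagged[account] = gap.days
                break
    return flagged


if __name__ == "__main__":
    for account, hosts in rdp_fan_out(CONSTRUCTED_EVENTS).items():
        print(f"RDP fan-out: {account} -> {len(hosts)} hosts: {', '.join(hosts)}")
    for account, days in dormant_reactivation(CONSTRUCTED_EVENTS).items():
        print(f"Dormant account active again: {account} after {days} days")
```

Both functions fire on the intern account and stay quiet for the administrator's two sessions hours apart. In a real deployment the events would come from the SIEM rather than a list, and the two findings would be joined: an account that is both dormant and fanning out is a much stronger signal than either alone.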

Data exfiltration

At 03:15, the attacker launched a bulk transfer tool to a cloud storage bucket under their control. It was configured to search for office documents, databases, emails, and sensitive files across every shared folder on the network.

Estimated outcome: 205,000 files. 175 GB of data. Including payroll records, identity documents, and banking information.

Attempted NAS encryption

That same night, the attacker accessed the organisation's four NAS servers over SSH. Logs showed failed automated script execution attempts, consistent with efforts to deploy ransomware against the storage systems. The attempt failed because the tooling was not adapted to the environment.

The morning that changed everything

It was Friday morning, 20 February. A systems administrator attempted to sign in using the Domain Admin account.

Incorrect password.

At the same time, they noticed that the intern account, which had not been legitimately used for weeks, had active sessions across multiple servers.

The incident response process was immediately triggered. Our IR team received the call on Friday and worked throughout the weekend to contain the threat and secure the infrastructure. Within the first hours:

  • An advanced EDR solution was deployed across the infrastructure.
  • The VPN was disabled.
  • All administrative credentials were rotated.
  • The compromised account was disabled.

This is not a coincidence. Attackers operate at night, and incidents erupt on Fridays. If the response had waited until Monday, the attacker would have had another 48 hours inside an environment already prepared for encryption.

What this case teaches us

After weeks of forensic analysis, these are the lessons every organisation should take seriously:

A VPN without MFA is an open door

The attacker logged in using valid credentials. Without MFA, nothing stood in their way. This remains one of the most common initial access vectors in ransomware incidents.

Least privilege is not optional

An intern account had Domain Admin rights. That single account enabled access to 26 systems, the disabling of security controls, and the exfiltration of 175 GB of sensitive data.

An antivirus that can be remotely uninstalled is not a defence

The attacker removed the corporate antivirus from servers within minutes using PsExec and a script. An EDR platform with tamper protection would likely have blocked this activity.

Without logs, investigations start blind

This deserves special attention because it was more serious than it first appeared. In this case, VPN and firewall logging had not merely stopped rotating: logging had been completely disabled.

The perimeter firewall was generating no logs at all. No VPN connection records. No traffic logs. No network traces.

As a result, we could not determine which credentials were used for the initial compromise, identify the attacker's source IP address, or fully confirm whether the 175 GB of data had successfully left the network.

We had to reconstruct the incident entirely from endpoint forensic artefacts. Like investigating a crime scene without CCTV footage.

If your firewall is not generating logs right now, you do not have visibility. And without visibility, you do not have security. You only have luck.

Network segmentation protects infrastructures

From the VPN, the attacker had visibility of the entire network. Every server, every NAS, every workstation. Proper segmentation would have significantly reduced the impact of the compromise.

Early detection was the only thing that worked, and it happened by accident

It was not the SIEM. It was not the antivirus. It was an administrator unable to log in on a Thursday morning.

If the attacker had not changed that password, the ransomware would most likely have been deployed that very night.

What every organisation should have — and many still do not

This case exposes an uncomfortable reality: most of the controls that could have prevented or detected this attack are not cutting-edge technologies. They are fundamental security measures that many organisations still fail to implement.

Centralised logging through a SIEM

It is not enough for a firewall to generate logs. Those logs must be sent to a centralised platform where they cannot easily be disabled, manipulated, or deleted by an attacker, or by a configuration mistake.

A SIEM is not only critical for incident investigations. It is also a requirement for compliance with frameworks such as NIS2, ISO 27001, and national cybersecurity regulations.
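Centralising logs only helps if someone notices when a source goes quiet: in this incident the firewall and VPN stopped producing anything and nobody was alerted. The "silent source" check below is an added example for the blind-spot section above and for this SIEM recommendation; it is not code from DEFION or from any SIEM product. It keeps, per log source, the time of the last event received and the interval at which that source normally logs, and reports any source that has been silent for more than a tolerance multiple of its interval. Source names, timestamps, intervals and the tolerance factor are constructed values for the illustration.

```python
from datetime import datetime, timedelta

# Constructed ingestion state: each log source, the timestamp of the last event
# the collector received from it, and how often it normally sends something.
# Names, times and intervals are made up for the example.
CONSTRUCTED_SOURCES = {
    "fw-perimeter-01": {"last_seen": "2026-02-17T21:58:00", "expected_interval_s": 300},
    "vpn-gateway-01":  {"last_seen": "2026-02-17T21:58:00", "expected_interval_s": 900},
    "dc01-security":   {"last_seen": "2026-02-20T07:59:30", "expected_interval_s": 60},
    "edr-console":     {"last_seen": "2026-02-20T07:59:55", "expected_interval_s": 60},
}


def observe(sources, name, ts, default_interval_s=300):
    """Record an event received from a source. Unknown sources are added with
    an assumed default interval; an older timestamp never moves last_seen back."""
    rec = sources.setdefault(name, {"last_seen": ts, "expected_interval_s": default_interval_s})
    if datetime.fromisoformat(ts) > datetime.fromisoformat(rec["last_seen"]):
        rec["last_seen"] = ts
    return rec


def silent_sources(sources, now, tolerance=3):
    """Return {source: seconds_silent} for every source whose silence exceeds
    tolerance x its expected interval. A source that normally logs every five
    minutes is reported after fifteen minutes without events."""
    now_dt = datetime.fromisoformat(now)
    silent = {}
    for name, rec in sources.items():
        quiet_for = now_dt - datetime.fromisoformat(rec["last_seen"])
        limit = timedelta(seconds=rec["expected_interval_s"] * tolerance)
        if quiet_for > limit:
            silent[name] = int(quiet_for.total_seconds())
    return silent


if __name__ == "__main__":
    for name, seconds in silent_sources(CONSTRUCTED_SOURCES, "2026-02-20T08:00:00").items():
        print(f"{name}: no events for {seconds // 3600} hours")
```

Run against the constructed state at 08:00 on the Friday morning, the check reports the firewall and the VPN gateway as silent for just over two days; the domain controller and the EDR console are within tolerance. The useful property is that the alert is about the absence of data, which a misconfiguration or a deliberate "disable logging" produces just as reliably as a failed network link.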

Enterprise-grade EDR with tamper protection

The traditional antivirus was removed within minutes using a script. An advanced EDR platform with strong detection, response, and anti-tampering capabilities would likely have blocked both the uninstallation and the malicious activity that followed.

The difference between traditional antivirus and a mature EDR platform is the difference between a lock and a monitored alarm system.

A SOC that complements MDR

Deploying EDR is necessary, but not sufficient.

The MDR service provided by the EDR vendor delivers an initial layer of detection. But a SOC adds the correlation, context, and response capability that truly makes the difference.

Correlating VPN access, mass RDP activity, and antivirus removal across SIEM and EDR telemetry would likely have triggered an earlier response, before the attacker reached the exfiltration stage.
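What that correlation could look like in practice, as an added example for this article rather than a rule from any SIEM or EDR vendor: the code below takes already-normalised events from three sources (VPN gateway, Windows Security log, EDR), and for every VPN login scores what the same account did in the following hours across all of them. The event schema, the "off-hours" definition of 20:00 to 06:00, the thresholds and weights, and the account and host names are all assumptions made for the illustration; it also assumes the EDR attributes tamper events to the account that triggered them, which not every product does.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalised events from three telemetry sources. The field
# names are this example's own schema, not any vendor's; accounts, hosts and
# times are made up.
CONSTRUCTED_TIMELINE = [
    {"ts": "2026-02-19T09:02:00", "source": "vpn",      "kind": "vpn_login",             "account": "admin.jsmith", "host": "vpn-gw-01"},
    {"ts": "2026-02-19T09:15:00", "source": "security", "kind": "rdp_logon",             "account": "admin.jsmith", "host": "SRV-FILE01"},
    {"ts": "2026-02-19T21:52:00", "source": "vpn",      "kind": "vpn_login",             "account": "intern01",     "host": "vpn-gw-01"},
    {"ts": "2026-02-19T22:04:00", "source": "security", "kind": "rdp_logon",             "account": "intern01",     "host": "SRV-FILE01"},
    {"ts": "2026-02-19T22:09:00", "source": "security", "kind": "rdp_logon",             "account": "intern01",     "host": "SRV-DB01"},
    {"ts": "2026-02-19T22:15:00", "source": "security", "kind": "rdp_logon",             "account": "intern01",     "host": "SRV-APP01"},
    {"ts": "2026-02-19T22:22:00", "source": "security", "kind": "rdp_logon",             "account": "intern01",     "host": "SRV-MAIL01"},
    {"ts": "2026-02-19T22:31:00", "source": "security", "kind": "rdp_logon",             "account": "intern01",     "host": "SRV-WEB01"},
    {"ts": "2026-02-19T22:33:00", "source": "edr",      "kind": "av_uninstalled",        "account": "intern01",     "host": "SRV-FILE01"},
    {"ts": "2026-02-19T22:36:00", "source": "edr",      "kind": "defender_rtp_disabled", "account": "intern01",     "host": "SRV-DB01"},
]

# Event kinds that mean a defence was removed or switched off (assumed names).
TAMPER_KINDS = {"av_uninstalled", "defender_rtp_disabled"}


def off_hours(ts):
    """Assumed business hours are 06:00-20:00; anything else is off-hours."""
    return ts.hour >= 20 or ts.hour < 6


def correlate(timeline, window=timedelta(hours=6), rdp_threshold=5):
    """For each VPN login, look at what the same account did within `window`
    afterwards across all sources and score the combination:
      +1 VPN login off-hours, +2 RDP to >= rdp_threshold distinct hosts,
      +3 any defence-tamper event. Returns {account: finding} for score >= 3."""
    by_account = defaultdict(list)
    for e in timeline:
        by_account[e["account"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    findings = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e["ts"])
        for i, e in enumerate(events):
            if e["kind"] != "vpn_login":
                continue
            follow = [f for f in events[i + 1:] if f["ts"] - e["ts"] <= window]
            rdp_hosts = {f["host"] for f in follow if f["kind"] == "rdp_logon"}
            tamper = [f for f in follow if f["kind"] in TAMPER_KINDS]
            score, signals = 0, []
            if off_hours(e["ts"]):
                score += 1
                signals.append("vpn_login_off_hours")
            if len(rdp_hosts) >= rdp_threshold:
                score += 2
                signals.append(f"rdp_fan_out:{len(rdp_hosts)}")
            if tamper:
                score += 3
                signals.append(f"defence_tamper:{len(tamper)}")
            if score >= 3:
                severity = "high" if score >= 5 else "medium"
                prev = findings.get(account)
                if prev is None or score > prev["score"]:
                    findings[account] = {"score": score, "severity": severity,
                                         "signals": signals, "vpn_login": e["ts"].isoformat()}
    return findings


if __name__ == "__main__":
    for account, f in correlate(CONSTRUCTED_TIMELINE).items():
        print(f"{f['severity'].upper()} {account}: {', '.join(f['signals'])} (after VPN login {f['vpn_login']})")
```

On the constructed timeline the intern account reaches the "high" band within 45 minutes of its VPN login, before any data has left the network; the administrator's daytime login followed by a single RDP session scores nothing. None of the three signals is conclusive on its own, and each lives in a different product, which is exactly why a SOC sitting on top of SIEM and EDR telemetry sees what the individual consoles do not.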

MFA on every remote access point

No exceptions.

Real least privilege, not theoretical least privilege

Regularly review which accounts hold elevated privileges and why.

An intern account with Domain Admin rights is not a small mistake. It is a ticking time bomb.

Is your organisation prepared?

This case is not unusual. It reflects a pattern we repeatedly encounter: VPNs without MFA, excessive privileges, disabled logging, and attackers operating overnight while everyone is asleep.

The difference between "contained incident" and "encrypted organisation" was, quite literally, a changed password that somebody noticed in time.

Not every organisation gets that lucky. And luck is not a security strategy.

At DEFION Security, we help organisations respond to cybersecurity incidents, deploy real detection capabilities (SIEM + SOC + EDR), and strengthen their defences before it is too late.

Ready to talk about your incident response readiness?

Our IR team is available 24/7. Whether you are in the middle of an incident or want to prepare before one occurs — we are here.