Document Network Services

What 90 Days of Monitoring Revealed About Modern Cyber Threats

02/06/2026

Cyber security threats do not always arrive in the form of ransomware or high-profile data breaches. Many attacks begin with small warning signs that go unnoticed.

Over the last 90 days, our Huntress-powered Security Operations Centre (SOC) has investigated suspicious logins, hidden email forwarding rules and insecure password storage practices across business environments. These issues represent some of the most common cyber security risks facing organisations today.

Individually, these incidents may not seem serious, but together they create opportunities for attackers to gain access, remain undetected and move through systems without raising immediate suspicion.

The findings offer a useful reminder that some of the biggest security risks are often the easiest to overlook.

Suspicious logins and unusual account activity

One of the most common issues identified during the last quarter involved unusual login behaviour. This included sign-ins from unfamiliar locations, impossible travel events and activity outside normal working patterns. While not every alert indicated a compromised account, they often highlighted behaviour that warranted further investigation.

In many cases, these alerts revealed:

  • Access attempts from unexpected locations

  • Sign-ins from devices not previously associated with the user

  • Activity occurring outside established working hours

  • Authentication patterns inconsistent with normal user behaviour

Cyber criminals frequently rely on stolen credentials rather than sophisticated malware. If a legitimate account can be accessed, an attacker may be able to operate without triggering traditional security controls.

This is why monitoring user activity remains an important layer of defence. Detecting unusual behaviour early can help prevent a minor incident from becoming a larger compromise.
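The checks listed above (unexpected location, new device, out-of-hours activity, impossible travel) can be expressed as a short review over sign-in records. This is an added example, not the SOC's or Huntress's own logic; the record layout, the speed and distance thresholds and the working-hours window are assumptions.

```python
import math
from datetime import datetime

# Constructed sign-in events: (user, UTC timestamp, latitude, longitude, device id).
SIGNINS = [
    ("alice", "2026-01-12T08:55:00", 51.5074, -0.1278, "laptop-01"),    # London
    ("alice", "2026-01-12T10:10:00", 40.7128, -74.0060, "unknown-7f"),  # New York, 75 min later
    ("bob",   "2026-01-12T09:05:00", 53.4808, -2.2426, "laptop-02"),    # Manchester
    ("bob",   "2026-01-12T23:40:00", 53.4808, -2.2426, "laptop-02"),    # same place, late night
]
MAX_SPEED_KMH = 900        # assumption: roughly airliner cruising speed
MIN_KM = 50                # assumption: ignore small jumps caused by geo-IP inaccuracy
WORK_HOURS = range(7, 20)  # assumption: 07:00-19:59 UTC is the normal working pattern

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def review_signins(events):
    """Return (user, timestamp, reason) findings in user/time order."""
    findings = []
    last = {}     # user -> (time, lat, lon) of the previous sign-in
    devices = {}  # user -> devices already seen for that user
    for user, ts, lat, lon, device in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if user in last:
            prev_when, plat, plon = last[user]
            hours = (when - prev_when).total_seconds() / 3600
            dist = haversine_km(plat, plon, lat, lon)
            if dist > MIN_KM and (hours == 0 or dist / hours > MAX_SPEED_KMH):
                findings.append((user, ts, "impossible travel"))
        if user in devices and device not in devices[user]:
            findings.append((user, ts, "new device"))
        if when.hour not in WORK_HOURS:
            findings.append((user, ts, "outside working hours"))
        last[user] = (when, lat, lon)
        devices.setdefault(user, set()).add(device)
    return findings
```

Each finding is a prompt for investigation rather than proof of compromise, which matches how the alerts above were treated.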

Hidden email rules and mailbox manipulation

Another recurring issue was suspicious mailbox rules. While email rules are meant to help users manage their inboxes, attackers often misuse them once they have gained access to an account.

A compromised mailbox may be configured to:

  • Automatically delete incoming emails

  • Move messages to hidden folders

  • Forward emails to external addresses

  • Conceal security alerts and password reset notifications

These changes can allow attackers to maintain access for extended periods without attracting attention. Because mailbox rules operate quietly in the background, they can remain undetected for weeks or even months. During that time, attackers may monitor communications, gather information and prepare for further attacks.

Regular mailbox reviews and ongoing monitoring can help identify suspicious changes before they cause significant damage.
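A mailbox review of this kind can be automated over an export of inbox rules. The following is an added example, not the SOC's tooling: it assumes rules exported as dictionaries using the property names of Exchange Online's `Get-InboxRule` output, with `Mailbox` as a hypothetical field added by the export, and the domain, folder and keyword lists are assumptions to tune per organisation.

```python
import re

INTERNAL_DOMAINS = {"example.co.uk"}  # assumption: the organisation's own mail domains
HIDING_FOLDERS = {"rss feeds", "conversation history", "archive", "junk email"}  # assumption
ALERT_WORDS = {"password", "reset", "security", "verification", "mfa", "sign-in"}  # assumption
ADDR = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed rule export for illustration.
RULES = [
    {"Mailbox": "alice@example.co.uk", "Name": "rule-1", "DeleteMessage": False,
     "ForwardTo": ['"Drop" [SMTP:drop@mail.example.net]'], "SubjectContainsWords": []},
    {"Mailbox": "alice@example.co.uk", "Name": "rule-2", "DeleteMessage": True,
     "SubjectContainsWords": ["password reset", "security alert"]},
    {"Mailbox": "bob@example.co.uk", "Name": "Newsletters", "DeleteMessage": False,
     "MoveToFolder": "Newsletters", "RedirectTo": ["pa@example.co.uk"]},
    {"Mailbox": "carol@example.co.uk", "Name": "rule-3", "DeleteMessage": False,
     "MoveToFolder": "RSS Feeds", "SubjectContainsWords": []},
]

def external_targets(rule):
    """Addresses outside INTERNAL_DOMAINS in any forwarding or redirect field."""
    targets = []
    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for entry in rule.get(field) or []:
            m = ADDR.search(entry)
            if m and m.group(1).lower() not in INTERNAL_DOMAINS:
                targets.append(m.group(0).lower())
    return targets

def audit_rule(rule):
    """Return the reasons a single rule deserves review (empty list if none)."""
    reasons = []
    ext = external_targets(rule)
    if ext:
        reasons.append("forwards externally: " + ", ".join(ext))
    words = " ".join(rule.get("SubjectContainsWords") or []).lower()
    folder = (rule.get("MoveToFolder") or "").lower()
    hides = bool(rule.get("DeleteMessage")) or folder in HIDING_FOLDERS
    if hides and any(w in words for w in ALERT_WORDS):
        reasons.append("hides security notifications")
    elif rule.get("DeleteMessage") and not words:
        reasons.append("deletes all incoming mail")
    elif folder in HIDING_FOLDERS:
        reasons.append("moves mail to a rarely viewed folder")
    return reasons

def audit(rules):
    """Map (mailbox, rule name) to reasons, for rules with at least one reason."""
    flagged = {(r["Mailbox"], r["Name"]): audit_rule(r) for r in rules}
    return {key: why for key, why in flagged.items() if why}
```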

Passwords stored in documents and spreadsheets

The third trend identified involved passwords being stored in unsecured files.

Alerts highlighted the presence of documents, spreadsheets and notes containing passwords or sensitive login information. While often created for convenience, these files can present a significant security risk.

If a user account or device is compromised, attackers may gain immediate access to additional systems without needing to crack passwords or bypass security controls.

Common examples include:

  • Password lists stored in spreadsheets

  • Login details saved in text documents

  • Shared files containing administrative credentials

  • Documents containing credentials for third-party services

Although this practice remains common, it significantly increases risk.

Password managers provide a far more secure alternative by encrypting credentials and restricting access to authorised users.
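To find the kind of files described in this section, a scan can look for credential-style lines and password columns in plain-text and CSV files. This is an added example, not the SOC's detection; the patterns and file suffixes are assumptions, binary spreadsheet formats are not parsed, and findings report only the location so the secret itself is never copied into the report.

```python
import csv
import io
import re
from pathlib import Path

# "password: value" style lines; a label with no value after it is not reported.
KEY = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd|secret|api[_ -]?key)\b\s*[:=]\s*(\S+)")
HEADER = re.compile(r"(?i)^(pass(?:word|wd)?|pwd|secret)$")
TEXT_SUFFIXES = {".txt", ".csv", ".md", ".ini", ".cfg"}  # assumption: plain-text formats only

# Constructed file contents for illustration.
SAMPLES = {
    "notes.txt": "VPN details\nuser: jsmith\nPassword: Example-Pass-1\nmeeting at 3pm\n",
    "suppliers.csv": "Service,Username,Password\nPortal A,admin,Example-Pass-2\nPortal B,ops,\n",
    "minutes.txt": "Agreed to review the password policy next month.\n",
}

def scan_text(name, text):
    """Return (file, line number, kind) findings without echoing any secret value."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if KEY.search(line):
            findings.append((name, no, "key=value credential"))
    if name.lower().endswith(".csv") and text.strip():
        rows = list(csv.reader(io.StringIO(text)))
        cols = [i for i, h in enumerate(rows[0]) if HEADER.match(h.strip())]
        for no, row in enumerate(rows[1:], 2):  # row 1 is the header
            if any(i < len(row) and row[i].strip() for i in cols):
                findings.append((name, no, "password column"))
    return findings

def scan_samples(samples):
    """Scan a {file name: content} mapping, in name order."""
    findings = []
    for name in sorted(samples):
        findings += scan_text(name, samples[name])
    return findings

def scan_tree(root):
    """Scan every plain-text file under a directory such as a shared drive export."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in TEXT_SUFFIXES:
            findings += scan_text(path.name, path.read_text(errors="replace"))
    return findings
```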

What these findings tell us

The most significant lesson from the last 90 days is that attackers do not always rely on advanced techniques. More often, they take advantage of overlooked settings, compromised credentials and everyday habits that create opportunities for unauthorised access.

Suspicious logins, hidden email rules and exposed passwords may seem unrelated, but they share a common theme: each creates a pathway that allows attackers to operate without immediately attracting attention.

Effective cyber security is not only about preventing attacks, but also about identifying the small indicators that suggest something is wrong and responding before a minor issue becomes a serious incident.

Key actions for businesses

Every organisation should regularly review the following areas:

  • User login activity and authentication logs

  • Mailbox forwarding rules and inbox configurations

  • Password storage practices across the business

  • Use of password managers and multi-factor authentication

  • Monitoring and alerting capabilities

These checks are straightforward to implement and can significantly reduce the likelihood of a successful attack.

The threats we encounter most often are rarely the headline-grabbing incidents that make the news. More often, they are subtle warning signs hidden within everyday activity. Recognising those warning signs early remains one of the most effective ways to strengthen your organisation's cyber security.

The findings from the last 90 days highlight a simple point: the greatest cyber security risks are often not the most obvious ones. Suspicious logins, hidden email rules and exposed passwords can all go unnoticed without the right visibility and monitoring in place.

How DNS can help

At DNS, we choose our customers as carefully as they choose their IT provider. We believe managed IT support and cyber security should be built on trust, collaboration and a shared commitment to best practice.

Rather than working with every organisation, we focus on building long-term partnerships with businesses that value proactive support, strong security and strategic guidance.

If that sounds like the type of relationship you're looking for, please get in touch with our team. We'd be delighted to speak with you.
