Case study · Managed ITDR + MDR (Protected tier)
A 4-Operatory Dental Practice, a $48K Wire, and the Inbox Rule That Almost Worked
Anonymized composite case study — adversary-in-the-middle phishing on a 4-operatory dental practice, mailbox rule staged for wire-fraud, and the 11-minute Huntress ITDR alert chain that broke it.
Most wire-fraud calls into Obsidian Ridge start the same way: an office manager on the phone, voice tight, asking whether the bank can pull a payment back. This one was different. The practice owner called to say thank you — the wire never went out at all.
Situation
A 4-operatory single-location dental practice in the Mid-Atlantic. Twelve staff, Microsoft 365 Business Premium, Dentrix on a local server. The practice manager handles billing, lab orders, and most vendor payments — the usual single-point-of-trust setup in a small dental office.
Cyber insurance was up for renewal in ninety days. The practice had recently added Obsidian Ridge's Protected tier — MDR, Managed ITDR, and security awareness training — after the office manager attended a state dental association talk and walked out unsettled. That decision is the only reason this case study exists.
Detection
Tuesday, 2:14 PM. The office manager received an email styled as an ADA membership renewal and clicked through to what looked like a clean Adobe sign-in page. She entered her M365 password, approved the Authenticator push, and the page redirected to a generic landing. Nothing felt wrong.
The page was an adversary-in-the-middle proxy — an EvilProxy variant, per the Huntress ITDR classification — that captured both her password and the post-MFA session token. Within seconds the kit replayed that token from a foreign IP and signed in as her, fully authenticated, no second prompt.
Then it did the thing that gives this attack pattern away. It created a mailbox rule:
- Match: wire OR ACH OR routing OR "account number"
- Forward externally to a throwaway Outlook address
- Mark as read, move to RSS Subscriptions
That rule is a well-known wire-fraud staging signature. Within eleven minutes, Huntress Managed ITDR fired three correlated alerts: impossible-travel sign-in, anomalous mailbox rule creation matching the wire-fraud pattern, and an OAuth consent grant to an unrecognized third-party app.
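The rule-creation detection described above, written out as an added example (this is not Huntress or Obsidian Ridge code). It scores Exchange Online `New-InboxRule` / `Set-InboxRule` audit records for the wire-fraud staging pattern (financial keyword filter, external forward, hide-and-mark-read) and escalates when an Entra sign-in from an unexpected country precedes the rule within an hour, which is the impossible-travel correlation the alert chain relied on. Assumptions: the audit record shape (a `Parameters` list of Name/Value pairs, as Exchange audit records use), the tenant domain `example-dental.invalid`, the expected sign-in country `US`, the scoring weights and the threshold of 5; all sample records are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumptions: the practice's own mail domain and the country staff normally
# sign in from. Neither value comes from the case study.
TENANT_DOMAINS = {"example-dental.invalid"}
EXPECTED_COUNTRIES = {"US"}

# Financial terms attackers filter on, and folders used to hide forwarded mail.
WIRE_KEYWORDS = {"wire", "ach", "routing", "account number", "invoice", "payment"}
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                "junk email", "deleted items", "archive"}


def _params(record):
    """Exchange audit records carry rule settings as Name/Value pairs."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _addresses(value):
    """Extract SMTP addresses from a ForwardTo/RedirectTo value; handles both
    'user@domain' and 'Display Name [SMTP:user@domain]' forms."""
    found = re.findall(r"SMTP:([^\]\s;]+)", value, flags=re.I)
    if found:
        return [a.lower() for a in found]
    return [t.strip().lower() for t in value.split(";") if "@" in t]


def _is_external(address):
    return address.rsplit("@", 1)[-1] not in TENANT_DOMAINS


def score_inbox_rule(record):
    """Return (score, reasons) for one rule record. Score >= 5 is treated as
    wire-fraud staging; 0 means nothing suspicious was found."""
    if record.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return 0, []
    p = _params(record)
    score, reasons = 0, []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        ext = [a for a in _addresses(p.get(key, "")) if _is_external(a)]
        if ext:
            score += 3
            reasons.append(f"{key} sends mail outside the tenant: {', '.join(ext)}")
    for key in ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords"):
        words = {w.strip().strip('"').lower() for w in p.get(key, "").split(";") if w.strip()}
        hits = sorted(words & WIRE_KEYWORDS)
        if hits:
            score += 2
            reasons.append(f"{key} filters on financial terms: {hits}")
    if p.get("MoveToFolder", "").lower() in HIDE_FOLDERS or p.get("DeleteMessage") == "True":
        score += 1
        reasons.append("matching mail is hidden from the mailbox owner")
    if p.get("MarkAsRead") == "True":
        score += 1
        reasons.append("MarkAsRead=True suppresses the unread indicator")
    return score, reasons


def _ts(value):
    """Both log sources use ISO-8601; naive timestamps are treated as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def correlate_signin(rule_record, signins, window_minutes=60):
    """Return the first Entra sign-in by the same user from an unexpected
    country within `window_minutes` before the rule was created, else None."""
    created = _ts(rule_record["CreationTime"])
    user = rule_record["UserId"].lower()
    for s in signins:
        if s["userPrincipalName"].lower() != user or s.get("country") in EXPECTED_COUNTRIES:
            continue
        if timedelta(0) <= created - _ts(s["createdDateTime"]) <= timedelta(minutes=window_minutes):
            return s
    return None


def triage(rule_records, signins):
    """Alert on rules scoring >= 5; escalate when a foreign sign-in precedes them."""
    alerts = []
    for r in rule_records:
        score, reasons = score_inbox_rule(r)
        if score < 5:
            continue
        hit = correlate_signin(r, signins)
        alerts.append({"user": r["UserId"], "rule": _params(r).get("Name", "<unnamed>"),
                       "score": score, "reasons": reasons,
                       "severity": "critical" if hit else "high",
                       "preceding_signin": hit and f'{hit["ipAddress"]} ({hit["country"]})'})
    return alerts


# Constructed sample records shaped like Unified Audit Log (Exchange) and Entra
# sign-in entries. No value here is taken from the case study.
SAMPLE_RULES = [
    {"CreationTime": "2025-03-04T19:21:07", "Operation": "New-InboxRule",
     "UserId": "officemanager@example-dental.invalid", "ClientIP": "203.0.113.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": 'wire;ACH;routing;"account number"'},
                    {"Name": "ForwardTo", "Value": "Billing [SMTP:billing.desk2025@outlook.invalid]"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
    {"CreationTime": "2025-03-04T15:02:44", "Operation": "New-InboxRule",
     "UserId": "frontdesk@example-dental.invalid", "ClientIP": "198.51.100.10",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@ada.invalid"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]
SAMPLE_SIGNINS = [
    {"userPrincipalName": "officemanager@example-dental.invalid", "ipAddress": "203.0.113.77",
     "country": "NL", "createdDateTime": "2025-03-04T19:14:30Z"},
    {"userPrincipalName": "officemanager@example-dental.invalid", "ipAddress": "198.51.100.10",
     "country": "US", "createdDateTime": "2025-03-04T13:05:02Z"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_RULES, SAMPLE_SIGNINS):
        print(a["severity"].upper(), a["user"], repr(a["rule"]), "score", a["score"])
        for reason in a["reasons"]:
            print("  -", reason)
        if a["preceding_signin"]:
            print("  preceded by sign-in from", a["preceding_signin"])
```

Run against the samples, the staged rule scores 7 and is escalated to critical because a Dutch sign-in by the same user lands six minutes before it; the front desk's newsletter rule scores 0 and produces no alert. The forwarding check alone carries the heaviest weight on purpose: a keyword filter without an external forward is often legitimate, while an external forward on a financial keyword filter almost never is.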
The office manager was still seeing patients. She did not know any of this had happened.
Response
Huntress' 24/7 SOC revoked the active session and disabled the OAuth consent grant as the first containment action — kill the stolen cookie, because a password reset alone does not. Obsidian Ridge's on-call practitioner was on the phone with the practice owner within fourteen minutes of the initial click.
The malicious mailbox rule was preserved for forensic capture, then removed. The password was force-rotated, MFA was re-registered to a fresh authenticator profile, and every active session across every device was revoked in one sweep.
A thirty-minute review of the Unified Audit Log and Entra sign-in logs confirmed the scope: no patient records accessed, no other mailboxes touched, no outbound mail sent. The attacker set the trap and never got to spring it.
Sitting in her inbox, received but not yet paid, was the dental lab's monthly invoice — $48,000. That was the wire the rule had been built to redirect.
Outcome
- The $48,000 lab payment proceeded normally three days later, paid to the correct account after an out-of-band callback
- Zero patient records exfiltrated, no HIPAA Breach Notification Rule trigger
- Cyber insurance renewal proceeded at standard rating with a one-tier improvement, attributable to the documented MDR, ITDR, and SAT program
- The forensic record was packaged for the carrier as a near-miss event with documented controls — the kind of file underwriters favor at renewal review
Controls that mattered
- Huntress Managed ITDR's mailbox-rule anomaly detection. The wire / ACH / routing keyword pattern is a known BEC signature, and the detection fires within minutes of rule creation, not after the wire goes out.
- 24/7 SOC plus a practitioner on-call. The owner did not have to interpret an alert at 2:14 PM in the middle of patient care. Someone else read it, contained it, and called her.
- Session-token revocation as the first move. Not a password reset. AiTM attackers hold a cookie, not a credential — kill the cookie.
- Audit-log preservation before rule deletion. Forensics first, cleanup second. The insurance file needed the evidence intact.
- Pre-existing relationship. The on-call number was already in the office manager's phone — not on a sticky note in a drawer.
What did not save the day
The office manager's MFA. AiTM kits like EvilProxy, Tycoon, and Mamba 2FA bypass MFA by stealing the post-authentication session token — once that cookie is replayed, the tenant treats the attacker as fully authenticated. Detection at the identity-behavior layer is what catches this. MFA is necessary but not the finish line.
What the practice changed afterward
- Out-of-band callback verification for any payment-instruction change, no exceptions — even from the regular lab they had worked with for eight years
- The office manager and bookkeeper completed a focused 20-minute SAT module on payment-redirect themes
- A quarterly tabletop exercise was added to the cyber insurance renewal file
Disclosure
This case study is an anonymized composite drawn from patterns Obsidian Ridge sees across small dental practices. Timestamps, dollar amounts, and operational details have been adjusted to protect the practice's identity and align with publicly documented attack patterns. The TTPs described — AiTM session-token theft and mailbox-rule wire-fraud staging — are real and well-documented in the 2024–2025 Coveware quarterlies, the Sophos State of Ransomware in Healthcare 2024 report, FBI IC3 BEC public service announcements, and HHS OCR breach disclosures. No single client is identifiable from this narrative.
If you run a dental practice and want to know what the Protected tier actually does on a Tuesday afternoon, start at the dental practice page or read The Briefing for weekly write-ups of patterns like this before they reach your inbox.
Compare your situation
The briefing is free.
Thirty minutes, an honest read on your environment, and a clear next step — or a clear “you don't need what we sell.”
