#37516 Account compromise, timeline, and actions
Customer Reply
2 Normal
Created Mar 11, 2026, 9:39 PM
Artichoke Support - Peet (internal)
Mar 11, 2026, 9:39 PM
| Started | Ended | Hours | Notes |
|---|---|---|---|
| No time entries | |||
Hi Anna (and all),
I want to walk you through exactly what happened with your email account so you fully understand the sequence of events. I also want to point out some things that should have been red flags with the email that started all of this, so that you and the rest of the team can recognize these in the future.
What Happened
Thursday, February 13 — A phishing email arrived titled “Central Montana Lock & Safe Shared Documents With You Via OneDrive,” sent from the compromised account of a real local business ([email protected]). Microsoft Defender correctly identified this email as a phishing attack and quarantined it. It never reached your inbox; the system did its job.
Saturday-Sunday, February 14-15 - Central Montana Lock & Safe performed real work at the property over the weekend. The phishing email was already sitting in quarantine before this work ever happened.
Monday, February 16 - The real invoice from Central Montana Lock & Safe was delivered to your inbox: “Here is a copy of an invoice for work over the weekend.”
Tuesday, February 17 - You went into your quarantine folder at 9:46 AM, previewed the phishing email at 9:47 AM, and released it from quarantine into your inbox yourself. Because Central Montana Lock & Safe had just done work for you and you had already received their real invoice, you likely assumed the quarantined message was related. But the phishing email arrived on the 13th, beforeany work was done and before the real invoice existed. At approximately 11:55 AM, you clicked...