If the U.S. Treasury Can Be Breached, So Can You: Lessons from the OCC Cyberattack

Within the United States Department of the Treasury, there exists an Office of the Comptroller of the Currency (OCC). The mission of the OCC is to ensure the safety and soundness of the U.S. banking system, and it monitors bank assets, earnings, and even the IT infrastructure of banks. And while the OCC was making sure its constituent banks were following cybersecurity and compliance standards, it didn’t realize that a malicious threat actor was inside its own systems, evading detection while reading confidential emails and documents.

In February of 2025, the OCC announced publicly that it had detected a breach in which attackers using administrative accounts had gained access to more than 100 employee email accounts and more than 150,000 emails. The attackers had been inside OCC systems for more than a year. The communications they were able to view included financial supervision information, national security data related to cybersecurity and vulnerability reports, and confidential bank financial information. Ultimately, it took a team of Microsoft engineers conducting advanced threat hunting to determine that a breach had occurred, a testament to how well hidden and organized this threat actor group was.

Defending Against Hard-to-Detect Email Threats 

Modern email threats are becoming increasingly sophisticated, often bypassing traditional security filters and targeting users with highly convincing phishing, spoofing, and business email compromise attacks. Attackers don’t rely on email alone to deliver their payload; they can also use drive-by website attacks, making ordinary web browsing a risky activity. Since users now access email from multiple devices, including personal cell phones and computers, the attack surface of email accounts has grown in ways that are not easily seen.

At Network 1, our approach to overcoming these types of attacks combines access controls, security platforms, and user awareness to identify and neutralize even the most elusive threats before they can cause harm. 

  • Account Access Restrictions: We enforce controls on accounts and log-in points and regularly review access rights to minimize the risk of unauthorized entry and lateral movement within email systems. 
  • Security Reviews: We conduct ongoing security assessments and audits of email environments to identify vulnerabilities, ensure compliance with best practices, and adapt to emerging threats. 

The OCC incident proves that even the most secure federal agencies need specialized and proactive monitoring. Waiting for Microsoft to let you know that you’ve been compromised is not how any business should operate. We ensure our clients are never in the dark by providing Managed Detection and Response services to prevent the nuanced, stealthy access methods used in the OCC attack. We enforce controls on email accounts and use advanced tools to spot anomalies long before they become problems. Don’t leave your most sensitive data and client communications to chance; let our expertise be your invisible line of defense. 
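The OCC attackers used administrative accounts to read more than 100 employee mailboxes, a pattern that stands out in mailbox-access audit data if someone is looking for it. The following is an added illustration, not code from Network 1 or the OCC: it scans constructed audit events in an assumed, simplified line format (timestamp, acting account, mailbox opened, operation) and flags any account that reads an unusual number of mailboxes other than its own.

```python
from collections import defaultdict

# Constructed sample audit events in a simplified, assumed line format
# (timestamp, acting account, mailbox opened, operation). This is not a
# real Microsoft 365 audit schema; adapt the parser to your platform's export.
SAMPLE_EVENTS = """\
2025-01-10T08:02:11Z alice@example.gov alice@example.gov MailItemsAccessed
2025-01-10T08:05:32Z helpdesk@example.gov bob@example.gov MailItemsAccessed
2025-01-10T08:06:10Z helpdesk@example.gov carol@example.gov MailItemsAccessed
2025-01-11T02:14:03Z admin.svc@example.gov alice@example.gov MailItemsAccessed
2025-01-11T02:14:51Z admin.svc@example.gov bob@example.gov MailItemsAccessed
2025-01-11T02:15:27Z admin.svc@example.gov carol@example.gov MailItemsAccessed
2025-01-11T02:16:02Z admin.svc@example.gov dave@example.gov MailItemsAccessed
2025-01-11T02:16:44Z admin.svc@example.gov erin@example.gov MailItemsAccessed
2025-01-12T09:30:00Z bob@example.gov bob@example.gov MailItemsAccessed
"""

# Operations that mean mail content was actually read (assumed set).
WATCHED_OPS = {"MailItemsAccessed"}

def parse_events(text):
    """Yield (timestamp, actor, mailbox, operation) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield tuple(parts)

def foreign_mailboxes_per_actor(events):
    """Map each actor to the set of mailboxes it read that are not its own."""
    seen = defaultdict(set)
    for _ts, actor, mailbox, op in events:
        if op in WATCHED_OPS and actor.lower() != mailbox.lower():
            seen[actor.lower()].add(mailbox.lower())
    return seen

def flag_broad_readers(text, threshold=3):
    """Return {actor: distinct_foreign_mailbox_count} for actors at or above threshold.

    Reading one's own mailbox never counts; a helpdesk account touching a couple
    of mailboxes stays below the default threshold, while an account sweeping
    many mailboxes (the OCC pattern) is reported.
    """
    per_actor = foreign_mailboxes_per_actor(parse_events(text))
    return {a: len(m) for a, m in per_actor.items() if len(m) >= threshold}

if __name__ == "__main__":
    for actor, n in flag_broad_readers(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} read {n} mailboxes other than its own")
```

The threshold and the set of watched operations are tuning knobs; baseline them against normal helpdesk and migration activity in your own environment before alerting.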


Security Team: We monitor threats, strengthen defenses, deliver policies & training and help keep your business protected. With proactive support, expert guidance, and fast response times, we help prevent breaches before they happen and stop breaches if they do happen.

Network 1 designs, builds and supports the IT you need to run your business more securely, productively and successfully. Whether you want to outsource all of your IT needs to a reliable, responsive, service-oriented company, or need to supplement the work of your internal IT staff, we will carefully evaluate where you are now, discuss where you want to go and implement and support a plan to get you there with as little interruption as possible.
