← Blog

Anatomy of a breach: how attackers actually move, step by step

Tenant Strike4 min read

A real breach is rarely one dramatic moment. It is a chain of small steps, each one ordinary. Seeing the whole sequence shows you where it can be broken — and how breaking one link stops the rest.

In the movies, a breach is one dramatic moment — a progress bar hitting 100% and the word ACCESS GRANTED. Real attacks look nothing like that. A real breach is a chain of small, individually unremarkable steps, each one setting up the next. That's actually good news, because a chain can be broken at any link — and breaking one link stops everything after it. Here's how an attack typically unfolds, and where you can cut it.

Step 1: Research

Before anything else, the attacker learns about you. They read your website, your team's LinkedIn, your social posts. They figure out who handles money, who's in charge, what software you use, and who your suppliers are. None of this touches your systems; it's all public. The output is a target list and the raw material for a convincing approach.

Where you cut it: be deliberate about what you broadcast, and assume anyone interesting to a customer is also interesting to an attacker.

Step 2: The way in

Next, the attacker needs a foothold. For small businesses, the way in is almost always one of a few: a phishing email that captures a password, a reused password leaked from someone else's breach, a convincing scam call, or an unpatched system exposed to the internet. Note what's missing — sophisticated hacking. The front door is usually a person or a known, fixable weakness.

Where you cut it: multi-factor authentication and unique passwords defeat stolen credentials; a wary team defeats the phishing and the calls; keeping systems patched closes the technical doors.

Step 3: Quiet expansion

Once in, an attacker rarely acts immediately. They look around. From one compromised mailbox they read messages to understand your business, set up a hidden forwarding rule to keep watching, and look for ways to reach more — other accounts, shared files, the systems an administrator can touch. They're trying to turn a small foothold into broad access, and they prefer to stay invisible while they do it.

Where you cut it: limiting each account to what it actually needs (so one foothold doesn't reach everything), and watching for the tell-tale signs — new forwarding rules, logins from odd places, unusual access — catches them in this quiet phase, which is where you have the most time to respond.

Step 4: The damage

Finally, the attacker acts on the goal. That might be business email compromise — sending a fake invoice or rerouting a payment from a real, trusted mailbox. It might be stealing data to sell or to extort. It might be deploying ransomware across everything they can reach. Whatever it is, this is the loud part, and by the time you notice, the earlier steps are long done.

Where you cut it: tested backups turn a ransomware attack into an inconvenience; out-of-band verification of payments defeats invoice fraud; the limits you set in Step 3 cap how much any one foothold can ultimately do.

The point: you don't have to win every step

The reassuring truth in this sequence is that the attacker has to succeed at every link, and you only have to break one. They can do all the research in the world, but if a stolen password hits enforced multi-factor authentication, the chain stops at Step 2. They can get into one mailbox, but if that account can't reach much, Step 3 stalls. They can attempt ransomware, but if your backups are solid, Step 4 fizzles.

This is also why thinking in chains is more useful than chasing a single magic fix. Security isn't one wall; it's several modest hurdles, any of which can end the attack. A small business doesn't need to be impenetrable. It needs enough good links that the chain breaks somewhere.

Seeing your own chain clearly is the hard part, because the weak links hide in dozens of settings. This is exactly what Tenant Strike is built for: it connects to your Microsoft 365 and Azure in read-only mode, and instead of a list of disconnected issues, it shows you the actual attack paths — which weaknesses combine into a real break-in, and the single fix that breaks each chain. Five minutes gives you the map an attacker would have to work months to build.

AI-researched from public sources. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.