
▶️ Duolingo Phish!


Case Summary

On October 7, 2025, beginning at approximately 04:00 UTC, Maple Tax Solutions became the target of a multi-stage intrusion.

By 04:13 UTC, Defender logs recorded activity from the external IP address 81.141.209.165, confirming unauthorized access: the attacker had gained remote access to a contractor workstation (MTS-ContractorPC1) using valid credentials. At 04:18 UTC, the attacker retrieved a PowerShell script (kb5029244.ps1) from an external server, staging their tooling inside the environment. The filename imitates a Windows update (KB) package number, which helps it blend in with legitimate patching activity.

At 06:07 UTC, the attacker modified Defender exclusions, reducing the endpoint agent's visibility into their tooling, and executed systeminfo.exe to gather host details. Nine minutes later, at 06:16 UTC, they established persistence through a startup registry entry named OneDriveStandalone, a name that resembles the legitimate OneDrive client. At 06:38 UTC, they ran mimikatz.exe to extract credentials from memory, gaining elevated access.

At 07:02 UTC, the attacker moved laterally to the domain controller (MTC-DC). By 07:35 UTC, a second external IP (78.141.205.85) accessed the domain controller, indicating continued control and staging.

At 08:00 UTC, the attacker opened a file named Bank_Routing_Number.txt, apparently to assess its value. Seconds later, at 08:00:34 UTC, they created a ZIP archive (backup.zip) to stage the collected data. At 08:11 UTC, the attacker likely uploaded the archive to a public file-sharing site (www.file.io); using a legitimate service for the transfer lets exfiltration traffic blend in with ordinary web browsing.
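
The timeline above can be reconstructed mechanically from endpoint telemetry. The following Python script is an added example and not part of the original write-up: it runs the summary's indicators (the two external IPs, kb5029244.ps1, systeminfo.exe, the OneDriveStandalone registry value, mimikatz.exe, Bank_Routing_Number.txt, backup.zip and www.file.io) over constructed Defender-style events, labels each hit with its attack stage, and computes the hosts touched and the elapsed window. The event records, their field names and the benign filler row are assumptions, not logs exported from the case.

```python
"""Reconstruct the intrusion timeline from Defender-style telemetry.

Added example, not part of the original case write-up. The event records
are constructed to mirror the indicators named in the summary; the field
names (Timestamp, DeviceName, ActionType, detail keys) only loosely follow
Microsoft Defender advanced-hunting tables and are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Indicators taken from the case summary.
IOC_IPS = {"81.141.209.165", "78.141.205.85"}
# Indicator -> attack stage. systeminfo.exe is a built-in tool and only means
# something next to the other hits; it is listed because the summary ties it
# to the discovery step.
STAGE_BY_INDICATOR = {
    "kb5029244.ps1": "Execution / tool staging",
    "systeminfo.exe": "Discovery",
    "OneDriveStandalone": "Persistence",
    "mimikatz.exe": "Credential Access",
    "Bank_Routing_Number.txt": "Collection",
    "backup.zip": "Collection",
    "www.file.io": "Exfiltration",
}

# Constructed telemetry (UTC): (Timestamp, DeviceName, ActionType, detail).
# Times follow the case summary; the OneDrive.exe row is benign filler.
EVENTS = [
    ("2025-10-07T04:05:12Z", "MTS-ContractorPC1", "LogonFailed", {"RemoteIP": "142.90.213.242"}),
    ("2025-10-07T04:07:58Z", "MTS-ContractorPC1", "LogonSuccess", {"RemoteIP": "81.141.209.165"}),
    ("2025-10-07T04:18:00Z", "MTS-ContractorPC1", "FileCreated", {"FileName": "kb5029244.ps1"}),
    ("2025-10-07T05:30:00Z", "MTS-ContractorPC1", "ProcessCreated", {"FileName": "OneDrive.exe"}),
    ("2025-10-07T06:07:00Z", "MTS-ContractorPC1", "ProcessCreated", {"FileName": "systeminfo.exe"}),
    ("2025-10-07T06:16:00Z", "MTS-ContractorPC1", "RegistryValueSet", {"RegistryValueName": "OneDriveStandalone"}),
    ("2025-10-07T06:38:00Z", "MTS-ContractorPC1", "ProcessCreated", {"FileName": "mimikatz.exe"}),
    ("2025-10-07T07:35:00Z", "MTC-DC", "LogonSuccess", {"RemoteIP": "78.141.205.85"}),
    ("2025-10-07T08:00:00Z", "MTC-DC", "FileAccessed", {"FileName": "Bank_Routing_Number.txt"}),
    ("2025-10-07T08:00:34Z", "MTC-DC", "FileCreated", {"FileName": "backup.zip"}),
    ("2025-10-07T08:11:00Z", "MTC-DC", "ConnectionSuccess", {"RemoteUrl": "www.file.io"}),
]


@dataclass(frozen=True)
class Hit:
    timestamp: datetime
    device: str
    stage: str
    indicator: str
    action: str


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _match(action: str, detail: dict) -> Optional[tuple]:
    """Return (indicator, stage) when an event touches a known indicator."""
    if action == "LogonSuccess" and detail.get("RemoteIP") in IOC_IPS:
        return detail["RemoteIP"], "Remote access from external IP"
    for key in ("FileName", "RegistryValueName", "RemoteUrl"):
        value = detail.get(key)
        if value in STAGE_BY_INDICATOR:
            return value, STAGE_BY_INDICATOR[value]
    return None


def hunt(events) -> list:
    """Return indicator hits ordered by time."""
    hits = []
    for ts, device, action, detail in events:
        found = _match(action, detail)
        if found:
            hits.append(Hit(parse_ts(ts), device, found[1], found[0], action))
    return sorted(hits, key=lambda h: h.timestamp)


def attack_window(hits) -> timedelta:
    """Elapsed time from the first to the last indicator hit."""
    if not hits:
        return timedelta(0)
    return hits[-1].timestamp - hits[0].timestamp


def hosts_in_order(hits) -> list:
    """Devices in the order the attacker first touched them."""
    seen = []
    for h in hits:
        if h.device not in seen:
            seen.append(h.device)
    return seen


if __name__ == "__main__":
    hits = hunt(EVENTS)
    for h in hits:
        print(f"{h.timestamp:%H:%M:%S}  {h.device:<18} {h.stage:<32} {h.indicator}")
    print("hosts:", " -> ".join(hosts_in_order(hits)))
    print("window:", attack_window(hits))
```

Run stand-alone, it prints the nine hits in order, the host sequence MTS-ContractorPC1 -> MTC-DC, and a window of 4:03:02, the span the summary describes. Against a live tenant the same indicator list would drive an advanced-hunting query across DeviceProcessEvents, DeviceFileEvents, DeviceRegistryEvents and DeviceNetworkEvents; the stage labels are what make the progression (remote access, staging, discovery, persistence, credential access, collection, exfiltration) readable at a glance.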

The attacker's use of public infrastructure, credential harvesting, and stealthy data transfer demonstrates a high level of operational efficiency. Their actions impacted the confidentiality of client financial records and the integrity of internal systems. The incident spanned multiple stages of compromise, from initial access to exfiltration, all within roughly four hours.

This case highlights the importance of timely detection, strong access controls, continuous monitoring, layered defense, and rapid response capabilities.

Analysts

Analyst: Toukee Vang

Initial Access


On October 7, 2025, at 04:07:58 UTC, an attacker successfully authenticated to Maple Tax Solutions' contractor workstation (MTS-ContractorPC1) via Remote Desktop Protocol (RDP). The session originated from IP address 81.141.209.165 and used valid credentials for the local administrator account MTS-Contractor\administrator.

Just prior to this, a failed login attempt was recorded from a different IP address, 142.90.213.242, suggesting reconnaissance or credential testing before the successful breach. The attacker's use of valid credentials and apparent familiarity with the environment indicate prior knowledge, possibly obtained through phishing or credential reuse. An RDP logon to a workstation from a public IP address with a local administrator account is suspicious on its own, since that combination rarely has a legitimate business purpose.
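
The initial-access pattern described here (a failed attempt from one public address, then a successful RDP logon with a privileged local account from another) is straightforward to detect from Windows logon events. The script below is an added example, not part of the original write-up: it walks constructed Security events 4624 (logon success) and 4625 (logon failure), flags RemoteInteractive (LogonType 10) successes from globally routable addresses, and enriches each with the failures seen on the same host in the preceding fifteen minutes. The events, the dict field names, the internal filler logons (user jdoe, svc_backup, the 10.20.x.x addresses) and the lookback window are assumptions.

```python
"""Flag RDP logons from public IP addresses and the failed attempts preceding them.

Added example, not part of the original case write-up. The events are
constructed to mirror the Initial Access section; the dict fields are a
simplified projection of Windows Security events 4624 (logon success) and
4625 (logon failure) and are assumptions, not an export from the case.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

REMOTE_INTERACTIVE = 10                  # Windows LogonType 10 = RDP session
HIGH_VALUE_ACCOUNTS = {"administrator"}  # local admin account used in the case
LOOKBACK = timedelta(minutes=15)         # window for correlating prior failures

# Constructed events (UTC). The first two rows follow the case; the rest are
# benign filler: RDP from the internal network and a service-account network logon.
LOGON_EVENTS = [
    {"time": "2025-10-07T04:05:12Z", "id": 4625, "host": "MTS-ContractorPC1",
     "user": "administrator", "logon_type": 10, "src_ip": "142.90.213.242"},
    {"time": "2025-10-07T04:07:58Z", "id": 4624, "host": "MTS-ContractorPC1",
     "user": "administrator", "logon_type": 10, "src_ip": "81.141.209.165"},
    {"time": "2025-10-07T04:30:00Z", "id": 4624, "host": "MTS-ContractorPC1",
     "user": "jdoe", "logon_type": 10, "src_ip": "10.20.1.15"},
    {"time": "2025-10-07T05:00:00Z", "id": 4624, "host": "MTS-ContractorPC1",
     "user": "svc_backup", "logon_type": 3, "src_ip": "10.20.1.5"},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_public(ip: str) -> bool:
    """True for globally routable addresses; RFC 1918, loopback and link-local are not."""
    return ipaddress.ip_address(ip).is_global


def external_rdp_logons(events, lookback: timedelta = LOOKBACK) -> list:
    """Successful RDP logons from public IPs, each enriched with the 4625 events
    seen on the same host within `lookback` before it and a triage severity."""
    events = sorted(events, key=lambda e: e["time"])  # ISO-8601 'Z' strings sort chronologically
    findings = []
    for e in events:
        if e["id"] != 4624 or e["logon_type"] != REMOTE_INTERACTIVE:
            continue
        if not is_public(e["src_ip"]):
            continue
        t = _ts(e["time"])
        failures = [f for f in events
                    if f["id"] == 4625 and f["host"] == e["host"]
                    and t - lookback <= _ts(f["time"]) < t]
        high_value = e["user"].lower() in HIGH_VALUE_ACCOUNTS
        findings.append({
            "time": e["time"],
            "host": e["host"],
            "user": e["user"],
            "src_ip": e["src_ip"],
            "prior_failures": len(failures),
            "failure_sources": sorted({f["src_ip"] for f in failures}),
            # Public-source RDP is always worth a look; a privileged account or
            # preceding failures make it a high-priority triage item.
            "severity": "high" if high_value or failures else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in external_rdp_logons(LOGON_EVENTS):
        print(f"[{f['severity'].upper()}] {f['time']} {f['host']} {f['user']} from {f['src_ip']} "
              f"after {f['prior_failures']} failed attempt(s) from {f['failure_sources']}")
```

On the constructed input this yields a single high-severity finding for the 04:07:58 logon, with the 142.90.213.242 failure attached, while the internal RDP session and the service-account network logon are ignored. The same logic maps onto Defender's DeviceLogonEvents table, which carries LogonType and RemoteIPType columns, so the check can run as a scheduled hunting query rather than a script. The lookback is deliberately short; failures from a different address than the successful logon, as in this case, are exactly why the correlation is by host rather than by source IP.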