
Containing a credential-stuffing attack at a UK fintech

An FCA-regulated fintech detected unusual sign-in activity across its customer portal at 23:14 on a Tuesday. By Friday morning the attack was contained, the FCA had a forensic timeline and risky sign-ins were down 92 percent.

  • <14 days: from signed contract to live 24/7 SOC monitoring
  • 92%: reduction in risky sign-ins inside the first month
  • Zero: customer-facing service disruption during remediation

The challenge

A 90-person UK fintech, FCA-regulated and serving 180,000 retail customers, detected anomalous authentication patterns through its existing Microsoft Sentinel deployment. Alerts were firing, but the in-house team finished at 18:00 and the on-call rota covered infrastructure, not security.

Three days of low-volume credential stuffing had already produced 41 successful logins from previously unseen residential IP addresses across Eastern Europe and South-East Asia. Customers had not yet reported anything, but the regulatory window was closing fast: notification was required within 72 hours and the team had no formal forensic process.

The board needed an answer to two questions before close of business Friday: how exposed are we, and how do we make sure it does not happen again?

Our approach

Hour 0 to 24: triage and containment

We engaged within 90 minutes of first contact, took a read-only feed from Sentinel and produced a triage report by 09:00 the next morning identifying the affected accounts, the attacker tooling and the entry vector (an exposed legacy auth endpoint that bypassed MFA).
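The triage step above boiled down to separating the attacker's successes from normal traffic in the Sentinel sign-in data. The following is an added example, not FACG's or the client's code, of that logic run over constructed rows shaped like the SigninLogs table: it flags successful sign-ins from an IP the user had never used before the window, where the sign-in was single-factor (the legacy-endpoint pattern) or the same IP was also failing against other accounts (the stuffing pattern). The legacy client set, the window, the sample users and addresses are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed rows shaped like Sentinel's SigninLogs table (field names are the table's,
# every value is invented). ResultType "0" is a success; "50126" is a bad-password failure.
SAMPLE_SIGNINS = [
    # alice's normal pattern before the attack window: browser plus MFA from her usual address
    {"TimeGenerated": "2024-03-01T09:02:00", "UserPrincipalName": "alice@fintech.test",
     "IPAddress": "81.2.69.10", "ResultType": "0", "ClientAppUsed": "Browser",
     "AuthenticationRequirement": "multiFactorAuthentication"},
    # low-volume stuffing: one new IP fails against two accounts, then succeeds on legacy auth
    {"TimeGenerated": "2024-03-05T23:10:00", "UserPrincipalName": "bob@fintech.test",
     "IPAddress": "203.0.113.7", "ResultType": "50126", "ClientAppUsed": "Other clients",
     "AuthenticationRequirement": "singleFactorAuthentication"},
    {"TimeGenerated": "2024-03-05T23:11:00", "UserPrincipalName": "carol@fintech.test",
     "IPAddress": "203.0.113.7", "ResultType": "50126", "ClientAppUsed": "Other clients",
     "AuthenticationRequirement": "singleFactorAuthentication"},
    {"TimeGenerated": "2024-03-05T23:14:00", "UserPrincipalName": "alice@fintech.test",
     "IPAddress": "203.0.113.7", "ResultType": "0", "ClientAppUsed": "Other clients",
     "AuthenticationRequirement": "singleFactorAuthentication"},
    # benign: alice from her usual address inside the window, still with MFA
    {"TimeGenerated": "2024-03-06T08:30:00", "UserPrincipalName": "alice@fintech.test",
     "IPAddress": "81.2.69.10", "ResultType": "0", "ClientAppUsed": "Browser",
     "AuthenticationRequirement": "multiFactorAuthentication"},
]
# Client types that cannot complete an MFA challenge (assumed legacy-protocol set for the example)
LEGACY_CLIENTS = {"Other clients", "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP"}

def find_suspicious_signins(events, window_start, min_targeted_users=2):
    """Return [(user, ip, reasons)] for in-window successes from an IP the user never used
    before the window, that were single-factor or from an IP failing against other accounts."""
    start = datetime.fromisoformat(window_start)
    rows = [dict(e, ts=datetime.fromisoformat(e["TimeGenerated"])) for e in events]
    baseline = defaultdict(set)      # user -> IPs with a successful pre-window sign-in
    failed_users = defaultdict(set)  # ip -> distinct users it failed against in the window
    for r in rows:
        if r["ts"] < start and r["ResultType"] == "0":
            baseline[r["UserPrincipalName"]].add(r["IPAddress"])
        elif r["ts"] >= start and r["ResultType"] != "0":
            failed_users[r["IPAddress"]].add(r["UserPrincipalName"])
    hits = []
    for r in rows:
        if r["ts"] < start or r["ResultType"] != "0" or r["IPAddress"] in baseline[r["UserPrincipalName"]]:
            continue  # pre-window, a failure, or a success from an address this user already used
        reasons = []
        if r["ClientAppUsed"] in LEGACY_CLIENTS or r["AuthenticationRequirement"] == "singleFactorAuthentication":
            reasons.append("single-factor or legacy-protocol sign-in")
        if len(failed_users[r["IPAddress"]]) >= min_targeted_users:
            reasons.append(f"ip failed against {len(failed_users[r['IPAddress']])} accounts in window")
        if reasons:
            hits.append((r["UserPrincipalName"], r["IPAddress"], reasons))
    return hits
```

On the sample above only alice's 23:14 sign-in from 203.0.113.7 is returned, with both reasons; her later sign-in from her baseline address is not.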

Day 2 to 5: hardening sprint

We disabled the legacy endpoint, forced password resets and stepped up MFA enrolment for the affected cohort, and pushed Conditional Access risk policies into block mode for unfamiliar geographies. We rotated the 11 service-principal credentials with the highest blast radius.

Week 2: 24/7 SOC stand-up

Within 10 working days we had a fully managed SOC running on the existing Sentinel tenant, with 38 high-fidelity detections mapped to MITRE ATT&CK ICCD techniques and a published 15-minute P1 acknowledgement SLA. No new tooling. No agent rollout. No procurement.

Week 3: forensic close-out

We delivered a full forensic timeline acceptable to the FCA and the cyber insurer, including the indicators of compromise, the actions we took, the residual risk and the ongoing monitoring posture. The insurer accepted the report without question.

Results delivered

  • Containment achieved within 96 hours of first contact, with no customer notification triggered
  • Forensic timeline accepted by both the FCA and the cyber insurer at first review
  • 92 percent reduction in risky sign-ins by end of month one, and 100 percent by month three
  • 38 production-tuned detections, eliminating 71 percent of legacy alert noise
  • Mean time to acknowledge P1 alerts: 6 minutes (SLA: 15 minutes)
  • Annual cyber insurance premium reduced by 22 percent at renewal six months later

FACG turned an out-of-hours panic into a structured, evidence-backed response. They did not stop until the FCA letter was signed off and the board was comfortable. Renewal-time premium reduction was the bonus we did not budget for.

Head of Risk, UK fintech (reference call available after NDA)