Case Study: Global Marketing Company achieves rapid breach identification, attacker eviction, and strengthened defenses with Palo Alto Networks Unit 42 Incident Response

A Palo Alto Networks Case Study

Preview of the Global Marketing Company Case Study

Global marketing company enlists Unit 42 to investigate a smishing campaign turned data breach

A global marketing company fell victim to a smishing campaign that gave a threat actor access to its admin environment. What began as a suspected single breached account ballooned to 20–30 compromised administrator accounts affecting thousands of users and a dozen connected apps. Because the breached accounts were also in legitimate use by customer support staff, investigators had to separate normal activity from malicious actions while under urgent legal and notification pressures.

Unit 42 leveraged threat intelligence to quickly identify the actor (Muddled Libra), analyze logs and anomalies, and contain the incident—blocking malicious IPs and domains, resetting roughly 10,000 credentials, evicting the attacker, and preemptively stopping lookalike-domain and phishing follow-ups. The investigation and remediation were completed in about five weeks, leaving the client with strengthened defenses and concrete recommendations including dark‑web monitoring, lookalike domain registration, and enhanced user awareness training.



Global Marketing Company

Chris Brewer

Unit 42 Consulting Director


Palo Alto Networks
