A while back, a hardware manufacturer got hacked. The threat actors took device credentials with them. A few weeks later, those same credentials walked into one of our clients' networks, looking exactly the way they were supposed to look. The login was legitimate. The session was legitimate. The download was the size of a problem. At 4:00 a.m., on an ordinary business network, somebody was pulling a tremendous amount of data out, and every authentication check in the stack was waving them through.
This is the story of what almost happened, and the small thing that stopped it.
The 60-second version
- What the attacker had: Real, valid credentials, stolen from an upstream hardware manufacturer that had been breached. Every login check passed.
- What gave them away: The timing. SentinelOne's EDR flagged the anomaly: a large download running at 4 a.m. on a network that doesn't normally move data at 4 a.m.
- Who made the call: The 24/7 SOC analyst, looking at the alert in real time. The analyst's read: even though the credentials were valid, the volume of data being downloaded at 4 a.m. didn't look right.
- The decision: The SOC called our NOC. The NOC confirmed. We shut it down.
- The counterfactual: Without the SOC reading the behavior, the client would likely have been encrypted and ransomed, and may have had data deleted. Catastrophic.
The detection
The way the breach surfaced is worth slowing down on, because it's the part that usually gets skipped in writeups.
The credentials were correct. The user account was a real user. The endpoint was a real endpoint. None of the rules-based tooling (the kind that asks "is this person allowed to log in?") had any reason to flag the session. From the perspective of identity and access, this was a normal Tuesday at 4 a.m.
What SentinelOne flagged wasn't the who. It was the when and the how much.
There was a manufacturer that recently had an issue where they were hacked. In this instance, it looked like everything was performing correctly in this client's environment. The download that was happening had all the right credentials. SentinelOne didn't just flag it. It said, hey, why is this being downloaded this particular time?
— Farzad Vahid, CEO, Fornida
A tool noticing a behavioral anomaly is one thing. A tool noticing it at 4 a.m. and getting a person to actually look at the alert before encryption starts is something else. That's the SOC's job, and it's the part SMBs underestimate when they shop for cybersecurity.
The SOC called us, called our NOC, and said, hey, look, even though all the credentials are there, there's a tremendous amount of data being downloaded at 4:00 AM. This doesn't seem right.
— Farzad Vahid
A judgment call, made by a person, about a piece of data the tool surfaced. Not a workflow. Not a ticket. A phone call.
How we got there
Once the SOC raised the alarm, the response window was short. Confirm the anomaly. Shut down the session. Then back-trace.
We looked at it and said, this is not right. Shut it down. So we shut it down. We went and did some digging and found out that yes, a threat actor was downloading information, but they had the right credentials, because the manufacturer had a leak. They were actually hacked.
— Farzad Vahid
The credentials weren't compromised at the client. They were compromised upstream. A hardware manufacturer the client did business with (the kind of vendor every SMB has on their shelves and in their stack) had been breached, and credentials tied to that vendor's products had been carried into other environments by the threat actors.
The client did nothing wrong. Their MFA was in place. Their patching was current. Their endpoints were managed. And the attacker walked through the front door anyway, because the keys to the front door were taken from somebody else.
Why behavioral detection mattered
There's a recurring pattern across the incidents we get pulled into: the perimeter doesn't get breached anymore; legitimate infrastructure gets abused. That's the shape this incident took.
When the threat actor's session is authentic (real credentials, real account, real device), the only signal left is behavior. What time does this account normally pull data? How much data does it normally pull? Where does it normally pull it from? A rules-based detection layer doesn't ask those questions; it asks "is this allowed?", and here the answer was yes.
Behavioral detection asks the second question: is this normal? And it's only useful if a human is on the other end of the alert, awake at 4 a.m., willing to make the judgment call that "this doesn't seem right" is enough to act on. Tools alone aren't enough protection.
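The two behavioral questions above, worked through as an added example (not Fornida's or SentinelOne's code): a per-account baseline of observed working hours and typical outbound volume, checked against a session whose login succeeded. The log records and field names are constructed for the example.

```python
"""Behavioral baseline check for sessions that already passed authentication.

Added example, not the MSP's or the EDR vendor's code. It asks the two
questions a rules-based check never does: is this hour normal for the
account, and is this volume normal? History records are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed history: (account, ISO timestamp, bytes transferred out).
HISTORY = [
    ("svc-vendor", "2024-05-06T09:12:00", 120_000_000),
    ("svc-vendor", "2024-05-07T10:40:00", 95_000_000),
    ("svc-vendor", "2024-05-08T14:05:00", 140_000_000),
    ("svc-vendor", "2024-05-09T11:30:00", 110_000_000),
    ("svc-vendor", "2024-05-10T16:20:00", 130_000_000),
]

def build_baseline(history):
    """Per account: the earliest/latest hour seen active and the median volume."""
    hours, volumes = defaultdict(list), defaultdict(list)
    for account, ts, nbytes in history:
        hours[account].append(datetime.fromisoformat(ts).hour)
        volumes[account].append(nbytes)
    return {a: {"window": (min(hours[a]), max(hours[a])),
                "median_bytes": median(volumes[a])} for a in hours}

def score_session(baseline, account, ts, nbytes, auth_ok, volume_factor=5):
    """Return the reasons this session looks abnormal (empty list = normal).

    A successful login is deliberately not a reason to stay quiet: in the
    incident the credentials were valid and behavior was the only signal."""
    if not auth_ok:
        return ["authentication failed"]           # the rules-based case
    profile = baseline.get(account)
    if profile is None:
        return ["no baseline for account"]         # nothing to compare against
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    first, last = profile["window"]
    if not first <= hour <= last:
        reasons.append(f"activity at {hour:02d}:00, outside observed hours")
    if nbytes > volume_factor * profile["median_bytes"]:
        reasons.append(f"{nbytes / profile['median_bytes']:.0f}x median volume")
    return reasons

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # The 4 a.m. pull with valid credentials: both behavioral checks fire.
    print(score_session(base, "svc-vendor", "2024-05-14T04:02:00", 3_000_000_000, True))
    # A daytime pull of normal size from the same account: nothing to escalate.
    print(score_session(base, "svc-vendor", "2024-05-14T10:15:00", 100_000_000, True))
```

The reasons list is what an analyst would see; the decision to shut the session down stays with the human, as the incident describes.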
If this SOC wasn't in place, our client could have, I mean, they would have been encrypted, probably had ransom, may have had data deleted. It could have been catastrophic. But because of this SOC, it saved them.
— Farzad Vahid
What this means for any business
Three things this incident illustrates about where the threat is right now.
- Your supply chain is your perimeter. Every vendor whose product touches your network is a credential surface you don't fully control. When a manufacturer gets breached, their product's credentials become someone else's problem: yours. The fix isn't fewer vendors. The fix is detection that doesn't assume credentials are trustworthy.
- Behavioral detection is not optional anymore. Rules-based tools catch the attacks that match known patterns. The attacks that matter now don't match a known pattern; they match the shape of legitimate activity. Behavioral analysis is what catches the difference. Layered defense is what stands between an alert and a ransom note.
- The SOC is people. A 24/7 SOC is humans monitoring your network, making judgment calls about anomalies a tool surfaces. The tool flagged the timing. The analyst decided the timing mattered. That's not a feature you buy off a checkbox. It's a discipline somebody has to be running every night while your network is quiet.
The questions worth asking your current security stack: Who's reading the alerts at 4 a.m.? What does behavioral detection look like in your stack, not in the brochure, but in the actual rule set running tonight? If a vendor in your supply chain had a credential leak last quarter and you didn't know about it, would anything in your environment notice the credentials walking back in?
Find out what's exposed before someone else does
Most environments we walk into have at least one gap that would let an attacker with valid credentials operate quietly. We've already uncovered hundreds of critical issues for other clients with our free vulnerability scan: MFA gaps, missing behavioral detection, unmonitored endpoints, supply-chain exposures the team didn't know they had.
If you're not sure what a threat actor would find inside your network right now, book a free vulnerability scan. Thirty minutes. No commitment. We'll show you what's exposed before the 4 a.m. download is yours.