When IT teams discuss ransomware protection, Toronto small businesses come up consistently — and for good reason. Small businesses are the most common ransomware target by volume. Not enterprises. Not governments. Small businesses — specifically companies in the 10-to-50-employee range, which is exactly the size of most of the businesses we support across the Greater Toronto Area.

The reason is economics. Attackers aren’t romantic about their work. They run a volume operation, and a 22-person Toronto company sits in the sweet spot: enough revenue to be worth attacking, no dedicated security team to push back, and a publicly traceable footprint that takes about 40 minutes to research using nothing but free tools.

What follows is a step-by-step walkthrough of how that attack unfolds, written from the attacker’s perspective. The company in this account is composite, but every method described is accurate to current threat intelligence. After the walkthrough, we’ll cover the five specific controls that would have stopped it — controls that come bundled with tools most Toronto small businesses already pay for.


Monday: How I Picked You

I work regular hours and run a small-volume operation. My spreadsheet has about 40 prospects per month, and I prefer businesses between 10 and 50 staff.

Large enterprises have security teams, incident response contracts, and lawyers who make recovery expensive on my end. Sole traders rarely have enough at stake to bother. A 22-person commercial services firm sits in the right zone: payroll, customer database, project files, supplier relationships, and an owner who will pay to get it all back. The return per hour is better at this size than at either extreme.

I didn’t find you through a breach or a tip. I found you on a public business records portal. State and provincial registries, federal contract awards, and business licensing databases publish enough detail to identify your company, look up your name, estimate your revenue, and identify the most useful person inside the business. One search told me your company name, your registered agent, the contract value of a recent job, and the named contact on the submission.

The fact that nothing has gone wrong yet is the strongest signal I get. A clean record tells me your credentials are probably still valid, your staff hasn’t been trained to notice anything, and nobody has had a reason to change a password lately.


Tuesday: Building Your Org Chart for Free

I spend about 40 minutes researching your company today. LinkedIn gives me eight of your current employees with their job titles. Your office manager has been there six years and lists “accounts payable, payroll, and supplier invoicing” in her profile summary. Your second admin joined 14 months ago.

Public business filings confirm your registered company name. A “meet the team” post from two years ago on your Facebook page lists first names and photos. One of the commenters shares your surname.

I now know who handles your money, what their name is, how long they’ve been there, and what software they probably use (I’ll check your job ads on Indeed for “experience with QuickBooks or Sage”). Most importantly, I know who has the authority to approve a payment without a second signature.

That person is my primary target. You’re harder to reach and probably more cautious. Your office manager has system access, handles supplier payments, and is busy enough that one more email in her inbox doesn’t get scrutinized.

I haven’t spent a dollar yet.


Wednesday: I Bought Your Credentials for $14

Stealer logs are credential packages harvested by infostealer malware that infected someone’s personal device, often months or years earlier. The malware records every username and password typed into the machine, then bundles the data for sale. Telegram channels and underground forums let buyers search by company email domain.

I search for your domain. Two results come back. One is your office manager’s work email, with a password that looks like it was saved in her browser. The other is a personal Gmail that appears to belong to a family member, probably from a shared home network.

I pay $14. It takes four minutes.

Your office manager’s password follows a pattern: a pet’s name, a year, and an exclamation mark. It appeared in a credential dump from a retail loyalty program breach three years earlier. It hasn’t been changed since.

Your family member’s credentials are more useful than they look. The same password, with minor variations, shows up across a streaming service and your company’s Microsoft 365 login. It works. The only thing standing between me and the inbox is the second factor.

Total spend: $14.


Thursday: Getting Past Your MFA

Multi-factor authentication stops a lot of attacks. But the implementation matters more than the checkbox.

Simple push-notification fatigue won’t work against your office manager. Microsoft enabled number matching by default for Microsoft Authenticator in May 2023, which means she’d have to type a code from her screen rather than just tap Approve. Push bombing fails against that configuration.

What still works is adversary-in-the-middle (AiTM) phishing. I send an email designed to look like a routine Microsoft 365 password-reset notification, referencing the actual breach her credentials appeared in. The link takes her to a page that mirrors the real Microsoft sign-in screen exactly — except it’s a proxy I control.

When she enters her password and approves her MFA prompt, my proxy forwards both to the real Microsoft login server. Microsoft validates the credentials, issues a session token back to my proxy. I capture the token. She sees a normal login experience, then a “password updated successfully” message.

I’m now signed in as her. The MFA challenge succeeded. Microsoft sees a valid authenticated session and has no reason to doubt it.

By Thursday night, I’m inside her Microsoft 365 account. I set up an inbox forwarding rule so her emails copy to an address I control — silently, without notifying her.

Then I wait.


Friday 2:47pm: Why I Waited 36 Hours Before Encrypting

I spend 36 hours reading email before I encrypt anything. That dwell time is how I size the ransom correctly.

In those 36 hours, I find your cyber insurance policy attached to an email from your broker — a cyber liability sublimit of $250,000. A bank reconciliation your office manager sent you two weeks ago shows your business account at around $180,000 at month end. Your customer list sits in a quote template she emailed to herself. A message thread with a project manager mentions a job starting in three weeks with a hard deadline you can’t afford to miss.

I set the ransom at $65,000 in cryptocurrency. Low enough that you’ll pay rather than fight. High enough to be worth my time. Well within what I know you can access.

I deploy the encryption payload at 2:47pm on Friday. The timing is deliberate. Your bookkeeper finishes at 3pm on Fridays — I know this from out-of-office replies in the forwarded emails. You’re on a job site, calendar synced to the shared inbox. The person most likely to notice something wrong is almost gone, and the person with decision-making authority is unreachable.

By the time anyone understands what happened, it’s Friday evening. Every file on your shared drive is encrypted. A ransom note sits on every screen in the office.

Total cost to me: $14 in credentials and about six hours of work spread across the week.


Ransomware Protection for Toronto Businesses: Five Controls That Would Have Stopped This Attack

The attack worked because five ordinary controls weren’t in place. None of them were expensive. Most were already bundled into tools you already pay for.

1. The credential purchase on Wednesday.

HaveIBeenPwned is free. Microsoft Entra password protection can detect and block reused or commonly compromised passwords across your accounts. Enforcing unique passwords per account — through a password manager and Entra’s policies — makes a $14 credential package worthless.

At EB Solution, we enforce password manager adoption and Entra password protection for every Microsoft 365 client we manage in Toronto. It’s a configuration change, not a new purchase.

2. The MFA bypass on Thursday night.

Microsoft already blocks the simpler push-bombing attack. The current dominant bypass is AiTM phishing. Defences include phishing-resistant MFA (FIDO2 hardware keys, passkeys, or Windows Hello for Business), Conditional Access policies that require a compliant or hybrid-joined device, and Microsoft Defender for Office 365’s anti-phishing protection. Any one of these would have either prevented the session token capture or made the captured token unusable from an unfamiliar IP.

3. The inbox forwarding rule.

Microsoft 365 allows admins to block external email forwarding rules at the tenant level. With that block in place, the 36-hour email-reading period that let me size the ransom correctly simply doesn’t happen. We check this setting in every tenant we audit. It takes about 10 minutes to verify and close.

4. The 36-hour dwell time.

Microsoft Defender for Business — included in Microsoft 365 Business Premium — generates an alert when a new inbox forwarding rule is created. If someone had been monitoring those alerts, I would have been detected Thursday night, not Friday afternoon. For many Toronto small businesses, the tools are already running and generating alerts that nobody is watching.

5. The public business records.

You can’t unpublish a provincial contracting registry or a federal contract award. What you can control is what your team posts about their specific responsibilities. Your office manager’s LinkedIn profile listed her financial responsibilities in enough detail to make her the obvious target. That’s worth a conversation with your team — framed as practical awareness, not a restriction.


Three Questions to Send Your IT Provider

These questions cover most of where the example attack failed. Each corresponds to a control bundled with tools your business most likely already pays for.

  1. Are we using phishing-resistant MFA (FIDO2 keys, passkeys, or Windows Hello for Business) for finance, admin, and executive logins?
  2. Is external email forwarding blocked at the tenant level?
  3. Are our security alerts going somewhere, and is someone reviewing them?

If your current IT provider can’t answer all three with specifics, that’s worth knowing. Effective ransomware protection for Toronto businesses doesn’t require a new security budget — it requires someone to verify the settings on tools you’re already paying for. Our team at EB Solution can audit your Microsoft 365 tenant and give you a plain-English answer to all three, usually within a single working day.

Toronto businesses can’t control which ransomware group is active this month. But the controls that stop the attack described above will stop the next variation too — because the fundamentals don’t change.


Article FAQs

Do hackers really target small businesses?

Yes. Most ransomware operations target small and mid-sized businesses because the ratio of payout potential to defensive resources is better than at either end of the size spectrum. The volume sweet spot is roughly 10 to 50 staff — enough assets worth encrypting, but no dedicated security team defending them. Verizon’s annual Data Breach Investigations Report has confirmed this pattern consistently for years. Toronto businesses are not exempt simply by virtue of being Canadian.

What is adversary-in-the-middle (AiTM) phishing?

AiTM phishing is a technique where the attacker hosts a proxy page that mirrors a real login screen — Microsoft 365, Google Workspace, a banking portal. When the user enters credentials and approves their MFA prompt, the proxy captures the resulting session token. The legitimate service treats the login as successful, but the session token ends up in the attacker’s browser. AiTM has become the dominant credential-based attack vector against Microsoft 365 tenants since Microsoft made number matching the default for push notifications.

What is a stealer log?

A stealer log is a package of credentials harvested by infostealer malware from an infected personal device. The logs include browser-saved passwords, session cookies, and stored authentication tokens. They’re sold on underground markets — typically $10 to $20 per package — and searched by domain name. Infostealers typically infect personal computers through pirated software or malicious browser extensions.

How much does it cost an attacker to compromise a small business?

In the walkthrough above, the total cost was $14 for stolen credentials and about six hours of work. The exact figure varies, but the threshold for this type of attack sits well under $100. The low cost of entry is why small businesses are targeted at volume — the attacker doesn’t need a high success rate for the operation to be profitable.

Are there free tools that would have stopped this attack?

Several of the controls described above come bundled with Microsoft 365 Business Premium licences. External forwarding restrictions and Defender for Business alerts are configuration changes, not new purchases. HaveIBeenPwned is free. Phishing-resistant MFA hardware keys are a small per-user cost relative to a ransomware payout. The gap in most Toronto small businesses isn’t budget — it’s whether anyone is actually reviewing the alerts the tools are already generating. For a no-obligation review, reach out to EB Solution.


David Chen is a senior IT consultant at EB Solution’s Toronto office, where he works with small and mid-sized businesses across the GTA on Microsoft 365 security, managed services, and incident response planning.

Watch Our Latest Tech Videos From EB Solution

Call Now