Case Study

How Ascent Blocked a Storm-1811 Attack with Real-Time Detection and Threat Intel

06.09.25 | By Ascent


Client: Large International Manufacturer 

Industry: Manufacturing 

Solution: Managed Microsoft Security Services 

Focus Areas: Real-Time Detection, SOC Response, Threat Intelligence Integration 

Executive Summary 

In early 2025, a sophisticated cybercriminal group known as Storm-1811 launched a wave of targeted attacks across industries—leveraging Microsoft Teams, social engineering, and remote-access tools to bypass traditional defenses. As many organizations struggled to keep pace, our client remained secure, thanks to proactive and precise intervention from Ascent Solutions’ Security Operations Center (SOC) and Cyber Threat Intelligence (CTI) team. 

This case study outlines how Ascent’s modern SOC model delivered real-time detection, transparent response, and operationalized threat intelligence—transforming a high-risk scenario into a blueprint for CTEM-aligned security success. 

The Threat: Storm-1811 and the Rise of Microsoft Teams-Based Attacks 

Storm-1811 (also known as Curly Spider or STAC5777) is a financially motivated cybercriminal group responsible for deploying ransomware strains like Black Basta and Cactus. In 2024–2025, the group innovated their intrusion methods by: 

  • Using open-source tools like TeamsEnum and TeamsPhisher to target Microsoft Teams users 
  • Impersonating internal IT teams using fake tenants labeled “Help Desk” or “IT Support” 
  • Abusing Quick Assist and Remote Monitoring and Management (RMM) tools to escalate privileges 
  • Delivering phishing messages and payloads directly into Teams chats, bypassing traditional email filtering 

This low-friction, high-reward tactic exploited under-secured communication channels and untrained users, making speed and visibility critical for defense. 

Timeline of Activity 

Storm-1811 targeted our client as early as April 2024 via vishing attempts. Ascent’s CTI team immediately placed the client on high alert and began continuous monitoring. 

  • Apr 5, 2024: Initial Storm-1811 vishing attempt against our client (unsuccessful) 
  • Mar 10, 2025: Ascent CTI links client to targets exposed in Black Basta leak logs 
  • Apr 15, 2025: Microsoft Defender generates multiple alerts indicating possible malicious behavior 
  • Apr 15, 2025, 2:50 PM EST: Ascent’s SOC isolates the affected device, 33 minutes after the initial Defender alert 
  • Apr 16, 2025: Cisco Secure Endpoint flags suspicious payload execution 

Ascent’s Response: A Model for Modern, Aligned Security 

Ascent’s engineering team rapidly built and deployed a custom Storm-1811 detection rule focused on Quick Assist misuse and abnormal RMM behavior. The rule was validated in our client’s environment within hours, providing real-time telemetry correlation across Microsoft Defender, Sentinel, and endpoint tools. 
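Ascent does not publish the rule itself. As an added illustration (not Ascent’s code), the following KQL query shows the kind of Quick Assist / RMM correlation the rule focuses on, assuming the Microsoft Defender for Endpoint advanced hunting DeviceProcessEvents schema (also available in Sentinel) and a constructed watch list of remote-access binaries:

```kql
// Added example, not Ascent's production rule.
// Flags a Quick Assist session that is followed, on the same device within a short
// window, by an RMM/remote-access binary or a payload-staging utility pulling from a URL.
let lookback = 7d;
let window = 30m;
// Constructed watch list (assumption): trim to the tools your organisation does NOT sanction.
let rmm_binaries = dynamic(["anydesk.exe", "screenconnect.clientservice.exe", "client32.exe", "ateraagent.exe"]);
// Utilities commonly used to fetch a payload during a hands-on-keyboard session.
let staging_tools = dynamic(["curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe"]);
// Every Quick Assist launch in the lookback period, keyed by device.
let qa_sessions =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "quickassist.exe"
    | project DeviceId, QaStart = Timestamp, QaAccount = AccountName;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ (rmm_binaries)
    or (FileName in~ (staging_tools) and ProcessCommandLine has_any ("http", "https"))
// Correlate follow-on activity with the Quick Assist launch on the same device.
| join kind=inner qa_sessions on DeviceId
| where Timestamp between (QaStart .. (QaStart + window))
| project Timestamp, DeviceName, QaStart, QaAccount, AccountName, FileName,
          ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp asc
```

Where Quick Assist has been disabled as recommended, the qa_sessions subquery alone is a finding: any quickassist.exe launch contradicts policy and warrants triage.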

Threat Intelligence, Operationalized 

Ascent’s approach to threat intelligence wasn’t reactive—it was anticipatory and actionable. Even before Storm-1811 began leveraging tools like TeamsEnum and TeamsPhisher, Ascent’s CTI team had already advised our client to lock down Microsoft Teams and disable Quick Assist where it wasn’t supporting a specific business need. These early recommendations significantly limited the attacker’s potential avenues for intrusion and gave the SOC critical lead time to detect and triage emerging activity. Key CTI actions included: 

  • Mapping IOCs and TTPs from Storm-1811 as they evolved 
  • Partnering with detection engineers to translate threat intel into tuned, high-value detections 
  • Proactively hunting across our client’s and other customer environments for early signs of compromise 
  • Delivering regular executive briefings with forward-looking guidance, tailored recommendations, and scenario-based threat modeling 

This tight integration between intelligence and operations helped our client stay ahead of a sophisticated adversary—transforming proactive guidance into real-world protection. 

SOC Execution: Precision and Transparency 

Ascent’s Security Operations Center (SOC) didn’t wait for a confirmed breach — it moved with purpose at the earliest signs of suspicious behavior. When Storm-1811 activity was detected, the SOC’s response was swift, coordinated, and aligned with best-in-class incident handling standards. Key actions included:

  • Rapid containment: The impacted device was isolated within 33 minutes, limiting any potential lateral movement or persistence attempts. This decisiveness not only prevented escalation but demonstrated how fast containment capabilities can neutralize emerging threats. 
  • Detailed documentation: Every investigative step was logged and mapped back to relevant Indicators of Compromise (IOCs), Tactics, Techniques, and Procedures (TTPs), and Microsoft Defender telemetry. This level of granularity ensured clear audit trails, supported root cause analysis, and enabled our client’s internal teams to follow the response with confidence. 
  • Confidence through clarity: One of the SOC’s most powerful messages was, “No findings is still a finding.” Instead of treating the absence of evidence as an endpoint, Ascent framed it as a maturity milestone—proof that proactive controls (like disabling Quick Assist and hardening Teams) worked as intended. This transparency reassured our client’s leadership and reinforced trust in the CTEM-aligned detection framework.

By executing with speed, precision, and full visibility, Ascent’s SOC helped our client avoid not just damage, but doubt—delivering a security outcome rooted in control, clarity, and confidence. 

Outcome: No Breach, Higher Trust, Broader Resilience 

Ascent’s swift, coordinated response ensured that the client experienced no breach—with no ransomware deployed and no evidence of lateral movement. The 33-minute containment window minimized exposure and significantly reduced risk. Throughout the incident, Ascent maintained clear, frequent communication with executive stakeholders, reinforcing confidence in the SOC’s capabilities. Finally, the detection logic and response methodologies developed during this engagement were shared across Ascent’s broader customer base, increasing resilience for other organizations facing similar threats.

Why It Matters: CTEM in Action 

This engagement isn’t just a success story—it’s a blueprint for how Continuous Threat Exposure Management (CTEM) should function in the real world. Our client’s near-miss with Storm-1811 showcased how proactive defense, not reactive triage, is what separates modern security operations from legacy models. At the heart of CTEM is the ability to reduce exposure—not just detect threats. Ascent’s SOC and Threat Intelligence teams demonstrated how that vision becomes reality through execution. Here’s what made the difference: 

  • Detection Engineering with Precision: Ascent didn’t rely on default detections. The team engineered tailored rules aligned with Storm-1811’s tactics, techniques, and procedures (TTPs), enabling the SOC to identify activity that many platforms would miss. 
  • Operationalized Threat Intelligence: Intelligence wasn’t just distributed—it was embedded into detection logic, threat hunting, and customer recommendations. This integration enabled faster, more targeted responses across multiple clients. 
  • Real-Time Containment and Response: With a 33-minute containment window, the SOC moved faster than most industry averages. That speed wasn’t luck—it was the result of mature processes, skilled analysts, and optimized Microsoft Defender telemetry. 
  • Executive-Level Transparency: From early warning to post-incident reporting, Ascent delivered clear, concise communication to stakeholders. The message wasn’t just “we didn’t find anything”—it was “here’s why your controls worked, here’s what we saw, and here’s what to improve next.” 

This approach represents CTEM in action: measurable, repeatable, business-aligned outcomes powered by a modern SOC framework. Unlike traditional “detect-and-triage” models that drown teams in alerts, Ascent delivers signal over noise—ensuring clients act on what matters, when it matters. 

Final Word 

“Storm-1811 was fast and innovative—but we were faster. Our ability to move from intelligence to action is what protected our client and strengthened their trust in our team.”

—, Cyber Defense Lead, Ascent Solutions

Ready to Upgrade Your SOC? 

Let’s talk about how Ascent can modernize your detection strategy and reduce risk—before an attacker makes their move. Contact us today for a CTEM-readiness conversation. 
