Case Study

[Client Name — Tennessee Accounting Firm]

A Knoxville CPA firm was one stolen session token away from a client-data breach. We rebuilt their Microsoft 365 tenant the right way — and made the renewal auditors smile.

Industry: Professional Services
Location: Knoxville, TN
Published: March 2026
2 accounts: Active compromises found + contained in week 1
0 BEC: Successful email-compromise events in 90 days post-rebuild
Premium ↓: Cyber-insurance premium reduced at renewal
100%: Cyber-insurance questionnaire items passed

The challenge

What brought them to us.

The firm had grown to ~45 employees on a mix of on-prem Exchange and an early Microsoft 365 tenant configured by a previous IT vendor. MFA was inconsistent, admin accounts were shared, and three forwarding rules on executive mailboxes pointed to external Gmail addresses nobody could explain.

The firm's cyber insurance renewal questionnaire arrived with a list of required controls they couldn't truthfully answer yes to — including conditional access, EDR, managed SOC, and a tested incident response plan.

Partners were seeing a steady stream of external-sender BEC attempts impersonating the firm's tax partners to clients — a leading indicator that attackers had working credentials somewhere in the tenant.

The solution

What we actually did.

Emergency engagement: audited every mailbox rule, OAuth grant, and admin sign-in log. Found two compromised accounts with active attacker persistence — forced password reset, revoked all active sessions, removed rogue forwarding rules and OAuth apps within 24 hours.
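
The mailbox-rule part of an audit like this can be scripted. The following is an added example, not code from the engagement or from the firm that wrote this case study: it scans exported inbox rules for forward or redirect actions that send mail outside the organization. The rule shape follows Microsoft Graph messageRule objects; the sample data, the domains, and the function name are constructed for illustration.

```python
# Constructed sample data: inbox rules keyed by mailbox, shaped like Microsoft
# Graph messageRule objects. Addresses and domains are placeholders.
SAMPLE_RULES = {
    "partner1@firm.example": [
        {"displayName": "Receipts", "isEnabled": True,
         "actions": {"moveToFolder": "folder-id-1"}},
        {"displayName": ".", "isEnabled": True,
         "actions": {"forwardTo": [
             {"emailAddress": {"address": "Inbox77@Webmail.example"}}],
             "delete": True}},
    ],
    "partner2@firm.example": [
        {"displayName": "To assistant", "isEnabled": True,
         "actions": {"forwardTo": [
             {"emailAddress": {"address": "assistant@firm.example"}}]}},
        {"displayName": "old", "isEnabled": False,
         "actions": {"redirectTo": [
             {"emailAddress": {"address": "archive@webmail.example"}}]}},
    ],
}

INTERNAL_DOMAINS = {"firm.example"}  # assumption: the tenant's accepted domains
FORWARD_ACTIONS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")


def external_forwarding_rules(rules_by_mailbox, internal_domains):
    """Return one finding per rule recipient outside the internal domains."""
    findings = []
    for mailbox, rules in rules_by_mailbox.items():
        for rule in rules:
            actions = rule.get("actions") or {}
            for action in FORWARD_ACTIONS:
                for recipient in actions.get(action) or []:
                    address = (recipient.get("emailAddress") or {}).get("address", "")
                    _, at, domain = address.rpartition("@")
                    if at and domain.lower() not in internal_domains:
                        findings.append({
                            "mailbox": mailbox,
                            "rule": rule.get("displayName"),
                            "action": action,
                            "recipient": address.lower(),
                            # Disabled rules are still reported: they can be re-enabled.
                            "enabled": bool(rule.get("isEnabled")),
                        })
    return findings


if __name__ == "__main__":
    for finding in external_forwarding_rules(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(finding)
```

Each finding still needs a human decision: some external forwards are legitimate, so the output is a review queue rather than a removal list.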

Upgraded the tenant to Microsoft 365 Business Premium. Deployed conditional access (block legacy auth, require compliant device + phishing-resistant MFA for privileged roles), Microsoft Defender for Office 365, and Intune device management across all firm laptops.

Migrated residual on-prem Exchange data to the cloud tenant, decommissioned the on-prem server, and stood up immutable third-party M365 backup with 1-year retention and quarterly restore testing.

Deployed managed EDR and 24/7 human-led SOC across the environment, ran phishing-simulation training with every employee, and built an incident response runbook the partners signed off on.

Compiled the cyber-insurance renewal packet — line-by-line evidence answers for every control question — and joined the broker call to walk it through.

The result

The measurable outcome.

Cyber insurance renewed with a meaningful premium reduction vs. the prior year, a higher ransomware sublimit, and no pending questionnaire items flagged as findings.

No successful BEC incidents in the 90 days following tenant rebuild; SOC flagged and blocked two attempted account takeovers that would have succeeded against the previous configuration.

Partners spend zero time thinking about email security in their week and now get a one-page quarterly summary of incidents, patching status, and roadmap items.

[Placeholder quote — replace with client's own words.] We were getting close to a breach and we didn't know it. Gravity found two compromised accounts the first week, cleaned everything up, and built us a tenant that actually meets what our insurance carrier is asking for. Renewal went from stressful to a 30-minute call.
[Managing Partner — attribution TBD]
Managing Partner, [Client Name — Tennessee Accounting Firm]
