The most dangerous phase of a cyberattack is not the moment of intrusion itself. It is the period after it: the days, weeks, or months during which an attacker is already inside the network, moving quietly, mapping systems, identifying valuable data, and preparing for the final action that will make the intrusion visible. Security researchers call this the dwell time, the interval between initial compromise and detection. Industry reporting consistently puts the average figure at weeks to months for small and mid-sized businesses, which typically lack the monitoring needed to notice intrusions that are specifically designed to avoid triggering obvious alarms.

This article is a practical guide to the warning signs that a business is being watched, probed, or has already been compromised — the specific, observable signals that precede most major attacks and that, if recognized early, provide the opportunity to intervene before the attack reaches its destructive conclusion. Understanding these signals does not require a security operations center or an enterprise-grade monitoring platform. It requires knowing what to look for, where to look, and what normal looks like — so that abnormal becomes visible before it becomes catastrophic.
Part I: Understanding the attack lifecycle — why early detection is possible
Attacks against business networks do not happen in a single instantaneous event. They follow a consistent lifecycle — a sequence of phases that each leave observable traces, provide detection opportunities, and, if identified, allow defenders to interrupt the attack before it reaches its most damaging stage. Understanding this lifecycle is the foundation for understanding what to watch for and why each warning sign matters.
The first phase is reconnaissance: the attacker gathers information about the target — its public-facing systems, its employees, its technology stack, its partners and vendors. Much of this reconnaissance is passive and difficult to detect, using publicly available information from the company website, LinkedIn profiles, domain registration records, and job postings. But active reconnaissance — port scanning, service enumeration, credential testing against login portals — leaves traces in web server logs, firewall logs, and authentication records that are detectable to an observer who knows what to look for.
The second phase is initial access: the attacker exploits a vulnerability, tricks an employee, or uses compromised credentials to gain their first foothold inside the network. This phase often leaves the clearest forensic trail — an unusual login from an unrecognized location, a phishing email that was clicked, a new process executing on an endpoint that has never run before.
The third phase is persistence and lateral movement: having gained initial access, the attacker establishes mechanisms to maintain access even if the initial entry point is closed, and begins moving from the initially compromised system toward higher-value targets — the file server, the accounting system, the backup infrastructure. This phase is typically the longest and the quietest, and precisely because it is the longest it offers the most detection opportunities to an organization with basic monitoring in place.
The fourth phase is the objective: data exfiltration, ransomware deployment, financial fraud, or whatever the attacker’s specific goal requires. By this phase, detection and containment are significantly more expensive and disruptive. Every warning sign described in this article is an opportunity to detect the intrusion before this phase begins.
“Attackers who have entered a network quietly are not invisible — they are simply unobserved. The difference between a business that detects an intrusion in its early stages and one that discovers it after the ransomware deploys is not luck. It is the presence or absence of someone paying attention to the right signals.”
Part II: External reconnaissance signals — when attackers are mapping you from the outside
Before an attacker attempts to compromise a business, they typically spend time gathering information about it from the outside — scanning public-facing systems, testing login portals, and probing for vulnerabilities. These external reconnaissance activities leave detectable traces that serve as early warning of elevated attacker interest.
Unusual spikes in website or login portal traffic
Automated scanning tools generate traffic patterns that differ from legitimate user behavior in recognizable ways. A sudden spike in traffic to login pages — particularly outside business hours, from unusual geographic locations, or with a high ratio of failed attempts to successful ones — is a strong indicator of automated credential testing or brute-force activity. Web server logs and the traffic analytics provided by most web hosting platforms will show this pattern clearly to anyone reviewing them. A company website receiving 200 login attempts per hour from IP addresses in countries where the business has no customers is not experiencing a surge in legitimate interest. Geography alone is not sufficient, though: credential-stuffing tools increasingly route attempts through residential proxies in the target's own country, so the failure ratio, the rate per source, and the user-agent strings matter as much as the origin.
Port scan patterns in firewall logs
Port scanning — the systematic probing of a range of network ports to identify which services are running and potentially exploitable — is one of the most common pre-attack reconnaissance activities. Most business firewalls log blocked connection attempts, and a pattern of sequential or distributed port probing from a single IP address or a coordinated range of addresses indicates active mapping of the business’s network perimeter. This is not evidence of an imminent attack — port scanning is conducted continuously against virtually every internet-connected business — but a significant increase in scan frequency or a focused pattern targeting specific services the business is known to run warrants closer attention and, if possible, blocking of the source IP ranges.
Domain and email reconnaissance indicators
Attackers preparing a phishing campaign or business email compromise attempt often conduct reconnaissance on the target’s email infrastructure: identifying the email addresses of key employees, the mail server configuration, and whether the domain has DMARC enforcement that would block spoofed emails. Tools that monitor for typosquatted domains — domains registered with names similar to the business’s domain, such as companyname-invoice.com or companynamepayments.com — can provide early warning of a phishing infrastructure being prepared to target the business or its customers. Services such as dnstwist, PhishTank monitoring, and domain alert services from registrars provide this visibility at low or no cost.
Part III: Account and authentication warning signs — the most reliable early indicators
Once an attacker has identified a target and obtained or guessed credentials — through phishing, credential stuffing, or purchase on criminal marketplaces — they will attempt to use those credentials to access business systems. Account and authentication activity provides the clearest, most actionable early warning signals of an active compromise attempt or successful intrusion.
Logins from unexpected geographic locations
A legitimate employee’s account logging in from a country where the business has no operations, or from a city where the employee is not known to be traveling, is one of the most reliable indicators of credential compromise. Modern identity platforms — Microsoft Entra ID (formerly Azure AD), Google Workspace, and most enterprise SSO systems — provide geographic login data and can generate automatic alerts for “impossible travel” events: logins from two different locations within a timeframe that makes physical travel impossible. If an employee’s account logs in from Chicago at 9 AM and from Moscow at 10 AM, the Moscow login is not the employee. Corporate VPN egress points and mobile carrier networks can place a genuine user in an unexpected city, so confirm with the user before acting on a single anomalous location; two sign-ins that together imply a physically impossible speed are the stronger signal. Reviewing the geographic login data for administrator and privileged accounts weekly is a low-effort, high-value monitoring practice that catches compromised credentials early.
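The impossible-travel calculation described above, as an added worked example that is not code from the original article or from any identity platform: consecutive sign-ins per account are compared by great-circle distance and elapsed time, and any pair implying a speed faster than an airliner is flagged. The sign-in rows and the city coordinate table are constructed so the script runs offline; in practice the rows come from the identity platform's sign-in export and the coordinates from its GeoIP enrichment.

```python
"""Impossible-travel check over exported sign-in records (added example)."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Anything faster than a commercial airliner plus some slack is physically impossible.
MAX_PLAUSIBLE_KMH = 1000.0

# Assumed coordinate table (latitude, longitude) standing in for GeoIP output.
CITY_COORDS = {
    "Chicago": (41.8781, -87.6298),
    "New York": (40.7128, -74.0060),
    "London": (51.5074, -0.1278),
    "Moscow": (55.7558, 37.6173),
}

# Constructed sign-ins: (account, UTC timestamp, resolved city).
SIGNINS = [
    ("alice", "2024-03-04T14:00:00", "Chicago"),
    ("alice", "2024-03-04T15:00:00", "Moscow"),    # ~8,000 km in one hour
    ("bob", "2024-03-04T08:00:00", "Chicago"),
    ("bob", "2024-03-04T18:30:00", "New York"),    # ~1,150 km in 10.5 hours: plausible
    ("carol", "2024-03-04T09:00:00", "London"),
    ("carol", "2024-03-04T09:05:00", "London"),
]


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one finding per consecutive sign-in pair that implies an impossible speed."""
    by_account = defaultdict(list)
    for account, ts, city in signins:
        by_account[account].append((datetime.fromisoformat(ts), city))

    findings = []
    for account, rows in by_account.items():
        rows.sort()  # consecutive pairs only make sense in time order
        for (t1, c1), (t2, c2) in zip(rows, rows[1:]):
            if c1 == c2:
                continue
            km = haversine_km(CITY_COORDS[c1], CITY_COORDS[c2])
            hours = (t2 - t1).total_seconds() / 3600
            # Two different cities with no time gap is an infinite speed, not a division error.
            kmh = float("inf") if hours < 1e-6 else km / hours
            if kmh > max_kmh:
                findings.append({
                    "account": account,
                    "from": (c1, t1.isoformat()),
                    "to": (c2, t2.isoformat()),
                    "km": round(km),
                    "implied_kmh": round(kmh),
                })
    return findings


if __name__ == "__main__":
    for finding in impossible_travel(SIGNINS):
        print(finding)
```

Only alice is reported: Chicago to Moscow in one hour implies roughly 8,000 km/h, while bob's Chicago to New York in ten and a half hours is ordinary travel. The speed threshold, rather than distance alone, is what keeps VPN or roaming users who legitimately appear in two cities a day apart from generating noise.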
Login attempts outside normal hours
For most businesses, legitimate user activity follows predictable patterns: logins occur during business hours, from recognized devices, in recognized locations. Login attempts at 3 AM local time, from unfamiliar devices, against accounts that have no reason to be active outside business hours, are a reliable indicator of automated credential testing or an attacker working in a different time zone. Identity platform logs make this pattern immediately visible. Establishing a baseline of normal login hours for the organization — and flagging deviations from that baseline — requires minimal technical sophistication and provides significant detection value.
Repeated failed authentication attempts followed by success
Brute-force and credential stuffing attacks generate a characteristic pattern: a large number of failed login attempts against a specific account, followed by a successful login when the correct password is found or guessed. Most identity platforms log failed authentication attempts and can be configured to lock accounts after a threshold of failures — typically five to ten — which limits the effectiveness of automated guessing attacks. But the more important signal is the sequence itself: an account that generates fifty failed login attempts over two hours and then successfully authenticates warrants immediate investigation, even though the final login necessarily used valid credentials. The pattern indicates that the successful login may be the attacker’s, not the account owner’s, and a success from the same source address as the failures makes that all but certain. Note also that password spraying — one or two attempts against many accounts — stays under per-account lockout thresholds by design, so failures must also be grouped by source address: one address failing against dozens of different accounts in an hour is the spray signature even though no single account shows more than a couple of failures.
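Both detections from the paragraph above, the failed-then-success sequence grouped by account and the spray grouped by source, over sample authentication records, as an added example that is not code from the original article or from any identity platform. The key=value line format is an assumption chosen for parsing convenience; map your platform's export onto the same four fields. All log lines are constructed.

```python
"""Failed-then-success and password-spray detection over authentication events (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed simple line format: "<ISO timestamp> user=<name> src=<ip> result=SUCCESS|FAILURE".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)

# Constructed sample: a brute-force burst against "finance" ending in a success from
# the same address, a spray of one attempt each against 25 accounts from one address,
# one ordinary typo by "alice", and one line that is not an auth record at all.
SAMPLE_LOG = (
    [f"2024-03-04T02:{5 * i:02d}:00Z user=finance src=203.0.113.5 result=FAILURE" for i in range(12)]
    + ["2024-03-04T03:01:00Z user=finance src=203.0.113.5 result=SUCCESS"]
    + [f"2024-03-04T04:{i:02d}:00Z user=user{i:02d} src=192.0.2.9 result=FAILURE" for i in range(25)]
    + [
        "2024-03-04T09:00:00Z user=alice src=198.51.100.7 result=FAILURE",
        "2024-03-04T09:00:30Z user=alice src=198.51.100.7 result=SUCCESS",
        "2024-03-04T09:02:00Z this line is not an auth record",
    ]
)


def parse(lines):
    """Parse lines into dicts sorted by time; unparseable lines are skipped rather than fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def failed_then_success(events, window=timedelta(hours=2), min_failures=10):
    """Flag a success preceded by >= min_failures failures on the same account within window."""
    recent = defaultdict(deque)  # user -> (ts, src) of failures still inside the window
    findings = []
    for e in events:
        q = recent[e["user"]]
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        if e["result"] == "FAILURE":
            q.append((e["ts"], e["src"]))
        elif len(q) >= min_failures:
            sources = {src for _, src in q}
            findings.append({
                "type": "failed_then_success",
                "user": e["user"],
                "success_at": e["ts"].isoformat(),
                "success_src": e["src"],
                "failures": len(q),
                # Same source as the failures is the strongest sign the login is the attacker's.
                "same_source_as_failures": e["src"] in sources,
            })
            q.clear()  # one alert per burst
    return findings


def password_spray(events, window=timedelta(hours=1), min_accounts=20):
    """Flag a source that fails against >= min_accounts distinct accounts within window.

    Spraying stays under per-account lockout thresholds, so it is only visible
    when failures are grouped by source rather than by account.
    """
    recent = defaultdict(deque)  # src -> (ts, user) of failures inside the window
    findings, alerted = [], set()
    for e in events:
        if e["result"] != "FAILURE":
            continue
        q = recent[e["src"]]
        q.append((e["ts"], e["user"]))
        while e["ts"] - q[0][0] > window:
            q.popleft()
        accounts = {user for _, user in q}
        if len(accounts) >= min_accounts and e["src"] not in alerted:
            alerted.add(e["src"])
            findings.append({"type": "password_spray", "src": e["src"],
                             "accounts": len(accounts), "last_seen": e["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for finding in failed_then_success(parsed) + password_spray(parsed):
        print(finding)
```

On the sample, the finance account is reported with twelve failures and a success from the same address, the spray source is reported once it has touched twenty accounts, and alice's single mistyped password produces nothing. The thresholds are starting points; tune the window and counts to the volume your own logs show for normal users before enabling alerts.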
New administrator or privileged accounts appearing unexpectedly
Attackers who have successfully compromised a low-privilege account will typically attempt to escalate to administrator access — creating new administrator accounts, modifying existing account permissions, or exploiting vulnerabilities that grant elevated privileges. The appearance of a new administrator account that was not created through the organization’s standard provisioning process is a clear indicator of active intrusion. Administrator accounts should be inventoried and any unrecognized account investigated immediately. Automated alerts for new privileged account creation — available in most identity management platforms — provide real-time notification of this specific activity.
Part IV: Network behavior anomalies — what unusual traffic patterns reveal
Inside the network, an attacker who has established initial access will begin moving laterally — connecting to systems they have not previously touched, scanning internal network segments, and eventually reaching the systems and data that are their actual target. This movement generates network traffic patterns that differ from legitimate user activity in ways that are detectable with appropriate monitoring.

Internal port scanning and lateral movement traffic
When an attacker begins mapping the internal network from a compromised endpoint, they typically run tools that generate rapid, sequential connection attempts to other internal IP addresses — the same port scanning pattern described in the external reconnaissance section, but now originating from inside the network. A workstation that suddenly begins attempting to connect to dozens of internal IP addresses on management ports — RDP on port 3389, SMB on port 445, SSH on port 22, WinRM on ports 5985 and 5986 — is exhibiting the behavioral fingerprint of lateral movement. This is not how legitimate user workstations behave; a workstation talks to a handful of servers on a handful of ports, while a vulnerability scanner, a domain controller, or a backup server is expected to fan out and should be allowlisted by name rather than left to generate alerts. Network monitoring tools, even basic ones available at small-business price points, can detect and alert on this traffic pattern.
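One detector for both patterns discussed in this article, the external port walk in firewall logs (Part II) and the internal fan-out on management ports above, as an added example that is not code from the original article or from any firewall vendor. It reduces connection records to (timestamp, source, destination, destination port) tuples, which is what a firewall deny log or a flow export becomes once parsed; the records and the internal address range are constructed.

```python
"""Port-scan and lateral-movement fan-out detection over connection records (added example)."""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal address space
# Ports an attacker pivots through; a user workstation has no reason to fan out on them.
MGMT_PORTS = {22, 135, 445, 3389, 5985, 5986}

# Constructed records: (timestamp, src, dst, dst_port).
CONNS = (
    # External host walking twelve ports on one perimeter address (vertical scan).
    [(f"2024-03-04T01:00:{i:02d}", "198.51.100.23", "203.0.113.10", p)
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080, 8443])]
    # Workstation reaching thirty internal hosts on SMB and RDP (horizontal fan-out).
    + [(f"2024-03-04T13:05:{i % 60:02d}", "10.0.1.57", f"10.0.2.{i}", p)
       for i in range(1, 31) for p in (445, 3389)]
    # Ordinary user traffic to the intranet web server and the file server.
    + [("2024-03-04T13:06:00", "10.0.1.12", "10.0.5.20", 443),
       ("2024-03-04T13:06:05", "10.0.1.12", "10.0.5.21", 445)]
)


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_scans(conns, vertical_min=10, horizontal_min=15):
    """Return vertical-scan and lateral fan-out findings, sorted for stable output.

    vertical_min: distinct ports one source must touch on one destination.
    horizontal_min: distinct hosts one source must reach on MGMT_PORTS.
    """
    ports_per_pair = defaultdict(set)   # (src, dst) -> distinct destination ports
    hosts_per_src = defaultdict(set)    # src -> distinct hosts reached on MGMT_PORTS
    for _ts, src, dst, dport in conns:
        ports_per_pair[(src, dst)].add(dport)
        if dport in MGMT_PORTS:
            hosts_per_src[src].add(dst)

    findings = []
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= vertical_min:
            findings.append({"type": "vertical_scan", "src": src, "dst": dst,
                             "distinct_ports": len(ports), "internal_source": is_internal(src)})
    for src, hosts in hosts_per_src.items():
        if len(hosts) >= horizontal_min:
            findings.append({"type": "lateral_fanout", "src": src,
                             "distinct_hosts": len(hosts), "internal_source": is_internal(src)})
    return sorted(findings, key=lambda f: (f["type"], f["src"]))


if __name__ == "__main__":
    for finding in detect_scans(CONNS):
        print(finding)
```

The external scanner is reported as a vertical scan with an external source, which on its own is background noise to note rather than an incident; the workstation reaching thirty internal hosts on SMB and RDP is reported as a fan-out from an internal source, which is the finding that warrants pulling the machine for investigation. The ordinary user machine, with two destinations on two ports, produces nothing.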
Unusual outbound data volumes
Data exfiltration — the transfer of stolen data from the compromised network to an attacker-controlled destination — generates outbound network traffic that is often substantially larger than normal. A workstation or server that transfers gigabytes of data to an external destination outside business hours, or that communicates with IP addresses or domains that have no legitimate business relationship with the organization, is exhibiting behavior consistent with data exfiltration. Reviewing outbound traffic volumes and destinations — available in the logs of most business-grade firewalls — identifies this pattern. Organizations with cloud-based data repositories should also monitor for unusual bulk downloads from cloud storage, which attackers increasingly target as a faster exfiltration path than the corporate network.
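A per-device outbound volume check of the kind the paragraph above describes, as an added example that is not code from the original article or from any firewall product; it also serves the monthly firewall review recommended in Part VIII. Each device is compared with its own history using the median and the median absolute deviation rather than mean and standard deviation, so that a backup server that always sends a lot is not flagged and an earlier spike in a device's history does not hide a new one. The daily byte counts are constructed; a firewall's per-device traffic report is the real input.

```python
"""Per-device outbound volume baseline using a robust z-score (added example)."""
from statistics import median

MB = 1_000_000

# Constructed 14-day history of bytes sent to external destinations, per device.
BASELINE = {
    "ws-finance-07": [x * MB for x in (220, 310, 180, 260, 290, 240, 330,
                                       200, 275, 305, 250, 230, 295, 265)],
    "srv-backup-01": [x * MB for x in (48000, 51000, 49500, 50200, 47800, 52000, 50500,
                                       49000, 51500, 48500, 50000, 49800, 51200, 50800)],
    "ws-sales-03": [x * MB for x in (350, 420, 380, 460, 300, 510, 390,
                                     440, 370, 480, 410, 360, 450, 400)],
}
# Today's figures: a finance workstation pushing ~9 GB, the backup server at its
# usual tens of GB, a normal sales workstation, and a device with no history yet.
TODAY = {
    "ws-finance-07": 9_400 * MB,
    "srv-backup-01": 52_000 * MB,
    "ws-sales-03": 410 * MB,
    "ws-new-11": 120 * MB,
}


def robust_zscore(history, value):
    """Distance of value from the history median, in scaled-MAD units.

    1.4826 scales the median absolute deviation to the standard deviation for
    normally distributed data, so the threshold reads like a familiar z-score.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        mad = max(0.05 * med, 1.0)  # flat history: fall back to a 5 % tolerance band
    return (value - med) / (1.4826 * mad)


def outbound_anomalies(baseline, today, threshold=6.0, min_history=7):
    """Flag devices far above their own baseline, and devices that have no baseline."""
    findings = []
    for host, value in today.items():
        hist = baseline.get(host, [])
        if len(hist) < min_history:
            # A device with no history cannot be baselined; surface it for a manual look.
            findings.append({"host": host, "reason": "no_baseline", "today_mb": value // MB})
            continue
        z = robust_zscore(hist, value)
        if z > threshold:
            findings.append({"host": host, "reason": "volume_spike", "today_mb": value // MB,
                             "median_mb": int(median(hist)) // MB, "zscore": round(z, 1)})
    return findings


if __name__ == "__main__":
    for finding in outbound_anomalies(BASELINE, TODAY):
        print(finding)
```

The finance workstation, normally around 270 MB a day, is reported for 9.4 GB; the backup server's 52 GB is within its own range and is not. Volume is only half the check: pair it with the destination list, since a few hundred megabytes to a file-sharing site the business has never used is as telling as a multi-gigabyte spike.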
Communication with known malicious infrastructure
Malware installed on a compromised endpoint typically communicates with attacker-controlled command and control infrastructure — servers that issue instructions to the malware and receive exfiltrated data. These command and control servers are frequently catalogued in threat intelligence feeds, and DNS queries or HTTP connections to known malicious domains are detectable signals of active malware infection. DNS filtering services — including Cloudflare Gateway, Cisco Umbrella, and DNSFilter — block connections to known malicious domains and log all DNS queries, providing both a preventive control and a detection capability for command and control communication. These services start at minimal cost for small businesses.
Unexpected processes running on servers or workstations
Endpoint detection and response tools — described in the previous article in this series — monitor the processes running on protected devices and flag those that deviate from expected behavior. A server running a remote access tool that IT did not install, a workstation executing a scripting engine that the user’s role has no reason to use, or a process attempting to modify system files or disable security software — these are behavioral indicators of compromise that EDR tools surface automatically. For organizations without EDR, a periodic manual review of running processes on servers and administrator workstations, compared against a known-good baseline, provides a lower-fidelity version of the same detection capability.
Part V: Email and communication warning signs
Email is the primary attack vector for most business compromises, and it is also one of the richest sources of early warning signals. The indicators below suggest active targeting, active compromise of an email account, or the early stages of a business email compromise operation.
Employees reporting unusual emails targeting the business
When multiple employees receive phishing emails that reference the business by name, mention specific colleagues, include realistic-looking invoices with the company’s branding, or demonstrate detailed knowledge of the organization’s internal structure, this specificity indicates targeted reconnaissance rather than generic spam. Generic phishing campaigns use mass-produced lures with no specific targeting. Spear phishing — targeted phishing using gathered intelligence — requires prior research and signals elevated attacker interest in the specific organization. Employees should be trained and encouraged to report suspicious emails to a designated security contact, and patterns of reports should be reviewed to identify campaigns.
Email rules or forwarding configurations that did not exist before
A common technique used by attackers who have compromised an email account is to create inbox rules that silently forward copies of all incoming email — or all email containing specific keywords like “invoice,” “payment,” or “wire transfer” — to an external address controlled by the attacker. A related variant forwards nothing at all but moves matching messages, including replies from vendors or the bank, into a folder the owner never opens (“RSS Feeds” and “Conversation History” are favorites) or deletes them outright, so that the owner never sees the conversation the attacker is conducting in their name. Such rules are often given a blank or single-character name such as “.” so they do not stand out in the rule list. Both variants allow long-term surveillance of financial communications and the gathering of context needed to execute business email compromise fraud convincingly. These rules are typically created silently and are invisible to the account owner unless they specifically review their inbox rule configuration. IT administrators should periodically audit inbox rules for all accounts — particularly executives and finance personnel — and immediately investigate any rule that forwards email to an external address, or hides or deletes finance-related mail, that the account owner did not configure.
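An audit of exported inbox rules for the patterns described above, as an added example that is not code from the original article, from Microsoft, or from Google. The rule records are constructed dictionaries whose field names are an assumption loosely modelled on what a mailbox rule export contains (forward targets, keyword conditions, target folder, delete flag); map your own export onto them. The organization's domain list is likewise an assumed value.

```python
"""Audit exported inbox rules for attacker-created forwarding and hiding rules (added example)."""

ORG_DOMAINS = {"example.com"}  # assumed
FINANCE_TERMS = {"invoice", "payment", "wire", "remittance", "bank"}
# Folders users rarely open; attackers park replies there so the owner never sees them.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}

# Constructed rules (assumed export shape).
RULES = [
    {"owner": "cfo@example.com", "name": "Backup", "enabled": True,
     "forward_to": ["cfo.backup@gmail.com"], "keywords": [], "move_to": None, "delete": False},
    {"owner": "ap@example.com", "name": ".", "enabled": True,
     "forward_to": [], "keywords": ["invoice", "payment"], "move_to": "RSS Feeds", "delete": False},
    {"owner": "ap@example.com", "name": "Vendor spam", "enabled": True,
     "forward_to": [], "keywords": ["wire transfer"], "move_to": None, "delete": True},
    {"owner": "hr@example.com", "name": "To shared HR box", "enabled": True,
     "forward_to": ["hr-shared@example.com"], "keywords": [], "move_to": None, "delete": False},
    {"owner": "sales@example.com", "name": "Newsletters", "enabled": True,
     "forward_to": [], "keywords": ["newsletter"], "move_to": "Archive", "delete": False},
]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def audit_rule(rule):
    """Return (severity, reasons) for one rule; severity is None when nothing stands out."""
    reasons = []
    external = [a for a in rule["forward_to"] if domain_of(a) not in ORG_DOMAINS]
    if external:
        reasons.append(f"forwards to external address(es): {', '.join(external)}")

    keywords = [k.lower() for k in rule["keywords"]]
    touches_finance = any(term in k for k in keywords for term in FINANCE_TERMS)
    hides = rule["delete"] or (rule["move_to"] or "").lower() in HIDDEN_FOLDERS
    if hides and touches_finance:
        reasons.append("deletes or hides mail matching finance keywords "
                       f"({', '.join(keywords)})")
    elif hides and not keywords:
        reasons.append("deletes or hides all incoming mail")

    # Attackers commonly leave the rule name blank or use a single punctuation mark.
    if not rule["name"].strip(" .,-_"):
        reasons.append(f"suspicious rule name {rule['name']!r}")

    if not reasons:
        return None, []
    severity = "high" if (external or (hides and touches_finance)) else "medium"
    return severity, reasons


def audit_rules(rules):
    """Audit every enabled rule; disabled rules do nothing today and are skipped."""
    findings = []
    for rule in rules:
        if not rule["enabled"]:
            continue
        severity, reasons = audit_rule(rule)
        if severity:
            findings.append({"owner": rule["owner"], "rule": rule["name"],
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_rules(RULES):
        print(finding)
```

Three rules are reported: the CFO's forward to a personal webmail address, the accounts-payable rule named “.” that files invoice and payment mail into RSS Feeds, and the rule that deletes anything mentioning a wire transfer. The internal forward to a shared HR mailbox and the newsletter archiving rule are ordinary and produce nothing. Any reported rule should be confirmed with the owner before it is removed, and the owner's account treated as compromised if they did not create it.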
Sent emails the user did not send
When an attacker accesses an email account and uses it to send phishing emails to the victim’s contacts — a technique that increases the credibility of the phishing attempt by appearing to come from a trusted sender — the evidence appears in the account’s sent folder. Recipients who respond to these unexpected emails and question the sender create a second detection signal. Any report from a contact that they received an unexpected email from an employee — particularly one requesting unusual actions, containing links, or requesting credential information — should be treated as evidence of account compromise until investigation confirms otherwise.
Vendors or partners reporting unusual contact from the business
Business email compromise attacks frequently involve impersonating the target organization’s employees to deceive vendors and partners — requesting changes to payment banking details, authorizing unusual transactions, or requesting sensitive information. When a vendor calls to verify an unusual request that appeared to come from the business, that call is a detection signal. Organizations should establish a clear verification protocol with financial counterparties — any change to payment instructions must be verified by a separate, out-of-band phone call to a known contact number — and any report of unusual communication from a partner should trigger an immediate investigation into whether an account has been compromised.
Part VI: Endpoint and system behavior indicators
The devices inside the network — workstations, servers, and mobile devices — exhibit specific behavioral changes when they have been compromised or when malware is active on them. These changes are observable without specialized tools, though detection is more reliable with EDR in place.
Unexplained performance degradation
Malware — particularly cryptocurrency mining malware, which uses the compromised system’s processing power to generate cryptocurrency for the attacker — causes sustained, unexplained increases in CPU and memory utilization. A workstation that was previously responsive and now runs slowly, with consistent high CPU usage that does not correspond to any running business application, warrants investigation. Cryptocurrency miners are among the most common opportunistic malware deployed against compromised business systems, because they generate ongoing revenue for the attacker with minimal risk of immediate detection. They are also among the easiest to detect through basic system performance monitoring.
Security software being disabled or generating new alerts
Sophisticated malware frequently attempts to disable security software — antivirus, EDR, endpoint firewall — as one of its first actions after execution, because active security tools are the primary mechanism for detecting and removing it. If endpoint security software on a workstation or server has been disabled, uninstalled, or is generating alerts that it cannot update its definitions or communicate with its management console, this warrants immediate investigation. Security software does not disable itself under normal conditions. Any unexplained change in the status of security tools should be treated as a potential indicator of active compromise.
New software or services installed without IT knowledge
Remote access tools installed by attackers — remote desktop software, reverse shells, legitimate remote monitoring tools repurposed for malicious use — appear as new software installations or new running services on compromised systems. A periodic audit of installed software on servers and administrator workstations, compared against an approved software inventory, will surface unauthorized installations. For organizations with mobile device management deployed, MDM tools can enforce and report on the software inventory of all managed devices automatically. Unrecognized remote access software on any system should be treated as evidence of compromise until investigation confirms otherwise.
Files being accessed or modified at unusual times
File access logs — available on Windows Server through the file system auditing policy and on most NAS devices — record when files are opened, modified, copied, or deleted, and by which account. A pattern of file access outside business hours, particularly across a large number of files in sequence — consistent with automated bulk copying rather than a human browsing files — is a strong indicator of data exfiltration in progress; backup and indexing service accounts produce the same pattern legitimately and should be allowlisted by name so that the alert stays meaningful. Similarly, mass file modifications — particularly changes to file extensions or the appearance of ransom note files in directories — are the earliest observable indicators of active ransomware encryption. Organizations that monitor file access logs on systems containing sensitive data have a realistic chance of detecting both of these patterns while there is still time to respond.
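The two file-access patterns above, bulk off-hours reads and mass extension changes with a ransom note, detected over sample audit records, as an added example that is not code from the original article or from Windows or any NAS vendor. Events are constructed tuples of the shape a file audit log reduces to once parsed; the allowlisted backup account name, the business hours, and the ransom-note filename markers are assumptions.

```python
"""Bulk off-hours reads and mass extension changes in file audit records (added example)."""
from collections import Counter, defaultdict, deque, namedtuple
from datetime import datetime, timedelta

FileEvent = namedtuple("FileEvent", "ts account action path new_path")
# Assumed substrings seen in ransom note filenames; extend from your own threat intel.
RANSOM_NOTE_MARKERS = ("readme_decrypt", "how_to_recover", "restore_files", "decrypt_instructions")
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59 local; assumed

T = datetime(2024, 3, 4)
EVENTS = (
    # Nightly backup account reading the whole share: expected, allowlisted below.
    [FileEvent(T.replace(hour=2) + timedelta(seconds=i), "svc-backup", "read", f"/finance/{i}.xlsx", None)
     for i in range(300)]
    # A user account reading 150 finance files in sequence at 23:30.
    + [FileEvent(T.replace(hour=23, minute=30) + timedelta(seconds=i), "jsmith", "read", f"/finance/{i}.xlsx", None)
       for i in range(150)]
    # A workstation renaming 80 documents to .locked and dropping a note mid-morning.
    + [FileEvent(T.replace(hour=10, minute=15) + timedelta(seconds=i), "mgarcia", "rename",
                 f"/shared/doc{i}.docx", f"/shared/doc{i}.docx.locked") for i in range(80)]
    + [FileEvent(T.replace(hour=10, minute=16, second=30), "mgarcia", "write", "/shared/README_DECRYPT.txt", None)]
    # Ordinary edits.
    + [FileEvent(T.replace(hour=14) + timedelta(minutes=i), "alice", "write", f"/shared/report{i}.docx", None)
       for i in range(3)]
)


def suffix(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_file_anomalies(events, allowlist=frozenset({"svc-backup"}), window=timedelta(minutes=5),
                          bulk_read_min=100, rename_min=50):
    """One finding per (account, type), as a sorted list of dicts."""
    per_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.account not in allowlist:
            per_account[e.account].append(e)

    findings, seen = [], set()

    def emit(account, kind, **detail):
        if (account, kind) not in seen:  # alert once per pattern, not once per file
            seen.add((account, kind))
            findings.append({"account": account, "type": kind, **detail})

    for account, evs in per_account.items():
        reads, renames = deque(), deque()  # events still inside the sliding window
        for e in evs:
            name = e.path.rsplit("/", 1)[-1].lower()
            if any(marker in name for marker in RANSOM_NOTE_MARKERS):
                emit(account, "ransom_note", path=e.path, at=e.ts.isoformat())
            if e.action == "read":
                reads.append(e.ts)
                while e.ts - reads[0] > window:
                    reads.popleft()
                if len(reads) >= bulk_read_min and e.ts.hour not in BUSINESS_HOURS:
                    emit(account, "bulk_read_offhours", files=len(reads), at=e.ts.isoformat())
            elif e.action == "rename" and e.new_path and suffix(e.new_path) != suffix(e.path):
                renames.append((e.ts, suffix(e.new_path)))
                while e.ts - renames[0][0] > window:
                    renames.popleft()
                if len(renames) >= rename_min:
                    ext, _n = Counter(s for _, s in renames).most_common(1)[0]
                    emit(account, "mass_extension_change", files=len(renames),
                         new_extension=ext, at=e.ts.isoformat())
    return sorted(findings, key=lambda f: (f["account"], f["type"]))


if __name__ == "__main__":
    for finding in detect_file_anomalies(EVENTS):
        print(finding)
```

The user reading 150 finance spreadsheets at 23:30 is reported as a bulk off-hours read, and the workstation renaming documents to .locked is reported twice, once when fifty renames land inside the window and once for the note file. The backup account's 300 reads at 02:00 are suppressed only because it is allowlisted; run with an empty allowlist and it is reported too, which is the false positive the allowlist exists to remove.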
Part VII: What to do when warning signs appear — the immediate response protocol
Detection is only valuable if it triggers an appropriate response. When warning signs consistent with surveillance, active intrusion, or compromise are identified, the response must be immediate, measured, and guided by a clear protocol established before the incident — not improvised under pressure in the moment.

Do not immediately shut everything down
The instinct to respond to a suspected intrusion by immediately powering off affected systems is understandable but often counterproductive. Shutting down a compromised system destroys the volatile memory evidence — running processes, network connections, encryption keys in memory — that forensic investigators need to understand what happened and how far the intrusion extended. Unless ransomware encryption is actively in progress and shutdown is the only means of stopping it, affected systems should be isolated from the network — disconnected from the internet and from other internal systems, or placed in network containment through the EDR console if one is deployed — but kept powered on to preserve forensic evidence until a qualified incident responder can begin investigation.
Isolate, do not delete
Compromised accounts should be disabled, not deleted. Suspicious files should be quarantined, not removed. Affected network segments should be isolated, not wiped. Every piece of evidence that is deleted or overwritten narrows the investigation team’s ability to understand the scope of the intrusion, identify what was accessed, and determine whether all attacker access has been eliminated. Preservation of evidence is a legal consideration as well as a technical one — in regulated industries, evidence destruction can create compliance exposure that compounds the damage of the incident itself.
Engage qualified assistance immediately
For most small and mid-sized businesses, a confirmed or strongly suspected intrusion exceeds the internal team’s capacity to investigate and remediate without external support. Engaging a qualified incident response firm — or the incident response services provided by the business’s cyber insurer — early in the response improves both the technical outcome and the legal and regulatory defensibility of the response. Cyber insurance policies typically include incident response resources as a covered benefit; the insurer should be notified of a potential incident as early as possible to activate these resources and ensure that the response is conducted in a manner that preserves coverage.
Notify stakeholders according to the incident response plan
Every business should have a documented incident response plan that specifies who is notified of a potential security incident, in what order, and with what information. At minimum, this plan should identify the internal decision maker responsible for declaring an incident, the external resources available to respond, the legal counsel to be engaged for regulatory notification assessment, and the communication protocol for informing employees, customers, and partners as appropriate. Organizations that develop this plan before an incident occurs respond faster, more coherently, and with substantially less confusion and secondary damage than those improvising the notification process under active incident pressure.
Part VIII: Building the monitoring foundation — what small businesses can implement today
The detection capabilities described throughout this article do not require a dedicated security operations center or enterprise-grade monitoring infrastructure. The following monitoring practices, each implementable with widely available tools at minimal cost, provide a meaningful early warning capability for a business of any size.
Enable and review authentication logs weekly. Every identity platform — Microsoft 365, Google Workspace, Okta — provides detailed authentication logs showing login times, locations, devices, and outcomes. A weekly fifteen-minute review of these logs for administrator accounts and finance personnel, looking for geographic anomalies, unusual hours, and failed-then-successful patterns, catches the most common credential-based intrusion indicators without requiring any additional tooling.
Configure alerts for high-priority events. Identity platforms and security tools can send email or SMS alerts when specific events occur: new administrator account creation, login from a new country, bulk email forwarding rule creation, MFA being disabled on any account. Configuring these alerts takes less than an hour and provides real-time notification of the highest-risk events without requiring anyone to review logs continuously.
Deploy DNS filtering. DNS filtering services block connections to known malicious domains and log all DNS queries across the network. The logs provide visibility into which devices are attempting to reach suspicious destinations — a strong indicator of malware infection. These services cost $1 to $3 per user per month and require only a DNS configuration change to deploy.
Monitor outbound traffic volumes on the firewall. Most business-grade firewalls provide traffic volume reporting by device and by destination. A monthly review of the top data consumers and the top external destinations — looking for unexpected spikes or unfamiliar destinations — provides a basic data exfiltration detection capability without dedicated network monitoring tools.
Establish a security incident reporting culture. Employees who know to report suspicious emails, unexpected login prompts, unfamiliar software appearing on their devices, or unusual system behavior — and who believe that reporting will be met with appreciation rather than blame — are the most cost-effective detection capability available to a small business. The human sensor network of an alert, trained workforce consistently detects threats that automated tools miss, and it costs nothing beyond the training investment already described.
Conclusion: Visibility is the prerequisite for defense
Businesses that are being watched are not defenseless — they are simply, in most cases, unaware. The warning signs described in this article are present in the vast majority of intrusions that eventually cause serious damage, detectable by any organization willing to pay attention to the right signals in the right places. The challenge is not technical sophistication. It is the discipline of establishing monitoring baselines, reviewing logs regularly, configuring alerts for high-priority events, and creating a culture in which employees feel responsible for reporting what they observe.
The business that catches an intrusion in its reconnaissance phase has time to close the door before the attacker enters. The one that catches it in the lateral movement phase has time to contain the damage before data is stolen or ransomware deploys. The one that discovers it when the ransom note appears on every screen has no options left except to respond to a fait accompli. The difference between these outcomes is not determined by the attacker’s sophistication. It is determined by whether anyone was watching.
Disclaimer: This article is intended for educational and informational purposes only. It does not constitute legal, compliance, or professional cybersecurity advice. Incident response requirements vary by jurisdiction, industry, and regulatory framework. Organizations experiencing a suspected security incident should engage qualified cybersecurity and legal professionals immediately.