What do identity theft, WhatsApp, and a maliciously crafted Microsoft Word document have in common? To answer that, allow me to rewind a bit.

It’s been several years since the start of the COVID-19 pandemic, and pharmaceutical companies continue to face high pressure to secure their data as healthcare remains a prime target for organized cybercrime. The widespread shift to remote and hybrid work has led to the continued growth of cloud adoption across all industries, especially for healthcare organizations where there has been an increase in telemedicine and new remote work requirements.

With all eyes are still on healthcare, we’ve seen cyberattackers become even more creative when infiltrating organizations under the radar.

Enter: an attacker posing as a recruiter leveraging a fraudulent LinkedIn profile based off an actual person with an extensive background in recruiting. This threat actor contacts people with the lure of a lucrative job offer, establishing rapport with their target via WhatsApp over several days. Finally, the target receives an infected Word document that, upon opening, would provide the attacker with access to an organization’s system. This social engineering allowed hackers to target and compromise company staff, just like the unsuspecting Employee Zero at Sanofi, a multinational pharmaceutical company. This is where our story starts.

I had the privilege of sitting down with Jean-Yves Poichotte, Group Head of Cybersecurity at Sanofi, and Richard Webster, Head of Cyber Security Operations Center at Sanofi, to discuss how this attack unfolded and why partnering with Vectra was critical to preventing a data breach.
‍

"We have many vendors,” Jean-Yves said. “Rare are those which dedicate a certain level of partnership. Vectra and its team are bringing a partnership mindset.”

Adding value with Vectra

What happens when accounts are compromised, and an attacker infiltrates your organization through completely legitimate tools and processes? The malicious behavior of the attacker is hidden amongst the “normal” noise and doesn’t stand out with endpoint scans. In cases like this, endpoint detection and response (EDR) solutions have already been infected and can no longer combat the threat. This is precisely the problem that Sanofi solved with Vectra.  

We filled a specific gap in Sanofi’s security journey, giving them full visibility and coverage between their enterprise and cloud deployments including their AWS infrastructure. During red team testing, Sanofi required a solution that would detect attacks that bypass existing tools such as EDR and would be impossible to find in security information and event management (SIEM) systems.  

The Vectra Platform applies AI-derived machine learning algorithms to automatically detect, prioritize, and respond to in-progress cyberattack behaviors. Vectra AI provides high-fidelity visibility into the entire network and cloud, as well as all applications, operating systems, and devices, including bring your own device (BYOD) and Internet of Things (IoT).

This is why extending detection across every environment, including the cloud, was a core part of Sanofi’s strategy. As part of that effort, Sanofi leveraged Vectra AI to analyze behavior in their AWS environment — a focus that was reaffirmed with a renewed commitment to AWS coverage in 2024.  

Visibility into AWS proved essential. It enabled Sanofi to catch behaviors other tools had missed and respond in real-time before the attack could escalate. By surfacing signals directly from AWS infrastructure, the team could investigate activity that would have gone unseen by endpoint tools alone. This level of insight was critical in tracing the attacker’s movements and taking decisive action.

“We are long-standing AWS and Vectra customers. We rely on Vectra as an important component of our detect and response tool kit,” Jean-Yves explained, “Leveraged to monitor our enterprise network and our cloud management plane, Vectra’s ability to detect threats and its deep well of data for forensics and investigation bring context and make it a powerful capability. It brings critical visibility of attack behaviors across network, identity, and cloud. Specifically, we have seen, in aggressive red team testing, powerful cloud detection capabilities. And the instant investigation page shows all actions an account has taken across our tenant, an efficient investigation feature. In real and complex incidents, it brings enormous context.”

Vectra’s ability to deliver this type of coverage, plus the addition of AWS VPC Traffic Mirror data, makes it nearly impossible for attackers to circumvent. Prioritizing the highest-risk threats with a high degree of certainty enables a confident approach to automating threat surveillance. According to Richard, the Vectra technology is what allowed their organization to detect and shut down the attack.

NDR augments the SOC

Even though Sanofi’s security architecture is built to handle complex operations, this particular attack managed to evade the tools already in place. Richard disclosed, “I'm always telling my team that we need to build new detection nets all the time. We're adding layer after layer of detection nets, but only two of them worked for this attack." The two in question? Endpoint detection and response (EDR) and NDR.

When I asked Jean-Yves and Richard to choose between EDR and NDR, Richard said that both are critical to maintaining a secure environment. "For me, it isn't one or the other – I need both. I want as much visibility as possible, and I want to do deep forensics with EDR and NDR.” He shared how adversaries could compromise the endpoint device and disable the EDR solution, whereas attackers can’t do the same for NDR. “It's harder to defeat NDR,” he said.

While EDR is important is important for endpoints, NDR is critical to the network. Sanofi used Detect and Recall in tandem to detect threats and trace the attack progression. While Detect assisted in real time, Recall assisted the Sanofi team afterwards to conduct forensics. Richard noted, “In this particular attack, we could go into Recall and we could see line by line exactly what the share enumeration was. We could see the file opens, the file read, what the names of files were, we could see the bytes count.” Such complete visibility of the attack progression then educated and informed the team as they created detection frameworks to prevent similar tactics in the future.

Sanofi and Vectra: Better together

Jean-Yves, Richard, and I closed out by reinforcing the strength of the partnership between our organizations. This attack has demonstrated that when an attacker manages to steal credentials and bypass traditional endpoint solutions, NDR effectively bridges the gap.

Thwarting this attack also exemplifies the collaborative benefits derived from enthusiastic cooperation among our teams. Vectra offers the platform while Sanofi brings their unique use cases, which allows us to innovate together, solve problems, and exchange technical expertise.

As Sanofi continues to evolve its security operations and expand its cloud footprint, Jean-Yves and Richard shared that they’re looking forward to an ongoing partnership with us at Vectra. Jean-Yves commented, “Vectra brings their innovation and deep technical value. My team at Sanofi is bringing the solution feedback. And the combination is the path of progress and maturity.”

We wrapped up our conversation with an excellent Q&A session featuring questions submitted by the audience. Though we couldn’t respond to all the submissions live, we’ve answered all of them in them in this document, featuring Jean-Yves and Richard’s unedited comments.  

Get the full story on the methods used by cybercriminals to carry out the attack—leveraging LinkedIn, WhatsApp, and Microsoft Word—and how Sanofi used Detect and Recall from Vectra to stop the attack in its tracks.