Top 3 Ransomware Attacks Hitting SA SMEs in 2026

R2.2 billion. That’s what South African businesses lost to cybercrime in 2025, according to SAPS. 90% started with one of these 3 attacks.

We responded to 47 incidents last year. Here’s exactly how they got in, and how to block them in 30 minutes.

Threat #1: Phishing + MFA Fatigue (60% of cases)

How it works: You get a real-looking “Microsoft: Unusual sign-in” email. You click, enter password + approve the MFA push because you’re busy. Attacker is in.

Real SA example: Pretoria accounting firm, March 2026. Attacker logged in at 2am, created inbox rule to delete invoices, sent fake EFT details to 3 clients. Lost R380k before detection.

30-Minute Fix:
1. Azure AD > Security > Authentication methods > Disable SMS/Voice. Force Authenticator app only.
2. Conditional Access > Block logins outside SA if you don’t operate internationally.
3. Enable “Number matching” in MFA. User must type 2-digit code from screen. Stops fatigue attacks.

Threat #2: RDP Brute-Force (25% of cases)

How it works: Your server/firewall has Remote Desktop exposed to the internet on port 3389. Bots try 10,000 passwords/day. Eventually one works.

Real SA example: Centurion manufacturer. RDP open for “work from home”. Attacker in, encrypted entire server, R850k ransom. No backups. 3 weeks downtime.

30-Minute Fix:
1. Close port 3389 on firewall immediately. Use VPN + RDP or Azure Virtual Desktop.
2. If you must use RDP: Change port, restrict to SA IP ranges, enable account lockout after 3 failures.
3. Check: shodan.io search “port:3389 country:ZA” to see if you’re exposed.

Threat #3: Fake Invoice / CEO Fraud (15% of cases)

How it works: Attacker compromises supplier OR your email. Sends invoice with their banking details. Your finance pays it. Only caught at month-end.

Real SA example: Midrand logistics. Attacker spoofed CEO email, told finance “urgent payment to new supplier”. R120k gone. Bank couldn’t reverse.

30-Minute Fix:
1. Exchange Admin > Mail flow > Create rule: If sender = CEO but from outside org, quarantine + alert IT.
2. Finance policy: Any change of banking details requires phone call to known number. No exceptions.
3. Enable SPF/DKIM/DMARC on your domain. Blocks 90% of spoofing.
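Step 1 of the fix above, written as an Exchange Online PowerShell mail flow rule. This is an added example, not code from the post or its PDF; the CEO display name, the IT alert mailbox and the rule name are placeholders, and it assumes the ExchangeOnlineManagement module and an Exchange admin account.

```powershell
# Added example (not from the original post). Requires: Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$ceoDisplayName = 'Jane Doe'             # placeholder: CEO's display name exactly as it appears in From:
$itAlertMailbox = 'it-alerts@example.co.za'  # placeholder: mailbox that receives the incident report

# Rule: mail that arrives from OUTSIDE the organisation but carries the CEO's name in the
# From: header is quarantined and IT is alerted. Internal mail from the real CEO is unaffected.
$rule = @{
    Name                       = 'Quarantine external mail impersonating CEO'
    FromScope                  = 'NotInOrganization'                  # external senders only
    HeaderMatchesMessageHeader = 'From'                               # inspect the From: header
    HeaderMatchesPatterns      = [regex]::Escape($ceoDisplayName)     # literal match on the name
    Quarantine                 = $true                                # hold the message, do not deliver
    GenerateIncidentReport     = $itAlertMailbox                      # alert IT
    IncidentReportContent      = 'Sender', 'Recipients', 'Subject'
    Mode                       = 'Enforce'                            # use 'Audit' first to check for false positives
    Comments                   = 'Threat #3 fix, step 1: block CEO display-name spoofing from outside the org'
}
New-TransportRule @rule

# Verify the rule exists and is enabled
Get-TransportRule -Identity $rule.Name | Format-List Name, State, Mode, FromScope, HeaderMatchesPatterns, Quarantine
```

Run it once in Audit mode for a week: an external supplier contact who legitimately shares the CEO's name would otherwise land in quarantine.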

The 1 Setting That Stops 90% of This

Conditional Access + MFA with number matching. If an attacker has your password but can’t pass MFA, they’re locked out. Takes 15 minutes to configure.

Don’t have Azure AD P1? You get it with Microsoft 365 Business Premium. If you’re on Business Basic/Standard, you’re exposed.

Not Sure If You’re Protected?

We’ll run a free 15-minute scan: check RDP exposure, MFA gaps, and phishing risk. No sales pitch.

Book Free R950 Security Check

Want the full checklist? Download the 12-point M365 Security PDF with PowerShell scripts to verify your setup.
