Last week, a client reached out after two of their sales representatives received suspicious emails. The emails looked like shared document notifications from Microsoft. The links appeared legitimate. One employee clicked.
Within 48 hours, we helped them contain the incident, reset compromised credentials, and implement protections against the broader campaign. The attack they encountered is part of a sophisticated operation that has been running for at least five months, specifically targeting manufacturing, industrial automation, plastics, and healthcare organizations.
If your business operates in these sectors in Lancaster County, you should know what is happening and how to protect your teams.
The Campaign: What We Know
Security researchers at Socket disclosed details of this campaign in late December 2025. The operation involves 27 malicious packages published to the npm registry, a public repository used by software developers. But this is not a typical software supply chain attack.
The attackers are not targeting developers. They are using npm's content delivery network to host phishing pages that impersonate Microsoft login portals and document-sharing services. The phishing links are distributed via email to specific individuals at targeted companies.
Here is what makes this campaign unusual:
Targeted selection of victims. The phishing packages contain hardcoded email addresses for 25 specific individuals. These are not random targets. They are account managers, sales representatives, and business development staff at manufacturing and industrial organizations across the U.S., Canada, and Europe.
Industry focus. The campaign specifically targets manufacturing, industrial automation, plastics and polymer supply chains, and healthcare. These are sectors where credential theft could enable industrial espionage or serve as preparation for ransomware attacks.
Sophisticated evasion. The phishing pages include anti-analysis features: bot filtering, sandbox detection, and requirements for mouse or touch input before displaying content. This makes automated security scanning less effective.
Trusted infrastructure. By hosting content on npm's CDN, the attackers benefit from the domain's reputation. Links to npmjs.com and related CDN domains are less likely to be blocked by email filters.
Why Lancaster County Businesses Are at Risk
Lancaster County has one of the highest concentrations of manufacturing businesses in Pennsylvania. The county is home to hundreds of manufacturers in plastics, industrial components, food processing, and precision machinery. Many of these companies sell nationally and internationally through trade shows and direct sales teams.
The attackers behind this campaign appear to have gathered targeting information from trade shows and industry directories. Major events like Interpack and K-Fair were likely sources. Lancaster County manufacturers who exhibit at regional and national trade shows may have their sales staff in the attackers' crosshairs.
Consider the typical profile of a targeted individual:
- Works in sales, account management, or business development
- Email address is publicly listed on company websites or LinkedIn
- Has attended industry trade shows
- Regularly receives document sharing notifications as part of their work
This describes a significant portion of the customer-facing staff at local manufacturers.
How the Attack Works
The attack chain is straightforward but effective:
Step 1: Reconnaissance. Attackers identify target companies in manufacturing, industrial automation, plastics, or healthcare. They gather email addresses of sales and business development staff from trade show exhibitor lists, company websites, LinkedIn, and industry directories.
Step 2: Infrastructure setup. Attackers create npm packages containing phishing pages. These pages mimic Microsoft login screens and document sharing interfaces. The pages are hosted on npm's CDN, giving them the appearance of legitimacy.
Step 3: Phishing delivery. Targeted individuals receive emails with links to the phishing pages. The emails may appear to be document sharing notifications, meeting invitations, or customer inquiries. The links point to npmjs.com or its CDN, which many email filters trust.
Step 4: Credential capture. When victims enter their Microsoft 365 credentials on the phishing page, those credentials are sent to the attackers. The page may then redirect to a legitimate Microsoft service to avoid raising suspicion.
Step 5: Account compromise. With valid credentials, attackers can access email, SharePoint, Teams, and other Microsoft 365 services. From there, they can move laterally within the organization, access sensitive documents, or prepare for ransomware deployment.
What Compromised Credentials Enable
Credential theft is not the end goal. It is the beginning. Here is what attackers can do with compromised Microsoft 365 credentials:
Email access. Read all incoming and outgoing email. Access customer contracts, pricing documents, and business communications. Set up mail forwarding rules to maintain access even after password changes.
Document theft. Access SharePoint and OneDrive. Download customer lists, product specifications, manufacturing processes, and financial documents. In manufacturing, this information is valuable for industrial espionage.
Business email compromise. Send emails as the compromised user. Request fraudulent wire transfers from customers or vendors. Redirect legitimate payments to attacker-controlled accounts.
Lateral movement. Use internal email to phish other employees. Access shared resources across the organization. Identify high-value targets for further attacks.
Ransomware preparation. Map the organization's network and data. Identify backup systems. Position for maximum impact before deploying ransomware.
For a Lancaster County manufacturer, the consequences could include theft of proprietary processes, loss of customer data, fraudulent transactions, and ultimately ransomware that halts production.
Indicators to Watch For
Train your teams to recognize these warning signs:
Email red flags:
- Document sharing notifications you were not expecting
- Urgent requests to view files from unfamiliar senders
- Links that ask for Microsoft login credentials outside normal workflows
- Any email pushing urgency around file access
Technical indicators:
- Links to npmjs.com or similar CDN domains in unexpected contexts
- Login pages that require mouse movement before displaying
- Browser warnings about unusual certificate configurations
- URLs that do not match microsoft.com for Microsoft login prompts
Account anomalies:
- Login notifications from unfamiliar locations
- Email forwarding rules you did not create
- Sent emails you do not recognize
- Access to SharePoint or Teams at unusual times
If any of your staff encounter these indicators, treat it as a potential compromise. Speed matters.
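An added example, not code from the original post, that applies the URL-based indicators above to the links in an email body: npm CDN hosts, hosts hidden behind an `@` in the URL, and Microsoft-themed links that land somewhere other than a Microsoft domain. The allowlisted Microsoft hosts and the CDN hosts other than npmjs.com are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of hosts where a genuine Microsoft sign-in or document-share
# link may land (an assumption; extend with your tenant's own domains).
MICROSOFT_HOSTS = ("login.microsoftonline.com", "login.live.com", "microsoft.com",
                   "sharepoint.com", "office.com")
# npmjs.com is named in the campaign write-up; the other two are assumed CDN
# fronts for the npm registry.
NPM_CDN_HOSTS = ("npmjs.com", "unpkg.com", "jsdelivr.net")
LOGIN_WORDS = re.compile(r"login|sign ?in|shared|document|sharepoint", re.I)

def _host_matches(host, suffixes):
    """Match on whole DNS labels so login.microsoft.com.evil.test is rejected."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def classify_link(url, anchor_text=""):
    """Return 'ok', 'not http(s)', or a 'suspicious: ...' verdict for one link."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return "not http(s)"
    # https://login.microsoftonline.com@www.npmjs.com/... : real host follows '@'
    if parts.username is not None:
        return "suspicious: userinfo in URL"
    if _host_matches(host, NPM_CDN_HOSTS):
        return "suspicious: npm CDN host"
    themed = LOGIN_WORDS.search(anchor_text) or LOGIN_WORDS.search(parts.path)
    if themed and not _host_matches(host, MICROSOFT_HOSTS):
        return "suspicious: Microsoft-themed link on non-Microsoft host"
    return "ok"

def triage_html(body):
    """Return (url, verdict) for every anchor in an HTML email body."""
    results = []
    for m in re.finditer(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        text = re.sub(r"<[^>]+>", "", m.group(2))
        results.append((m.group(1), classify_link(m.group(1), text)))
    return results

# Constructed sample of the kind of notification described in the post.
SAMPLE_EMAIL = """<p>A document has been shared with you.</p>
<a href="https://www.npmjs.com/package/example-share-page">Open document</a>
<a href="https://login.microsoftonline.com/common/oauth2/authorize">Sign in</a>"""
```

The host check matches whole DNS labels, so a lookalike such as `login.microsoftonline.com.example.net` is still flagged.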
Immediate Steps If You Suspect Compromise
If an employee clicked a suspicious link or entered credentials on an unfamiliar page:
1. Reset credentials immediately. Change the Microsoft 365 password. This does not fully secure the account but limits immediate access.
2. Revoke active sessions. In Microsoft 365 admin, revoke all active sessions for the user. This forces re-authentication everywhere.
3. Check for persistence mechanisms. Review inbox rules for forwarding or deletion rules you did not create. Check connected applications in the account settings. Attackers often set up persistence before victims realize something is wrong.
4. Review recent activity. Check sign-in logs for unfamiliar locations or devices. Review sent email for anything the user did not send. Check SharePoint and OneDrive access logs for unusual downloads.
5. Notify your IT team or security provider. If you have internal IT or work with a managed security provider, engage them immediately. The first 24 hours are critical for containment.
6. Consider broader exposure. If the compromised account had access to sensitive data, assume that data is compromised. If the account was used to email other employees, those employees may also be targeted.
Protective Measures for Lancaster County Businesses
Defending against targeted phishing requires multiple layers. No single control stops these attacks.
Enable Multi-Factor Authentication
MFA is the single most effective protection against credential theft. Even if an attacker captures a password, they cannot access the account without the second factor.
Recommendations:
- Enable MFA for all Microsoft 365 accounts, especially those with access to email and documents
- Use authenticator apps rather than SMS where possible
- Consider hardware security keys (FIDO2) for high-value accounts
Microsoft 365 Business Premium includes security defaults that enable MFA for all users. If you are on a lower tier, consider upgrading or implementing conditional access policies.
Implement Phishing-Resistant Authentication
Standard MFA can be bypassed by sophisticated real-time phishing attacks. Phishing-resistant authentication methods are more durable.
Options:
- Windows Hello for Business
- FIDO2 security keys
- Certificate-based authentication
These methods verify the identity of the service being accessed, not just the user. They prevent credential theft even when users interact with convincing phishing pages.
Train Staff on Phishing Recognition
Your sales and business development teams are the primary targets. They need specific training.
Focus areas:
- Recognizing unexpected document sharing notifications
- Verifying links before entering credentials
- Reporting suspicious emails immediately
- Understanding that attackers specifically target their roles
Training should be ongoing, not a one-time event. Regular simulated phishing exercises help maintain awareness.
Strengthen Email Security
Microsoft 365 includes built-in email protection, but default settings may not catch targeted attacks.
Configuration priorities:
- Enable Safe Links to rewrite and check URLs at click time
- Enable Safe Attachments for enhanced malware scanning
- Configure anti-phishing policies to detect impersonation attempts
- Review and tune spam filtering settings
If you are using Microsoft 365 Business Basic, consider upgrading to Business Premium for advanced threat protection features.
Monitor for Compromise Indicators
Detection matters when prevention fails.
Monitoring priorities:
- Unusual sign-in patterns (location, time, device)
- New inbox rules or email forwarding configurations
- Access to sensitive SharePoint sites from unfamiliar contexts
- Bulk file downloads from OneDrive or SharePoint
Microsoft 365 audit logs provide this visibility, but you need someone reviewing them. If you do not have internal IT capacity, work with a managed security provider.
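Steps 3 and 4 of the response procedure above and the monitoring priorities in this section look for the same records: forwarding or deletion rules, sign-ins from unfamiliar places, and bulk downloads. The following added example (not the page's or StencilWash's code) triages a constructed export of audit records for all three; the trusted network range, sample records and thresholds are assumptions, and field names only loosely follow the Unified Audit Log layout.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed office egress range
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
BAD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage", "ForwardingSmtpAddress"}

# Constructed records; field names loosely follow Unified Audit Log AuditData.
SAMPLE = [
    {"CreationTime": "2025-12-30T02:14:00", "Operation": "UserLoggedIn",
     "UserId": "asmith@example.com", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2025-12-30T02:16:00", "Operation": "New-InboxRule",
     "UserId": "asmith@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "ForwardTo", "Value": "drop@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-12-30T09:00:00", "Operation": "UserLoggedIn",
     "UserId": "bjones@example.com", "ClientIP": "203.0.113.40"},
] + [{"CreationTime": f"2025-12-30T02:{20 + i:02d}:00", "Operation": "FileDownloaded",
      "UserId": "asmith@example.com", "SourceFileName": f"pricing-{i}.xlsx"}
     for i in range(12)]

def persistence_rules(records):
    """Inbox rules or mailbox settings that forward, redirect or silently delete mail."""
    hits = []
    for r in records:
        if r["Operation"] in RULE_OPS:
            bad = {p["Name"] for p in r.get("Parameters", [])} & BAD_PARAMS
            if bad:
                hits.append((r["UserId"], r["Operation"], sorted(bad)))
    return hits

def untrusted_signins(records, trusted=TRUSTED_NETS):
    """Sign-ins from addresses outside the assumed known corporate ranges."""
    return [(r["UserId"], r["ClientIP"]) for r in records
            if r["Operation"] == "UserLoggedIn"
            and not any(ipaddress.ip_address(r["ClientIP"]) in n for n in trusted)]

def bulk_downloads(records, threshold=10, window=timedelta(minutes=15)):
    """Users with more than `threshold` FileDownloaded events inside one window."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "FileDownloaded":
            by_user[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    flagged = {}
    for user, times in sorted(by_user.items()):
        # Sliding window anchored at each event in turn; keep the busiest window.
        peak = max(sum(1 for t in times if timedelta(0) <= t - s <= window) for s in times)
        if peak > threshold:
            flagged[user] = peak
    return flagged
```

Run the three functions over a real export (for example, the AuditData of each row returned by Search-UnifiedAuditLog) and review every hit by hand; the thresholds here are starting points, not tuned values.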
Verify Your Backup and Recovery Capability
If this campaign is preparation for ransomware, backups are your last line of defense.
Questions to answer:
- Do you have offline or immutable backups of critical data?
- Can you restore operations from backup within an acceptable timeframe?
- Have you tested backup restoration recently?
- Are backup systems protected with separate credentials?
Ransomware operators specifically target backups. Your backup strategy should assume attackers have access to your production environment.
The Broader Threat Landscape
This campaign is part of a larger pattern. Ransomware attacks against small and medium businesses are increasing, with 88% of SMB breaches involving ransomware. The average recovery cost is $1.53 million, excluding ransom payments.
Manufacturing is particularly targeted. Attackers know that production downtime has immediate financial impact and that many manufacturers will pay to resume operations quickly.
Lancaster County's concentration of manufacturing businesses makes the region an attractive target. The question is not whether local businesses will be targeted, but whether they will be prepared.
What StencilWash Did for Our Client
When our client discovered the compromise, we worked with them on a structured response:
Immediate containment. We reset credentials, revoked sessions, and audited all forwarding rules and connected applications within hours of notification.
Investigation. We reviewed sign-in logs and email activity to determine the scope of access. In this case, the attackers had accessed the mailbox but had not yet moved laterally or exfiltrated significant data.
Remediation. We implemented MFA across their Microsoft 365 environment, configured advanced threat protection policies, and established monitoring for compromise indicators.
Training. We conducted targeted training with their sales team on recognizing phishing attempts and reporting suspicious activity.
The client avoided significant damage because they caught the compromise quickly and responded effectively. Not every organization is that fortunate.
Next Steps
If you operate a manufacturing, industrial, or healthcare business in Lancaster County:
- Verify MFA is enabled for all Microsoft 365 accounts, especially customer-facing staff
- Brief your sales team on this specific campaign and what to watch for
- Review email security settings in Microsoft 365
- Check backup systems to ensure you can recover from a ransomware event
- Establish an incident response contact so staff know who to call if something looks wrong
This campaign is active. The attackers have invested significant effort in targeting specific industries and individuals. They are not going to stop because their initial packages were discovered.
Preparation matters more than prediction. You cannot know exactly when or how an attack will come. You can ensure your organization is ready to detect, respond, and recover.
StencilWash helps Lancaster County businesses implement practical cybersecurity protections. If you want to assess your organization's exposure to targeted phishing campaigns, contact us.