Sequentur Blog
Signs Your Small Business Network Has Been Compromised
Something feels off. Computers are slower than usual, an employee got locked out of their account for no reason, or your firewall logs show traffic to a country you do not do business with. Maybe it is nothing. Maybe it is not. The tricky part about network compromises is that the signs are often subtle, and by the time they become obvious, the attacker has already been inside for weeks. Here are the warning signs that your business network may have been compromised, and what to do about each one. Detection is the back half of the problem – the front half is making sure the network is hardened in the first place, which the network security checklist for small business walks through item by item.
Unexplained Slowness Across Multiple Machines
A single slow computer is usually a hardware or software issue. Multiple machines slowing down at the same time is a different story. Attackers running processes in the background, whether they are exfiltrating data, mining cryptocurrency, or staging files for encryption, consume CPU, memory, and network bandwidth. If your team is reporting that “everything is slow today” and there is no obvious cause like a large Windows update rolling out or a backup job running, it is worth investigating.
Open Task Manager on affected machines and look for processes using high CPU or memory that you do not recognize. Pay attention to processes with generic or slightly misspelled names. Malware frequently disguises itself as legitimate Windows processes, with names like svchost.exe running from the wrong directory or csrss.exe with unusual parent processes. If you see a process consuming significant resources and you cannot explain what it does, do not kill it yet. Document it first, including the process name, file path, CPU and memory usage, and any network connections it has open. That information will be valuable if you need to bring in help later.
Network slowness specifically can indicate data exfiltration. If your internet connection feels throttled but your ISP reports no issues, check your router or firewall for unusual bandwidth usage. An attacker quietly copying your file server to an external location will saturate your upload bandwidth in ways that are noticeable but easy to misattribute to a “bad internet day.”
Locked Accounts and Password Reset Requests
If employees are getting locked out of accounts they did not try to log into, someone else may be trying those credentials. Brute-force and credential-stuffing attacks trigger account lockouts when the attacker guesses wrong enough times. A sudden spike in lockouts across the organization, especially for admin or service accounts, is a serious red flag.
Check your Active Directory logs for Event ID 4740 (account lockout) and 4625 (failed logon). Look at the source IP addresses. If the failed attempts are coming from an internal IP that should not be making those requests, you may already have an attacker inside your network performing lateral movement. They are trying credentials they harvested from one machine against other machines to expand their access.
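A small triage script for the lockout and failed-logon review described above, added here as an example (not part of the original article). It assumes the 4625/4740 events have already been exported and normalised to id/account/source records; the RFC1918 ranges, the hypothetical "expected" authentication source and the thresholds are assumptions you would tune for your own network.

```python
"""Spot brute-force, password-spray and internal lateral-movement patterns in
failed-logon (4625) and lockout (4740) events. Added example; the records
are constructed and already normalised to id/account/source rather than
raw event XML (4625 gives the source as IpAddress, 4740 as a caller host)."""
import ipaddress
from collections import Counter, defaultdict

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_AUTH_SOURCES = {"10.0.0.5"}   # hypothetical DC/RDS gateway that legitimately relays logons

def is_internal(source):
    """True for RFC1918 addresses; host names (4740 callers) count as internal."""
    try:
        return any(ipaddress.ip_address(source) in net for net in INTERNAL)
    except ValueError:
        return True

def analyse(events, fail_threshold=10, spray_threshold=5):
    """Return findings: sources with too many failures (bruteforce), sources
    failing against many distinct accounts (spray), and lockouts caused by an
    internal source that has no business authenticating (lateral movement)."""
    fails, accounts = Counter(), defaultdict(set)
    findings = []
    for ev in events:
        src = ev["source"]
        if ev["id"] == 4625:
            fails[src] += 1
            accounts[src].add(ev["account"])
        elif ev["id"] == 4740 and is_internal(src) and src not in EXPECTED_AUTH_SOURCES:
            findings.append(("lockout_from_internal", src, ev["account"]))
    for src, n in fails.items():
        if n >= fail_threshold:
            findings.append(("bruteforce", src, n))
        if len(accounts[src]) >= spray_threshold:
            findings.append(("spray", src, len(accounts[src])))
    return findings

# Constructed sample: a workstation trying six accounts twice each, then
# locking one; an external address making a few failures against one user.
USERS = ("jsmith", "mlee", "svc-backup", "admin", "hr01", "finance")
SAMPLE = ([{"id": 4625, "account": u, "source": "10.0.5.20"} for u in USERS] * 2
          + [{"id": 4625, "account": "jsmith", "source": "203.0.113.9"}] * 3
          + [{"id": 4740, "account": "svc-backup", "source": "10.0.5.20"}])

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(*finding)
```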
Also watch for password changes that users did not initiate. If an employee reports that their password was changed and they did not do it, that account has likely been compromised. The attacker changed the password to lock the legitimate user out while they use the account. This is especially dangerous with admin accounts, where a password change gives the attacker sustained elevated access.
Unexpected Outbound Network Traffic
Your network should have predictable traffic patterns. Employees browse the web, use cloud apps, and send email during business hours. If your firewall or router logs show large volumes of data leaving your network during off hours, connections to IP addresses in regions you have no business relationship with, or sustained outbound traffic from a server that normally only receives inbound connections, that is worth investigating immediately.
Data exfiltration often happens slowly and quietly. Attackers know that a massive one-time transfer will trigger alarms, so they trickle data out over days or weeks in small chunks. Look for patterns rather than single events. A server sending 500 MB to an external IP every night at 3 AM is not normal maintenance. Similarly, watch for DNS queries to unusual domains. Some malware uses DNS tunneling to exfiltrate data, encoding stolen information in the subdomain portion of DNS queries to domains the attacker controls. These requests look like normal DNS traffic unless you are specifically looking for high volumes of queries to unfamiliar domains.
If you have a firewall that logs outbound connections, review the destination IPs for anything unexpected. Free threat intelligence services can help you check whether an IP address is associated with known malicious activity.
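The "look for patterns rather than single events" advice above, turned into code as an added example (not from the original article). It assumes firewall flow logs exported to a generic CSV of time, source, destination and bytes sent; the business-hours window, volume threshold and RFC1918 ranges are assumptions to adjust.

```python
"""Find internal hosts that repeatedly push large volumes to one external
address during off hours: the slow-trickle pattern described above. Added
example; the firewall log is constructed in a generic CSV layout
(time,src,dst,bytes_out), not any particular vendor's format."""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def off_hours(ts, start=19, end=7):
    """Outside the assumed 07:00-19:00 business day (local time)."""
    return ts.hour >= start or ts.hour < end

def recurring_offhours_exfil(log_text, min_bytes=100 * 2**20, min_days=3):
    """Group off-hours flows to external IPs by (src, dst); return pairs seen on
    at least min_days distinct days with at least min_bytes per flow, mapped to
    (distinct days, total bytes). Single large events are deliberately ignored."""
    days, total = defaultdict(set), defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        ts, sent = datetime.fromisoformat(row["time"]), int(row["bytes_out"])
        if is_external(row["dst"]) and off_hours(ts) and sent >= min_bytes:
            key = (row["src"], row["dst"])
            days[key].add(ts.date())
            total[key] += sent
    return {k: (len(d), total[k]) for k, d in days.items() if len(d) >= min_days}

# Constructed sample: the file server sends ~500 MB to the same address at
# 3 AM on three nights; a daytime upload, a one-off evening transfer and an
# internal copy are noise that must not be flagged.
SAMPLE_LOG = """time,src,dst,bytes_out
2024-05-01T03:02:11,10.0.0.12,198.51.100.7,524288000
2024-05-01T14:10:00,10.0.0.33,198.51.100.80,20000000
2024-05-02T03:01:45,10.0.0.12,198.51.100.7,530000000
2024-05-02T21:00:00,10.0.0.33,198.51.100.80,300000000
2024-05-03T03:04:02,10.0.0.12,198.51.100.7,519000000
2024-05-03T10:00:00,10.0.0.12,192.168.1.5,900000000
"""

if __name__ == "__main__":
    for (src, dst), (n_days, total) in recurring_offhours_exfil(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {n_days} nights, {total / 2**20:.0f} MiB total")
```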
Suspicious Login Activity
Review your login logs regularly. Warning signs include logins at unusual hours (3 AM on a Saturday from an account that belongs to a 9-to-5 employee), logins from geographic locations where you have no staff, multiple accounts logging in from the same IP in rapid succession, and successful logins immediately following a series of failures.
If you use Microsoft 365, the Sign-In Logs in Azure AD (now Entra ID) show login times, locations, device info, and whether MFA was triggered. Pay particular attention to logins that bypassed MFA or used legacy authentication protocols, which do not support MFA. Attackers specifically target legacy protocols for this reason, which is why blocking legacy auth and hardening your M365 tenant is critical, along with having detection beyond MFA. For on-premises systems, Windows Security Event Log entries 4624 (successful logon) and 4625 (failed logon) are your primary source.
A pattern worth watching for is “impossible travel,” where the same account logs in from two geographic locations that are too far apart for the user to have physically traveled between them in the time gap. If an account logs in from Philadelphia at 2 PM and from Moscow at 2:30 PM, one of those logins is not the legitimate user.
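The impossible-travel check above, implemented as an added example (not the article's or Microsoft's code). It assumes sign-in records exported with a UTC timestamp and, for illustration, coordinates already attached; a real Entra ID export gives city and country that you would geocode first. The 900 km/h speed ceiling is an assumption.

```python
"""Impossible-travel check over successful sign-ins, e.g. an export of the
Entra ID sign-in logs. Added example; records are constructed and already
carry coordinates, and timestamps are assumed to be UTC."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

def haversine_km(a, b):
    """Great-circle distance between (lat, lon) pairs given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(signins, max_kmh=900.0):
    """Per user, sort successful sign-ins by time and flag consecutive pairs whose
    implied speed exceeds max_kmh (roughly airliner speed). Failed sign-ins are
    skipped; duplicate records at the same place and time are not flagged."""
    by_user = {}
    for s in signins:
        if s["success"]:
            by_user.setdefault(s["user"], []).append(s)
    hits = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r["time"])
        for prev, cur in zip(rows, rows[1:]):
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            km = haversine_km(prev["loc"], cur["loc"])
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                hits.append((user, prev["city"], cur["city"], round(km), round(hours, 2)))
    return hits

# Constructed sample: the article's Philadelphia-then-Moscow case, plus a
# normal Boston-to-New-York day and a failed attempt that must be ignored.
SAMPLE = [
    {"user": "jsmith", "time": datetime(2024, 5, 1, 14, 0), "success": True,
     "city": "Philadelphia", "loc": (39.95, -75.17)},
    {"user": "jsmith", "time": datetime(2024, 5, 1, 14, 30), "success": True,
     "city": "Moscow", "loc": (55.76, 37.62)},
    {"user": "mlee", "time": datetime(2024, 5, 1, 9, 0), "success": True,
     "city": "Boston", "loc": (42.36, -71.06)},
    {"user": "mlee", "time": datetime(2024, 5, 1, 13, 0), "success": True,
     "city": "New York", "loc": (40.71, -74.01)},
    {"user": "mlee", "time": datetime(2024, 5, 1, 13, 5), "success": False,
     "city": "Lagos", "loc": (6.52, 3.38)},
]

if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE):
        print("impossible travel:", hit)
```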
New or Unknown User Accounts
Attackers who gain admin access often create their own accounts as a backdoor. These accounts let them get back in even if you change the password on the account they originally compromised. Check your Active Directory and any cloud admin consoles for accounts you do not recognize, especially accounts with elevated privileges.
Look specifically for accounts created recently, accounts added to admin groups, and accounts with names that blend in with your naming convention. An attacker who has been in your environment long enough to learn your naming scheme will create accounts like jsmith-admin or svc-backup that look legitimate at a glance. Run a report of all accounts created in the last 30 to 90 days and verify each one with whoever is responsible for account provisioning.
Service accounts deserve special scrutiny. They often have elevated permissions and are rarely monitored. If a service account that normally logs in from one server is suddenly logging in from workstations, that is a strong indicator of compromise.
Disabled Security Tools
If your antivirus is suddenly off on one or more machines, or your EDR agent has been uninstalled, treat it as a compromise until proven otherwise. One of the first things an attacker does after gaining access is disable security tooling. They need to operate freely, and active security software gets in the way. Disabling security tools is so common in attack playbooks that it should be considered a high-confidence indicator of compromise.
Check your security dashboard for agents that have stopped reporting. Most EDR and antivirus platforms have a “last seen” timestamp for each endpoint. If a machine has not checked in for 24 hours and it is supposed to be online, investigate. The same applies to firewall rules that have been modified or logging that has been turned off on a server. Windows Event Log services being stopped, audit policies being changed, or log files being cleared are all signs that someone is covering their tracks.
If your organization uses Group Policy to enforce security settings, check whether any policies have been modified. An attacker with domain admin access can change Group Policy to disable security tools across the entire network in one move.
Strange Email Behavior
Compromised email accounts are one of the most common attack outcomes, and phishing is how most of them start. Signs include emails in the Sent folder that the user did not send, mail forwarding rules the user did not create, contacts receiving phishing emails that appear to come from the user, and the user being unable to log in because the password was changed.
In Microsoft 365, check the mailbox audit logs and look at inbox rules for any account you suspect. Attackers frequently create forwarding rules to send a copy of all incoming email to an external address. They also create rules that automatically move or delete certain emails so the account owner does not notice the impersonation. A rule that deletes all replies from a specific domain, for example, could hide an ongoing business email compromise where the attacker is redirecting invoice payments.
Business Email Compromise (BEC) is one of the most financially damaging forms of cybercrime. The FBI reports that BEC attacks account for billions in losses annually. If an attacker has access to an executive’s email account, they can impersonate that person to request wire transfers, change payment details with vendors, or access sensitive business information. The damage from a compromised email account often extends far beyond the mailbox itself.
Ransomware Indicators Before Full Encryption
Ransomware rarely strikes without warning. If encryption has already started, follow our step-by-step ransomware recovery guide immediately. Understanding how ransomware gets into small business networks in the first place can help you close the door before it reaches this stage. But in the days or weeks before encryption, attackers are moving through your network, escalating privileges, and identifying backup systems. Warning signs during this phase include unexpected Remote Desktop Protocol (RDP) sessions between machines, new scheduled tasks you did not create, PowerShell scripts running on machines where they normally would not, and attempts to access or delete backup files or shadow copies.
Shadow copy deletion is one of the strongest ransomware precursors. Windows Volume Shadow Copy Service (VSS) maintains automatic snapshots that could be used to recover encrypted files. Ransomware operators delete these before deploying the payload. If you see vssadmin commands being run outside of a known maintenance window, investigate immediately.
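The pre-encryption indicators listed above (shadow-copy deletion, new scheduled tasks, PowerShell where it is not routine), checked against process-creation events as an added example that is not from the original article. It assumes Event ID 4688 with command-line auditing enabled, events already normalised to time/host/user/cmd, and a hypothetical maintenance window and list of hosts where PowerShell is expected.

```python
"""Triage Windows process-creation events (Event ID 4688, with command-line
auditing enabled) for the pre-encryption signs named above. Added example;
events are constructed and normalised to time/host/user/cmd fields."""
from collections import defaultdict
from datetime import datetime, time

MAINTENANCE = (time(22, 0), time(23, 59))   # hypothetical nightly backup window
POWERSHELL_HOSTS = {"ADMIN-WS01"}           # hosts where PowerShell is routine

def exe_name(cmd):
    """Lower-cased basename of the first token, minus '.exe'."""
    first = cmd.split()[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return first[:-4] if first.endswith(".exe") else first

def classify(ev):
    exe, args = exe_name(ev["cmd"]), ev["cmd"].lower()
    if exe == "vssadmin" and "delete" in args and "shadows" in args:
        # In-window deletions are lower priority, not safe; this only suppresses backup-job noise.
        in_window = MAINTENANCE[0] <= ev["time"].time() <= MAINTENANCE[1]
        return None if in_window else "shadow_copy_deletion"
    if exe == "schtasks" and "/create" in args:
        return "new_scheduled_task"
    if exe.startswith("powershell") and ev["host"] not in POWERSHELL_HOSTS:
        return "unexpected_powershell"
    return None

def triage(events):
    """Return (category, host, user) alerts plus hosts showing more than one
    category, the strongest sign of an operator staging for encryption."""
    alerts = [(c, e["host"], e["user"]) for e in events if (c := classify(e))]
    per_host = defaultdict(set)
    for cat, host, _ in alerts:
        per_host[host].add(cat)
    return alerts, sorted(h for h, cats in per_host.items() if len(cats) > 1)

SAMPLE = [  # constructed; times are local to the host
    {"time": datetime(2024, 5, 1, 22, 30), "host": "BACKUP01", "user": "svc-backup",
     "cmd": r"C:\Windows\System32\vssadmin.exe delete shadows"},
    {"time": datetime(2024, 5, 1, 3, 12), "host": "FILESRV01", "user": "jsmith",
     "cmd": r"C:\Windows\System32\vssadmin.exe delete shadows"},
    {"time": datetime(2024, 5, 1, 3, 15), "host": "FILESRV01", "user": "jsmith",
     "cmd": r"schtasks /create /tn Sync /tr C:\Temp\sync.exe"},
    {"time": datetime(2024, 5, 1, 9, 0), "host": "ADMIN-WS01", "user": "admin",
     "cmd": r"powershell.exe -File C:\Scripts\report.ps1"},
    {"time": datetime(2024, 5, 1, 3, 16), "host": "HR-WS07", "user": "jsmith",
     "cmd": r"powershell.exe -NoProfile -File C:\Users\Public\a.ps1"},
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A host that trips two categories within minutes, as FILESRV01 does here, is the case to isolate first.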
If you catch ransomware in this pre-encryption phase, you can prevent the payload from ever running. This is the phase where 24/7 monitoring pays for itself many times over.
What to Do If You See These Signs
If you observe any combination of the signs above, do not ignore them and hope they go away. Here is what to do:
- Document what you see. Screenshots, timestamps, affected machines, and the specific symptoms. This documentation will be critical for any forensic investigation.
- Isolate suspicious machines from the network. Unplug the Ethernet, disable Wi-Fi. Do not power them off, as live memory may contain evidence.
- Check your backups. Verify they are accessible and clean before you need them.
- Review logs. Active Directory, firewall, email audit logs, and EDR dashboards will tell you more about what is happening. After the immediate response, a structured network assessment is the cheapest way to find out how the attacker got in and what other gaps still exist.
- Preserve evidence. Do not wipe or rebuild machines until someone qualified has had a chance to examine them. Destroying evidence makes it harder to understand what happened and close the entry point.
- Call for help if you are in over your head. There is no shame in bringing in an incident response team. The cost of a delayed response is almost always higher than the cost of professional help.
When to Bring in a Managed Security Provider
If your internal IT team is stretched thin and security monitoring is something that happens when someone remembers to check, you are relying on luck. The signs described in this article are things that a Managed Detection and Response (MDR) provider monitors for continuously. Unusual login patterns, unexpected network traffic, disabled security agents, and lateral movement all generate alerts that get investigated in real time by analysts whose only job is security.
The difference between catching a compromise in its first hours versus its first weeks is often the difference between a contained incident and a catastrophic breach. Most SMBs do not have the staffing or expertise to watch for these signs around the clock. That is not a failure. It is a recognition that security monitoring is a specialized function that benefits from dedicated resources.
Sequentur provides managed security monitoring and incident response for small and mid-sized businesses. If something in this article sounds familiar and you are not sure where to start, you can reach us through our contact page to walk through what you are seeing.