Back to Intelligence

Xsolis Data Breach: Social Engineering Attack Chain and Healthcare Defense

SA
Security Arsenal Team
June 23, 2026
6 min read

Healthcare technology firm Xsolis has confirmed a significant security incident resulting in the compromise of sensitive data for approximately 1.4 million individuals. The attack vector was identified as a sophisticated social engineering operation that allowed threat actors to bypass standard perimeter defenses and gain access to the corporate network.

For defenders in the healthcare sector, this breach is a critical reminder that technical controls alone are insufficient against adversaries targeting the human element. The exposure of Protected Health Information (PHI) triggers not only severe regulatory scrutiny under HIPAA but also poses substantial risks to patient safety through potential identity theft and insurance fraud. Immediate action is required to audit identity controls, validate user activity, and harden endpoints against the initial access mechanisms commonly employed in these campaigns.

Technical Analysis

Attack Vector: Social Engineering (Human Intelligence/Spear-phishing or Vishing).

Affected Entity: Xsolis (Healthtech/Healthcare AI).

Attack Chain Breakdown:

  1. Initial Access: Attackers utilized social engineering tactics—likely involving credential harvesting or MFA fatigue techniques—to deceive employees. This resulted in the compromise of valid credentials or session tokens, allowing the attackers to authenticate as legitimate users.
  2. Network Access: Once authenticated, the actors accessed internal systems. The lack of specific CVE details in the disclosure suggests the compromise leveraged legitimate access tools rather than an software exploit, highlighting a failure in identity validation or access governance.
  3. Data Exfiltration: The attackers navigated the network to locate and exfiltrate sensitive PII and PHI belonging to 1.4 million individuals.

Exploitation Status: Confirmed Active Exploitation. The breach has been verified by the company, with data exposure confirmed. No specific CVE was cited, indicating the vulnerability was procedural or human-based rather than a software flaw.

Detection & Response

Given that the entry point was social engineering, detection relies heavily on identifying the post-compromise actions typically executed after a user is phished. This includes suspicious process execution chains initiated from office productivity suites or unusual authentication patterns.

SIGMA Rules

The following rules target the common "follow-on" behavior observed in social engineering attacks, specifically the abuse of Microsoft Office applications to launch scripts or perform reconnaissance.

YAML
---
title: Suspicious PowerShell Spawn from Office Application
id: 8a2c1b3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects when Microsoft Office products (Word, Excel, PowerPoint) spawn a PowerShell process. This is a common tactic used in macro-based social engineering attacks to establish a foothold.
references:
  - https://attack.mitre.org/techniques/T1566/001/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1566.001
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|contains:
      - '\WINWORD.EXE'
      - '\EXCEL.EXE'
      - '\POWERPNT.EXE'
      - '\OUTLOOK.EXE'
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate administrative scripts run by IT staff (rare from Office apps)
level: high
---
title: Suspicious Mshta Execution via Browser or Email
description: Detects the execution of mshta.exe initiated by a browser or email client. Mshta is frequently used in social engineering campaigns to execute malicious code via HTML Application (HTA) files.
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
references:
  - https://attack.mitre.org/techniques/T1218/005/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.defense_evasion
  - attack.t1218.005
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\mshta.exe'
    ParentImage|contains:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
      - '\OUTLOOK.EXE'
  condition: selection
falsepositives:
  - Legacy web applications requiring HTA components (should be cataloged)
level: critical

KQL (Microsoft Sentinel / Defender)

This query hunts for suspicious process creation patterns often seen immediately after a user interacts with a social engineering lure, specifically looking for encoded commands common in phishing payloads.

KQL — Microsoft Sentinel / Defender
let SuspiciousParents = dynamic(["WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE", "chrome.exe", "msedge.exe"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in (SuspiciousParents)
| where FileName in~ ("powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")
| where ProcessCommandLine has "-EncodedCommand" 
   or ProcessCommandLine has "FromBase64String" 
   or ProcessCommandLine has "IEX" 
   or ProcessCommandLine has "Invoke-Expression"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, SHA256
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for processes spawned by common office applications that are indicative of macro-based social engineering payloads.

VQL — Velociraptor
-- Hunt for suspicious child processes of Office applications
SELECT Pid, Ppid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Pid in (
    SELECT Pid FROM pslist()
    WHERE Name =~ "WINWORD.EXE" 
       OR Name =~ "EXCEL.EXE" 
       OR Name =~ "POWERPNT.EXE"
)
AND Name =~ "powershell.exe" 
   OR Name =~ "cmd.exe" 
   OR Name =~ "mshta.exe"

Remediation Script (PowerShell)

This script helps audit and enforce Attack Surface Reduction (ASR) rules that specifically mitigate social engineering attack vectors, such as Office applications creating child processes.

PowerShell
# Audit and enable ASR rules to mitigate Social Engineering vectors

Write-Host "[+] Auditing Attack Surface Reduction (ASR) Rules..." -ForegroundColor Cyan

# Rule GUID: Block Office applications from creating child processes
$BlockOfficeChildProcess = "D4F940AB-401B-4EFC-AADC-AD5F3C50688A"
# Rule GUID: Block Win32 API calls from Office macro
$BlockWin32APIMacro = "92E97FA1-2EDF-44AC-BECE-A7A2CA8E3152"

$RulesToEnforce = @($BlockOfficeChildProcess, $BlockWin32APIMacro)

foreach ($RuleID in $RulesToEnforce) {
    $CurrentState = (Get-MpPreference).AttackSurfaceReductionRules_Ids | Where-Object { $_ -eq $RuleID }
    $ActionState = (Get-MpPreference).AttackSurfaceReductionRules_Actions | 
                   Where-Object { $_ -eq 1 } # 1 = Block, 0 = Audit, 6 = Warn

    if ($CurrentState -eq $RuleID) {
        Write-Host "[+] Rule $RuleID is currently active." -ForegroundColor Green
    } else {
        Write-Host "[-] Rule $RuleID is NOT active. Enabling..." -ForegroundColor Yellow
        try {
            Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleID -AttackSurfaceReductionRules_Actions 1
            Write-Host "[+] Successfully enabled Rule $RuleID." -ForegroundColor Green
        }
        catch {
            Write-Host "[!] Failed to enable rule: $_" -ForegroundColor Red
        }
    }
}

Write-Host "[+] ASR Audit Complete." -ForegroundColor Cyan


# Remediation

To defend against the social engineering tactics observed in the Xsolis breach and prevent similar compromises, implement the following measures immediately:

1.  **Enforce Phishing-Resistant MFA:** Move beyond basic SMS or token-based MFA. Implement **FIDO2/WebAuthn** security keys or **Number Matching** in Microsoft Authenticator. This significantly raises the bar for attackers attempting to use credentials harvested via social engineering.

2.  **Implement Strict Conditional Access Policies:** Configure Conditional Access (e.g., in Entra ID) to require compliant devices and trusted locations for access to sensitive health data systems. Block access from impossible travel contexts or anonymizing VPNs.

3.  **Disable Macro Execution:** Ensure that macros are disabled by default for all users via Group Policy or cloud security policy. Macros remain a primary initial access vector for social engineering attacks.

4.  **Enable ASR Rules:** Deploy Attack Surface Reduction (ASR) rules specifically:
    *   "Block Office applications from creating child processes"
    *   "Block Win32 API calls from Office macro"
    *   "Block Adobe Reader from creating child processes"

5.  **User Awareness Training:** Conduct targeted social engineering simulations focusing on the specific lures relevant to healthcare operations (e.g., patient data inquiries, insurance claim updates).

**Vendor Advisory:**

Refer to the official Xsolis disclosure and breach notification letters for specific timelines and services affected. If you are a customer of Xsolis, rotate API keys and service account credentials immediately, even if not explicitly instructed, as these are high-value targets in such breaches.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirxsolissocial-engineeringhealthcare

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action